ensp-DHCP的配置

DHCP协议概述

典型的服务器-客户端模型；
使用UDP作为其传输层协议；
客户端可以从DHCP服务器那里获得能够自行完成配置的信息包括IP地址、默认网关地址、域名服务器地址和一些特定平台的信息。

DHCP的工作方式

DHCP工作步骤：

客户端在网络中寻找DHCP服务器；
服务器向DHCP客户端提供一个IP地址；
客户端向DHCP服务器申请该IP地址的使用权；
服务器向DHCP客户端确认它可以使用该IP地址。

DHCP发现消息的封装

DHCP提供消息的封装

DHCP服务器通过DHCP请求消息判断是否在向自己请求IP地址

关于笔记本电脑会选择哪一个DHCP服务器提供的ip和谁先发给笔记本电脑的快慢有关，谁先发给笔记本电脑ip，笔记本电脑就选择那台DHCP服务器提供的ip

DHCP确认消息的封装

DHCP中继代理的作用

DHCP请求报文是以广播包的形式请求的，那么DHCP服务器不在本网段怎么获得ip地址呢，通过DHCP中继代理这种技术就很好的解决了这个问题

DHCP封装格式

DHCP欺骗攻击概述

DHCP欺骗攻击方式：
1.攻击者冒充成DHCP服务器；
2.攻击者冒充成DHCP客户端。

攻击者伪装成DHCP服务器

攻击者伪装出大量DHCP客户端

DHCP配置

DHCP服务器的配置

路由器提供DHCP服务器功能的两种配置方式：
基于接口地址池的配置方式；
基于全局地址池的配置方式。

两种地址池的区别:
全局地址池：可以应用到设备的任何端口上，可以独立配置地址池内所有信息。
接口地址池：只能在一个配置IP的端口上启用，网关和地址池名称都是固定的，地址池网段就是接口地址的网段。无法应用到其他接口。

基于接口地址池配置DHCP服务器

[AR1_DHCP_SERVER]dhcp enable
Info: The operation may take a few seconds. Please wait for a moment.done.
[AR1_DHCP_SERVER]interface gigabitethernet 0/0/1
[AR1_DHCP_SERVER-GigabitEthernet0/0/1]ip address 10.0.10.1 255.255.255.224
[AR1_DHCP_SERVER-GigabitEthernet0/0/1]dhcp select interface
[AR1_DHCP_SERVER-GigabitEthernet0/0/1]quit
[AR1_DHCP_SERVER]interface gigabitethernet 0/0/2
[AR1_DHCP_SERVER-GigabitEthernet0/0/2]ip address 10.0.20.1 255.255.255.192
[AR1_DHCP_SERVER-GigabitEthernet0/0/2]dhcp select interface

mmp,我在这里老是PC获取不到ip,最后知道真相的我眼泪掉下来，原因找到了，ENSP有个坑爹设定，选定DHCP自动获取后，右下角还有应用要点击确认一下，不然不会起作用。

PC10和PC20获得的IP地址信息

PC10>ipconfig
 
Link local IPv6 address...........: fe80::5689:98ff:fedd:436d
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 10.0.10.30
Subnet mask.......................: 255.255.255.224
Gateway...........................: 10.0.10.1
Physical address..................: 54-89-98-DD-43-6D
DNS server........................:

PC20>ipconfig
 
Link local IPv6 address...........: fe80::5689:98ff:feaf:725d
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 10.0.20.62
Subnet mask.......................: 255.255.255.192
Gateway...........................: 10.0.20.1
Physical address..................: 54-89-98-AF-72-5D
DNS server........................:

在DHCPServer上使用display ip pool interface命令用来查看接口地址池配置情况

AR1_DHCP_SERVER上配置DHCP客户端

[AR1_DHCP_SERVER]interface gigabitethernet 0/0/0
[AR1_DHCP_SERVER -GigabitEthernet0/0/0]ip address dhcp-alloc

基于全局地址池配置DHCP服务器

在AR1_DHCP_SERVER上基于全局地址池配置DHCP服务器

[AR1_DHCP_SERVER]ip pool Pool_AR1
[AR1_DHCP_SERVER-ip-pool-Pool_AR1]network 10.0.10.0 mask 255.255.255.224 
[AR1_DHCP_SERVER-ip-pool-Pool_AR1]gateway-list 10.0.10.1
[AR1_DHCP_SERVER-ip-pool-Pool_AR1]excluded-ip-address 10.0.10.25 10.0.10.29 
[AR1_DHCP_SERVER-ip-pool-Pool_AR1]static-bind ip-address 10.0.10.30 mac-address 5489-989f-49ff 
[AR1_DHCP_SERVER-ip-pool-Pool_AR1]lease day 30
[AR1_DHCP_SERVER-ip-pool-Pool_AR1]quit
[AR1_DHCP_SERVER]dhcp enable
[AR1_DHCP_SERVER]interface gigabitethernet 0/0/1
[AR1_DHCP_SERVER-GigabitEthernet0/0/1]dhcp select global  #把这个接口设置为全局接口
[AR1_DHCP_SERVER-GigabitEthernet0/0/1]ip address 10.0.10.1 24 #配置ip同时承担网关的角色

查看IP地址池信息

[AR1_DHCP_SERVER]display ip pool name Pool_AR1 
  Pool-name      : Pool_AR1
  Pool-No        : 0
  Lease          : 30 Days 0 Hours 0 Minutes
  Domain-name    : -
  DNS-server0    : -               
  NBNS-server0   : -               
  Netbios-type   : -               
  Position       : Local           Status           : Unlocked
  Gateway-0      : 10.0.10.1       
  Mask           : 255.255.255.224
  VPN instance   : --
 -----------------------------------------------------------------------------
         Start           End     Total  Used  Idle(Expired)  Conflict  Disable
 -----------------------------------------------------------------------------
       10.0.10.1      10.0.10.30    29     2         22(0)         0        5
 -----------------------------------------------------------------------------

查看FTP服务器和PC10的IP地址信息，在获得ip的时候是从地址池中最后一个开始获得的

FTP>ipconfig
 
Link local IPv6 address...........: fe80::5689:98ff:fe9f:49ff
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 10.0.10.30
Subnet mask.......................: 255.255.255.224
Gateway...........................: 10.0.10.1
Physical address..................: 54-89-98-9F-49-FF
DNS server........................:

PC10>ipconfig 
 
Link local IPv6 address...........: fe80::5689:98ff:fedd:436d
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 10.0.10.24
Subnet mask.......................: 255.255.255.224
Gateway...........................: 10.0.10.1
Physical address..................: 54-89-98-DD-43-6D
DNS server........................:

DHCP中继的配置

AR1_DHCP_SERVER上新添加的配置

[AR1_DHCP_SERVER]ip pool Pool_AR2_VLAN30
Info: It's successful to create an IP address pool.
[AR1_DHCP_SERVER-ip-pool-Pool_AR2_VLAN30]network 172.16.30.0 mask 26
[AR1_DHCP_SERVER-ip-pool-Pool_AR2_VLAN30]gateway-list 172.16.30.1
[AR1_DHCP_SERVER-ip-pool-Pool_AR2_VLAN30]lease day 30
[AR1_DHCP_SERVER-ip-pool-Pool_AR2_VLAN30]quit
[AR1_DHCP_SERVER]ip pool Pool_AR2_VLAN40
Info: It's successful to create an IP address pool.
[AR1_DHCP_SERVER-ip-pool-Pool_AR2_VLAN40]network 172.16.40.0 mask 26
[AR1_DHCP_SERVER-ip-pool-Pool_AR2_VLAN40]gateway-list 172.16.40.1
[AR1_DHCP_SERVER-ip-pool-Pool_AR2_VLAN40]lease day 30
[AR1_DHCP_SERVER-ip-pool-Pool_AR2_VLAN40]quit
[AR1_DHCP_SERVER]interface gigabitethernet 0/0/2
[AR1_DHCP_SERVER-GigabitEthernet0/0/2]
[AR1_DHCP_SERVER-GigabitEthernet0/0/2]dhcp select global
[AR1_DHCP_SERVER-GigabitEthernet0/0/2]ip address 10.0.12.1 30

在AR2_DHCP_RELAY上配置DHCP中继代理

[AR2_DHCP_RELAY]dhcp enable
[AR2_DHCP_RELAY]interface gigabitethernet 0/0/1
[AR2_DHCP_RELAY-GigabitEthernet0/0/1]ip address 172.16.30.1 26
[AR2_DHCP_RELAY-GigabitEthernet0/0/1]dhcp select relay
[AR2_DHCP_RELAY-GigabitEthernet0/0/1]dhcp relay server-ip 10.0.12.1
[AR2_DHCP_RELAY-GigabitEthernet0/0/1]quit
[AR2_DHCP_RELAY]interface gigabitethernet 0/0/0
[AR2_DHCP_RELAY-GigabitEthernet0/0/0]ip address 172.16.40.1 26
[AR2_DHCP_RELAY-GigabitEthernet0/0/0]dhcp select relay
[AR2_DHCP_RELAY-GigabitEthernet0/0/0]dhcp relay server-ip 10.0.12.1
[AR2_DHCP_RELAY-GigabitEthernet0/0/0]quit
[AR2_DHCP_RELAY]interface gigabitethernet 0/0/2
[AR2_DHCP_RELAY-GigabitEthernet0/0/2]ip address 10.0.12.2 30

PC30和PC40获得的IP地址

PC30>ipconfig
 
Link local IPv6 address...........: fe80::5689:98ff:fe11:5bc3
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 172.16.30.62
Subnet mask.......................: 255.255.255.192
Gateway...........................: 172.16.30.1
Physical address..................: 54-89-98-11-5B-C3
DNS server........................:

PC40>ipconfig
 
Link local IPv6 address...........: fe80::5689:98ff:fef2:14a
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 172.16.40.62
Subnet mask.......................: 255.255.255.192
Gateway...........................: 172.16.40.1
Physical address..................: 54-89-98-F2-01-4A
DNS server........................:

配置VLAN10

[AR1_DHCP_SERVER]ip pool Pool_AR2_VLAN10
Info: It's successful to create an IP address pool.
[AR1_DHCP_SERVER-ip-pool-Pool_AR2_VLAN10]network 10.0.10.0 mask 27
[AR1_DHCP_SERVER-ip-pool-Pool_AR2_VLAN10]gateway-list 10.0.10.1
[AR1_DHCP_SERVER-ip-pool-Pool_AR2_VLAN10]lease day 30
[AR1_DHCP_SERVER-ip-pool-Pool_AR2_VLAN10]quit
[AR1_DHCP_SERVER]interface g0/0/1
[AR1_DHCP_SERVER-GigabitEthernet0/0/1]dhcp select global
[AR1_DHCP_SERVER-GigabitEthernet0/0/1]ip address 10.0.10.1 27

DHCP snooping

dhcp snooping工作原理：一旦针对某vlan开启了dhcp snooping,那么该vlan的所有接口默认都是非信任接口。非信任接口收到dhcp的offer报文会直接丢弃。
实验拓扑:

AR1:

[AR1]dhcp enable 
Info: The operation may take a few seconds. Please wait for a moment.done.
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]ip address 192.168.1.1 24
[AR1-GigabitEthernet0/0/0]dhcp select interface 
[AR1-GigabitEthernet0/0/0]dhcp server dns-list 8.8.8.8

AR2:

[AR2]dhcp enable 
Info: The operation may take a few seconds. Please wait for a moment.done.
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]ip address 192.168.31.1 24
[AR2-GigabitEthernet0/0/0]dhcp select interface 
[AR2-GigabitEthernet0/0/0]dhcp server dns-list 9.9.9.9

SW1:

[SW1]dhcp enable 
Info: The operation may take a few seconds. Please wait for a moment.done.
[SW1]dhcp snooping enable vlan 1
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]dhcp snooping trusted