Enabling DHCP Snooping on Cisco Switches

5. Multi-switch environment (DHCP server and DHCP clients in the same VLAN)

  Environment: the 3560 itself acts as the DHCP server; PC1 and PC2 are both in VLAN 10; PC1 connects to Fa0/1 on the 3560 and PC2 to Fa0/1 on the 2960; the two switches are interconnected via Gi0/1 on each side.

  Configuration on the 3560:

  ip dhcp excluded-address 192.168.10.1
  !
  ip dhcp pool test
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   lease 8
  !
  ip dhcp snooping vlan 10
  ip dhcp snooping information option allow-untrusted
  ip dhcp snooping
  !
  interface FastEthernet0/1
   description : Connect to PC1
   switchport access vlan 10
   switchport mode access
   spanning-tree portfast
   ip dhcp snooping limit rate 15
  !
  interface GigabitEthernet0/1
   description : Connect to C2960_Gi0/1
   switchport trunk encapsulation dot1q
   switchport mode trunk
   ip dhcp snooping limit rate 360

  Configuration on the 2960:

  ip dhcp snooping vlan 10
  ip dhcp snooping
  !
  interface FastEthernet0/1
   description : Connect to PC2
   switchport access vlan 10
   switchport mode access
   spanning-tree portfast
   ip dhcp snooping limit rate 15
  !
  interface GigabitEthernet0/1
   description : Connect to C3560_Gi0/1
   switchport mode trunk
   ip dhcp snooping trust

  Notes:

  In this example both the 3560 and the 2960 have DHCP snooping enabled. DHCP requests arriving from the 2960 already carry option 82. If Gi0/1 on the 3560 were configured as a trusted port, requests carrying option 82 would be allowed through, but no DHCP snooping binding would be created for them; the 3560 would then hold a binding entry for PC1 only and none for PC2.

  If DAI and IPSG were also deployed, the 2960 does not support either feature, so from the 3560's point of view traffic arriving from the 2960 may carry IP spoofing or ARP spoofing attacks and cannot be considered safe. Moreover, DAI and IPSG depend on the DHCP snooping binding table, and the 3560 has no binding entry for PC2. Therefore, if DAI or IPSG is to be deployed on the 3560, its Gi0/1 must not be configured as a trusted port.

  However, once Gi0/1 on the 3560 is left untrusted, by default an untrusted port drops DHCP requests that carry option 82, and the requests coming from the 2960 are exactly such packets. The command ip dhcp snooping information option allow-untrusted must therefore be configured; otherwise the 3560 discards these requests and PC2, attached to the 2960, never obtains an IP address. Only with this command in place does the 3560 accept the option-82-tagged DHCP packets sent by the 2960 and build binding entries from them.

  Because the downlink Gi0/1 on the 3560 is untrusted, its default rate limit is 15 DHCP requests per second; if every PC on the 2960 sent a DHCP request at the same time, the port could be put into errdisable. Assuming the 2960 is a 24-port switch, the limit is simply set to 24*15=360.

  The uplink Gi0/1 on the 2960 must be configured as a trusted port; otherwise it would drop the DHCP replies coming from the 3560 and PC2 could not obtain an IP address.

  C3560#show ip dhcp snooping
  Switch DHCP snooping is enabled
  DHCP snooping is configured on following VLANs:
  10
  DHCP snooping is operational on following VLANs:
  10
  DHCP snooping is configured on the following L3 Interfaces:
  Insertion of option 82 is enabled
     circuit-id format: vlan-mod-port
     remote-id format: MAC
  Option 82 on untrusted port is allowed
  Verification of hwaddr field is enabled
  DHCP snooping trust/rate is configured on the following Interfaces:
  Interface                  Trusted    Rate limit (pps)
  ------------------------   -------    ----------------
  FastEthernet0/1            no         15
  GigabitEthernet0/1         no         360

  C3560#show ip dhcp snooping binding
  MacAddress          IpAddress         Lease(sec)   Type            VLAN   Interface
  ------------------  ---------------   ----------   -------------   ----   --------------------
  00:0F:1F:C5:10:08   192.168.10.2      685618       dhcp-snooping   10     FastEthernet0/1
  00:0B:DB:08:21:E0   192.168.10.3      688023       dhcp-snooping   10     GigabitEthernet0/1

  C2960#show ip dhcp snooping
  Switch DHCP snooping is enabled
  DHCP snooping is configured on following VLANs:
  10
  Insertion of option 82 is enabled
     circuit-id format: vlan-mod-port
     remote-id format: MAC
  Option 82 on untrusted port is not allowed
  Verification of hwaddr field is enabled
  Interface                  Trusted    Rate limit (pps)
  ------------------------   -------    ----------------
  FastEthernet0/1            no         15
  GigabitEthernet0/1         yes        unlimited

  C2960#show ip dhcp snooping binding
  MacAddress          IpAddress         Lease(sec)   Type            VLAN   Interface
  ------------------  ---------------   ----------   -------------   ----   --------------------
  00:0B:DB:08:21:E0   192.168.10.3      688023       dhcp-snooping   10     FastEthernet0/1

6. Multi-switch environment (DHCP server and DHCP clients in the same VLAN)

  Environment: the 4503 itself acts as the DHCP server; PC1 and PC2 are both in VLAN 10; PC1 connects to Gi2/1 on the 4503 and PC2 to Fa0/1 on the 3560; the inter-switch link is 4503 Gi1/1 -- 3560 Gi0/1.

  Configuration on the 4503:

  ip dhcp excluded-address 192.168.10.1
  !
  ip dhcp pool test
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   lease 8
  !
  ip dhcp snooping vlan 10
  ip dhcp snooping
  !
  interface GigabitEthernet2/1
   description : Connect to PC1
   switchport access vlan 10
   switchport mode access
   spanning-tree portfast
   ip dhcp snooping limit rate 15
  !
  interface GigabitEthernet1/1
   description : Connect to C3560_Gi0/1
   switchport trunk encapsulation dot1q
   switchport mode trunk
   ip dhcp snooping trust

  Configuration on the 3560:

  ip dhcp snooping vlan 10
  ip dhcp snooping
  !
  interface FastEthernet0/1
   description : Connect to PC2
   switchport access vlan 10
   switchport mode access
   spanning-tree portfast
   ip dhcp snooping limit rate 15
  !
  interface GigabitEthernet0/1
   description : Connect to C4503_Gi1/1
   switchport trunk encapsulation dot1q
   switchport mode trunk
   ip dhcp snooping trust

  Notes:

  In this example both the 4503 and the 3560 have DHCP snooping enabled. Because the 4503's downlink port is configured as trusted, DHCP requests from the 3560 are allowed through even though they already carry option 82, but no DHCP snooping binding is created for them. The 4503 therefore holds a binding entry for PC1 only and none for PC2.

  The 3560, acting as the access switch, supports DAI and IPSG; if both features are configured there, it is reasonable to trust that traffic coming from the 3560 has already been checked, so configuring the 4503's downlink as a trusted port is acceptable. Having no binding entry for PC2 on the 4503 also reduces the memory the system needs at run time.
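Added example (my own Python model, not the page's configuration or Cisco code) covering the decisions explained in sections 5 and 6: option 82 on an untrusted port, allow-untrusted, the per-port rate limit with errdisable, and a trusted uplink forwarding requests without learning a binding. The Port and Switch objects, the returned action strings and the option 82 byte layout (Cisco's default vlan-mod-port circuit-id and MAC remote-id suboptions) are assumptions; any packet bytes fed to parse_option82 are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    trusted: bool = False
    rate_limit: int = 15       # pps, enforced on untrusted ports; 0 = unlimited
    seen: int = 0              # requests seen in the current second
    errdisabled: bool = False

@dataclass
class Switch:
    name: str
    allow_untrusted: bool = False   # "ip dhcp snooping information option allow-untrusted"
    bindings: dict = field(default_factory=dict)   # mac -> (ip, vlan, port name)

def parse_option82(data: bytes) -> dict:
    # Cisco default suboptions (assumed layout): 1 = circuit-id, type 0, len 4,
    # VLAN:2 module:1 port:1 (vlan-mod-port); 2 = remote-id, type 0, len 6, switch MAC.
    out, i = {}, 0
    while i + 2 <= len(data):
        sub, ln = data[i], data[i + 1]
        body = data[i + 2:i + 2 + ln]
        if sub == 1 and ln == 6 and body[:2] == b"\x00\x04":
            out["circuit_id"] = (int.from_bytes(body[2:4], "big"), body[4], body[5])
        elif sub == 2 and ln == 8 and body[:2] == b"\x00\x06":
            out["remote_id"] = body[2:].hex(":")
        i += 2 + ln
    return out

def snoop_request(sw: Switch, port: Port, has_option82: bool) -> str:
    # Decision for a client DHCP request (DISCOVER/REQUEST) arriving on `port`.
    if port.errdisabled:
        return "drop: port errdisabled"
    if port.trusted:
        return "forward"       # trusted: passed through untouched, no binding learned
    port.seen += 1
    if port.rate_limit and port.seen > port.rate_limit:
        port.errdisabled = True
        return "errdisable: rate limit exceeded"
    if has_option82 and not sw.allow_untrusted:
        return "drop: option 82 on untrusted port"
    return "accept"

def snoop_ack(sw: Switch, client_port: Port, mac: str, ip: str, vlan: int) -> bool:
    # The server's ACK creates a binding only for a client behind an untrusted port.
    if client_port.trusted:
        return False
    sw.bindings[mac] = (ip, vlan, client_port.name)
    return True
```

Running the section 5 topology through it (3560 downlink untrusted with rate 360 and allow-untrusted) yields a binding for PC2 on GigabitEthernet0/1, while the section 6 topology (4503 downlink trusted) forwards PC2's request and learns nothing, matching the two binding tables shown.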

  C4503#show ip dhcp snooping binding
  MacAddress          IpAddress         Lease(sec)   Type            VLAN   Interface
  ------------------  ---------------   ----------   -------------   ----   --------------------
  00:0F:1F:C5:10:08   192.168.10.2      685618       dhcp-snooping   10     GigabitEthernet2/1

  C3560#show ip dhcp snooping binding
  MacAddress          IpAddress         Lease(sec)   Type            VLAN   Interface
  ------------------  ---------------   ----------   -------------   ----   --------------------
  00:0B:DB:08:21:E0   192.168.10.3      688023       dhcp-snooping   10     FastEthernet0
