8.DHCP

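What is DHCP

DHCP (Dynamic Host Configuration Protocol) dynamically assigns IP addresses and other network parameters. This reduces the administrator's workload and avoids the address conflicts that arise when users configure network parameters by hand.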

DHCP lab (DHCP enabled on a router)

Network access parameters: IP address, subnet mask, gateway, DNS

Topology


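Here router R1 acts as the DHCP server; R2, PC1 and PC2 act as DHCP clients; SW1 is left unconfigured and simply forwards transparently.

Configuration

DHCP server configuration

Enable DHCP globally on R1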

[R1]dhcp enable 
Info: The operation may take a few seconds. Please wait for a moment.done.
[R1]

Create the DHCP address pools

[R1]ip pool qq                                                      #create address pool qq
Info: It's successful to create an IP address pool.
[R1-ip-pool-qq]network 192.168.1.0 mask 255.255.255.0               #assign IP range and mask
[R1-ip-pool-qq]gateway-list 192.168.1.1                             #assign gateway
[R1-ip-pool-qq]dns-list 192.168.1.1                                 #assign DNS
[R1-ip-pool-qq]lease day 0 hour 20                                  #change the lease time (optional)
[R1-ip-pool-qq]q
[R1]
[R1]ip pool qq2
Info: It's successful to create an IP address pool.
[R1-ip-pool-qq2]network 192.168.2.0 mask 255.255.255.0
[R1-ip-pool-qq2]gateway-list 192.168.2.1
[R1-ip-pool-qq2]dns-list 192.168.2.1
[R1-ip-pool-qq2]lease day 0 hour 20
[R1-ip-pool-qq2]q
[R1]
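static-bind ip-address 192.168.1.200 mac-address 5489-987a-575e   #bind a fixed IP to a MAC address (optional; IP pool view)
excluded-ip-address 192.168.1.250 192.168.1.254                   #exclude an address range (optional; IP pool view)

Configure IP addresses on the interfaces and enable DHCP in global address pool mode

[R1]inter gi 0/0/0                                                         #interface facing the users
[R1-GigabitEthernet0/0/0]ip address 192.168.1.1 24                         #configure the interface IP (i.e. the gateway)
[R1-GigabitEthernet0/0/0]dhcp select global                                #assign IP addresses from the locally configured global address pool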
[R1-GigabitEthernet0/0/0]inter gi 0/0/1
[R1-GigabitEthernet0/0/1]dhcp select global
[R1-GigabitEthernet0/0/1]ip add 192.168.2.1 24
[R1-GigabitEthernet0/0/1]q
[R1]

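An interface selects its address pool based on the interface's IP address.

dhcp select global (better described as setting the DHCP mode): Huawei and H3C require this command; Cisco does not.

  • global: assign IPs directly from the DHCP address pool on the router
  • interface: assign using the interface
  • relay: directly specify the address of the DHCP server

DHCP client configuration

PC1, PC2: select DHCP here and click OK.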


View the obtained IP


On AR2, configure the interface as a DHCP client

[R2]dhcp enable                                                                 #DHCP must be enabled globally here as well
Info: The operation may take a few seconds. Please wait for a moment.done.
[R2]inter GigabitEthernet 0/0/0
[R2-GigabitEthernet0/0/0]ip address dhcp-alloc                                  #set the interface to be a DHCP client
[R2-GigabitEthernet0/0/0]q
[R2]d
Sep 24 2023 18:46:14-08:00 R2 %%01IFNET/4/LINK_STATE(l)[0]:The line protocol IP 
on the interface GigabitEthernet0/0/0 has entered the UP state. 
[R2]

View the IP obtained by the interface

[R2]dis ip interface brief


Ping test

PC2 pings R2's IP address


View the DHCP allocation records

[R1]dis ip pool name qq used                      #show how the DHCP IP addresses are allocated


Reset the allocation records

<R1>reset ip pool name qq used                #reset the allocation records
Warning: If the IP addresses that are being used are reclaimed, may influence no
rmal user in the network. Are you sure to continue?[Y/N]:Y
<R1>

Interface-based DHCP

[R1-GigabitEthernet0/0/0]undo dhcp select global
[R1-GigabitEthernet0/0/0]q
[R1]undo ip pool qq
Warning: There are IP addresses allocated in the pool. Are you sure to delete the pool ?[Y/N]:Y
[R1]inter gi 0/0/0
[R1-GigabitEthernet0/0/0]dhcp select interface
[R1-GigabitEthernet0/0/0]dhcp server dns-list 192.168.1.1
[R1-GigabitEthernet0/0/0]dhcp server lease day 3
[R1-GigabitEthernet0/0/0]dis ip pool
dhcp server excluded-ip-address 192.168.1.1      #exclude an IP address

dhcp server lease day 3                          #change the DHCP lease time


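Re-acquiring the IP address on the PC:

Method 1. Run in cmd: ipconfig /renew

Method 2. The PC's address mode must first be switched from DHCP to static and then set back to DHCP before it can obtain an IP address again.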


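Pros and cons of the two approaches:

With interface-based DHCP, the assigned addresses are in the same subnet as the interface IP: not flexible, but convenient.

With a global address pool, the assigned addresses need not be in the same subnet as the interface: more flexible, but slightly more work to configure.

DHCP relay (dhcp relay)

DHCP server on the same LAN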


Configure DHCP relay on R1

[R1]inter gi 0/0/0
[R1-GigabitEthernet0/0/0]dis this
[V200R003C00]
#
interface GigabitEthernet0/0/0
 ip address 192.168.1.1 255.255.255.0 
 dhcp select interface
 dhcp server lease day 3 hour 0 minute 0 
 dhcp server dns-list 192.168.1.1 
#
return
[R1-GigabitEthernet0/0/0]undo dhcp select interface
Warning: There are IP addresses allocated in the pool. Are you sure to delete th
e pool?[Y/N]:Y
[R1-GigabitEthernet0/0/0]dhcp select relay
[R1-GigabitEthernet0/0/0]dhcp relay server-ip 192.168.1.2
[R1-GigabitEthernet0/0/0]q
[R1]

Configure the DHCP server on AR3

[R3]dhcp enable 
Info: The operation may take a few seconds. Please wait for a moment.done.
[R3]ip pool qq                                                                        #create the address pool
Info: It's successful to create an IP address pool.
[R3-ip-pool-qq]network 192.168.1.0 mask 255.255.255.0
[R3-ip-pool-qq]gateway-list 192.168.1.1
[R3-ip-pool-qq]dns-list 192.168.1.1
[R3-ip-pool-qq]q
[R3]
[R3]inter gi 0/0/0
[R3-GigabitEthernet0/0/0]ip add 192.168.1.2 24                                       #set the interface address
Sep 24 2023 22:06:40-08:00 R3 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP 
on the interface GigabitEthernet0/0/0 has entered the UP state.
[R3-GigabitEthernet0/0/0]dhcp select global                                          #enable DHCP on the interface
[R3-GigabitEthernet0/0/0]q
[R3]

Ping test


DHCP server not on the same LAN


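Change the interface IP of the DHCP server

[R3-GigabitEthernet0/0/0]ip address 192.168.3.1 24

On R1, change the DHCP server address

[R1-GigabitEthernet0/0/2]ip add 192.168.3.2 24                                 #set the interface IP

[R1-GigabitEthernet0/0/0]dhcp relay server-ip 192.168.3.1                      #change the DHCP server address

A static route must also be configured on the DHCP server at this point; otherwise it has no return route for its replies.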

[R3]ip route-static 192.168.1.0 24 192.168.3.2

Enabling DHCP on a switch


Enable the DHCP server on SW2

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys SW2
[SW2]dhcp enable
[SW2]ip pool qq
[SW2-ip-pool-qq]network 192.168.1.0 mask 255.255.255.0
[SW2-ip-pool-qq]gateway-list 192.168.1.1
[SW2-ip-pool-qq]dns-list 192.168.1.1
[SW2-ip-pool-qq]q
[SW2]ip pool qq2
[SW2-ip-pool-qq2]network 192.168.2.0 mask 255.255.255.0
[SW2-ip-pool-qq2]gateway-list 192.168.2.1
[SW2-ip-pool-qq2]dns-list 192.168.2.1
[SW2-ip-pool-qq2]q
[SW2]inter Vlanif 1
[SW2-Vlanif1]ip add 192.168.3.1 24
[SW2-Vlanif1]dhcp select global
[SW2-Vlanif1]q
[SW2]

Alternatively, set port gi 0/0/1 to trunk mode, allow VLAN 30 through, create a Vlanif in VLAN 30 with an IP address, and then enable global DHCP.

Configure DHCP relay on SW1 (the core switch)

<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]sys SW1
[SW1]vlan ba	
[SW1]vlan batch 10 20 30

[SW1]inter gi 0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access 
Sep 24 2023 23:44:44-08:00 SW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25
.191.3.1 configurations have been changed. The current change number is 6, the c
hange loop count is 0, and the maximum number of records is 4095.
Error: The interface is already a L2 interface.
[SW1-GigabitEthernet0/0/1]port default vlan 30

[SW1]inter gi 0/0/2
[SW1-GigabitEthernet0/0/2]port link-type trunk 
[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 10

[SW1]inter gi 0/0/3
[SW1-GigabitEthernet0/0/3]port link-type trunk
[SW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 20
[SW1-GigabitEthernet0/0/3]

[SW1]inter vlan 10
[SW1-Vlanif10]ip add 192.168.1.1 24
[SW1-Vlanif10]dhcp select relay
[SW1-Vlanif10]dhcp relay server-ip 192.168.3.1
[SW1-Vlanif10]
[SW1-Vlanif10]inter vlan 20
[SW1-Vlanif20]ip add 192.168.2.1 24
[SW1-Vlanif20]dhcp select relay 
[SW1-Vlanif20]dhcp relay server-ip 192.168.3.1
[SW1-Vlanif20]
[SW1-Vlanif20]inter vlan 30 
[SW1-Vlanif30]q

Configure the interfaces on SW3 and SW4 (trunk and VLAN)

[SW3]vlan 10
[SW3-vlan10]
[SW3-vlan10]q
[SW3]
[SW3]inter gi 0/0/2
[SW3-GigabitEthernet0/0/2]port link-type trunk 
[SW3-GigabitEthernet0/0/2]port trunk allow-pass vlan 10
[SW3-GigabitEthernet0/0/2]q
[SW3-GigabitEthernet0/0/2]inter gi 0/0/1
[SW3-GigabitEthernet0/0/1]port link-type access 
[SW3-GigabitEthernet0/0/1]port default vlan 10
[SW3-GigabitEthernet0/0/1]
<Huawei>sys
[Huawei]sys SW4
[SW4]vlan 20
[SW4-vlan20]q
[SW4]inter gi 0/0/1
[SW4-GigabitEthernet0/0/1]port link-type access 
[SW4-GigabitEthernet0/0/1]port default vlan 20
[SW4-GigabitEthernet0/0/1]inter gi 0/0/2
[SW4-GigabitEthernet0/0/2]port link-type trunk 
[SW4-GigabitEthernet0/0/2]port trunk allow-pass vlan 20
[SW4-GigabitEthernet0/0/2]q
[SW4]

SW2, i.e. the DHCP server, needs return routes added: two of them.

[SW2]ip route-static 192.168.1.0 24 192.168.3.2
[SW2]ip route-static 192.168.2.0 24 192.168.3.2
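
The pool selection and return-route behaviour used in the relay labs above, as an added Python example that is not part of the original post: the server matches the relay's giaddr (or, for a request that was not relayed, its own receiving interface IP) against the pool networks, and replies to the giaddr. The function names are hypothetical; the addresses are the ones configured in this lab.

```python
import ipaddress

# Pools as configured on SW2 in this lab.
POOLS = {
    "qq":  ipaddress.ip_network("192.168.1.0/24"),
    "qq2": ipaddress.ip_network("192.168.2.0/24"),
}

def select_pool(giaddr, ingress_ip, pools=POOLS):
    """Return the pool name a server in 'dhcp select global' mode would use.

    giaddr     -- relay agent address in the DHCP header ("0.0.0.0" when the
                  client sits on the server's own segment)
    ingress_ip -- IP of the server interface that received the request
    """
    key = ipaddress.ip_address(giaddr)
    if key.is_unspecified:              # not relayed: match the receiving interface
        key = ipaddress.ip_address(ingress_ip)
    for name, net in pools.items():
        if key in net:
            return name
    return None                         # no matching pool: the request goes unanswered

def return_route_needed(giaddr, ingress_ip, prefixlen=24):
    """True when the server's reply to the relay (giaddr) has to be routed."""
    relay = ipaddress.ip_address(giaddr)
    if relay.is_unspecified:
        return False
    local = ipaddress.ip_interface(f"{ingress_ip}/{prefixlen}").network
    return relay not in local
```

Vlanif10 and Vlanif20 on SW1 relay with giaddr 192.168.1.1 and 192.168.2.1, so SW2 picks qq and qq2 even though its own interface is 192.168.3.1, and both replies need the static routes shown above.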

Addresses are obtained successfully; ping test


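DHCP snooping (dhcp snooping)

Purpose of dhcp snooping: to prevent unauthorized DHCP servers from interfering with hosts on the LAN. Once dhcp snooping is enabled, interfaces are untrusted by default, and an untrusted interface drops any DHCP offer packet it receives.

Enable DHCP snooping on SW4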


Method 1: enable per interface

[SW4]dhcp enable 
Info: The operation may take a few seconds. Please wait for a moment.done.
[SW4]dhcp snooping enable                                                       #enable DHCP snooping globally
[SW4]
[SW4]interface gi 0/0/2	
[SW4-GigabitEthernet0/0/2]dhcp snooping enable                                  #enable on the interface
[SW4-GigabitEthernet0/0/2]inter gi 0/0/1
[SW4-GigabitEthernet0/0/1]dhcp snooping enable

By default, an interface with DHCP snooping enabled is in the untrust state, i.e. untrusted.

[SW4-GigabitEthernet0/0/1]display dhcp snooping
 DHCP snooping global running information :
 DHCP snooping                            : Enable                         DHCP snooping is enabled
 Static user max number                   : 1024    
 Current static user number               : 0       
 Dhcp user max number                     : 1024     (default)
 Current dhcp user number                 : 0       
 Arp dhcp-snooping detect                 : Disable  (default)
 Alarm threshold                          : 100      (default)
 Check dhcp-rate                          : Disable  (default)
 Dhcp-rate limit(pps)                     : 100      (default)
 Alarm dhcp-rate                          : Disable  (default)
 Alarm dhcp-rate threshold                : 100      (default)
 Discarded dhcp packets for rate limit    : 0       
 Bind-table autosave                      : Disable  (default)
 Offline remove mac-address               : Disable  (default)
 Client position transfer allowed         : Enable   (default)

 DHCP snooping running information for interface GigabitEthernet0/0/1 :
 DHCP snooping                            : Enable
 Trusted interface                        : No                             trusted interface: no
 Dhcp user max number                     : 1024     (default)
 Current dhcp user number                 : 0       
 Check dhcp-giaddr                        : Disable  (default)
 Check dhcp-chaddr                        : Disable  (default)
 Alarm dhcp-chaddr                        : Disable  (default)
 Check dhcp-request                       : Disable  (default)
 Alarm dhcp-request                       : Disable  (default)
 Check dhcp-rate                          : Disable  (default)
 Alarm dhcp-rate                          : Disable  (default)
 Alarm dhcp-rate threshold                : 100     
 Discarded dhcp packets for rate limit    : 0       
 Alarm dhcp-reply                         : Disable  (default)

 DHCP snooping running information for interface GigabitEthernet0/0/2 :
 DHCP snooping                            : Enable
 Trusted interface                        : No                             trusted interface: no
 Dhcp user max number                     : 1024     (default)
 Current dhcp user number                 : 0       
 Check dhcp-giaddr                        : Disable  (default)
 Check dhcp-chaddr                        : Disable  (default)
 Alarm dhcp-chaddr                        : Disable  (default)
 Check dhcp-request                       : Disable  (default)
 Alarm dhcp-request                       : Disable  (default)
 Check dhcp-rate                          : Disable  (default)
 Alarm dhcp-rate                          : Disable  (default)
 Alarm dhcp-rate threshold                : 100     
 Discarded dhcp packets for rate limit    : 0       
 Alarm dhcp-reply                         : Disable  (default)

[SW4-GigabitEthernet0/0/1]

Releasing and re-acquiring the IP address on PC4 reports that no DHCP server can be found.


Configure the interfaces as trusted

[SW4-GigabitEthernet0/0/1]dhcp snooping trusted
[SW4-GigabitEthernet0/0/1]inter gi 0/0/2
[SW4-GigabitEthernet0/0/2]dhcp snooping trusted
[SW4-GigabitEthernet0/0/2]dis this
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
 dhcp snooping enable                             #makes no difference whether this is present
 dhcp snooping trusted
#
return
[SW4-GigabitEthernet0/0/2]


View the DHCP snooping status


Method 2: enable per VLAN

Once DHCP snooping is enabled for a VLAN, all interfaces in that VLAN are untrusted by default.

[SW4]dis this
dhcp enable
#
dhcp snooping enable
#
return
[SW4]dhcp snooping enable vlan 20
[SW4]dis dhcp snooping 
 DHCP snooping global running information :
 DHCP snooping                            : Enable   
 Static user max number                   : 1024    
 Current static user number               : 0       
 Dhcp user max number                     : 1024     (default)
 Current dhcp user number                 : 0       
 Arp dhcp-snooping detect                 : Disable  (default)
 Alarm threshold                          : 100      (default)
 Check dhcp-rate                          : Disable  (default)
 Dhcp-rate limit(pps)                     : 100      (default)
 Alarm dhcp-rate                          : Disable  (default)
 Alarm dhcp-rate threshold                : 100      (default)
 Discarded dhcp packets for rate limit    : 0       
 Bind-table autosave                      : Disable  (default)
 Offline remove mac-address               : Disable  (default)
 Client position transfer allowed         : Enable   (default)

 DHCP snooping running information for VLAN 20 :
 DHCP snooping                            : Enable   
 Dhcp user max number                     : 1024     (default)
 Current dhcp user number                 : 0       
 Check dhcp-giaddr                        : Disable  (default)
 Check dhcp-chaddr                        : Disable  (default)
 Check dhcp-request                       : Disable  (default)
 Check dhcp-rate                          : Disable  (default)

[SW4]

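Releasing and re-acquiring the IP address on PC4 reports that no DHCP server can be found.

After the trusted interfaces are configured, things return to normal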

[SW4-GigabitEthernet0/0/1]dhcp snooping trusted
[SW4-GigabitEthernet0/0/1]inter gi 0/0/2
[SW4-GigabitEthernet0/0/2]dhcp snooping trusted
[SW4-GigabitEthernet0/0/2]dis dhcp snooping


Two ways to enable DHCP snooping for a VLAN

[SW4]dhcp snooping enable vlan 20

is equivalent to

[SW4]vlan 20
[SW4-vlan20]dhcp snooping enable

------------------------------------------------

[SW4-vlan20]dis this
#
vlan 20
 dhcp snooping enable
#
return
[SW4-vlan20]
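
A check for trust placement in the snooping configuration above, as an added Python example that is not part of the original post. It reads config text in the `dis this` layout shown on this page and reports access ports marked trusted (a trusted port does not drop DHCP server replies), access ports not covered by snooping, and the no-trusted-port state in which PC4 could not find a server. The function names are hypothetical, and it assumes access ports face clients while the trunk leads toward the DHCP server.

```python
# Constructed sample mirroring SW4 (assumed: Gi0/0/1 faces PC4, Gi0/0/2 is the uplink).
SAMPLE = """\
dhcp snooping enable
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 20
 dhcp snooping enable
 dhcp snooping trusted
#
interface GigabitEthernet0/0/2
 port link-type trunk
 dhcp snooping enable
 dhcp snooping trusted
#
"""

def parse(config):
    """Map each top-level config line to the set of indented lines under it."""
    out, cur = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and cur is not None:
            out[cur].add(line.strip())
        elif line.strip() not in ("", "#"):
            cur = line.strip()
            out[cur] = set()
    return out

def audit_snooping(config):
    """Return [(scope, finding)] about DHCP snooping trust placement."""
    cfg = parse(config)
    if "dhcp snooping enable" not in cfg:
        return [("global", "snooping not enabled globally")]
    vlans = {h.split()[1] for h, b in cfg.items() if h.startswith("vlan ") and "dhcp snooping enable" in b}
    findings, trusted = [], 0
    for head, body in cfg.items():
        if not head.startswith("interface "):
            continue
        name, access = head.split()[1], "port link-type access" in body
        pvid = next((l.split()[-1] for l in body if l.startswith("port default vlan")), "1")
        if "dhcp snooping trusted" in body:
            trusted += 1
            if access:
                findings.append((name, "trusted access port accepts server replies"))
        elif access and "dhcp snooping enable" not in body and pvid not in vlans:
            findings.append((name, "access port not covered by snooping"))
    if trusted == 0:
        findings.append(("global", "no trusted port: clients get no offer"))
    return findings
```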
posted @ 2023-09-05 23:47  姬雨晨