DHCP Snooping
Requirement: clients may obtain an IP address only from the legitimate DHCP server; DHCP Offer messages sent by any other DHCP server are dropped outright. This is a lab simulation; the network topology is as follows:
SW4 configuration commands (VLAN only; DHCP Snooping is not configured yet):
<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname sw4
[sw4]vlan 100
[sw4-vlan100]quit
[sw4]port-group group-member Ethernet 0/0/1 to Ethernet 0/0/6
[sw4-port-group]port link-type access
[sw4-port-group]port default vlan 100
[sw4-port-group]quit
Configuration commands on the legitimate DHCP server:
<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname DHCP
[DHCP]dhcp enable
[DHCP]interface GigabitEthernet 0/0/0
[DHCP-GigabitEthernet0/0/0]ip address 1.1.1.1 24
[DHCP-GigabitEthernet0/0/0]dhcp select interface
[DHCP-GigabitEthernet0/0/0]dhcp server dns-list 8.8.8.8
Configuration commands on the rogue DHCP server:
<Huawei>system-view
[Huawei]undo info-center enable
[Huawei]sysname feifa
[feifa]dhcp enable
[feifa]interface GigabitEthernet 0/0/0
[feifa-GigabitEthernet0/0/0]ip address 2.2.2.2 24
[feifa-GigabitEthernet0/0/0]dhcp select interface
[feifa-GigabitEthernet0/0/0]dhcp server dns-list 9.9.9.9
Now let the client obtain an IP address automatically and see whose lease it ends up with: the client received an address handed out by the rogue server, which violates our requirement.
We add a few more commands on the access switch SW4 to achieve the behaviour we want:
[sw4]dhcp enable                          # enable DHCP on the switch
[sw4]dhcp snooping enable                 # enable DHCP Snooping globally
[sw4]dhcp snooping enable vlan 100        # enable Snooping on every port in VLAN 100
[sw4]interface Ethernet0/0/1              # enter the interface that faces the legitimate server
[sw4-Ethernet0/0/1]dhcp snooping trusted  # trust DHCP messages received on this interface
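To make the trust rule concrete, here is an added Python model of what the switch does after these commands (it is illustrative code, not Huawei's implementation): server-side DHCP messages (Offer/ACK/NAK) are forwarded only from trusted ports, and a binding table is built from the ACKs that do pass. The client MAC, the offered addresses and the assumption that the rogue server sits on Ethernet0/0/2 are constructed for the example.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a trusted port may source these
CLIENT_MSGS = {"DISCOVER", "REQUEST"}

@dataclass
class DhcpMsg:
    kind: str         # DISCOVER / OFFER / REQUEST / ACK / NAK
    in_port: str      # switch port the frame arrived on
    vlan: int
    client_mac: str   # chaddr
    yiaddr: str = ""  # address offered/assigned (server messages only)
    server_ip: str = ""

@dataclass
class SnoopingSwitch:
    snooping_vlans: set
    trusted_ports: set
    client_port: dict = field(default_factory=dict)  # mac -> port seen in DISCOVER/REQUEST
    bindings: dict = field(default_factory=dict)     # mac -> (ip, port, vlan)

    def handle(self, m: DhcpMsg) -> str:
        """Return 'forward' or 'drop' and maintain the snooping binding table."""
        if m.vlan not in self.snooping_vlans:
            return "forward"                 # snooping not enabled here: no filtering
        if m.kind in SERVER_MSGS and m.in_port not in self.trusted_ports:
            return "drop"                    # server reply on an untrusted port: rogue
        if m.kind in CLIENT_MSGS:
            self.client_port[m.client_mac] = m.in_port
        elif m.kind == "ACK":                # lease confirmed by a trusted server
            port = self.client_port.get(m.client_mac, m.in_port)
            self.bindings[m.client_mac] = (m.yiaddr, port, m.vlan)
        return "forward"

def run_lab():
    """Replay the page's topology: SW4 trusts only Ethernet0/0/1 in VLAN 100."""
    sw4 = SnoopingSwitch(snooping_vlans={100}, trusted_ports={"Ethernet0/0/1"})
    client = "00:11:22:33:44:55"             # constructed client MAC on Ethernet0/0/3
    flow = [
        DhcpMsg("DISCOVER", "Ethernet0/0/3", 100, client),
        DhcpMsg("OFFER", "Ethernet0/0/2", 100, client, "2.2.2.10", "2.2.2.2"),  # feifa (assumed port)
        DhcpMsg("OFFER", "Ethernet0/0/1", 100, client, "1.1.1.10", "1.1.1.1"),  # legitimate server
        DhcpMsg("REQUEST", "Ethernet0/0/3", 100, client),
        DhcpMsg("ACK", "Ethernet0/0/1", 100, client, "1.1.1.10", "1.1.1.1"),
    ]
    decisions = [sw4.handle(m) for m in flow]
    return decisions, sw4.bindings
```

The rogue Offer is the only message dropped, and the binding table ends up holding the lease from 1.1.1.1 tied to the client's own port, which is what later features such as IP source guard consult.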