Huawei DHCP Snooping Configuration Example.docx
- Document ID: 5201314
- Upload date: 2022-12-13
- Format: DOCX
- Pages: 12
- Size: 16.50 KB
Huawei DHCP Snooping Configuration Example
DHCP Snooping configuration
Date:
2021.03.12
Author:
欧阳文
This document introduces the principles of DHCP Snooping and how to configure it, and gives a configuration example.
Example: configuring the attack defence functions of DHCP Snooping
Networking requirements
As shown in Figure 9-13, SwitchA and SwitchB are access devices and SwitchC is the DHCP relay. Client1 and Client2 connect to SwitchA through GE0/0/1 and GE0/0/2 respectively, and Client3 connects to SwitchB through GE0/0/1. Client1 and Client3 obtain IPv4 addresses through DHCP, while Client2 uses a statically configured IPv4 address.
Attacks by unauthorised users on the network prevent legitimate users from obtaining IP addresses. The administrator wants to prevent attacks against DHCP on the network and provide better service to DHCP users.
Figure 9-13 Networking for configuring the attack defence functions of DHCP Snooping
Configuration roadmap
Configure SwitchC as follows.
1. Enable DHCP Snooping and configure the device to process only DHCPv4 packets.
2. Configure the trusted state of the interfaces so that clients obtain IP addresses from a legitimate server.
3. Enable the association between ARP and DHCP Snooping so that the binding table is updated promptly when a DHCP user goes offline abnormally.
4. Enable generation of static MAC entries on interfaces from the DHCP Snooping binding table, to prevent attacks from non-DHCP users.
5. Enable the binding-table matching check on DHCP packets, to prevent attacks with forged DHCP packets.
6. Configure the maximum rate at which DHCP packets are sent to the DHCP packet processing unit, to prevent DHCP packet flooding attacks.
7. Configure the maximum number of access users and enable the check that the frame-header MAC address of a DHCP Request packet matches the CHADDR field in the DHCP data area, to prevent denial-of-service attacks against the DHCP server.
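Several of the untrusted-interface checks this roadmap configures (server replies accepted only from trusted interfaces, the GIADDR check, the CHADDR-versus-frame-MAC check, and an alarm once discards reach a threshold) modelled in Python over constructed frames, as an added example that is not part of the Huawei document. The frame builder, the field offsets and the sample MAC addresses are assumptions based on the standard BOOTP/DHCP header layout; the 120-packet threshold matches the alarm threshold configured later in this example.

```python
# Added example (not from the Huawei document): a model of the untrusted-port
# DHCPv4 checks configured in this example, run over constructed frames.
import struct

BOOTREQUEST, BOOTREPLY = 1, 2

def parse_dhcp_frame(frame: bytes) -> dict:
    """Pull the frame source MAC and the DHCP op, GIADDR and CHADDR fields."""
    src_mac = frame[6:12]
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length
    dhcp = frame[14 + ihl + 8:]                   # skip IPv4 and 8-byte UDP header
    hlen = dhcp[2]                                # hardware address length (6 for Ethernet)
    return {"src_mac": src_mac, "op": dhcp[0],
            "giaddr": dhcp[24:28], "chaddr": dhcp[28:28 + hlen]}

def snooping_verdict(frame: bytes, trusted: bool):
    """None means forward; otherwise the name of the check that drops the frame."""
    if trusted:                                   # trusted interfaces are not checked
        return None
    p = parse_dhcp_frame(frame)
    if p["op"] == BOOTREPLY:                      # server replies only via trusted interfaces
        return "dhcp-reply"
    if p["giaddr"] != bytes(4):                   # check dhcp-giaddr: clients leave GIADDR zero
        return "dhcp-giaddr"
    if p["chaddr"] != p["src_mac"]:               # check dhcp-chaddr: CHADDR must match header MAC
        return "dhcp-chaddr"
    return None

def run_port(frames, trusted=False, alarm_threshold=120):
    """Apply the checks to the frames seen on one interface; return the discard
    counter per check and the checks whose counter reached the alarm threshold."""
    counts = {"dhcp-reply": 0, "dhcp-giaddr": 0, "dhcp-chaddr": 0}
    for frame in frames:
        reason = snooping_verdict(frame, trusted)
        if reason:
            counts[reason] += 1
    return counts, [k for k, n in counts.items() if n >= alarm_threshold]

def build_frame(src_mac: bytes, op: int, chaddr: bytes, giaddr: bytes = bytes(4)) -> bytes:
    """Constructed sample: broadcast Ethernet + minimal IPv4 + UDP 68->67 + BOOTP header."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x00"
    ip = (b"\x45\x00" + struct.pack("!H", 20 + 8 + 240) + bytes(4)
          + b"\x40\x11" + bytes(2) + bytes(4) + b"\xff" * 4)   # TTL 64, protocol UDP
    udp = struct.pack("!HHHH", 68, 67, 8 + 240, 0)
    dhcp = (bytes([op, 1, len(chaddr), 0]) + bytes(20) + giaddr
            + chaddr.ljust(16, b"\x00") + bytes(192) + b"\x63\x82\x53\x63")
    return eth + ip + udp + dhcp
```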
Procedure
1. Enable DHCP Snooping.
# Enable DHCP Snooping globally and configure the device to process only DHCPv4 packets.
[HUAWEI] sysname SwitchC
[SwitchC] dhcp enable
[SwitchC] dhcp snooping enable ipv4
# Enable DHCP Snooping on the user-side interfaces.
GE0/0/1 is used as an example; the configuration of GE0/0/2 is the same and is omitted here.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping enable
[SwitchC-GigabitEthernet0/0/1] quit
2. Configure the trusted state of the interfaces: set the interface connected to the DHCP server to "Trusted".
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] dhcp snooping trusted
[SwitchC-GigabitEthernet0/0/3] quit
3. Enable the association between ARP and DHCP Snooping.
[SwitchC] arp dhcp-snooping-detect enable
4. Enable generation of static MAC entries on interfaces from the DHCP Snooping binding table.
# Configure this on the user-side interfaces.
GE0/0/1 is used as an example; the configuration of GE0/0/2 is the same and is omitted here.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping sticky-mac
[SwitchC-GigabitEthernet0/0/1] quit
5. Enable the binding-table matching check on DHCP packets.
# Configure this on the user-side interfaces.
GE0/0/1 is used as an example; the configuration of GE0/0/2 is the same and is omitted here.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping check dhcp-request enable
[SwitchC-GigabitEthernet0/0/1] quit
6. Configure the maximum rate at which DHCP packets are sent to the DHCP packet processing unit as 90 pps.
[SwitchC] dhcp snooping check dhcp-rate enable
[SwitchC] dhcp snooping check dhcp-rate 90
7. Enable the check of whether the GIADDR field in DHCP Request packets is non-zero.
# Configure this on the user-side interfaces.
GE0/0/1 is used as an example; the configuration of GE0/0/2 is the same and is omitted here.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping check dhcp-giaddr enable
[SwitchC-GigabitEthernet0/0/1] quit
8. Configure the maximum number of access users allowed on the interface and enable the CHADDR field check.
# Configure this on the user-side interfaces.
GE0/0/1 is used as an example; the configuration of GE0/0/2 is the same and is omitted here.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping max-user-number 20
[SwitchC-GigabitEthernet0/0/1] dhcp snooping check dhcp-chaddr enable
[SwitchC-GigabitEthernet0/0/1] quit
9. Configure the discarded-packet alarm and the packet rate-limit alarm.
# Enable the discarded-packet alarm and configure its threshold.
GE0/0/1 is used as an example; the configuration of GE0/0/2 is the same and is omitted here.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr enable
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request enable
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply enable
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr threshold 120
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request threshold 120
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply threshold 120
[SwitchC-GigabitEthernet0/0/1] quit
# Enable the packet rate-limit alarm and configure its threshold.
[SwitchC] dhcp snooping alarm dhcp-rate enable
[SwitchC] dhcp snooping alarm dhcp-rate threshold 500
10. Verify the configuration.
# Run the display dhcp snooping configuration command to check the DHCP Snooping configuration.
[SwitchC] display dhcp snooping configuration
dhcp snooping enable ipv4
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
dhcp snooping alarm dhcp-rate enable
dhcp snooping alarm dhcp-rate threshold 500
arp dhcp-snooping-detect enable
interface GigabitEthernet0/0/1
 dhcp snooping enable
 dhcp snooping check dhcp-giaddr enable
 dhcp snooping check dhcp-request enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 120
 dhcp snooping check dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 120
 dhcp snooping alarm dhcp-reply enable
 dhcp snooping alarm dhcp-reply threshold 120
 dhcp snooping max-user-number 20
interface GigabitEthernet0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-giaddr enable
 dhcp snooping check dhcp-request enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 120
 dhcp snooping check dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 120
 dhcp snooping alarm dhcp-reply enable
 dhcp snooping alarm dhcp-reply threshold 120
 dhcp snooping max-user-number 20
interface GigabitEthernet0/0/3
 dhcp snooping trusted
# Run the display dhcp snooping interface command to check the DHCP Snooping running information on the interfaces.
[SwitchC] display dhcp snooping interface gigabitethernet 0/0/1
 DHCP snooping running information for interface GigabitEthernet0/0/1 :
 DHCP snooping                              : Enable
 Trusted interface                          : No
 Dhcp user max number                       : 20
 Current dhcp and nd user number            : 0
 Check dhcp-giaddr                          : Enable
 Check dhcp-chaddr                          : Enable
 Alarm dhcp-chaddr                          : Enable
 Alarm dhcp-chaddr threshold                : 120
 Discarded dhcp packets for check chaddr    : 0
 Check dhcp-request                         : Enable
 Alarm dhcp-request                         : Enable
 Alarm dhcp-request threshold               : 120
 Discarded dhcp packets for check request   : 0
 Check dhcp-rate                            : Disable (default)
 Alarm dhcp-rate                            : Disable (default)
 Alarm dhcp-rate threshold                  : 500
 Discarded dhcp packets for rate limit      : 0
 Alarm dhcp-reply                           : Enable
 Alarm dhcp-reply threshold                 : 120
 Discarded dhcp packets for check reply     : 0
[SwitchC] display dhcp snooping interface gigabitethernet 0/0/3
 DHCP snooping running information for interface GigabitEthernet0/0/3 :
 DHCP snooping                              : Disable (default)
 Trusted interface                          : Yes
 Dhcp user max number                       : 1024 (default)
 Current dhcp and nd user number            : 0
 Check dhcp-giaddr                          : Disable (default)
 Check dhcp-chaddr                          : Disable (default)
 Alarm dhcp-chaddr                          : Disable (default)
 Check dhcp-request                         : Disable (default)
 Alarm dhcp-request                         : Disable (default)
 Check dhcp-rate                            : Disable (default)
 Alarm dhcp-rate                            : Disable (default)
 Alarm dhcp-rate threshold                  : 500
 Discarded dhcp packets for rate limit      : 0
 Alarm dhcp-reply                           : Disable (default)
Configuration file
# Configuration file of SwitchC
#
 sysname SwitchC
#
dhcp enable
#
dhcp snooping enable ipv4
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
dhcp snooping alarm dhcp-rate enable
dhcp snooping alarm dhcp-rate threshold 500
arp dhcp-snooping-detect enable
#
interface GigabitEthernet0/0/1
 dhcp snooping sticky-mac
 dhcp snooping enable
 dhcp snooping check dhcp-giaddr enable
 dhcp snooping check dhcp-request enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 120
 dhcp snooping check dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 120
 dhcp snooping alarm dhcp-reply enable
 dhcp snooping alarm dhcp-reply threshold 120
 dhcp snooping max-user-number 20
#
interface GigabitEthernet0/0/2
 dhcp snooping sticky-mac
 dhcp snooping enable
 dhcp snooping check dhcp-request enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 120
 dhcp snooping check dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 120
 dhcp snooping alarm dhcp-reply enable
 dhcp snooping alarm dhcp-reply threshold 120
 dhcp snooping max-user-number 20
#
interface GigabitEthernet0/0/3
 dhcp snooping trusted
#
return