The DHCP method is used to assign IP addresses to users, and then restrict these users to use dynamic IP addresses only. If they are changed to static IP addresses, they cannot connect to the network; that is, dhcp snooping is used.
Example:
Version 12.1:
No service pad
Service timestamps debug uptime
Service timestamps log uptime
No service password-encryption
Service compress-config
!
Hostname C4-2_4506
!
Enable password xxxxxxx!
Clock timezone GMT 8
Ip subnet-zero
No ip domain-lookup
!
Ip dhcp snooping vlan 180-181 // which VLANs are restricted
Ip dhcp snooping
Ip arp inspection vlan 180-181
Ip arp inspection validate src-mac dst-mac ip
Errdisable recovery cause udld
Errdisable recovery cause bpduguard
Errdisable recovery cause security-violation
Errdisable recovery cause channel-misconfig
Errdisable recovery cause pagp-flap
Errdisable recovery cause dtp-flap
Errdisable recovery cause link-flap
Errdisable recovery cause l2ptguard
Errdisable recovery cause vulnerability cure-violation
Errdisable recovery cause gbic-invalid
Errdisable recovery cause dhcp-rate-limit
Errdisable recovery cause unicast-flood
Errdisable recovery cause vmps
Errdisable recovery cause arp-inspection
Errdisable recovery interval 30
Spanning-tree extend system-id
!
!
Interface GigabitEthernet2/1 // restrict the users connected to this port. You can subscribe to a vswitch.
Ip arp inspection limit rate 100
Arp timeout 2
Ip dhcp snooping limit rate: 100
!
Interface GigabitEthernet2/2
Ip arp inspection limit rate 100
Arp timeout 2
Ip dhcp snooping limit rate: 100
!
Interface GigabitEthernet2/3
Ip arp inspection limit rate 100
Arp timeout 2
Ip dhcp snooping limit rate: 100
!
Interface GigabitEthernet2/4
Ip arp inspection limit rate 100
Arp timeout 2
Ip dhcp snooping limit rate: 100
Note: DHCP Snooping
DAI, Dynamic ARP Inspection
IP Source Guard
DHCP Interface Tracker (Option 82)
The device is very limited and can be used between the 3550---4000 series to prevent layer-2 internal attacks. The same VLAN prevents unauthorized establishment of DHCP SERVER