[Experimental environment]
Cisco Packet Tracer 5.3.2
[Tutorial Objective]
Use a layer-3 switch with DHCP relay so that multiple VLANs can share the same DHCP server.
VLAN division can effectively reduce the impact of ARP spoofing and broadcast storms. Combined with DAI (Dynamic ARP Inspection) and similar technologies, the harm of ARP spoofing attacks can be minimized. Because the simulator cannot do DAI, that lab will be performed on real hardware later. Having multiple VLANs use the same DHCP server is not only a prerequisite for DAI later, it also solves the problem of address conflicts caused by users arbitrarily changing IP addresses.
[Experiment topology]
[Lab environment]
Simulate a school lab: one DHCP server (8.8.8.8, in VLAN 100), one 3560 layer-3 switch, and four C2950 access-layer switches connected to it. Create four VLANs on the 3560 and add the ports facing the access-layer switches to their respective VLANs. Each host obtains its IP address automatically through DHCP.
[Experiment steps]
1. Configure the DHCP server: set its IP address to 8.8.8.8/24 and its gateway address to 8.8.8.254. The DHCP IP address pools are divided as follows:
The default address pool cannot be renamed because of a limitation of the PT simulator itself. In a real-hardware environment, the default address pool is the address pool of VLAN 10. The gateways of the VLANs are 192.168.10.254, 192.168.20.254, 192.168.30.254, and 192.168.40.254, respectively. Each pool is given a different starting IP address so that the allocation is easy to verify later.
2. Configure the layer-3 switch: create the VLANs and add each port to the corresponding VLAN. The port where the DHCP server is connected is added to VLAN 100 (VLAN 1 is not used, for security reasons).
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 30
 switchport mode access
!
interface FastEthernet0/4
 switchport access vlan 40
 switchport mode access
!
interface FastEthernet0/24
 switchport access vlan 100
 switchport mode access
!
3. Enable routing on the layer-3 switch, then configure the corresponding VLAN interfaces and DHCP relay.
DHCP relay configuration is very simple: use "ip helper-address" on each VLAN interface to specify the IP address of the DHCP server. Because multiple address pools (DHCP scopes) are configured on the DHCP server, the address in the gateway IP address field (GIADDR) of the relayed packet identifies which DHCP scope provides the IP address lease; it is usually the same as the gateway address of that scope.
ip routing
interface Vlan10
 ip address 192.168.10.254 255.255.255.0
 ip helper-address 8.8.8.8
!
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 8.8.8.8
!
interface Vlan30
 ip address 192.168.30.254 255.255.255.0
 ip helper-address 8.8.8.8
!
interface Vlan40
 ip address 192.168.40.254 255.255.255.0
 ip helper-address 8.8.8.8
!
! Based on the principle of DHCP relay, the layer-3 switch must have a route to the DHCP server
interface Vlan100
 ip address 8.8.8.254 255.255.255.0
!
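Added example, not from the original tutorial: Python that builds a constructed DHCPDISCOVER, stamps GIADDR the way the relay on a VLAN interface does (RFC 1542 behaviour), and selects the scope on the server side. The scope start addresses are assumed from the leases seen in step 5; the function names and the client MAC are hypothetical.

```python
import ipaddress
import struct

# Gateways are the VLAN interface addresses from step 3; the start addresses
# are an assumption taken from the leases observed in step 5.
SCOPES = {
    "192.168.10.254": "192.168.10.1",
    "192.168.20.254": "192.168.20.2",
    "192.168.30.254": "192.168.30.50",
    "192.168.40.254": "192.168.40.100",
}
PREFIX_LEN = 24  # every scope in the lab uses 255.255.255.0


def build_discover(mac: bytes, xid: int) -> bytes:
    """Constructed client DHCPDISCOVER (BOOTP header + cookie); giaddr is 0."""
    # op=1 BOOTREQUEST, htype=1 Ethernet, hlen=6, hops=0, xid, secs, broadcast flag
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)
    hdr += b"\x00" * 16                  # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac.ljust(16, b"\x00")        # chaddr
    hdr += b"\x00" * 192                 # sname (64) + file (128)
    return hdr + b"\x63\x82\x53\x63"     # DHCP magic cookie


def relay(packet: bytes, svi_address: str) -> bytes:
    """Relay agent: fill giaddr with the receiving interface IP, bump hops."""
    pkt = bytearray(packet)
    if pkt[24:28] == b"\x00" * 4:        # a non-zero giaddr is never overwritten
        pkt[24:28] = ipaddress.IPv4Address(svi_address).packed
    pkt[3] += 1                          # hops counter
    return bytes(pkt)


def select_scope(packet: bytes):
    """DHCP server: pick the scope whose subnet contains giaddr."""
    giaddr = ipaddress.IPv4Address(packet[24:28])
    if giaddr.is_unspecified:
        return None                      # not relayed, no remote scope applies
    for gateway, start in SCOPES.items():
        net = ipaddress.ip_network(f"{gateway}/{PREFIX_LEN}", strict=False)
        if giaddr in net:
            return str(net), start
    return None                          # relayed from a subnet with no scope


if __name__ == "__main__":
    pkt = relay(build_discover(bytes.fromhex("00d0bc112233"), 0x1234), "192.168.30.254")
    print(select_scope(pkt))
```
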
4. View the routing information on the layer-3 switch
Switch#sh ip ro
8.0.0.0/24 is subnetted, 1 subnets
C 8.8.8.0 is directly connected, Vlan100
C 192.168.10.0/24 is directly connected, Vlan10
C 192.168.20.0/24 is directly connected, Vlan20
C 192.168.30.0/24 is directly connected, Vlan30
C 192.168.40.0/24 is directly connected, Vlan40
5. Verify DHCP allocation
PC0: 192.168.10.1/24
PC1: 192.168.20.2/24
PC2: 192.168.30.50/24
PC3: 192.168.40.100/24