DHCP Snooping Summary
Configuration on a Cisco device
In a Cisco network, when DHCP snooping is enabled on a device, that device inserts option 82 (the relay agent information option, see RFC 3046) into the client's DHCP request. Because the gateway IP address (giaddr) field in a client request is 0, a DHCP relay that receives such a packet discards it.
Although DHCP snooping is used to block rogue DHCP servers, it also plays an important role once the client has obtained a valid DHCP offer.
When DHCP snooping is enabled, the IP address obtained by the client and the client's MAC address are recorded against the corresponding interface.
This binding table is the basis for another feature, ARP inspection, which examines ARP requests and blocks invalid ones.
The table built by DHCP snooping is the reference for what is legitimate: because entries are only created when the DHCP server responds normally, the table contains the correct ARP information. If ARP attack traffic appears, ARP inspection can use the table to intercept the illegal ARP packets.
In practice this method also stops users from arbitrarily changing their IP addresses and causing address conflicts.
ip dhcp excluded-address 10.63.150.100 10.63.150.120  ! addresses not handed out by DHCP
!
ip dhcp pool main  ! defines the address pool
 network 10.63.144.0 255.255.255.0  ! network segment and address range used by the pool
 default-router 10.63.144.1  ! default gateway of the clients
 domain-name nbyzzj.cn  ! domain of the clients
 netbios-node-type h-node  ! NetBIOS node type of the clients; it affects how smoothly name resolution works, e.g. h-node resolves names through the WINS server
 dns-server 10.60.12.11  ! DNS server of the clients
 lease 7  ! address lease time of 7 days
ip dhcp snooping  ! enable DHCP snooping
ip dhcp snooping vlan 10-12,101-108,315  ! VLANs on which snooping is active
ip dhcp snooping database flash:dhcp-snooping.db  ! save the binding table in flash so it does not have to be rebuilt after a reload
ip arp inspection vlan 10-12,101-108,315  ! VLANs on which ARP inspection is active; decisions are based on the DHCP snooping binding table
ip arp inspection validate src-mac dst-mac ip  ! a valid client must pass the src-mac, dst-mac and ip checks
ip arp inspection log-buffer entries 1024  ! inspection log size
ip arp inspection log-buffer logs 1024 interval 300  ! inspection log refresh interval; too small an interval costs a lot of CPU time
!
!
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause arp-inspection
errdisable recovery interval 30
When Dynamic ARP Inspection is applied, the switch logs a large number of packets. When too many packets pass through a port, the switch considers itself under a DoS attack and automatically puts the port into errdisable, which interrupts communication. To recover from this automatically, add the command errdisable recovery cause arp-inspection.
no file verify auto
logging on  ! when logging is turned off the switch uses a large amount of CPU; do not forget to enable it
no spanning-tree loopguard default  ! loop guard should not be enabled globally
ip source binding 0004.76f6.e3e9 vlan 315 10.63.150.100 interface Gi1/0/11  ! manually add a static binding entry
!
interface GigabitEthernet1/0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip arp inspection limit none
 arp timeout 2
 ip dhcp snooping limit rate 100
Because a downstream switch hangs off this port, ARP inspection is not rate limited here, so that inspection cannot push the port into errdisable. If an access device is connected directly, ip arp inspection limit rate 100 can be used instead.
Related commands:
show logging  ! check whether Dynamic ARP Inspection (DAI) is taking effect
show ip dhcp snooping binding  ! check whether snooping is taking effect
show ip dhcp binding  ! check whether the DHCP server is working
show arp  ! check whether the ARP information is consistent with the DHCP snooping binding table
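The last check above, comparing the ARP table with the DHCP snooping binding table, can be scripted. The following is an added example, not part of the original post; it parses constructed sample output modelled on the show ip dhcp snooping binding and show arp formats and reports ARP entries whose MAC/IP pair has no binding, which is exactly the traffic DAI would drop (and, as the text notes, how a host that changed its IP address by hand shows up).

```python
import re

# Constructed sample output, modelled on the 'show ip dhcp snooping binding' format
BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:04:76:F6:E3:E9   10.63.150.100    infinite    static         315   GigabitEthernet1/0/11
00:1A:2B:3C:4D:5E   10.63.144.20     604800      dhcp-snooping  10    GigabitEthernet1/0/5
Total number of bindings: 2
"""
# Constructed 'show arp' output; the last entry is a host that changed its IP by hand
# while keeping the MAC that is bound to 10.63.144.20
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.63.144.1             -   0011.2233.4455  ARPA   Vlan10
Internet  10.63.144.20            3   001a.2b3c.4d5e  ARPA   Vlan10
Internet  10.63.144.99            1   001a.2b3c.4d5e  ARPA   Vlan10
"""

def norm_mac(mac: str) -> str:
    """Normalise 0004.76f6.e3e9 or 00:04:76:F6:E3:E9 to 000476f6e3e9."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_snooping_binding(text: str) -> dict:
    """Map (mac, ip) -> vlan for every binding line."""
    bindings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([0-9A-Fa-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+\S+\s+(\d+)", line)
        if m:
            bindings[(norm_mac(m.group(1)), m.group(2))] = int(m.group(3))
    return bindings

def parse_show_arp(text: str) -> list:
    """Return (ip, mac, interface) for learned entries; Age '-' marks the switch's own addresses."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+([0-9a-f.]{14})\s+ARPA\s+(\S+)", line)
        if m and m.group(2) != "-":
            entries.append((m.group(1), norm_mac(m.group(3)), m.group(4)))
    return entries

def unbound_arp_entries(binding_text: str, arp_text: str) -> list:
    """ARP entries whose (mac, ip) pair has no snooping binding: DAI would drop their ARP packets."""
    bindings = parse_snooping_binding(binding_text)
    return [e for e in parse_show_arp(arp_text) if (e[1], e[0]) not in bindings]

if __name__ == "__main__":
    for ip, mac, intf in unbound_arp_entries(BINDING_OUTPUT, ARP_OUTPUT):
        print(f"no snooping binding for {ip} / {mac} on {intf}")
```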
If a downstream switch supports DHCP snooping, it can be configured as follows:
ip dhcp snooping
interface g0/1  ! upstream port
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust  ! this port is trusted: DHCP server replies arriving on it are accepted, and DHCP servers on other ports are blocked from sending DHCP data
After testing: whether an address is obtained by DHCP or assigned statically, it only has to match the binding table; if no matching entry exists, the corresponding traffic is blocked.
If the DHCP relay service is used, enter the following on the gateway switch:
Method 1:
interface vlan10
 ip dhcp relay information trusted
Method 2:
Switch(config)# ip dhcp relay information trust-all
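The relay behaviour described at the start of this post (a client request carrying option 82 with giaddr 0 is discarded by the relay) and the fix just shown (trusting the relay information) can be modelled in a few lines. This is an added example, not from the original post: it builds a constructed DHCPDISCOVER for the client MAC used on the page (0004.76f6.e3e9), with and without an option 82 insert, and applies the relay's drop rule with and without the trusted setting.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MESSAGE_TYPE = 53
OPT_RELAY_AGENT_INFO = 82   # RFC 3046 relay agent information option
OPT_PAD, OPT_END = 0, 255

def parse_dhcp(packet: bytes):
    """Return (giaddr as dotted string, {option code: value}) from a raw DHCP payload."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    giaddr = ".".join(str(b) for b in packet[24:28])   # gateway IP address field
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        options[packet[i]] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return giaddr, options

def relay_decision(packet: bytes, information_trusted: bool = False) -> str:
    """What the relay does with a client request: option 82 present with giaddr 0.0.0.0
    is dropped unless relay information from the snooping switch is trusted."""
    giaddr, options = parse_dhcp(packet)
    if OPT_RELAY_AGENT_INFO in options and giaddr == "0.0.0.0" and not information_trusted:
        return "drop"
    return "relay"

def build_discover(with_option82: bool) -> bytes:
    """Constructed DHCPDISCOVER from client MAC 0004.76f6.e3e9 (from the page), giaddr 0."""
    chaddr = bytes.fromhex("000476f6e3e9") + b"\x00" * 10
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    opts = bytes([OPT_MESSAGE_TYPE, 1, 1])          # DHCPDISCOVER
    if with_option82:
        circuit_id = b"\x01\x06" + b"\x00\x04\x01\x3b\x01\x0b"   # sub-option 1, constructed value
        opts += bytes([OPT_RELAY_AGENT_INFO, len(circuit_id)]) + circuit_id
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])

if __name__ == "__main__":
    snooped = build_discover(with_option82=True)
    print("relay without 'information trusted':", relay_decision(snooped))
    print("relay with    'information trusted':", relay_decision(snooped, information_trusted=True))
```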