In a Cisco network, a switch with DHCP snooping enabled inserts option 82 (the relay agent information option; for details, see RFC 3046) into the DHCP request it forwards for a client. The gateway IP address (giaddr) in such a request is still 0, so once the DHCP relay device detects a packet that carries option 82 with giaddr 0, it discards it.
DHCP snooping is mainly used to block rogue DHCP servers, but it also plays an important role after a client has obtained a valid DHCP offer. With DHCP snooping enabled, the IP address the client obtained and the client's MAC address are recorded against the interface on which they were learned. This binding table is the basis for another technology, Dynamic ARP Inspection (DAI). ARP inspection examines ARP requests and blocks invalid ones, using the table built by DHCP snooping as the standard of legitimacy. The table is filled in when the DHCP server replies normally, so it holds the correct ARP information; if ARP attack traffic appears at that point, ARP inspection can intercept the illegal ARP packets. In practice this also stops users from arbitrarily changing their IP addresses and causing address conflicts.
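To make the option 82 behaviour described above concrete, here is an added example (not code from the original article or from Cisco) that builds a DHCPDISCOVER with a constructed option 82, parses the BOOTP header and the RFC 3046 sub-options (circuit-id and remote-id), and reproduces the relay decision: a client request that already carries option 82 while giaddr is 0.0.0.0 is dropped unless the relay is configured to trust such packets (the `ip dhcp relay information trusted` setting shown at the end of the article). All packet contents, MAC addresses and the circuit-id/remote-id encodings are constructed sample values.

```python
import struct

# Constructed sample data, not captured from the page's network: a DHCPDISCOVER
# as an access switch with DHCP snooping would forward it, option 82 inserted
# and giaddr still 0.0.0.0.
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_MESSAGE_TYPE = 53
OPT_RELAY_AGENT_INFO = 82      # RFC 3046 relay agent information option
OPT_END = 255
SUBOPT_CIRCUIT_ID = 1          # RFC 3046 sub-option: port/VLAN the request came in on
SUBOPT_REMOTE_ID = 2           # RFC 3046 sub-option: identity of the inserting switch
BOOTREQUEST = 1


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_sample_discover(giaddr="0.0.0.0", with_option82=True):
    """Build a minimal BOOTP/DHCP DISCOVER frame (constructed test data)."""
    # op, htype (Ethernet), hlen, hops, xid, secs, flags (broadcast bit set)
    hdr = struct.pack("!BBBBIHH", BOOTREQUEST, 1, 6, 0, 0x12345678, 0, 0x8000)
    hdr += bytes(4) * 3                                # ciaddr, yiaddr, siaddr all zero
    hdr += ip_to_bytes(giaddr)                         # giaddr: relay agent address
    hdr += bytes.fromhex("000476f6e3e9") + bytes(10)   # chaddr: client MAC padded to 16 bytes
    hdr += bytes(64) + bytes(128)                      # sname and file, unused here
    opts = DHCP_MAGIC + bytes([OPT_MESSAGE_TYPE, 1, 1])  # message type 1 = DISCOVER
    if with_option82:
        # Cisco-style sub-option payloads (constructed values): circuit-id encodes
        # VLAN 315, module 1, port 11; remote-id carries a made-up switch MAC.
        circuit_id = b"\x00\x04" + (315).to_bytes(2, "big") + bytes([1, 11])
        remote_id = b"\x00\x06" + bytes.fromhex("aabbccddeeff")
        sub = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
        sub += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
        opts += bytes([OPT_RELAY_AGENT_INFO, len(sub)]) + sub
    opts += bytes([OPT_END])
    return hdr + opts


def parse_dhcp(packet):
    """Return (op, giaddr as dotted string, {option code: raw value})."""
    op = packet[0]
    giaddr = ".".join(str(b) for b in packet[24:28])   # giaddr sits at offset 24
    if packet[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:              # pad option has no length byte
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return op, giaddr, options


def parse_option82(value):
    """Split an option 82 value into its sub-options (RFC 3046 section 2)."""
    subs = {}
    i = 0
    while i < len(value):
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def relay_decision(packet, relay_trusts_option82=False):
    """Reproduce the relay rule the article describes: a client request (op = 1)
    that already carries option 82 but has giaddr 0.0.0.0 is dropped, unless the
    relay is configured to trust such packets (ip dhcp relay information trusted)."""
    op, giaddr, options = parse_dhcp(packet)
    if op != BOOTREQUEST or OPT_RELAY_AGENT_INFO not in options:
        return "forward"
    if giaddr == "0.0.0.0" and not relay_trusts_option82:
        return "drop"
    return "forward"


if __name__ == "__main__":
    pkt = build_sample_discover()
    _, giaddr, opts = parse_dhcp(pkt)
    print("giaddr:", giaddr, "sub-options:", parse_option82(opts[OPT_RELAY_AGENT_INFO]))
    print("relay decision:", relay_decision(pkt))
```

Running the block prints the parsed sub-options and "drop" for the default case; passing `relay_trusts_option82=True`, removing option 82, or setting a non-zero giaddr each turns the decision into "forward", which is exactly the set of conditions the relay configuration at the end of the article is meant to change.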
ip dhcp excluded-address 10.63.150.100 10.63.150.120   ! addresses that DHCP must not allocate
!
ip dhcp pool main   ! define the address pool
 network 10.63.144.0 255.255.255.0   ! network segment and address range used by the pool
 default-router 10.63.144.1   ! default gateway handed to clients
 domain-name nbyzzj.cn   ! domain name handed to clients
 dns-server 10.60.12.11   ! DNS server handed to clients
 lease 7   ! lease time of 7 days
ip dhcp snooping   ! enable DHCP snooping
ip dhcp snooping vlan 10-12,101-108,315   ! VLANs on which snooping is active
ip dhcp snooping database flash:dhcp-snooping.db   ! save the binding table to flash so it survives a reload instead of having to be rebuilt
ip arp inspection vlan 10-12,101-108,315   ! VLANs on which ARP inspection is active; decisions are made against the DHCP snooping binding table
ip arp inspection validate src-mac dst-mac ip   ! a valid client's ARP packets must pass the src-mac, dst-mac and ip checks
ip arp inspection log-buffer entries 1024   ! size of the inspection log buffer
ip arp inspection log-buffer logs 1024 interval 300   ! inspection log refresh rate; too small an interval consumes a lot of CPU time
!
!
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause arp-inspection
errdisable recovery interval 30
Once Dynamic ARP Inspection is enabled, the switch inspects a large number of packets. When too many ARP packets arrive through a port, the switch treats it as a DoS attack, automatically errdisables the port and interrupts communication. To recover from this automatically, add the command errdisable recovery cause arp-inspection.
no file verify auto
logging on   ! do not forget to enable logging; when logging is disabled it occupies a large amount of CPU resources
no spanning-tree loopguard default   ! loop guard should not be enabled
ip source binding 0004.76f6.e3e9 vlan 315 10.63.150.100 interface Gi1/0/11   ! manually add a static binding entry
!
interface GigabitEthernet1/0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip arp inspection limit none
 arp timeout 2
 ip dhcp snooping limit rate 100
Because a downstream switch hangs off this port, ARP inspection is not rate-limited here, so that inspection cannot errdisable the port. If the port connects directly to an access device, ip arp inspection limit rate 100 can be used instead.
Related commands:
show logging   ! check whether Dynamic ARP Inspection (DAI) takes effect
show ip dhcp snooping binding   ! check whether snooping takes effect
show ip dhcp binding   ! check whether the DHCP server takes effect
show arp   ! check whether the ARP information is consistent with the DHCP snooping binding table
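The last check, comparing the ARP table with the DHCP snooping binding table, is tedious to do by eye on a switch with many hosts. The following added example (not from the original article or from Cisco) parses the two command outputs, normalises the two MAC formats IOS uses (colon-separated in the binding table, dotted in show arp), and reports for every learned ARP entry whether it matches a binding, has no binding at all (the case DAI would block), or has a binding with a different MAC (the address-conflict case the article mentions). The command outputs embedded here are constructed in the layout of the real commands, not captured from a device.

```python
import re

# Constructed sample output in the layout of "show ip dhcp snooping binding"
# (one static entry as created by "ip source binding", the rest learned via DHCP).
SNOOPING_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:04:76:F6:E3:E9   10.63.150.100    infinite    static         315   GigabitEthernet1/0/11
00:1A:2B:3C:4D:5E   10.63.144.50     604800      dhcp-snooping  10    GigabitEthernet1/0/5
00:AA:BB:CC:DD:EE   10.63.144.60     604800      dhcp-snooping  10    GigabitEthernet1/0/6
Total number of bindings: 3
"""

# Constructed sample output in the layout of "show arp"; an Age of "-" marks the
# switch's own SVI address.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.63.144.1             -   0011.2233.4455  ARPA   Vlan10
Internet  10.63.144.50            3   001a.2b3c.4d5e  ARPA   Vlan10
Internet  10.63.144.60            2   0000.1111.2222  ARPA   Vlan10
Internet  10.63.144.77            1   00de.adbe.ef00  ARPA   Vlan10
Internet  10.63.150.100           0   0004.76f6.e3e9  ARPA   Vlan315
"""

BINDING_RE = re.compile(
    r"^([0-9A-Fa-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+(\S+)\s+(\d+)\s+(\S+)")
ARP_RE = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(\S+)")


def norm_mac(mac):
    """Reduce any IOS MAC spelling to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_bindings(text):
    """Map IP -> binding details from show ip dhcp snooping binding output."""
    bindings = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if m:
            mac, ip, btype, vlan, intf = m.groups()
            bindings[ip] = {"mac": norm_mac(mac), "type": btype,
                            "vlan": int(vlan), "interface": intf}
    return bindings


def parse_arp(text):
    """Map IP -> ARP details from show arp output."""
    arp = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ip, age, mac, intf = m.groups()
            arp[ip] = {"age": age, "mac": norm_mac(mac), "interface": intf}
    return arp


def audit(bindings, arp):
    """Compare each learned ARP entry with the snooping binding table.
    Returns (ip, status) pairs: ok, no-binding, or mac-mismatch."""
    findings = []
    for ip, entry in sorted(arp.items()):
        if entry["age"] == "-":            # the switch's own interface address
            continue
        binding = bindings.get(ip)
        if binding is None:
            findings.append((ip, "no-binding"))      # DAI would drop this host's ARP
        elif binding["mac"] != entry["mac"]:
            findings.append((ip, "mac-mismatch"))    # IP in use with a different MAC
        else:
            findings.append((ip, "ok"))
    return findings


if __name__ == "__main__":
    for ip, status in audit(parse_bindings(SNOOPING_BINDING), parse_arp(SHOW_ARP)):
        print(f"{ip:16} {status}")
```

On the sample data the audit reports 10.63.144.50 and 10.63.150.100 as ok, 10.63.144.77 as having no binding, and 10.63.144.60 as a MAC mismatch. With real output the two text constants would simply be replaced by the captured command output.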
If a downstream device supports DHCP snooping, it can be configured as follows:
ip dhcp snooping
interface g0/1   ! upstream port
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust   ! mark this port as trusted: DHCP server replies arriving on it are accepted, and DHCP server traffic from any other port is blocked
Testing confirms that for hosts that already have a MAC-to-IP entry in the binding table, whether learned through DHCP or configured statically, their traffic only has to match that table. If no entry exists, the corresponding traffic is blocked.
If the DHCP relay service is used, enter one of the following on the gateway switch:
Method 1:
interface vlan 10
 ip dhcp relay information trusted
Method 2:
Switch(config)# ip dhcp relay information trust-all