We have covered the network protocols in some depth and have run into DHCP many times, so next we look at the configuration of ip dhcp snooping on Cisco devices. In a Cisco environment, a switch with DHCP snooping enabled inserts option 82 (the relay agent information option, RFC 3046) into the client's BOOTREQUEST by default. Because the switch is a layer 2 device, the gateway address (giaddr) in that request stays 0.0.0.0, and RFC 3046 requires a relay agent that receives a packet from an untrusted port with option 82 present but giaddr 0 to discard it. So as soon as the upstream DHCP relay sees such a packet it drops it, unless the relay has been told to trust that port (the relay section at the end of this page covers that).
DHCP snooping is mostly thought of as a way to block rogue DHCP servers, but it also matters after the client has received a valid DHCP offer: with snooping enabled, the switch records the assigned IP address, the client MAC, the VLAN and the interface in its binding table. That table is the basis for a second feature, Dynamic ARP Inspection (DAI). DAI examines ARP packets arriving on untrusted ports and drops requests and replies whose sender MAC/IP pair does not appear in the binding table; the table is populated when the DHCP server answers normally, so it holds the legitimate IP-to-MAC mappings. If an ARP spoofing packet arrives, DAI intercepts it. As a side effect, a user who manually changes their IP address to one that is not bound to their MAC also has their ARP traffic dropped, so address conflicts caused by arbitrary changes are prevented too.
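To make the option 82 / giaddr rule concrete, here is an added example in Python that is not part of the original page: it builds a DHCPDISCOVER the way a client sends it, appends an option 82 in Cisco's default circuit-id/remote-id layout as a snooping switch would, parses the packet back, and applies the RFC 3046 relay-agent rule. The packet bytes, the VLAN/module/port values and the switch MAC are constructed for the example, and the trust_downstream flag stands in for the relay's ip dhcp relay information trusted setting.

```python
"""Added example, not code from the original post: parse a DHCP BOOTREQUEST,
pull out giaddr and the relay agent information option (option 82, RFC 3046)
that a snooping switch inserts, and apply the RFC 3046 rule that makes such
packets disappear: option 82 present with giaddr == 0 is discarded by a relay
agent unless the port it came from is trusted (Cisco: 'ip dhcp relay
information trusted' / 'trust-all'). All packet bytes are constructed here."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2

# Option 82 in Cisco's default format (constructed): circuit-id = type 0, len 4,
# VLAN 10 / module 1 / port 11; remote-id = type 0, len 6, the switch's MAC.
SAMPLE_OPTION82 = (bytes([SUBOPT_CIRCUIT_ID, 6, 0, 4]) + struct.pack("!HBB", 10, 1, 11)
                   + bytes([SUBOPT_REMOTE_ID, 8, 0, 6]) + bytes.fromhex("000476f6e3e9"))


def build_discover(chaddr: bytes, giaddr: str = "0.0.0.0", option82: bytes = None) -> bytes:
    """Minimal DHCPDISCOVER (op=1 BOOTREQUEST) with an optional option 82 appended."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)        # op..flags
    hdr += bytes(12) + ipaddress.IPv4Address(giaddr).packed                 # ciaddr yiaddr siaddr giaddr
    hdr += chaddr.ljust(16, b"\0") + bytes(64) + bytes(128) + MAGIC_COOKIE  # chaddr sname file cookie
    opts = bytes([OPT_MSG_TYPE, 1, 1])                                      # message type DISCOVER
    if option82 is not None:
        opts += bytes([OPT_RELAY_AGENT, len(option82)]) + option82
    return hdr + opts + b"\xff"


def parse_dhcp(packet: bytes) -> dict:
    """Fixed header fields plus options as {code: value bytes}."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (too short or missing magic cookie)")
    op, _htype, hlen, hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", packet[:12])
    giaddr = packet[24:28]
    options, i = {}, 240
    while i < len(packet) and packet[i] != 255:      # 255 = end option
        if packet[i] == 0:                            # 0 = pad
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "hops": hops, "xid": xid, "giaddr": str(ipaddress.IPv4Address(giaddr)),
            "chaddr": packet[28:28 + hlen].hex(":"), "options": options}


def parse_option82(data: bytes) -> dict:
    """Split option 82 into its sub-options {sub-option code: value}."""
    subs, i = {}, 0
    while i + 2 <= len(data):
        sub, length = data[i], data[i + 1]
        subs[sub] = data[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def decode_cisco_circuit_id(data: bytes) -> tuple:
    """Cisco default circuit-id: type 0, length 4, then VLAN(2) module(1) port(1)."""
    if data[:2] != b"\x00\x04":
        raise ValueError("not the default Cisco circuit-id layout")
    return struct.unpack("!HBB", data[2:6])


def relay_decision(packet: bytes, trust_downstream: bool = False) -> str:
    """RFC 3046 section 2.1.1: a relay agent receiving a request from an untrusted
    circuit with giaddr 0 but option 82 already present SHALL discard it."""
    p = parse_dhcp(packet)
    if p["op"] != 1:
        return "not-a-request"
    if OPT_RELAY_AGENT in p["options"] and p["giaddr"] == "0.0.0.0" and not trust_downstream:
        return "drop"
    return "forward"


if __name__ == "__main__":
    pkt = build_discover(bytes.fromhex("000476f6e3e9"), option82=SAMPLE_OPTION82)
    info = parse_dhcp(pkt)
    subs = parse_option82(info["options"][OPT_RELAY_AGENT])
    print("giaddr", info["giaddr"], "circuit-id", decode_cisco_circuit_id(subs[SUBOPT_CIRCUIT_ID]))
    print("untrusted relay:", relay_decision(pkt), "| trusted relay:", relay_decision(pkt, True))
```

The same packet is forwarded once giaddr is non-zero (it came through a real relay) or once the relay trusts the downstream port, which is exactly the difference the two relay commands at the end of the page make.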
- ip dhcp excluded-address 10.63.150.100 10.63.150.120  (addresses that DHCP must not hand out)
-
- !
- ip dhcp pool main  (defines the address pool)
-
- network 10.63.144.0 255.255.255.0  (network segment and address range used by the pool)
- default-router 10.63.144.1  (default gateway handed to the client)
- domain-name nbyzzj.cn  (domain name handed to the client)
- dns-server 10.60.12.11  (DNS server handed to the client)
- lease 7  (lease time, 7 days)
-
- ip dhcp snooping  (enables DHCP snooping globally)
-
- ip dhcp snooping vlan 10-12,101-108,315  (VLANs on which snooping is active)
- ip dhcp snooping database flash:dhcp-snooping.db  (saves the binding table to flash so that it survives a reload instead of having to be rebuilt from new leases)
- ip arp inspection vlan 10-12,101-108,315  (VLANs on which ARP inspection is active; decisions are made against the DHCP snooping binding table)
- ip arp inspection validate src-mac dst-mac ip  (additional checks on every ARP packet: the Ethernet source MAC must equal the ARP sender MAC, the Ethernet destination MAC must equal the ARP target MAC in replies, and the ARP addresses must not be invalid ones such as 0.0.0.0, 255.255.255.255 or multicast)
- ip arp inspection log-buffer entries 1024  (size of the inspection log buffer)
- ip arp inspection log-buffer logs 1024 interval 300  (at most 1024 system messages are generated from the buffer per 300-second interval; too short an interval costs a lot of CPU)
- !
- !
- !
- errdisable recovery cause udld
- errdisable recovery cause bpduguard
- errdisable recovery cause security-violation
- errdisable recovery cause channel-misconfig
- errdisable recovery cause pagp-flap
- errdisable recovery cause dtp-flap
- errdisable recovery cause link-flap
- errdisable recovery cause gbic-invalid
- errdisable recovery cause l2ptguard
- errdisable recovery cause psecure-violation
- errdisable recovery cause dhcp-rate-limit
- errdisable recovery cause unicast-flood
- errdisable recovery cause vmps
- errdisable recovery cause arp-inspection
- errdisable recovery interval 30
Once Dynamic ARP Inspection is running, the switch rate-limits incoming ARP packets on untrusted ports (15 packets per second by default). When a port exceeds that rate the switch treats it as an ARP DoS attack, puts the port into err-disabled state and communication through it stops. To recover from this automatically instead of by hand, add errdisable recovery cause arp-inspection; errdisable recovery interval sets how long the port stays down before it is re-enabled (30 seconds above).
- no file verify auto
-
- logging on  (keep logging enabled: with no logging on, messages go only to the console and the device consumes a large amount of CPU, so do not forget to turn it on)
-
- no spanning-tree loopguard default  (loop guard is not enabled globally)
-
- ip source binding 0004.76f6.e3e9 vlan 315 10.63.150.100 interface Gi1/0/11  (manually adds a static binding entry for a host that does not use DHCP)
- !
- interface GigabitEthernet1/0/11
- switchport trunk encapsulation dot1q
- switchport mode trunk
- ip arp inspection limit none  (no ARP rate limit on this port)
- arp timeout 2
- ip dhcp snooping limit rate 100  (at most 100 DHCP packets per second from this port)
Because a downstream switch hangs off this port and aggregates the ARP traffic of many hosts, the ARP rate limit is disabled here so that inspection does not err-disable the port. On a port with an access device connected directly, ip arp inspection limit rate 100 can be used instead.
Related commands:
- show logging  (check whether Dynamic ARP Inspection (DAI) is taking effect; dropped ARP packets are logged here)
- show ip dhcp snooping binding  (check whether snooping is taking effect)
- show ip dhcp binding  (check whether the DHCP server is taking effect)
- show arp  (check that the ARP information is consistent with the DHCP snooping binding table)
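An added example (Python, not from the original page) that models what the DAI settings and the show commands above amount to: it parses a constructed show ip dhcp snooping binding listing (one static ip source binding entry and one dhcp-snooping entry), evaluates ARP frames the way ip arp inspection validate src-mac dst-mac ip and the binding lookup do, models the ip arp inspection limit rate err-disable behaviour that errdisable recovery cause arp-inspection exists for, and compares a constructed show arp listing against the binding table. The sample output, MAC addresses and frames are made up for the example; the column layouts follow IOS but were not captured from a real switch.

```python
"""Added example, not code from the original post: a model of the decisions a
switch makes against the DHCP snooping binding table once DAI is on.
  parse_bindings()  reads the column layout of 'show ip dhcp snooping binding'
  dai_check()       applies 'ip arp inspection validate src-mac dst-mac ip' and
                    then the binding lookup to one ARP frame on an untrusted port
  PortArpLimiter    models 'ip arp inspection limit rate N' (None = 'limit none')
                    and the err-disable that follows when it is exceeded
  arp_vs_bindings() the 'show arp' versus binding-table comparison
The show output and the frames are constructed sample data."""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass
import ipaddress
import re

SAMPLE_BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:04:76:F6:E3:E9   10.63.150.100    infinite    static         315   GigabitEthernet1/0/11
00:1A:2B:3C:4D:5E   10.63.144.23     604512      dhcp-snooping  10    GigabitEthernet1/0/3
Total number of bindings: 2
"""
SAMPLE_ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.63.144.1             -   0011.2233.4455  ARPA   Vlan10
Internet  10.63.144.23            5   001a.2b3c.4d5e  ARPA   Vlan10
Internet  10.63.144.77            1   00de.adbe.ef01  ARPA   Vlan10
"""
BINDING_RE = re.compile(r"^([0-9A-Fa-f:]{17})\s+(\S+)\s+\S+\s+(\S+)\s+(\d+)\s+(\S+)")
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+([0-9a-f.]{14})\s+ARPA\s+(\S+)")


def norm_mac(mac: str) -> str:
    """Accept IOS dotted (0004.76f6.e3e9) or colon form; return lowercase colon form."""
    h = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(h) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    kind: str        # dhcp-snooping, or static (from 'ip source binding')
    vlan: int
    interface: str


def parse_bindings(text: str) -> list[Binding]:
    rows = (BINDING_RE.match(line) for line in text.splitlines())
    return [Binding(norm_mac(m[1]), m[2], m[3], int(m[4]), m[5]) for m in rows if m]


@dataclass(frozen=True)
class ArpFrame:
    vlan: int
    eth_src: str
    eth_dst: str
    op: int          # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _bad_ip(ip: str) -> bool:
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.IPv4Address(ip).is_multicast


def dai_check(frame: ArpFrame, bindings: list[Binding],
              validate=("src-mac", "dst-mac", "ip")) -> str:
    """Return 'pass' or 'drop: <reason>' for one ARP frame on an untrusted port."""
    if "src-mac" in validate and norm_mac(frame.eth_src) != norm_mac(frame.sender_mac):
        return "drop: src-mac (Ethernet source != ARP sender MAC)"
    if "dst-mac" in validate and frame.op == 2 and norm_mac(frame.eth_dst) != norm_mac(frame.target_mac):
        return "drop: dst-mac (Ethernet destination != ARP target MAC in reply)"
    if "ip" in validate and (_bad_ip(frame.sender_ip) or (frame.op == 2 and _bad_ip(frame.target_ip))):
        return "drop: ip (invalid or unexpected address)"
    sender = (frame.vlan, norm_mac(frame.sender_mac), frame.sender_ip)
    if not any((b.vlan, b.mac, b.ip) == sender for b in bindings):
        return f"drop: no binding for {frame.sender_ip}/{frame.sender_mac} in vlan {frame.vlan}"
    return "pass"


class PortArpLimiter:
    """More than `rate` ARP packets inside one burst interval err-disables the port
    (bringing it back is what 'errdisable recovery cause arp-inspection' is for)."""

    def __init__(self, rate: int | None = 15, burst_interval: float = 1.0):
        self.rate, self.burst, self.seen, self.errdisabled = rate, burst_interval, deque(), False

    def accept(self, t: float) -> bool:
        if self.errdisabled or self.rate is None:
            return not self.errdisabled
        self.seen.append(t)
        while self.seen[0] <= t - self.burst:      # forget timestamps outside the window
            self.seen.popleft()
        if len(self.seen) > self.rate:
            self.errdisabled = True
            return False
        return True


def arp_vs_bindings(arp_text: str, bindings: list[Binding]) -> list[tuple[str, str]]:
    """'show arp' entries (other than the switch's own addresses, age '-') with no binding."""
    known = {(b.ip, b.mac) for b in bindings}
    rows = (ARP_RE.match(line) for line in arp_text.splitlines())
    return [(m[1], norm_mac(m[3])) for m in rows if m and m[2] != "-" and (m[1], norm_mac(m[3])) not in known]


if __name__ == "__main__":
    table = parse_bindings(SAMPLE_BINDING_OUTPUT)
    host = ArpFrame(315, "0004.76f6.e3e9", "ffff.ffff.ffff", 1, "0004.76f6.e3e9", "10.63.150.100",
                    "0000.0000.0000", "10.63.150.1")
    print(dai_check(host, table), "|", arp_vs_bindings(SAMPLE_ARP_OUTPUT, table))
```

Running it against real output is a matter of pasting the two show listings in place of the constructed samples; an entry that arp_vs_bindings reports is a host that is talking on the VLAN without a binding, which is exactly the case DAI would be dropping (or, on a trusted or limit-none port, letting through).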
If a downstream switch supports DHCP snooping, it can be configured as follows:
- ip dhcp snooping
- interface g0/1  (the uplink port)
- switchport trunk encapsulation dot1q
- switchport mode trunk
- ip dhcp snooping trust  (marks this port as trusted: DHCP server replies arriving on it are accepted, while server replies arriving on any other, untrusted port are dropped, so no rogue DHCP server can answer clients)
In testing, a host whose MAC/IP pair is already in the binding table, whether learned through DHCP or added statically, only has to keep to that pair. If no entry exists for it, its traffic is blocked.
If a DHCP relay is in use, enter one of the following on the gateway switch so that it accepts the option 82 packets (giaddr 0) coming from the snooping switch:
Method 1:
- interface vlan 10
- ip dhcp relay information trusted
Method 2:
- switch(config)# ip dhcp relay information trust-all