Ip dhcp snooping settings

We have learned a lot about the network protocol, and we have come into contact with a lot of DHCP. Next we will mainly analyze the configuration of ip dhcp snooping on the cisco device. In a cisco network environment, when a device with dhcp snooping enabled is configured for a boot request, option 82 is inserted into the DHCP packet. For details, see RFC3046 ). In this case, the gateway ip address in the packet in the boot request is 0, so once the dhcp relay device detects such a packet, it will discard it.

Although dhcp snooping is used to prevent illegal dhcp server access, it plays an important role once the client obtains a valid dhcp offer. When dhcp snooping is enabled, the obtained IP address and the mac address of the client are recorded under the corresponding interface. This is a basis for ARP inspection detection by another technology. ARP inspection is used to detect arp requests and prevent invalid ARP requests. The table created in the previous dhcp snooping is the legal standard. The table is created when the dhcp server responds normally, including the correct arp information. If there is arp attack information at this time, ARP inspection technology can be used to intercept this illegal arp packet. In fact, using this method can also prevent users from arbitrarily modifying IP addresses, resulting in address conflicts.

 
 

  
  
Ip dhcp excluded-address 10.63.150.100 10.63.150.120 address not allocated by dhcp
  
  
 
  
  
!
  
  
Ip dhcp pool main defines the address pool
  
  
 
  
  
Network 10.63.144.0 255.255.255.0 defines the network segment and address range used by the address pool.
  
  
Default-router 10.63.144.1 defines the default gateway of the Client
  
  
Domain-name nbyzzj.cn defines the domain of the Client
  
  
Dns-server 10.60.12.11 defines the dns of the Client
  
  
Lease 7 defines the address lease time as 7 days
  
  
 
  
  
Ip dhcp snooping enable dhcp snooping
  
  
 
  
  
Ip dhcp snooping vlan 10-12,101-108,315 defines the vlan used by snooping
  
  
Ip dhcp snooping database flash: The dhcp-snooping.db saves the binding table in flash, avoid restarting the device, re-binding
 
 

 
 

  
  
Ip arp inspection vlan 10-12,101-108,315 defines the vlan used by arp inspection. It is determined based on the dhcp snooping binding table.
  
  
Ip arp inspection validate src-mac dst-mac ip detection valid client must meet the src-mac dst-mac ip no error
  
  
Ip arp inspection log-buffer entries 1024 inspection log Size
  
  
Ip arp inspection log-buffer logs 1024 interval 300 inspection log refresh time, interval is too small will occupy a lot of cpu time
  
  
!
  
  
!
  
  
!
  
  
Errdisable recovery cause udld
  
  
Errdisable recovery cause bpduguard
  
  
Errdisable recovery cause security-violation
  
  
Errdisable recovery cause channel-misconfig
  
  
Errdisable recovery cause pagp-flap
  
  
Errdisable recovery cause dtp-flap
  
  
Errdisable recovery cause link-flap
  
  
Errdisable recovery cause gbic-invalid
  
  
Errdisable recovery cause l2ptguard
  
  
Errdisable recovery cause vulnerability cure-violation
  
  
Errdisable recovery cause dhcp-rate-limit
  
  
Errdisable recovery cause unicast-flood
  
  
Errdisable recovery cause vmps
  
  
Errdisable recovery cause arp-inspection
  
  
Errdisable recovery interval 30
 
 

When the application of Dynamic ARP Inspection is started, the switch records a large number of data packets. when too many data packets pass through the port, the switch will consider it to be under DoS attack, thus automatically disable the port and cause communication interruption. To solve this problem, we need to add the command errdisable recovery cause arp-inspection.

 
 

  
  
No file verify auto
  
  
 
  
  
Logging on: When logging is disabled, it will occupy a large amount of cpu resources. Do not forget to enable it.
  
  
 
  
  
No spanning-tree loopguard default should not be enabled
  
  
 
  
  
Ip source binding 0004.76f6.e3e9 vlan 315 10.63.150.100 interface Gi1/0/11 manually add static address entries
  
  
!
 
 

 
 

  
  
interface GigabitEthernet1/0/11  
  
  
switchport trunk encapsulation dot1q  
  
  
switchport mode trunk  
  
  
ip arp inspection limit none  
  
  
arp timeout 2  
  
  
ip dhcp snooping limit rate 100 
 
 

Due to the downlink device, in order to prevent inspection from making the port errdisable, there is no restriction on arp detection. If it is an access device directly, ip arp inspection limit rate 100 can be used.

Related commands:

 
 

  
  
Sh logging check whether Dymatic Arp Inspection (DAI) takes effect.
  
  
Sh ip dhcp snooping binding check whether snooping takes effect
  
  
Sh ip dhcp binding check whether the dhcp server takes effect.
  
  
Sh arp check if arp information is consistent with dhcp snooping binding table
 
 

If a sub-device supports dhcp snooping, you can configure it as follows:

 
 

  
  
Ip dhcp snooping
  
  
Int g0/1 upstream Port
  
  
Switchport trunk encapsulation dot1q
  
  
Switchport mode trunk
  
  
Ip dhcp snooping trust defines this port as a trusted port. The dhcp server data from this port is valid and prevents other dhcp servers from sending dhcp data.
 
 

After the experiment, for hosts that already have a relationship between mac and ip addresses in the binding table, whether obtained through dhcp or statically specified, you only need to comply with this table. If the table does not exist, the corresponding traffic will be blocked.

If the dhcp relay service is used, enter the following command on the Gateway Switch:

Method 1:

 
 

  
  
inter vlan10  
  
  
ip dhcp relay information trusted 
 
 

Method 2:

 
 

  
  
switchconfig）# ip dhcp relay information trust-all