Prevent unauthorized IP address (DHCP) in LAN

Application examples

My school is a student apartment, PC owns about 1000 units. Using DHCP assigned IP address, with 4 C class addresses, the actual number of addresses available is about 1000. Because of the frequent presence of private DHCP servers in the building, a large number of hosts cannot be assigned to legitimate IP addresses, and because a significant number of hosts specify IP addresses, conflicts with DHCP-assigned IP addresses are caused. The above two aspects, all caused the apartment building a large number of hosts can not normally access the network.

After a period of analysis and experimentation, we decided to deploy DHCP snooping and dynamic ARP inspection to the apartment building to ensure the normal operation of the network.

The use of the apartment network equipment is as follows, the access layer for the XX 2950 switch to the stack of 4 3750, and then through the fiber to the convergence layer of 3750 switches. At the same time, the 3750 switch of the convergence layer is also a DHCP server.

Deployment process

The DHCP snooping is configured first by the following procedure

1 Configure terminal

2 IP DHCP snooping enable DHCP snooping in global mode

3 IP DHCP snooping VLAN 103 enables DHCP snooping in VLAN 103

4 IP DHCP snooping information option Enable the switch to insert and remove DHCP relay information (option-82 field) in fo rwarded DHCP request messages to the DHCP server. The default is enabled.

5 interface Gigabitethernet1/0/28, entering the 28th port of the switch

6 IP DHCP snooping trust to set the 28th port as trusted

7 IP DHCP snooping limit rate 500 sets the maximum number of DHCP packets handled per second

9 End Exit

After the configuration is complete, you can observe the DHCP snooping health by using the following command:

Show ip DHCP snooping

Get the following information:

Switch DHCP snooping is enabled

DHCP snooping is configured on following VLANs:

Zebian: Bean Technology Application