华为DHCPSnooping配置实例

1、DHCP Snooping 配置时间：2021.03. 12创作：欧阳文介绍DHCP Snooping的原理和配置办法，并给出配置举例。配置DHCP Snooping的攻击防备功能示例组网需求如图913所示,SwitchA与SwitchB为接入设备，SwitchC为 DHCP RelavoClientl 与 Client2 辨别通过 GE0/0/1 与 GE0/0/2 接入 SwitchA, Client3 通过 GE0/0/1 接入 SwitchB,其中 Clientl与Client3通过DHCP方法获取IPv4地址，而Client2 使用静态配置的IPv4地址。网络屮存在不法用户的攻击招致

2、 合法用户不克不及正常获取IP地址，管理员希望能够避免网 络中针对DHCP的攻击，为DHCP用户提供更优质的办事。图913配置DHCP Snooping的攻击防备功能组网图配置思路 采取如下的思路在SwitchC上进行配置。1使能DHCP Snooping功能并配置设备仅处理DHCPv4报 文。2. 配置接口的信任状态，以包管客户端从合法的办事器获取IP地址。3. 使能ARP与DHCP Snooping的联动功能，包管DHCP用户在异常下线时实时更新绑定表。4. 使能根据DHCP Snooping绑定表生成接口的静态MAC表项功能，以避免非DHCP用户攻击。5. 使能对DHCP报文进行绑定表匹

3、配检查的功能，避免仿冒DHCP报文攻击。6. 配置DHCP报文上送DHCP报文处理单位的最年夜允许速率，避免DHCP报文泛洪攻击。7. 配置允许接入的最年夜用户数以及使能检测DHCPRequest报文帧头MAC与DHCP数据区屮CHADDR字段 是否一致功能，避免DHCP Server办事拒绝攻击。操纵步调1. 使能 DHCP Snooping 功能。#使能全局DHCP Snooping功能并配置设备仅处理DHCPv4 报文。<HUAWEI> systemviewHUAWEI sysname SwitchCSwitchC dhcp enableSwitchC dhcp snoopi

4、ng enable ipv4#使能用户侧接口的DHCP Snooping功能。以GE0/0/1 接口为例，GE0/0/2的配置相同，此处省略。SwitchC interface gigabitethernet 0/0/1SwitchCGigabitEthernetO/0/1 dhcp snooping enableSwitchCGigabitEthernetO/O/1 quit2. 配置接口的信任状态：将连接DHCP Server的接口状态配置为"Trusted”。3. SwitchC interface gigabitethernet 0/0/34. SwitchCGigabitE

5、thernet0/0/3 dhcp snoopingtrustedSwitchCGigabitEthernetO/0/3 quit5. 使能ARP与DHCP Snooping的联动功能。SwitchC arp dhcpsnoopingdetect enable6. 使能根据DHCP Snooping绑定表生成接口的静态MAC表项功能。#在用户侧接口进行配置。以GE0/0/1接口为例， GE0/0/2的配置相同，此处省略。SwitchC interface gigabitethernet 0/0/1 SwitchCGigabitEthernetO/0/1 dhcp snooping sticky

6、macSwitchCGigabitEthernetO/0/1 quit7. 使能对DHCP报文进行绑定表匹配检查的功能。#在用户侧接口进行配置。以GE0/0/1接口为例， GE0/0/2的配置相同，此处省略。SwitchC interface gigabitethernet 0/0/1SwitchCGigabitEthernetO/0/1 dhcp snooping check dhcprequest enableSwitchCGigabitEthernetO/0/1 quit8. 配置DHCP报文上送DHCP报文处理单位的最年夜允许速率为90ppso9. SwitchC dhcp snoop

7、ing check dhcprate enable SwitchC dhcp snooping check dhcprate 9010.11.使能检测DHCP Request报文屮GIADDR字段是否非零 的功能。#在用户侧接口进行配置。以GE0/0/1接口为例， GE0/0/2的配置相同，此处省略。SwitchC interface gigabitethernet 0/0/1 SwitchCGigabitEthernetO/0/1 dhcp snooping check dhcpgiaddr enable SwitchCGigabitEthernetO/O/1 quit配置接口允许接入的最年

8、夜用户数并使能对CHADDR 字段检查功能。#在用户侧接口进行配置。以GE0/0/1接口为例,GE0/0/2的配置相同，此处省略。SwitchC interface gigabitethernet 0/0/1 SwitchCGigabitEthernetO/0/1 dhcp snooping maxusernumber 20SwitchCGigabitEthernetO/0/1 dhcp snooping check dhcpchaddr enableSwitchCGigabitEthernetO/0/1 quit12.配置抛弃报文告警和报文限速告警功能。#使能抛弃报文告警功能，并配置抛弃报文

9、告警阈值。 以GE0/0/1接口为例，GE0/0/2的配置相同，此处省 略。SwitchC interface gigabitethernet 0/0/1LSwitchCGigabitEthernetO/O/1dhcp snoopingalarm dhcpchaddr enableLSwitchCGigabitEthernetO/O/1dhcp snoopingalarm dhcprequest enableSwitchCGigabitEthernetO/0/1dhcp snoopingalarm dhcpreply enableSwitchCGigabitEthernetO/0/1dhcp

10、snoopingalarm dhcpchaddr threshold 120SwitchCGigabitEthernetO/0/1 dhcp snoopingalarm dhcprequest threshold 120SwitchCGigabitEthernetO/0/1 dhcp snoopingalarm dhcpreply threshold 120 SwitchCGigabitEthernetO/0/1 quit#使能报文限速告警功能，并配置报文限速告警阈值。SwitchC dhcp snooping alarm dhcprate enableSwitchC dhcp snoopin

11、g alarm dhcprate threshold13.验证配置结果# 执行命令 display dhcp snooping configuration 检查DHCP Snooping的配置信息。SwitchC display dhcp snooping configurationdhcp snooping dhcp snooping dhcp snooping dhcp snooping dhcp snoopingenable ipv4 check dhcprate check dhcprate alarm dhcprate alarm dhcprateenable90enablethre

12、shold 500arp dhcpsnoopingdetect enableinterface GigabitEthernetO/0/1dhcpsnoopingenabledhcpsnoopingcheckdhcpgiaddr enabledhcpsnoopingcheckdhcprequest enabledhcpsnoopingalarmdhcprequest enabledhcpsnoopingalarmdhcprequest threshold 120dhcpsnoopingcheckdhcpchaddr enabledhcpsnoopingalarmdhcpchaddr enable

13、dhcpsnoopingalarmdhcpchaddr threshold 120dhcpsnooping alarm dhcpreply enabledhcpsnooping alarm dhcpreply threshold 120dhcpsnooping maxusernumber 20interface GigabitEthernetO/0/2dhcpsnoopingenabledhcpsnoopingcheckdhcpgiaddr enabledhcpsnoopingcheckdhcprequest enabledhcpsnoopingalarmdhcprequest enabled

14、hcpsnoopingalarmdhcprequest threshold 120dhcpsnoopingcheckdhcpchaddr enabledhcpsnoopingalarmdhcpchaddr enabledhcpsnoopingalarmdhcpchaddr threshold 120dhcpsnoopingalarmdhcpreply enabledhcpsnoopingalarmdhcpreply threshold 120dhcpsnooping maxusernumber 20 interface GigabitEthernetO/0/3dhcp snooping tru

15、sted# 执行命令 display dhcp snooping interface 检查 接口下的DHCP Snooping运行信息。SwitchC display dhcp snooping interface gigabitethernet 0/0/1DHCP snooping running informa tion for int erf aceGigabitEthernetO/0/1 :DHCP snooping:Enable:NoTrusted interfaceDhcp user max number: 20Current dhcp and nd user number: 0C

16、heck dhcpgiaddr:EnableCheck dhcpchaddr:EnableAlarm dhcpchaddr:EnableAlarm dhcpchaddr threshold: 120Discarded dhcp packets for check chaddr : 0Check dhcprequest:EnableAlarm dhcprequestEnableAlarm dhcprequest threshold: 120Discarded dhcp packets for check request : 0Check dhcprate:Disable (defauIt)Ala

17、rm dhcprate:Disable (defauIt)Alarm dhcprate threshold: 500Discarded dhcp packets for rate limit : 0Alarm dhcpreply:EnableAlarm dhcpreply threshold: 120Discarded dhcp packets for check reply : 0 SwitchC display dhcp snooping interface gigabitethernet 0/0/3DHCP snooping running information for interfa

18、ceGigabitEthernetO/O/3 :DHCP snooping:Disable (defauIt):YesTrusted interfaceDhcp user max number(defauIt)Current dhcp and nd user numberCheck dhcpgiaddrDisable (defauIt)Check dhcpchaddrDisable (defauIt)Alarm dhcpchaddrDisable (defauIt)Check dhcprequestDisable (defauIt)Alarm dhcprequestDisable (defau

19、It)Check dhcprateDisable (defauIt)Alarm dhcprateDisable (defauIt)Alarm dhcprate thresholdDiscarded dhcp packets for :rate limitAlarm dhcpreply:1024:0500:0Disable (default)配置文件# SwitchC的配置文件#sysname SwitchC# dhcp enable# dhcp snooping enable ipv4dhcp snooping check dhcprate enabledhcp snooping check

20、dhcprate 90dhcp snooping alarm dhcprate enabledhcp snooping alarm dhcprate threshold 500arp dhcpsnoopingdetect enable# interface GigabitEthernetO/0/1dhcpsnoopingstickymacdhcpsnoopingenabledhcpsnoopingcheck dhcpgiaddr enabledhcpsnoopingcheck dhcprequest enabledhcpdhcpsnooping alarm dhcprequest enablesnooping alarm dhcprequest threshold 120dhcpsnooping