Shulou(Shulou.com)06/01 Report--

Allocation idea

1. Enable DHCP Snooping function.

two。 Configure the trust status of the interface to ensure that the client obtains an IP address from a legitimate server.

3. Enable the linkage function of ARP and DHCPSnooping to ensure that DHCP users update the binding table in real time when they are offline abnormally.

4. Enables the static MAC entry function of the interface to be generated based on the DHCP Snooping binding table to prevent non-DHCP users.

5. Enables the function of binding table matching check on DHCP messages to prevent counterfeiting of DHCP messages.

6. Configure the maximum allowable rate of sending DHCP messages to the DHCP message processing unit to prevent DHCP packets from flooding.

7. Configure the maximum number of users allowed to access and enable DHCP Request detection

Operation steps

1. Enable DHCP Snooping function.

[SwitchC] dhcp enable

[SwitchC] dhcp snooping enable

two。 Enable the DHCP Snooping function of the user side interface.

[SwitchC] dhcp snooping enable vlan 1 to 100 (or directly enable the following on the interface)

[SwitchC] interface gigabitethernet 0/0/1

[SwitchC-GigabitEthernet0/0/1] dhcp snooping enable

3. Configure the trust status of the interface: configure the interface status that connects to the DHCP Server to "Trusted". The port connected to dhcp and the switch cascade port need to be configured

[SwitchC] interface gigabitethernet 0/0/3

[SwitchC-GigabitEthernet0/0/3] dhcp snooping trusted

4. Enable the linkage function of ARP and DHCPSnooping.

[SwitchC] arp dhcp-snooping-detect enable

5. Enables the function of binding table matching checking on DHCP messages.

[SwitchC] interface gigabitethernet0/0/1

[SwitchC-GigabitEthernet0/0/1] dhcp snooping check dhcp-request enable

6. Configure the maximum allowable rate of the DHCP message processing unit for sending DHCP messages to 10pps.

[SwitchC] dhcp snooping check dhcp-rate enable

[SwitchC] dhcp snooping check dhcp-rate 10

7. Configure the maximum number of users allowed to access the interface.

[SwitchC] interface gigabitethernet 0/0/1

[SwitchC-GigabitEthernet0/0/1] dhcp snooping max-user-number 2

8. Configure discarding message alarm and message speed limit alarm function.

# enables the discarding message alarm function and configures the discarding message alarm threshold. Take the GE0/0/1 interface as an example, the configuration of GE0/0/2 is the same

[SwitchC] interface gigabitethernet 0/0/1

[SwitchC] dhcp snooping alarm dhcp-rate enable

[SwitchC] dhcp snooping alarm dhcp-rate threshold 10

[SwitchC] dhcp snooping check user-bind enable

[SwitchC] the function of dhcp snooping check mac-address enable to check the MAC address in the DHCPRequest header

Verify the configuration result

Display dhcp snooping configuration views the configuration information for DHCP Snooping.

Display dhcp snooping interface views the running information of DHCP Snooping under the API.

Reset dhcpsnooping user-bind vlan | interface | * reset the DHCPSnooping binding table

Dhcp snoopinguser-bind autosave file-name backs up the DHCPSnooping binding table.

Arp anti-attackcheck user-bind enable

Arp anti-attackcheck user-bind alarm enable

Arp anti-attackcheck user-bind alarm threshold 10

Arp anti-attackcheck user-bind check-item mac-address

Ip source checkuser-bind enable enables ip source guard

Ip source checkuser-bind check-item {ip-address | mac-address | vlan} * configure IP message check item

Ip source checkuser-bind alarm enable enables IP message check alarm function.

Ip source checkuser-bind alarm threshold threshold configures the IP message check alarm threshold of 100 by default.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.