1. Perform the initial configuration and assign IP addresses to the devices.
2. Configure R1 as the DHCP server, handing out IP addresses to all hosts in VLAN 11.
3. Configure DHCP snooping on VLAN 11 of SW1 so that every rogue (spoofed) DHCP server attack on this VLAN is blocked.
Switch#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gig1/0/2, Gig1/0/3, Gig1/0/4, Gig1/0/5
                                                Gig1/0/6, Gig1/0/7, Gig1/0/8, Gig1/0/9
                                                Gig1/0/10, Gig1/0/11, Gig1/0/12, Gig1/0/13
                                                Gig1/0/14, Gig1/0/15, Gig1/0/16, Gig1/0/17
                                                Gig1/0/18, Gig1/0/19, Gig1/0/20, Gig1/0/21
                                                Gig1/0/22, Gig1/1/1, Gig1/1/2, Gig1/1/3
                                                Gig1/1/4
11   KeToan                           active    Gig1/0/23, Gig1/0/24
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
11   enet  100011     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
Switch#show running-config
Building configuration...
Current configuration : 1814 bytes
!
version 16.3.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
!
!
!
!
!
no ip cef
ip routing
!
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
ip dhcp snooping vlan 11
no ip dhcp snooping information option
ip dhcp snooping
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
!
interface GigabitEthernet1/0/1
ip dhcp snooping trust
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
switchport access vlan 11
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet1/0/24
switchport access vlan 11
switchport mode access
switchport nonegotiate
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
ip address 192.168.1.2 255.255.255.0
!
interface Vlan11
mac-address 0001.631d.8e01
ip address 192.168.11.1 255.255.255.0
ip helper-address 192.168.1.1
!
ip classless
!
ip flow-export version 9
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
!
end
Switch#
Note: the host-facing ports G1/0/23 - 24 stay untrusted:
SWITCH1(config)# interface range G1/0/23 - 24
SWITCH1(config-if-range)# no ip dhcp snooping trust
DHCPServer#show running-config
Building configuration...
Current configuration : 901 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname DHCPServer
!
!
!
!
ip dhcp excluded-address 192.168.11.1 192.168.11.100
!
ip dhcp pool vlan11
network 192.168.11.0 255.255.255.0
default-router 192.168.11.1
dns-server 8.8.8.8
!
!
!
ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO2811/K9 sn FTX101762UM-
!
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/0.11
description GW cho VLAN 11
encapsulation dot1Q 11
ip address 192.168.11.1 255.255.255.0
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
DHCPServer#
Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
11
DHCP snooping is operational on following VLANs:
none
Smartlog is configured on following VLANs:
none
Smartlog is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is disabled
circuit-id default format: vlan-mod-port
remote-id: 0001.631D.8EA8 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface               Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
GigabitEthernet1/0/1    yes     yes          unlimited
  Custom circuit-ids:
GigabitEthernet1/0/24   no      no           unlimited
  Custom circuit-ids:
GigabitEthernet1/0/23   no      no           unlimited
  Custom circuit-ids:
Switch#
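The checks this lab verifies by eye (snooping enabled globally, enabled for VLAN 11, and only the uplink toward R1 trusted) can also be run against a saved running-config. The script below is an added example, not part of the original lab; the function names and the abridged SW1_CONFIG sample are assumptions made for illustration.

```python
import re

# Abridged from the SW1 running-config on this page (idle ports omitted).
SW1_CONFIG = """\
ip dhcp snooping vlan 11
no ip dhcp snooping information option
ip dhcp snooping
!
interface GigabitEthernet1/0/1
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/23
 switchport access vlan 11
!
interface GigabitEthernet1/0/24
 switchport access vlan 11
!
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '11,20-22' into a set of ints."""
    out = set()
    for lo, _, hi in (p.partition("-") for p in spec.split(",")):
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit_dhcp_snooping(config, vlan, uplinks):
    """Return findings for one VLAN; an empty list means every check passed."""
    glob, ifaces, current = [], {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            current = ifaces.setdefault(line.split(None, 1)[1], [])
        elif line in ("", "!"):
            current = None          # "!" closes an interface section
        else:
            (glob if current is None else current).append(line)
    findings = []
    if "ip dhcp snooping" not in glob:
        findings.append("DHCP snooping is not enabled globally")
    specs = re.findall(r"^ip dhcp snooping vlan (\S+)$", "\n".join(glob), re.M)
    enabled = set().union(*map(expand_vlans, specs))
    if vlan not in enabled:
        findings.append(f"DHCP snooping is not enabled on VLAN {vlan}")
    for name, cmds in ifaces.items():
        trusted = "ip dhcp snooping trust" in cmds
        if trusted != (name in uplinks):
            why = "trusted but not an expected uplink" if trusted else "expected uplink is untrusted"
            findings.append(f"{name}: {why}")
    return findings
```

Calling `audit_dhcp_snooping(SW1_CONFIG, 11, {"GigabitEthernet1/0/1"})` returns an empty list for the configuration shown on this page; a trusted access port or a missing VLAN entry shows up as a finding.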