华为DHCPSnooping配置实例Word文档下载推荐.docx
《华为DHCPSnooping配置实例Word文档下载推荐.docx》由会员分享,可在线阅读,更多相关《华为DHCPSnooping配置实例Word文档下载推荐.docx(8页珍藏版)》请在冰豆网上搜索。
2.配置接口的信任状态,以包管客户端从合法的办事器获取IP地址。
3.使能ARP与DHCPSnooping的联动功能,包管DHCP用户在异常下线时实时更新绑定表。
4.使能根据DHCPSnooping绑定表生成接口的静态MAC表项功能,以避免非DHCP用户攻击。
5.使能对DHCP报文进行绑定表匹配检查的功能,避免仿冒DHCP报文攻击。
6.配置DHCP报文上送DHCP报文处理单位的最年夜允许速率,避免DHCP报文泛洪攻击。
7.配置允许接入的最年夜用户数以及使能检测DHCPRequest报文帧头MAC与DHCP数据区中CHADDR字段是否一致功能,避免DHCPServer办事拒绝攻击。
操纵步调
1.使能DHCPSnooping功能。
#使能全局DHCPSnooping功能并配置设备仅处理DHCPv4报文。
<
HUAWEI>
systemview
[HUAWEI]sysnameSwitchC
[SwitchC]dhcpenable
[SwitchC]dhcpsnoopingenableipv4
#使能用户侧接口的DHCPSnooping功能。
以GE0/0/1接口为例,GE0/0/2的配置相同,此处省略。
[SwitchC]interfacegigabitethernet0/0/1
[SwitchCGigabitEthernet0/0/1]dhcpsnoopingenable
[SwitchCGigabitEthernet0/0/1]quit
2.配置接口的信任状态:
将连接DHCPServer的接口状态配置为“Trusted”。
3.[SwitchC]interfacegigabitethernet0/0/3
4.[SwitchCGigabitEthernet0/0/3]dhcpsnoopingtrusted
[SwitchCGigabitEthernet0/0/3]quit
5.使能ARP与DHCPSnooping的联动功能。
[SwitchC]arpdhcpsnoopingdetectenable
6.使能根据DHCPSnooping绑定表生成接口的静态MAC表项功能。
#在用户侧接口进行配置。
[SwitchCGigabitEthernet0/0/1]dhcpsnoopingstickymac
7.使能对DHCP报文进行绑定表匹配检查的功能。
[SwitchCGigabitEthernet0/0/1]dhcpsnoopingcheckdhcprequestenable
8.配置DHCP报文上送DHCP报文处理单位的最年夜允许速率为90pps。
9.[SwitchC]dhcpsnoopingcheckdhcprateenable
[SwitchC]dhcpsnoopingcheckdhcprate90
10.使能检测DHCPRequest报文中GIADDR字段是否非零的功能。
[SwitchCGigabitEthernet0/0/1]dhcpsnoopingcheckdhcpgiaddrenable
11.配置接口允许接入的最年夜用户数并使能对CHADDR字段检查功能。
[SwitchCGigabitEthernet0/0/1]dhcpsnoopingmaxusernumber20
[SwitchCGigabitEthernet0/0/1]dhcpsnoopingcheckdhcpchaddrenable
12.配置抛弃报文告警和报文限速告警功能。
#使能抛弃报文告警功能,并配置抛弃报文告警阈值。
[SwitchCGigabitEthernet0/0/1]dhcpsnoopingalarmdhcpchaddrenable
[SwitchCGigabitEthernet0/0/1]dhcpsnoopingalarmdhcprequestenable
[SwitchCGigabitEthernet0/0/1]dhcpsnoopingalarmdhcpreplyenable
[SwitchCGigabitEthernet0/0/1]dhcpsnoopingalarmdhcpchaddrthreshold120
[SwitchCGigabitEthernet0/0/1]dhcpsnoopingalarmdhcprequestthreshold120
[SwitchCGigabitEthernet0/0/1]dhcpsnoopingalarmdhcpreplythreshold120
#使能报文限速告警功能,并配置报文限速告警阈值。
[SwitchC]dhcpsnoopingalarmdhcprateenable
[SwitchC]dhcpsnoopingalarmdhcpratethreshold500
13.验证配置结果
#执行命令displaydhcpsnoopingconfiguration检查DHCPSnooping的配置信息。
[SwitchC]displaydhcpsnoopingconfiguration
#
dhcpsnoopingenableipv4
dhcpsnoopingcheckdhcprateenable
dhcpsnoopingcheckdhcprate90
dhcpsnoopingalarmdhcprateenable
dhcpsnoopingalarmdhcpratethreshold500
arpdhcpsnoopingdetectenable
interfaceGigabitEthernet0/0/1
dhcpsnoopingenable
dhcpsnoopingcheckdhcpgiaddrenable
dhcpsnoopingcheckdhcprequestenable
dhcpsnoopingalarmdhcprequestenable
dhcpsnoopingalarmdhcprequestthreshold120
dhcpsnoopingcheckdhcpchaddrenable
dhcpsnoopingalarmdhcpchaddrenable
dhcpsnoopingalarmdhcpchaddrthreshold120
dhcpsnoopingalarmdhcpreplyenable
dhcpsnoopingalarmdhcpreplythreshold120
dhcpsnoopingmaxusernumber20
interfaceGigabitEthernet0/0/2
interfaceGigabitEthernet0/0/3
dhcpsnoopingtrusted
#执行命令displaydhcpsnoopinginterface检查接口下的DHCPSnooping运行信息。
[SwitchC]displaydhcpsnoopinginterfacegigabitethernet0/0/1
DHCPsnoopingrunninginformationforinterfaceGigabitEthernet0/0/1:
DHCPsnooping:
Enable
Trustedinterface:
No
Dhcpusermaxnumber:
20
Currentdhcpandndusernumber:
0
Checkdhcpgiaddr:
Checkdhcpchaddr:
Alarmdhcpchaddr:
Alarmdhcpchaddrthreshold:
120
Discardeddhcppacketsforcheckchaddr:
Checkdhcprequest:
Alarmdhcprequest:
Alarmdhcprequestthreshold:
Discardeddhcppacketsforcheckrequest:
Checkdhcprate:
Disable(default)
Alarmdhcprate:
Alarmdhcpratethreshold:
500
Discardeddhcppacketsforratelimit:
Alarmdhcpreply:
Alarmdhcpreplythreshold:
Discardeddhcppacketsforcheckreply:
[SwitchC]displaydhcpsnoopinginterfacegigabitethernet0/0/3
DHCPsnoopingrunninginformationforinterfaceGigabitEthernet0/0/3:
Yes
1024(default)
配置文件
#SwitchC的配置文件
sysnameSwitchC
dhcpenable
dhcpsnoopingcheckdhcprateenable
#
interfaceGigabitEthernet0/0/1
dhcpsnoopingstickymac
dhcpsnoopingmaxusernumber20
interfaceGigabitEthernet0/0/2
dhcpsnoopingalarmdhcpreplythreshold120
interfaceGigabitEthernet0/0/3
dhcpsnoopingtrusted
return
升级会员 