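I. Configuring DHCP Snooping attack prevention (routers)
1. Start the devices
2. Set the PCs to obtain their IP address via DHCP
3. Configure DHCP
[AR1]dhcp enable //enable the DHCP service
[AR1]ip pool aaa //create the address pool
[AR1-ip-pool-aaa]network 192.168.10.0 mask 24 //set the address range
[AR1-ip-pool-aaa]gateway-list 192.168.10.1 //set the gateway address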
[AR1-ip-pool-aaa]q
[AR1]int g0/0/0
[AR1-GigabitEthernet0/0/0]dhcp select global //enable global address pool mode
[AR1-GigabitEthernet0/0/0]ip add 192.168.10.1 24
[AR2]dhcp enable //enable the DHCP service
[AR2]ip pool bbb //create the address pool
[AR2-ip-pool-bbb]network 192.168.20.0 mask 24 //set the address range
[AR2-ip-pool-bbb]gateway-list 192.168.20.1 //set the gateway address
[AR2-ip-pool-bbb]q
[AR2]int g0/0/0
[AR2-GigabitEthernet0/0/0]dhcp select global //enable global address pool mode
[AR2-GigabitEthernet0/0/0]ip add 192.168.20.1 24
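4. Check the PCs' IP addresses
PC1 and PC2 may receive their IP from either AR1 or AR2, so address assignment becomes inconsistent.
5. Configure DHCP Snooping (enable it globally and on the interfaces)
[SW1]dhcp enable //enable DHCP
[SW1]dhcp snooping enable //enable DHCP Snooping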
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]dhcp snooping enable
[SW1-GigabitEthernet0/0/1]int g0/0/2
[SW1-GigabitEthernet0/0/2]dhcp snooping enable
[SW1-GigabitEthernet0/0/2]int g0/0/3
[SW1-GigabitEthernet0/0/3]dhcp snooping enable
Configure the interface trust state
[SW1-GigabitEthernet0/0/3]int g0/0/4
[SW1-GigabitEthernet0/0/4]dhcp snooping trusted
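Verification:
PC1 and PC2 request an IP via DHCP again; the addresses they obtain are all assigned by AR2.
II. Configuring DHCP Snooping attack prevention (CentOS)
1. Start the devices
2. Set the PCs to obtain their IP address via DHCP
3. Configure the DHCP servers
Start two CentOS machines
Install the DHCP service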
yum -y install dhcp
Cloud1:
Select network adapter 8
Set the IP to 192.168.10.1
systemctl restart network
Edit the configuration file
vim /etc/dhcp/dhcpd.conf
:r /usr/share/doc/dhcp*/dhcpd.conf.example
Change the following content
systemctl start dhcpd
Cloud2:
Select network adapter 1
Set the IP to 192.168.20.1
systemctl restart network
Edit the configuration file
vim /etc/dhcp/dhcpd.conf
:r /usr/share/doc/dhcp*/dhcpd.conf.example
Change the following content
systemctl start dhcpd
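4. Check the PCs' IP addresses
PC1 and PC2 may receive their IP from either Cloud1 or Cloud2, so address assignment becomes inconsistent.
5. Configure DHCP Snooping (enable it globally and on the interfaces)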
[SW1]dhcp enable
[SW1]dhcp snooping enable
[SW1]int g0/0/1
[SW1-GigabitEthernet0/0/1]dhcp snooping enable
[SW1-GigabitEthernet0/0/1]int g0/0/2
[SW1-GigabitEthernet0/0/2]dhcp snooping enable
[SW1-GigabitEthernet0/0/2]int g0/0/3
[SW1-GigabitEthernet0/0/3]dhcp snooping enable
Configure the interface trust state
[SW1-GigabitEthernet0/0/3]int g0/0/4
[SW1-GigabitEthernet0/0/4]dhcp snooping trusted
Verification:
PC1 and PC2 request an IP via DHCP again; the addresses they obtain are all assigned by Cloud2.
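
The trust check that step 5 configures in both sections, as an added Python example (not part of the original notes and not Huawei's code): a simplified model in which SW1 discards DHCP server replies that arrive on untrusted ports and records a binding once a server on the trusted port acknowledges a lease. The cabling (PC1 on g0/0/1, AR1 on g0/0/3, AR2 on g0/0/4), the MAC address and the leased addresses are assumptions.

```python
# Added example (not from the original page): simplified model of the
# DHCP snooping trust check that step 5 configures on SW1.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a DHCP server sends these
TRUSTED = {"g0/0/4"}                    # port set with: dhcp snooping trusted


def run_snooping(messages):
    """Process (ingress_port, kind, client_mac, ip) tuples in order.

    Returns (decisions, bindings): decisions is a list of
    (ingress_port, kind, action); bindings maps a client MAC to
    (leased IP, client port), like a snooping binding table.
    """
    decisions, bindings, client_port = [], {}, {}
    for port, kind, mac, ip in messages:
        if kind in SERVER_MSGS:
            if port not in TRUSTED:
                # Server reply on an untrusted port: treated as rogue, discarded.
                decisions.append((port, kind, "drop"))
                continue
            decisions.append((port, kind, "forward"))
            if kind == "ACK" and mac in client_port:
                bindings[mac] = (ip, client_port[mac])
        else:
            # Client message: remember the client's port and relay the
            # message toward trusted ports only.
            client_port[mac] = port
            decisions.append((port, kind, "to-trusted"))
    return decisions, bindings


# Constructed sample traffic. Assumed cabling (the page does not state it):
# PC1 on g0/0/1, AR1 on g0/0/3, AR2 on g0/0/4. MAC and leased IPs are made up.
PC1 = "54-89-98-00-00-01"
SAMPLE = [
    ("g0/0/1", "DISCOVER", PC1, ""),
    ("g0/0/3", "OFFER", PC1, "192.168.10.254"),   # from AR1, untrusted port
    ("g0/0/4", "OFFER", PC1, "192.168.20.254"),   # from AR2, trusted port
    ("g0/0/1", "REQUEST", PC1, ""),
    ("g0/0/4", "ACK", PC1, "192.168.20.254"),     # from AR2, trusted port
]

if __name__ == "__main__":
    decisions, bindings = run_snooping(SAMPLE)
    for decision in decisions:
        print(*decision)
    print(bindings)
```

Only the 192.168.20.0/24 lease reaches PC1, which matches the verification step: every address comes from the server behind g0/0/4.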