• DHCP Snooping


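    Requirement: clients may obtain an IP address only from the legitimate DHCP server to get online; DHCP Offer messages sent by any other DHCP server are dropped. This is a simulated lab with the following network topology:

    SW4 configuration commands [VLAN only; DHCP Snooping is not configured yet]: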

    <Huawei>system-view
    [Huawei]undo info-center enable
    [Huawei]sysname sw4
    [sw4]vlan 100
    [sw4-vlan100]quit
    [sw4]port-group group-member Ethernet 0/0/1 to Ethernet 0/0/6
    [sw4-port-group]port link-type access
    [sw4-port-group]port default vlan 100
    [sw4-port-group]quit

    Configuration commands on the legitimate DHCP server:

    <Huawei>system-view
    [Huawei]undo info-center enable
    [Huawei]sysname DHCP
    [DHCP]dhcp enable 
    [DHCP]interface GigabitEthernet 0/0/0
    [DHCP-GigabitEthernet0/0/0]ip address 1.1.1.1 24
    [DHCP-GigabitEthernet0/0/0]dhcp select interface
    [DHCP-GigabitEthernet0/0/0]dhcp server dns-list 8.8.8.8

    Configuration commands on the rogue DHCP server:

    <Huawei>system-view
    [Huawei]undo info-center enable
    [Huawei]sysname feifa
    [feifa]dhcp enable
    [feifa]interface GigabitEthernet 0/0/0
    [feifa-GigabitEthernet0/0/0]ip address 2.2.2.2 24
    [feifa-GigabitEthernet0/0/0]dhcp select interface
    [feifa-GigabitEthernet0/0/0]dhcp server dns-list 9.9.9.9

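    Now let the client obtain an IP address automatically and see which server's address it receives. The client received the IP assigned by the rogue server, which violates our requirement.

    We add a few more commands on the access-layer switch SW4 to get the behavior we want: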

    [sw4]dhcp enable        # enable the DHCP function
    [sw4]dhcp snooping enable        # enable the DHCP Snooping function
    [sw4]dhcp snooping enable vlan 100        # enable Snooping on all ports in VLAN 100
    [sw4]interface Ethernet0/0/1        # enter the interface to be trusted
    [sw4-Ethernet0/0/1]dhcp snooping trusted         # trust DHCP messages received on this interface
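
    The filtering decision this configuration produces, as a simplified Python model added here (not code from the original post or from Huawei): it parses the DHCP options of a received payload and drops server replies arriving on untrusted ports. It goes beyond the Offer case above by also covering ACK and NAK; the port assignments Ethernet0/0/2 (rogue server) and Ethernet0/0/3 (client) and all function names are assumptions, and the packets are constructed samples.

```python
import socket

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie after the 236-byte BOOTP header
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values only a server sends

def build_dhcp(msg_type, server_ip=None):
    """Constructed sample payload: BOOTP header, cookie, options 53 and 54."""
    op = 2 if msg_type in SERVER_TYPES else 1    # 2 = BOOTREPLY, 1 = BOOTREQUEST
    payload = bytes([op, 1, 6, 0]) + b"\x00" * 232 + MAGIC + bytes([53, 1, msg_type])
    if server_ip:
        payload += bytes([54, 4]) + socket.inet_aton(server_ip)
    return payload + b"\xff"                     # end option

def parse_options(payload):
    """Return {option code: value}; reject payloads that are not well-formed DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:
        if payload[i] == 0:                      # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        opts[code] = value
        i += 2 + length
    return opts

def snoop(in_port, payload, trusted_ports):
    """Decide what the switch does with a DHCP payload received on in_port."""
    opts = parse_options(payload)
    mtype = opts[53][0] if opts.get(53) else 0
    if mtype in SERVER_TYPES and in_port not in trusted_ports:
        sid = opts.get(54, b"")                  # option 54 = server identifier
        server = socket.inet_ntoa(sid) if len(sid) == 4 else "unknown"
        return "drop", f"{SERVER_TYPES[mtype]} from {server} on untrusted {in_port}"
    return "forward", ""

if __name__ == "__main__":
    trusted = {"Ethernet0/0/1"}                  # as configured on sw4 above
    for port, pkt in [("Ethernet0/0/1", build_dhcp(2, "1.1.1.1")),
                      ("Ethernet0/0/2", build_dhcp(2, "2.2.2.2")),   # assumed rogue port
                      ("Ethernet0/0/3", build_dhcp(1))]:             # assumed client port
        print(port, snoop(port, pkt, trusted))
```

    The drop reason string is the kind of record worth logging per port: repeated server replies on an access port point to a rogue or misconfigured DHCP server behind it.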
  • Original article: https://www.cnblogs.com/xiykj/p/14852705.html