Filtering rogue DHCP servers
Method one: use DHCP snooping. Once DHCP snooping is enabled globally, every port is untrusted by default, so DHCP server replies (Offer/ACK/NAK) arriving on any port are dropped. If the DHCP server runs on the core switch itself, enabling it globally is already enough to reject every rogue server on the access ports:
[H3C] dhcp snooping enable
1. If the legitimate DHCP server hangs off core port GE 1/0/1, configure that interface as trusted so its replies are let through:
[H3C] interface GigabitEthernet 1/0/1
[H3C-GigabitEthernet1/0/1] dhcp snooping trust
[H3C-GigabitEthernet1/0/1] quit
2. Access-layer switches obtain addresses through the core, so on each access switch the uplink towards the core (GE 1/0/1 here) must also be a trusted DHCP snooping interface; otherwise the access switch itself drops the server's replies:
[SW] dhcp snooping enable
[SW] interface GigabitEthernet 1/0/1
[SW-GigabitEthernet1/0/1] dhcp snooping trust
[SW-GigabitEthernet1/0/1] quit
3. The trusted port can also be specified per VLAN, which limits the trust relationship to that VLAN only:
[SW] vlan 1
[SW-vlan1] dhcp snooping trust interface GigabitEthernet 1/0/1
Method two: filter with an ACL on the access ports. This is more work than DHCP snooping and should be used only when snooping is not available.
First capture some traffic to see what actually needs to be filtered.
The capture shows that DHCP server messages (Offer/ACK/NAK) are sent from UDP source port 67, so denying UDP packets with source port 67 on the client-facing ports is enough to block a rogue server; client Discover/Request messages use source port 68 and are unaffected.
1. Configuration on the core switch:
[H3C] acl advanced 3000
[H3C-acl-ipv4-adv-3000] rule 5 deny udp source-port eq 67
[H3C-acl-ipv4-adv-3000] quit
[H3C] interface range GigabitEthernet 1/0/2 to GigabitEthernet 1/0/24    # GE 1/0/1 is the trusted uplink to the real server and is left unfiltered
[H3C-if-range] packet-filter 3000 inbound    # a rogue server's Offer/ACK enters the switch on the access port, so the filter goes inbound
[H3C-if-range] quit
2. On the access-layer switches the configuration is the same, again leaving the uplink unfiltered:
[SW] acl advanced 3000
[SW-acl-ipv4-adv-3000] rule 5 deny udp source-port eq 67
[SW-acl-ipv4-adv-3000] quit
[SW] interface range GigabitEthernet 1/0/2 to GigabitEthernet 1/0/24    # GE 1/0/1 is the trusted uplink and is left unfiltered
[SW-if-range] packet-filter 3000 inbound    # drop server replies entering on access ports
[SW-if-range] quit
Caveat: a DHCP relay agent also sends from UDP port 67, so if a relay sits behind one of the filtered access ports, rule 5 drops its forwarded requests as well. DHCP snooping (method one) is the preferred fix; the ACL is a fallback for switches without snooping support.
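To make the "what does each method actually drop" question concrete, here is a small model of the two filters, written for this page as an added example (it is not code from the original post or from H3C). It builds standard RFC 2131 DHCP messages, applies the ACL rule (drop UDP source port 67 on GE1/0/2 to 1/0/24) and a simplified trusted/untrusted snooping check (drop any BOOTREPLY on an untrusted port), and shows the relay-agent case where the two diverge. The interface names and the "GE1/0/1 is the trusted uplink" policy mirror the configuration above; the snooping logic is a simplification, not the vendor's exact implementation.

```python
"""Model of the two rogue-DHCP filters from the post (added example, not vendor code)."""
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
MAGIC_COOKIE = b"\x63\x82\x53\x63"                # RFC 2131 options start marker
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

# Assumed topology, mirroring the post: GE1/0/1 is the trusted uplink,
# GE1/0/2..24 are client-facing ports carrying "packet-filter 3000 inbound".
TRUSTED_IF = "GigabitEthernet1/0/1"
FILTERED_IFS = {f"GigabitEthernet1/0/{n}" for n in range(2, 25)}


def build_dhcp(msg_type, op, chaddr, giaddr="0.0.0.0"):
    """Construct a minimal DHCP payload: 236-byte BOOTP header + cookie + option 53 + end."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      op, 1, 6, 0,                      # op, htype=Ethernet, hlen, hops
                      0x12345678, 0, 0,                 # xid, secs, flags
                      b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr
                      bytes(int(x) for x in giaddr.split(".")),   # giaddr (relay address)
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload):
    """Return (op, giaddr, msg_type) from a DHCP payload; msg_type is None if option 53 is absent."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op = payload[0]
    giaddr = ".".join(str(b) for b in payload[24:28])
    msg_type, i = None, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                 # end option
            break
        if code == 0:                   # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        if code == 53 and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    return op, giaddr, msg_type


def acl_3000_permits(ingress_if, src_port):
    """Method two: 'rule 5 deny udp source-port eq 67' applied inbound on the filtered ports."""
    return not (ingress_if in FILTERED_IFS and src_port == DHCP_SERVER_PORT)


def snooping_permits(ingress_if, payload):
    """Method one (simplified): an untrusted port drops every BOOTREPLY (Offer/ACK/NAK)."""
    op, _, _ = parse_dhcp(payload)
    return ingress_if == TRUSTED_IF or op != BOOTREPLY


def evaluate(ingress_if, src_port, payload):
    """Run both filters over one UDP datagram and report the decisions."""
    op, giaddr, msg_type = parse_dhcp(payload)
    return {
        "msg": MSG_TYPES.get(msg_type, "?"),
        "acl": acl_3000_permits(ingress_if, src_port),
        "snooping": snooping_permits(ingress_if, payload),
        "relayed": op == BOOTREQUEST and giaddr != "0.0.0.0",
    }


# Constructed sample traffic (not a real capture).
CLIENT_MAC = bytes.fromhex("0011223344aa")
SAMPLES = [
    ("client Discover on access port", "GigabitEthernet1/0/3", DHCP_CLIENT_PORT,
     build_dhcp(1, BOOTREQUEST, CLIENT_MAC)),
    ("rogue Offer on access port", "GigabitEthernet1/0/5", DHCP_SERVER_PORT,
     build_dhcp(2, BOOTREPLY, CLIENT_MAC)),
    ("legitimate Offer on trusted uplink", TRUSTED_IF, DHCP_SERVER_PORT,
     build_dhcp(2, BOOTREPLY, CLIENT_MAC)),
    ("relay-forwarded Discover on access port", "GigabitEthernet1/0/7", DHCP_SERVER_PORT,
     build_dhcp(1, BOOTREQUEST, CLIENT_MAC, giaddr="10.1.7.1")),
]

if __name__ == "__main__":
    for label, ifname, sport, pkt in SAMPLES:
        print(f"{label:42s} {ifname:22s} sport={sport:<3} {evaluate(ifname, sport, pkt)}")
```

The fourth sample is the caveat from the text in executable form: a downstream relay agent forwards a client's Discover from source port 67 with giaddr set, so the port-based ACL drops it, while the snooping check passes it because it is a BOOTREQUEST, not a server reply.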