Cisco DHCP Snooping + IPSG Function Implementation

What is DHCP?

DHCP (Dynamic Host Configuration Protocol) is a LAN protocol that grew out of BOOTP. It runs over UDP and uses two well-known ports: 67 (DHCP server) and 68 (DHCP client). It is normally deployed inside a local network to centrally manage and hand out IP addresses, so that clients obtain an IP address, default gateway, DNS server addresses and similar settings dynamically, which also improves address utilization. Put simply, DHCP automatically assigns addressing information to machines on the internal network without any account or password. The protocol has no authentication of its own, which is exactly why a rogue DHCP server on the same segment is a problem and why DHCP Snooping exists.

Messages in the DHCP protocol:

DHCP DISCOVER: the client broadcasts a DHCP Discover; every host in the same Layer 2 broadcast domain (VLAN) receives it, including any rogue server that happens to be there.

DHCP OFFER: the server's reply to the DISCOVER. It carries the IP address offered to the client, the client's MAC address (the chaddr field), the lease time, the server identifier and other options.

DHCP REQUEST: the client broadcasts a request for the offered address and names the server it chose; other servers withdraw their offers.

DHCP ACK: the server's confirmation of the REQUEST. Only after receiving the ACK does the client treat the assigned IP address and other parameters as usable. This is also the message from which DHCP Snooping learns a binding.

DHCP workflow: (figure not reproduced; the exchange is the four messages above, DISCOVER, OFFER, REQUEST, ACK)

DHCP message packet: (figure not reproduced)

What is DHCP Snooping?

DHCP Snooping is a Layer 2 security feature of the switch. It builds and maintains a DHCP snooping binding table and uses it to filter untrusted DHCP traffic, meaning DHCP messages that arrive on ports in the untrusted zone. Each binding records the client's MAC address, IP address, lease time, VLAN ID and the interface it was learned on. Cisco switches enable DHCP Snooping per VLAN; once enabled, the switch intercepts every DHCP packet in that Layer 2 VLAN domain, drops server messages (OFFER/ACK/NAK) that arrive on untrusted ports, and learns bindings from the ACKs that come back through trusted ports.

Knowledge point: the DHCP Snooping binding table is the foundation for IP Source Guard (IPSG) and Dynamic ARP Inspection (DAI), which are deployed on top of it.


DHCP Snooping functions:

1. Block privately set-up (rogue) DHCP servers from handing out addresses: any DHCP server reply that arrives on an untrusted port is dropped (main function).

2. Mitigate DHCP starvation, a denial-of-service attack in which a host on an untrusted port floods DHCP requests with forged client MAC addresses until the address pool of the trusted (company) DHCP server is exhausted. The default MAC verification discards requests whose Ethernet source MAC differs from the chaddr field, and the per-port DHCP rate limit err-disables a port that keeps flooding even with consistent addresses (main function).

3. Prevent users from manually configuring a fixed IP address that conflicts with addresses assigned by the trusted DHCP server. This needs the IPSG feature on top of DHCP Snooping, explained later.


DHCP Snooping divides switch ports into two categories:

1. Trusted port: a port facing the trusted DHCP server, or an inter-switch link over which legitimate server replies arrive (the uplink of an access or aggregation switch toward the core, and on the core or aggregation switch the downlink toward the access switch). Server messages are accepted here and no checks are applied.

2. Untrusted port: normally a port connecting end devices such as desktops, laptops, network printers, hubs or unmanaged switches (ports the administrator cannot control). Every port is untrusted by default; only DHCP client messages are accepted from it, and they are subject to rate limiting.
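The message types, the trust rules and the binding table described above fit together in the following Python model, an added example rather than code from the tutorial. It encodes minimal RFC 2131 messages as bytes, applies the checks a Cisco switch performs on an untrusted port (server replies dropped, source MAC must equal chaddr, no giaddr, no option 82 unless allow-untrusted, RELEASE/DECLINE must come from the port the binding was learned on, per-port rate limit with err-disable), inserts option 82 on client requests, and learns a binding from the ACK that returns over the trusted port. The option 82 sub-option layout follows what Cisco documents as its default and is an assumption here; switch and client MAC addresses, ports and lease values are constructed for the example.

```python
# Reference model of a DHCP snooping port filter. Added example, not the page's own code;
# the option 82 layout below is assumed to be the Cisco default, all addresses are constructed.
import struct
from dataclasses import dataclass, field

BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, DECLINE, ACK, RELEASE = 1, 2, 3, 4, 5, 7
OPT_LEASE, OPT_MSG_TYPE, OPT_RELAY = 51, 53, 82
MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that precedes the options

def mac2b(mac): return bytes.fromhex(mac.replace(":", "").replace(".", ""))
def ip2b(ip): return bytes(int(x) for x in ip.split("."))

def build_dhcp(op, chaddr, options, yiaddr="0.0.0.0", giaddr="0.0.0.0", xid=0x1234):
    """Encode a minimal DHCP message: 236-byte fixed header, magic cookie, TLV options, 0xFF end."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, ip2b(yiaddr), b"\0" * 4, ip2b(giaddr),
                      mac2b(chaddr).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in options) + b"\xff"

def parse_options(pkt):
    """Walk the option TLVs after the cookie; code 0 is padding, 0xFF ends the list."""
    i, opts = 240, {}
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return opts

def option82(vlan, port_index, switch_mac):
    """Relay-agent info, assumed Cisco default: circuit-id = type 0,len 4,vlan,module,port; remote-id = type 0,len 6,switch MAC."""
    circuit = struct.pack("!BBHBB", 0, 4, vlan, 0, port_index)
    remote = b"\x00\x06" + mac2b(switch_mac)
    return b"\x01" + bytes([len(circuit)]) + circuit + b"\x02" + bytes([len(remote)]) + remote

@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False
    rate_limit: "int | None" = None   # ip dhcp snooping limit rate; None = unlimited
    seen: int = 0                     # DHCP packets seen in the current one-second window
    err_disabled: bool = False

@dataclass
class SnoopingSwitch:
    switch_mac: str = "0000.0c00.0001"   # constructed
    insert_opt82: bool = True            # Cisco default: ip dhcp snooping information option
    allow_untrusted_opt82: bool = False  # ip dhcp snooping information option allow-untrusted
    bindings: dict = field(default_factory=dict)     # (mac, vlan) -> (ip, port name, lease seconds)
    client_port: dict = field(default_factory=dict)  # mac -> (port name, vlan) of the last DISCOVER/REQUEST

    def filter(self, port, src_mac, pkt):
        """Return (verdict, packet as it leaves the switch, or None if dropped)."""
        if port.err_disabled:
            return "drop: port err-disabled", None
        if not port.trusted and port.rate_limit is not None:
            port.seen += 1
            if port.seen > port.rate_limit:
                port.err_disabled = True   # errdisable recovery cause dhcp-rate-limit brings it back
                return "drop: rate limit exceeded, port err-disabled", None
        op, giaddr, chaddr = pkt[0], pkt[24:28], pkt[28:34]
        opts = parse_options(pkt)
        mtype, mac = opts.get(OPT_MSG_TYPE, b"\0")[0], chaddr.hex()
        if port.trusted:                      # trusted ports: no checks, but learn from ACKs
            if op == BOOTREPLY and mtype == ACK:
                cport, cvlan = self.client_port.get(mac, ("?", port.vlan))
                lease = struct.unpack("!I", opts.get(OPT_LEASE, b"\0\0\0\0"))[0]
                self.bindings[(mac, cvlan)] = (".".join(map(str, pkt[16:20])), cport, lease)
            return "forward", pkt
        if op == BOOTREPLY:
            return "drop: server reply on untrusted port (rogue DHCP server)", None
        if mac2b(src_mac) != chaddr:
            return "drop: source MAC != chaddr (MAC verification)", None
        if giaddr != b"\0" * 4:
            return "drop: non-zero giaddr on untrusted port", None
        if OPT_RELAY in opts and not self.allow_untrusted_opt82:
            return "drop: option 82 on untrusted port", None
        bound = self.bindings.get((mac, port.vlan))
        if mtype in (RELEASE, DECLINE) and bound and bound[1] != port.name:
            return "drop: RELEASE/DECLINE for a binding learned on another port", None
        if mtype in (DISCOVER, REQUEST):
            self.client_port[mac] = (port.name, port.vlan)
        if self.insert_opt82 and OPT_RELAY not in opts:
            o82 = option82(port.vlan, int(port.name.rsplit("/", 1)[1]), self.switch_mac)
            pkt = pkt[:-1] + bytes([OPT_RELAY, len(o82)]) + o82 + b"\xff"
        return "forward", pkt

def demo():
    """Page scenario: PC01 on untrusted gi1/0/1 (vlan 10), server replies via the trusted trunk gi1/0/24."""
    sw = SnoopingSwitch()
    access, uplink = Port("gi1/0/1", 10, rate_limit=100), Port("gi1/0/24", 10, trusted=True)
    pc, lease = "0050.56a1.0001", struct.pack("!I", 86400)   # constructed client MAC, one-day lease
    v1, out = sw.filter(access, pc, build_dhcp(BOOTREQUEST, pc, [(OPT_MSG_TYPE, bytes([DISCOVER]))]))
    rogue = build_dhcp(BOOTREPLY, pc, [(OPT_MSG_TYPE, bytes([OFFER]))], yiaddr="192.168.10.99")
    v2, _ = sw.filter(access, "0011.2233.4455", rogue)        # rogue server plugged into an access port
    ack = build_dhcp(BOOTREPLY, pc, [(OPT_MSG_TYPE, bytes([ACK])), (OPT_LEASE, lease)], yiaddr="192.168.10.50")
    v3, _ = sw.filter(uplink, "0000.5e00.5301", ack)
    return v1, OPT_RELAY in parse_options(out), v2, v3, dict(sw.bindings)
```

Running `demo()` forwards PC01's DISCOVER with option 82 appended, drops the rogue OFFER on the access port, forwards the real ACK from the trunk and leaves a binding for PC01's MAC in VLAN 10 on gi1/0/1, which is the table `show ip dhcp snooping binding` displays and that IPSG later consults.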

 

Design ideas:

1. The 3560 (Layer 3 switch) carries three VLANs (vlan 10, vlan 20, vlan 50) and has an IP address on each. Port gi0/13 connects the trusted DHCP server, is placed in vlan 50 and is configured as a trusted port; gi0/24 is a trunk.

2. The 2960 (access switch) carries the same three VLANs with access ports assigned to each; gi1/0/24 is a trunk connected to gi0/24 of the 3560.

3. For testing, a privately set-up (rogue) DHCP server can be plugged into any untrusted port of the 3560 or the 2960.

4. PC01 connects to 2960 port gi1/0/1 (vlan 10); PC02 connects to 2960 port gi1/0/8 (vlan 20).

VLAN plan:

vlan 10: gateway 192.168.10.1/24 on the 3560, access ports gi1/0/1-5 on the 2960

vlan 20: gateway 192.168.20.1/24 on the 3560, access ports gi1/0/6-10 on the 2960

vlan 50: gateway 192.168.50.1/24 on the 3560, access ports gi1/0/11-15 on the 2960

Trusted DHCP server: 192.168.50.254/24, attached to 3560 port gi0/13 (vlan 50)


Network topology diagram: (figure not reproduced; see the design and VLAN plan above)

Tip: the Cisco Packet Tracer simulator may not implement DHCP Snooping correctly. This tutorial was carried out on real Cisco switches.


3560 configuration information:

## Configure VLANs
3560(config)#vlan 10
3560(config-vlan)#name VLAN10
3560(config-vlan)#exit
3560(config)#vlan 20
3560(config-vlan)#name VLAN20
3560(config-vlan)#exit
3560(config)#vlan 50
3560(config-vlan)#name VLAN50
3560(config-vlan)#exit

## Give each VLAN an SVI address and point the DHCP relay (ip helper-address) at the trusted server
3560(config)#interface vlan 10
3560(config-if)#ip address 192.168.10.1 255.255.255.0
3560(config-if)#ip helper-address 192.168.50.254
3560(config-if)#exit
3560(config)#interface vlan 20
3560(config-if)#ip address 192.168.20.1 255.255.255.0
3560(config-if)#ip helper-address 192.168.50.254
3560(config-if)#exit
3560(config)#interface vlan 50
3560(config-if)#ip address 192.168.50.1 255.255.255.0
## The server sits in vlan 50 and hears client broadcasts directly, so this helper is not strictly needed, but it is harmless
3560(config-if)#ip helper-address 192.168.50.254
3560(config-if)#exit

## Put gi0/13 into vlan 50 as the access port for the DHCP server
3560(config)#interface gigabitEthernet 0/13
3560(config-if)#switchport mode access
3560(config-if)#switchport access vlan 50
3560(config-if)#no shutdown
3560(config-if)#exit

## Set gi0/24 as a trunk toward the downstream 2960
3560(config)#interface gigabitEthernet 0/24
3560(config-if)#switchport trunk encapsulation dot1q
3560(config-if)#switchport mode trunk
3560(config-if)#no shutdown
3560(config-if)#exit

## Enable Layer 3 routing between the VLANs
3560(config)#ip routing

## Enable DHCP Snooping globally (nothing is inspected until it is also enabled per VLAN)
3560(config)#ip dhcp snooping
## Select the VLANs DHCP Snooping acts on
3560(config)#ip dhcp snooping vlan 10,20,50
## Accept DHCP packets that already carry option 82 (relay agent information) on untrusted ports; by default they are dropped. Needed when a downstream switch that inserts option 82 is attached through an untrusted port
3560(config)#ip dhcp snooping information option allow-untrusted
## Persist the DHCP snooping binding table in flash as dhcp_snooping.db so bindings survive a reload; without it every client has to re-DHCP after a reboot before IPSG lets it talk
3560(config)#ip dhcp snooping database flash:dhcp_snooping.db
## Wait 30 seconds after a binding-table change before writing the file (default 300 seconds)
3560(config)#ip dhcp snooping database write-delay 30
## Give up on a failed write after 60 seconds (default 300 seconds)
3560(config)#ip dhcp snooping database timeout 60
## Let ports that were err-disabled by the DHCP rate limit recover automatically
3560(config)#errdisable recovery cause dhcp-rate-limit
## Recovery interval: an err-disabled port is re-enabled after 30 seconds (this timer is global for all recovery causes)
3560(config)#errdisable recovery interval 30

## Make gi0/13 (DHCP server) and gi0/24 (trunk to the 2960) trusted ports; all other ports stay untrusted by default
3560(config)#interface gigabitEthernet 0/13
3560(config-if)#ip dhcp snooping trust
3560(config-if)#exit
3560(config)#interface gigabitEthernet 0/24
3560(config-if)#ip dhcp snooping trust
3560(config-if)#exit

## Display and maintenance
# View the switch configuration
3560#show running-config
# View DHCP Snooping status: enabled VLANs, option 82 setting, and per-port trust state and rate limit
3560#show ip dhcp snooping
# View the DHCP snooping binding table (MAC, IP, lease, type, VLAN, interface)
3560#show ip dhcp snooping binding


2960 configuration information:

## Create the VLANs (the old "vlan database" mode is deprecated; VLAN configuration mode is the current equivalent)
2960#configure terminal
2960(config)#vlan 10
2960(config-vlan)#name VLAN10
2960(config-vlan)#exit
2960(config)#vlan 20
2960(config-vlan)#name VLAN20
2960(config-vlan)#exit
2960(config)#vlan 50
2960(config-vlan)#name VLAN50
2960(config-vlan)#exit

## Assign the access ports to their VLANs ("exit" returns to global configuration mode, so "configure terminal" is not repeated)
2960(config)#interface range gigabitEthernet 1/0/1-5
2960(config-if-range)#switchport mode access
2960(config-if-range)#switchport access vlan 10
2960(config-if-range)#no shutdown
2960(config-if-range)#exit
2960(config)#interface range gigabitEthernet 1/0/6-10
2960(config-if-range)#switchport mode access
2960(config-if-range)#switchport access vlan 20
2960(config-if-range)#no shutdown
2960(config-if-range)#exit
2960(config)#interface range gigabitEthernet 1/0/11-15
2960(config-if-range)#switchport mode access
2960(config-if-range)#switchport access vlan 50
2960(config-if-range)#no shutdown
2960(config-if-range)#exit

## Enable DHCP Snooping with the same settings as on the 3560 (allow-untrusted is not needed on an edge switch whose untrusted ports face only end hosts; it is kept here for symmetry)
2960(config)#ip dhcp snooping
2960(config)#ip dhcp snooping vlan 10,20,50
2960(config)#ip dhcp snooping information option allow-untrusted
2960(config)#ip dhcp snooping database flash:dhcp_snooping.db
2960(config)#ip dhcp snooping database write-delay 30
2960(config)#ip dhcp snooping database timeout 60
2960(config)#errdisable recovery cause dhcp-rate-limit
2960(config)#errdisable recovery interval 30

## Make gi1/0/24 a trunk toward the 3560 and a trusted port (server replies arrive over it); every other port stays untrusted by default
2960(config)#interface gigabitEthernet 1/0/24
2960(config-if)#switchport mode trunk
2960(config-if)#ip dhcp snooping trust
2960(config-if)#exit

## Limit the untrusted access ports to 100 DHCP packets per second. No limit applies until one is configured; Cisco recommends at most 100 pps on untrusted ports. A port that exceeds the limit is err-disabled and recovers via the timer configured above
2960(config)#interface range gigabitEthernet 1/0/1-15
2960(config-if-range)#ip dhcp snooping limit rate 100
## Enable PortFast so these edge ports go straight to forwarding instead of waiting through the STP listening and learning states
2960(config-if-range)#spanning-tree portfast
2960(config-if-range)#exit

## Caveat: with snooping enabled the 2960 inserts option 82 into client requests by default. If clients stop getting leases after this step, the relay on the 3560 or the DHCP server is discarding requests that carry option 82 with giaddr 0.0.0.0; either disable insertion on the 2960 (no ip dhcp snooping information option) or make the 3560 relay accept them (ip dhcp relay information trust-all)

## Display and maintenance
2960#show running-config
2960#show ip dhcp snooping
2960#show ip dhcp snooping binding

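A practitioner who has just typed the two configurations above wants a check that the trust and rate-limit rules were applied consistently. The following Python audit is an added example, not part of the tutorial: it parses a `show running-config` excerpt into interface stanzas and flags the mistakes that matter for DHCP Snooping and IPSG (an untrusted trunk, a trusted access port, an untrusted port without a rate limit, an access VLAN not covered by `ip dhcp snooping vlan`, IPSG on a trusted port, and the port-security keyword without port security). The sample config is constructed and contains deliberate mistakes; the 100 pps threshold and the rule set are the ones used on this page.

```python
# Audit a Catalyst running-config for the DHCP Snooping / IPSG rules used on this page.
# Added example, not part of the original tutorial; SAMPLE_CONFIG is constructed with deliberate mistakes.
import re

SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 ip dhcp snooping limit rate 100
 ip verify source
!
interface GigabitEthernet1/0/8
 switchport access vlan 20
 switchport mode access
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/11
 switchport access vlan 50
 switchport mode access
 ip verify source port-security
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

def expand_vlans(spec):
    """'10,20,30-32' -> {10, 20, 30, 31, 32} (the list syntax of 'ip dhcp snooping vlan')."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_config(text):
    """Split IOS config text into global lines and {interface name: [indented lines]}."""
    globals_, ifaces, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            cur = None
            continue
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif cur and line.startswith(" "):
            ifaces[cur].append(line.strip())
        else:
            globals_.append(line.strip())
            cur = None
    return globals_, ifaces

def audit(text, max_rate=100):
    """Return a list of (interface name or 'global', finding) tuples."""
    globals_, ifaces = parse_config(text)
    findings = []
    if "ip dhcp snooping" not in globals_:
        findings.append(("global", "DHCP snooping is not enabled globally"))
    snoop_vlans = set()
    for g in globals_:
        m = re.match(r"ip dhcp snooping vlan (\S+)", g)
        if m:
            snoop_vlans |= expand_vlans(m.group(1))
    for name, lines in ifaces.items():
        trusted = "ip dhcp snooping trust" in lines
        trunk = "switchport mode trunk" in lines
        rate = next((int(l.split()[-1]) for l in lines if l.startswith("ip dhcp snooping limit rate")), None)
        vlan = next((int(l.split()[-1]) for l in lines if l.startswith("switchport access vlan")), None)
        ipsg = next((l for l in lines if l.startswith("ip verify source")), None)
        if vlan is not None and vlan not in snoop_vlans:
            findings.append((name, f"access vlan {vlan} is not covered by 'ip dhcp snooping vlan'"))
        if trunk and not trusted:
            findings.append((name, "trunk/uplink is untrusted: server replies from upstream will be dropped"))
        if not trunk and trusted:
            findings.append((name, "access port is trusted: a rogue DHCP server here would be accepted"))
        if not trunk and not trusted and rate is None:
            findings.append((name, "untrusted port has no DHCP rate limit (starvation/DoS)"))
        if rate is not None and rate > max_rate:
            findings.append((name, f"rate limit {rate} pps exceeds the recommended {max_rate} pps"))
        if ipsg and trusted:
            findings.append((name, "IPSG on a trusted port will drop all traffic that has no binding"))
        if ipsg and ipsg.endswith("port-security") and "switchport port-security" not in lines:
            findings.append((name, "'ip verify source port-security' needs 'switchport port-security'"))
    return findings

if __name__ == "__main__":
    for where, msg in audit(SAMPLE_CONFIG):
        print(f"{where}: {msg}")
```

On the sample, gi1/0/1 is clean, gi1/0/8 is flagged as a trusted access port, gi1/0/11 collects three findings (VLAN 50 not snooped, no rate limit, port-security keyword without port security) and gi1/0/24 is flagged as an untrusted trunk. Paste the real `show running-config` output of either switch in place of the sample to check a live box.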

What is IPSG?

IP Source Guard (IPSG) is a per-port traffic filter keyed on IP address (and optionally MAC address) that prevents IP address spoofing inside a LAN. On an untrusted port it only forwards IP packets whose source address (and, with MAC filtering, source MAC) matches an entry in the DHCP snooping binding table or a static binding; everything else apart from DHCP client traffic is dropped. This ensures that the IP address of an end device in a Layer 2 network cannot be hijacked by another host, and that an unauthorized device cannot get onto the network, or attack it and bring it down, simply by configuring an address of its own choosing.

IPSG role:

1. Prevent users from manually configuring a fixed IP address that conflicts with an address assigned by the trusted (company) DHCP server. (Requires DHCP Snooping, whose binding table supplies the dynamic entries.)

2. Static bindings of IP + MAC + VLAN + port for hosts that must keep a fixed address; combined with DHCP Snooping, dynamic bindings are created automatically for DHCP clients.

 

Note: for IPSG, keep the DHCP Snooping configuration above unchanged and add only the following:

The 2960 switch adds the following configuration:

## Enable IPSG only on the untrusted access ports; never on the trusted trunk gi1/0/24, where no bindings exist and all traffic would be dropped
2960(config)#interface range gigabitEthernet 1/0/1-15
## The port-security keyword filters on source IP and source MAC and requires port security on the port; plain "ip verify source" filters on IP only
2960(config-if-range)#switchport port-security
2960(config-if-range)#ip verify source port-security
2960(config-if-range)#exit

# A static binding (MAC in IOS dotted format, VLAN, IP, port) covers hosts that keep a fixed, manually configured address and therefore never appear in the snooping table, such as printers or servers. A host covered by a static binding is expected to use that address; if it also runs DHCP, the server should hold a reservation for the same MAC and IP so the lease it receives matches the binding
2960(config)#ip source binding d8cb.8a93.24e5 vlan 20 192.168.20.120 interface gigabitEthernet 1/0/10

## Display and maintenance
# Static and dynamic bindings IPSG uses
2960#show ip source binding
# Per-port IPSG mode (ip or ip-mac), filter state and the addresses currently permitted
2960#show ip verify source
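The following Python model shows what `ip verify source` does with the bindings once it is on, as an added example that is not part of the tutorial. It parses IOS `ip source binding` lines into static entries, merges them with a constructed DHCP snooping table entry for PC01, and decides per packet whether IPSG forwards or drops it, in both IP-only mode and the IP+MAC (port-security) mode configured above. Port names, MAC addresses and IP addresses other than the page's static binding are constructed.

```python
# Model of an IP Source Guard port filter fed by DHCP snooping and static bindings.
# Added example, not the page's own code; the snooping-table entry and client addresses are constructed.
import re
from dataclasses import dataclass
from typing import Optional

STATIC_RE = re.compile(r"ip source binding (\S+) vlan (\d+) (\S+) interface (.+)$")

def norm_mac(mac):
    """d8cb.8a93.24e5, D8:CB:8A:93:24:E5 or d8-cb-8a-93-24-e5 -> 'd8cb8a9324e5'."""
    return re.sub(r"[.:-]", "", mac).lower()

def norm_if(name):
    """'gigabitEthernet 1/0/10', 'GigabitEthernet1/0/10' or 'gi1/0/10' -> 'gi1/0/10'."""
    return re.sub(r"^gigabitethernet", "gi", name.replace(" ", "").lower())

def parse_static_bindings(config_lines):
    """Parse IOS 'ip source binding MAC vlan N IP interface IF' lines into (mac, vlan, ip, port) tuples."""
    out = []
    for line in config_lines:
        m = STATIC_RE.match(line.strip())
        if m:
            out.append((norm_mac(m.group(1)), int(m.group(2)), m.group(3), norm_if(m.group(4))))
    return out

@dataclass
class IPSGPort:
    name: str
    vlan: int
    mode: Optional[str] = None   # None = IPSG off; "ip" = ip verify source; "ip-mac" = ip verify source port-security

class IPSourceGuard:
    def __init__(self, dynamic, static):
        """dynamic: snooping table {(mac, vlan): (ip, port, lease)}; static: parse_static_bindings() output."""
        self.allowed = {}   # (port, vlan) -> {(ip, mac)}
        for (mac, vlan), (ip, port, _lease) in dynamic.items():
            self.allowed.setdefault((norm_if(port), vlan), set()).add((ip, norm_mac(mac)))
        for mac, vlan, ip, port in static:
            self.allowed.setdefault((port, vlan), set()).add((ip, mac))

    def check(self, port, src_mac, src_ip, udp_ports=None):
        """Verdict for an IP packet entering through port; udp_ports=(src, dst) when the packet is UDP."""
        if port.mode is None:
            return "forward: IPSG not enabled on this port"
        if udp_ports == (68, 67):
            return "forward: DHCP client traffic is always allowed so a binding can be learned"
        entries = self.allowed.get((norm_if(port.name), port.vlan), set())
        for ip, mac in entries:
            if ip == src_ip and (port.mode == "ip" or mac == norm_mac(src_mac)):
                return "forward: matches a binding"
        if any(ip == src_ip for ip, _ in entries):
            return "drop: IP is bound to a different MAC on this port (MAC spoofing)"
        return "drop: no binding for this IP on this port (manually configured or spoofed address)"

def demo():
    """Page scenario: PC01 leased 192.168.10.50 on gi1/0/1; a printer is statically bound on gi1/0/10 (vlan 20)."""
    dynamic = {("0050.56a1.0001", 10): ("192.168.10.50", "gi1/0/1", 86400)}   # constructed snooping entry
    static = parse_static_bindings(
        ["ip source binding d8cb.8a93.24e5 vlan 20 192.168.20.120 interface gigabitEthernet 1/0/10"])
    g = IPSourceGuard(dynamic, static)
    p1, p2 = IPSGPort("gi1/0/1", 10, "ip-mac"), IPSGPort("gi1/0/2", 10, "ip-mac")
    p10, p1_ip_only = IPSGPort("gi1/0/10", 20, "ip-mac"), IPSGPort("gi1/0/1", 10, "ip")
    return {
        "pc01": g.check(p1, "0050.56a1.0001", "192.168.10.50"),
        "pc01_dhcp": g.check(p1, "0050.56a1.0001", "0.0.0.0", udp_ports=(68, 67)),
        "manual_ip": g.check(p2, "0050.56a1.0002", "192.168.10.200"),      # user typed a static address
        "mac_spoof": g.check(p1, "0050.56a1.0002", "192.168.10.50"),       # another MAC claims PC01's IP
        "mac_spoof_ip_only": g.check(p1_ip_only, "0050.56a1.0002", "192.168.10.50"),
        "printer": g.check(p10, "D8:CB:8A:93:24:E5", "192.168.20.120"),
    }
```

The `mac_spoof` and `mac_spoof_ip_only` entries show why the page chooses the port-security variant: with IP-only filtering a second host on the same port can borrow PC01's address, while IP+MAC filtering drops it.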

 
