"Configuring DHCP Snooping Experiments: Protecting DHCP Services in the Network and Preventing Spoofing Attacks"

【Purpose】

  1. Deploy a DHCP server.
  2. Become familiar with how DHCP snooping is configured.
  3. Verify the topology.

【Experimental Topology】

The experimental topology is shown in the figure.

The device parameters are shown in the table below.

| Equipment | Interface | IP address   | Subnet mask   | Default gateway |
|-----------|-----------|--------------|---------------|-----------------|
| R1        | F0/0      | 192.168.10.1 | 255.255.255.0 | N/A             |
| R2        | F0/0      | 192.168.20.1 | 255.255.255.0 | N/A             |

【Experimental content】

  1. Basic configuration
  1. Basic configuration of R1

```
Router>enable
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface f0/0
R1(config-if)#ip address 192.168.10.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#
R1(config)#ip dhcp pool dhcp1
R1(dhcp-config)#network 192.168.10.0 255.255.255.0
R1(dhcp-config)#default-router 192.168.10.1
R1(dhcp-config)#dns-server 8.8.8.8
R1(dhcp-config)#domain-name cisco.com
R1(dhcp-config)#
```

  1. Basic configuration of R2

```
Router>enable
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface f0/0
R2(config-if)#ip address 192.168.20.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#
R2(config)#ip dhcp pool dhcp2
R2(dhcp-config)#network 192.168.20.0 255.255.255.0
R2(dhcp-config)#default-router 192.168.20.1
R2(dhcp-config)#dns-server 8.8.8.8
```

  1. PC1 tests the DHCP servers
  1. R1 serves as the DHCP server

PC1 obtains an IP address from R1's pool. (Before snooping is enabled, nothing on the switch restricts which server may answer.)

  1. R2 serves as the DHCP server

PC1 obtains an IP address from R2's pool.

  1. Configuring DHCP Snooping

Enable DHCP snooping on the access-layer switch S1:

```
Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S1
S1(config)#ip dhcp snooping
//Enable the DHCP snooping function globally on S1
S1(config)#ip dhcp snooping vlan 1
//Snoop DHCP traffic in VLAN 1
S1(config)#no ip dhcp snooping information option
//Stop S1 from inserting option 82 (the DHCP relay agent information option) into DHCP messages;
//a Cisco IOS DHCP server discards a request that carries option 82 with a zero giaddr, so it is disabled here
S1(config)#interface f0/1
S1(config-if)#switchport mode access
S1(config-if)#ip dhcp snooping trust
//Set Fa0/1 as a trusted port, so R1 behind it is treated as the legitimate DHCP server;
//server messages (OFFER/ACK) arriving on any other port are dropped
```

  1. PC1 obtains an IP address again

PC1 requests an address again and receives 192.168.10.4 from R1's pool; with snooping enabled, only the offer arriving on the trusted port F0/1 reaches PC1.

  1. Check the DHCP snooping state on S1
  1. View DHCP snooping information

```
S1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
//VLANs on which DHCP snooping is active
Insertion of option 82 is disabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                  Trusted     Rate limit (pps)
-----------------------    -------     ----------------
FastEthernet0/1            yes         unlimited
//F0/1 is a trusted interface, and DHCP messages on it are not rate-limited
FastEthernet0/2            no          unlimited
FastEthernet0/3            no          unlimited
S1#
```

  1. View DHCP snooping binding information

```
S1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  -----------------
00:30:F2:85:D4:ED   192.168.10.4     86400       dhcp-snooping  1     FastEthernet0/3
Total number of bindings: 1
S1#
```

The meanings of the fields in the above output are as follows:

MacAddress: MAC address of the DHCP client.
IpAddress: IP address assigned to the DHCP client.
Lease(sec): lease time of the IP address, in seconds.
Type: record type; dhcp-snooping means the entry was learned dynamically by snooping DHCP traffic.
VLAN: VLAN number of the client.
Interface: the switch port the client is attached to.
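As an added example that is not part of the original lab, the following Python model reproduces the rules the snooping configuration above applies and the binding entry shown in the `show ip dhcp snooping binding` output: server messages are dropped on untrusted ports, client messages on untrusted ports are checked for a chaddr/source-MAC mismatch ("Verification of hwaddr field is enabled"), and a binding is recorded once the ACK for the client arrives on the trusted port. The attachment of R2 to F0/2 and the server MAC addresses are assumptions for the example.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}                  # only a DHCP server sends these
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


@dataclass
class DhcpFrame:
    msg_type: str
    ingress_port: str        # switch port the frame arrived on
    vlan: int
    src_mac: str             # Ethernet source address
    chaddr: str              # client hardware address in the DHCP payload
    yiaddr: str = "0.0.0.0"  # address the server offers/acknowledges
    lease: int = 0           # lease time in seconds


@dataclass
class SnoopingSwitch:
    trusted_ports: set
    snooped_vlans: set
    verify_hwaddr: bool = True                     # "Verification of hwaddr field is enabled"
    bindings: dict = field(default_factory=dict)   # (mac, vlan) -> binding record
    pending: dict = field(default_factory=dict)    # (mac, vlan) -> port the client sits on

    def process(self, f: DhcpFrame) -> str:
        """Return 'forward' or 'drop' for one DHCP frame and update the binding table."""
        if f.vlan not in self.snooped_vlans:
            return "forward"                       # VLAN not listed in 'ip dhcp snooping vlan'
        trusted = f.ingress_port in self.trusted_ports
        key = (f.chaddr.lower(), f.vlan)
        if f.msg_type in SERVER_MSGS and not trusted:
            return "drop"                          # rogue server answer on an untrusted port
        if f.msg_type in CLIENT_MSGS and not trusted:
            if self.verify_hwaddr and f.src_mac.lower() != f.chaddr.lower():
                return "drop"                      # source MAC and chaddr disagree
            if f.msg_type == "RELEASE":
                if self.bindings.get(key, {}).get("interface") != f.ingress_port:
                    return "drop"                  # a release must come from the bound port
                self.bindings.pop(key, None)
            else:
                self.pending[key] = f.ingress_port
        if f.msg_type == "ACK" and key in self.pending:
            self.bindings[key] = {"ip": f.yiaddr, "lease": f.lease, "type": "dhcp-snooping",
                                  "vlan": f.vlan, "interface": self.pending.pop(key)}
        return "forward"
```

Run the DISCOVER/OFFER/REQUEST/ACK exchange for PC1 through `process()` with R1 on F0/1 trusted and R2 on F0/2 untrusted: R2's OFFER is dropped, R1's ACK creates the binding 00:30:F2:85:D4:ED / 192.168.10.4 / 86400 / VLAN 1 / FastEthernet0/3 from the page.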

【Experimental Knowledge Points】

This experiment involves the following knowledge:

  1. DHCP (Dynamic Host Configuration Protocol): understand the concept, function and operation of a DHCP server and how to configure one, including the IP address range, default gateway, DNS server, lease time and other parameters.

  1. DHCP Snooping: understand the concept and function of DHCP Snooping, a switch security mechanism that detects and blocks rogue DHCP servers and spoofed DHCP messages. Understand its configuration method and related commands, including enabling DHCP Snooping, specifying the VLANs to monitor, setting trusted ports, and disabling the insertion of option 82.

  1. Network topology and device configuration: understand the experimental topology diagram, including how the three devices R1, R2 and S1 are connected and how their interfaces are configured. Learn how to configure a device's hostname, interface IP address, subnet mask and default gateway.

  1. VLAN (Virtual Local Area Network): understand the concept and function of VLANs. In this experiment, DHCP Snooping must be enabled for a specific VLAN.

  1. IP address allocation and leases: understand the address allocation process and the concept of lease time, including the client requesting an address from the DHCP server, the server assigning it, and the lease period it specifies.

  1. MAC address binding and port trust: learn how DHCP Snooping binding entries associate a client's MAC address, IP address, VLAN and port, and how to configure trusted ports on the switch so that only the legitimate DHCP server can answer clients.

  1. Command-line configuration: become familiar with basic CLI configuration, including entering global configuration mode, configuring interfaces, setting IP addresses and enabling interfaces.

  1. Show commands: become familiar with the commands for viewing device configuration and status, such as the DHCP Snooping configuration, monitored VLANs and trusted ports, and the binding table.

This knowledge helps the experimenter understand and configure the DHCP server and deploy DHCP Snooping to improve the security and stability of the network.

Origin blog.csdn.net/m0_63624418/article/details/131146039