Switch DHCP snooping and IP Source Guard: blocking manually configured IP addresses (DHCP and loop protection)

Use DHCP snooping to stop rogue DHCP servers that someone plugs into the internal corporate network;
enable IP Source Guard so that internal users cannot bypass DHCP by manually configuring an IP address.

Cisco DHCP protection:

Access layer DHCP snooping configuration:

(config)#ip dhcp snooping //Enable DHCP snooping globally
(config)#ip dhcp snooping vlan 67 //Enable it for the client VLAN
(config)#interface GigabitEthernet1/0/47 //The uplink towards the DHCP server
(config-if)#ip dhcp snooping trust //Only server replies arriving here are forwarded; all other ports stay untrusted

The core layer (the SVI that relays DHCP for the VLAN) also needs the following; otherwise clients cannot obtain an IP address. DHCP snooping inserts Option 82 into client requests while leaving giaddr at 0.0.0.0, and a Cisco relay drops such packets unless the interface is told to trust them. (The alternative is to stop the access switch from inserting Option 82 with no ip dhcp snooping information option, in which case this step is not needed.)

(config)#interface vlan 67
(config-if)#ip dhcp relay information trusted

Check the result:

#sh ip dhcp snooping //Global state, snooped VLANs and trusted ports
#sh ip dhcp snooping binding //MAC/IP/VLAN/interface learned from each DHCP lease

IP Source Guard configuration:
DHCP snooping must already be enabled before IP Source Guard is configured; IP Source Guard is then turned on per interface. The port-security form used below filters on both the source IP and the source MAC against the snooping binding, so port security has to be enabled on the port as well (plain ip verify source filters on the IP only):

(config)#interface gigabitEthernet 1/0/10
(config-if)#switchport port-security //Required for the ip+mac filter type
(config-if)#ip verify source port-security //Drop traffic whose IP/MAC do not match a DHCP snooping binding

Check the result:

#sh ip ver source

Filter-mode should normally be active. In the IP-address column, a port whose client obtained its address via DHCP shows that address and can reach the network normally; deny-all means there is no binding for the port, so all of its IP traffic except DHCP is dropped, which is exactly what a manually configured IP address looks like.
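As an added example (it is not from the original post and not a Cisco tool), the script below parses the two show outputs just discussed and reports, per port, whether IP Source Guard is permitting a DHCP-learned address, sitting in deny-all, permitting an address snooping never learned, not enforcing at all, or missing on a port that has DHCP clients. The show outputs embedded in it are constructed samples in the IOS column layout; the interface names, addresses and MACs are invented.

```python
"""Reconcile 'show ip verify source' with 'show ip dhcp snooping binding'.
Added example, not code from the original post. The two show outputs are
constructed samples in the Cisco IOS layout, not captures from a switch."""
import re

# Constructed sample: 'show ip dhcp snooping binding'.
SAMPLE_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.67.0.21       86000       dhcp-snooping  67    GigabitEthernet1/0/10
00:11:22:33:44:66   10.67.0.22       85000       dhcp-snooping  67    GigabitEthernet1/0/11
00:11:22:33:44:77   10.67.0.23       84000       dhcp-snooping  67    GigabitEthernet1/0/14
Total number of bindings: 3
"""

# Constructed sample: 'show ip verify source'. Gi1/0/12 is in deny-all and
# Gi1/0/13 sits in a VLAN for which DHCP snooping is not enabled.
SAMPLE_VERIFY = """\
Interface  Filter-type  Filter-mode                IP-address   Mac-address        Vlan
---------  -----------  -------------------------  -----------  -----------------  ----
Gi1/0/10   ip-mac       active                     10.67.0.21   00:11:22:33:44:55  67
Gi1/0/11   ip-mac       active                     10.67.0.99   00:11:22:33:44:66  67
Gi1/0/12   ip-mac       active                     deny-all     deny-all           67
Gi1/0/13   ip           inactive-no-snooping-vlan
"""

LONG_NAMES = ("GigabitEthernet", "TenGigabitEthernet", "FastEthernet")
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
BINDING_RE = re.compile(
    rf"^(?P<mac>{MAC})\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\S+\s+(?P<type>\S+)\s+"
    r"(?P<vlan>\d+)\s+(?P<iface>\S+)\s*$", re.IGNORECASE)
# Filter-type is "ip" or "ip-mac"; the IP/MAC/VLAN columns are absent when the
# filter is inactive, and the MAC column is absent for the ip-only filter type.
VERIFY_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ftype>ip-mac|ip)\s+(?P<mode>\S+)"
    rf"(?:\s+(?P<ip>\S+)(?:\s+(?P<mac>{MAC}|deny-all|permit-all))?\s+(?P<vlan>\d+))?\s*$",
    re.IGNORECASE)


def normalize_ifname(name):
    """Expand the short form some tables print (Gi1/0/10) to the long form
    used by the binding table (GigabitEthernet1/0/10) so the two can be joined."""
    m = re.match(r"^([A-Za-z]+)(\d.*)$", name)
    if not m:
        return name
    prefix, rest = m.groups()
    for full in LONG_NAMES:
        if full.lower().startswith(prefix.lower()):
            return full + rest
    return name


def parse_snooping_bindings(text):
    """Map interface -> set of IPs that DHCP snooping learned on that port."""
    bindings = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            bindings.setdefault(normalize_ifname(m.group("iface")), set()).add(m.group("ip"))
    return bindings


def parse_verify_source(text):
    """One dict per IP Source Guard row; header and separator lines never match."""
    rows = []
    for line in text.splitlines():
        m = VERIFY_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["iface"] = normalize_ifname(row["iface"])
            rows.append(row)
    return rows


def audit(bindings_text, verify_text):
    """Return {interface: (status, detail)} for every port either table knows."""
    bindings = parse_snooping_bindings(bindings_text)
    report = {}
    for row in parse_verify_source(verify_text):
        iface, leased = row["iface"], bindings.get(row["iface"], set())
        if not row["mode"].lower().startswith("active"):
            report[iface] = ("NOT-ENFORCING", row["mode"])
        elif row["ip"] == "deny-all":
            report[iface] = ("DENY-ALL", "no DHCP binding: static IP, or the client never leased")
        elif row["ip"] in leased:
            report[iface] = ("OK", row["ip"])
        else:  # permitted by ISG but not learned by snooping: static binding or stale entry
            report[iface] = ("STATIC-OR-STALE",
                             f"ISG permits {row['ip']} but snooping learned "
                             f"{sorted(leased) or 'nothing'}; check 'show ip source binding'")
    for iface in bindings:
        if iface not in report:
            report[iface] = ("NO-ISG", "DHCP clients present but 'ip verify source' is not enabled")
    return report


if __name__ == "__main__":
    for iface, (status, detail) in sorted(audit(SAMPLE_BINDINGS, SAMPLE_VERIFY).items()):
        print(f"{iface:<24} {status:<16} {detail}")
```

To use it against a real switch, replace the two sample strings with pasted output (or read them from files). Ports reported as DENY-ALL are the ones to walk to: either a host with a static address, which the configuration above is meant to block, or a client that never completed DHCP and will also be cut off. STATIC-OR-STALE entries normally turn out to be static bindings added with ip source binding, which show ip dhcp snooping binding does not list.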

Ruijie dhcp protection:

Access switch configuration:

Ruijie(config)#ip dhcp snooping //Enable DHCP snooping
Ruijie(config)#interface gigabitEthernet 0/49 //The interface facing the DHCP server (the uplink) becomes the trusted port
Ruijie(config-GigabitEthernet 0/49)#ip dhcp snooping trust
//Once DHCP snooping is enabled, every interface of the switch is untrusted by default; the switch only forwards DHCP server replies (OFFER, ACK) that arrive on a trusted interface and drops those arriving on untrusted ports, which is what neutralises a rogue server.

Cisco anti-loop:
1. Enable PortFast globally (access ports go straight to forwarding instead of waiting through the STP listening/learning states):
(config)#spanning-tree portfast default
2. Enable BPDU guard under the interface (the port is put into err-disabled if a BPDU arrives on it, i.e. if a switch or a looped cable is plugged into an access port):
(config-if)#spanning-tree bpduguard enable
3. Alternatively, enable BPDU guard on all PortFast ports globally:
C3560G-1(config)#spanning-tree portfast default
C3560G-1(config)#spanning-tree portfast bpduguard default
Note: an err-disabled port stays down until it is manually shut / no shut, unless err-disable recovery is enabled for the bpduguard cause (errdisable recovery cause bpduguard, with errdisable recovery interval setting the delay), as the Ruijie RLDP method below does.

H3C anti-loop:
1. Enable loopback detection globally and set the detection interval
 loopback-detection enable
 loopback-detection interval-time 5
2. Enable loopback detection under the interface as well
[H3C-S5120-GigabitEthernet1/0/12]loopback-detection enable

Note: loopback-detection per-vlan enable //Monitor for loops in every VLAN carried by the port; only valid on trunk or hybrid ports.

When a loop does occur in the network, the following command shows which port the loop is on:
[H3C-S5120-GigabitEthernet1/0/12]dis loopback-detection
 Loopback-detection is running
 Detection interval time is 5 seconds
 Following port(s) has(have) loopback link:
 GigabitEthernet1/0/12 //The loop is on this port

Ruijie anti-loop:

Method one:

  (config)#spanning-tree //Enable spanning tree
  (config)#spanning-tree mode stp //Spanning tree type; optional modes are stp, rstp, mstp
  (config)#spanning-tree priority 4096 //Switch priority (default 32768); the lower value makes this switch the root

Method two:

rldp enable //Enable RLDP (Rapid Link Detection Protocol) loop detection globally
errdisable recovery interval 300 //A port that RLDP shuts down after detecting a loop is recovered automatically after 300 seconds

interface range g0/1-8 //Apply to the access ports
rldp port loop-detect shutdown-port //Detect loops on the port and shut it down when one is found


Origin blog.csdn.net/wailaizhu/article/details/117658390