
H3C S3100 8C SI - Unauthorized DHCP Server Detection Configuration Example

Operation Manual – DHCP
H3C S3100 Series Ethernet Switches Chapter 2 DHCP Snooping Configuration
2.5.2 Unauthorized DHCP Server Detection Configuration Example
I. Network requirements
As shown in Figure 2-7, Ethernet 1/0/1 of the switch (S3100-SI) is connected to the
DHCP server, and Ethernet 1/0/2 and Ethernet 1/0/3 are connected to Client A and
Client B respectively.
• Enable DHCP snooping on the switch.
• Enable unauthorized DHCP server detection on Ethernet 1/0/2 and Ethernet 1/0/3.
  When an unauthorized DHCP server is detected on Ethernet 1/0/2, a trap message
  is sent; when an unauthorized DHCP server is detected on Ethernet 1/0/3, the
  interface is shut down administratively.
• To prevent attackers from filtering the detecting DHCP-DISCOVER packets,
  specify the source MAC address for such packets as 000f-e200-1111 (different
  from the bridge MAC address of the switch) on the switch.
II. Network diagram
Figure 2-7 Network diagram for unauthorized DHCP server detection
(diagram not reproduced: the DHCP server connects to Eth1/0/1 of the switch; Client A and Client B connect to Eth1/0/2 and Eth1/0/3)
III. Configuration procedure
# Enable DHCP snooping.
<Sysname> system-view
Enter system view, return to user view with Ctrl+Z.
[Sysname] dhcp-snooping
# Specify the source MAC address for the DHCP-DISCOVER messages as 000f-e200-1111.
[Sysname] dhcp-snooping server-guard source-mac 000f-e200-1111
# Enable unauthorized DHCP server detection on Ethernet 1/0/2.
[Sysname] interface ethernet1/0/2
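The decision described in the network requirements can be modelled offline. The following Python sketch is an added example, not H3C code and not part of the manual. It assumes that a DHCP-OFFER answering the probe is what marks a server as detected and that the probe MAC is echoed in the reply's chaddr field. The port names and function names are illustrative.

```python
import struct

PROBE_MAC = "000f-e200-1111"          # probe source MAC configured on the page
POLICY = {"Ethernet1/0/2": "trap", "Ethernet1/0/3": "shutdown"}  # methods from the page
MAGIC = b"\x63\x82\x53\x63"           # DHCP magic cookie (RFC 2131)

def mac_bytes(h3c_mac):
    """Convert H3C xxxx-xxxx-xxxx notation to 6 raw bytes."""
    return bytes.fromhex(h3c_mac.replace("-", ""))

def parse_dhcp(payload):
    """Return (op, chaddr, options) for a BOOTP/DHCP payload, None if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    op, chaddr, opts, i = payload[0], payload[28:34], {}, 240
    while i < len(payload) and payload[i] != 255:      # 255 = End option
        if payload[i] == 0:                            # 0 = Pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            return None                                # option runs past the buffer
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return op, chaddr, opts

def evaluate(port, payload):
    """Return (action, server_ip) if the reply reveals a DHCP server on a guarded port."""
    parsed = parse_dhcp(payload)
    if port not in POLICY or parsed is None:
        return None                                    # e.g. Ethernet1/0/1, the real server
    op, chaddr, opts = parsed
    # Assumption: detection = BOOTREPLY (op 2) carrying DHCPOFFER (option 53 = 2)
    # whose chaddr echoes the probe MAC; option 54 is the server identifier.
    if op != 2 or opts.get(53) != b"\x02" or chaddr != mac_bytes(PROBE_MAC):
        return None
    if len(opts.get(54, b"")) != 4:
        return None
    return POLICY[port], ".".join(str(b) for b in opts[54])

def sample_offer(chaddr, server_ip):
    """Constructed DHCPOFFER bytes (sample data, not captured traffic)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      b"", bytes([192, 0, 2, 50]), b"", b"", chaddr, b"", b"")
    return hdr + MAGIC + b"\x35\x01\x02\x36\x04" + bytes(server_ip) + b"\xff"

if __name__ == "__main__":
    offer = sample_offer(mac_bytes(PROBE_MAC), [192, 0, 2, 99])
    for port in ("Ethernet1/0/1", "Ethernet1/0/2", "Ethernet1/0/3"):
        print(port, evaluate(port, offer))
```

A reply that is truncated or that carries a different chaddr returns None, so only an answer to the probe itself triggers the per-port action.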
