
H3C S3100 Series

# Set the circuit ID sub-option in DHCP packets from VLAN 1 to “abcd” on Ethernet 1/0/3.
[Switch] interface Ethernet1/0/3
[Switch-Ethernet1/0/3] dhcp-snooping information vlan 1 circuit-id string abcd
Unauthorized DHCP Server Detection Configuration Example
Network requirements
As shown in Figure 3-9, Ethernet 1/0/1 of the switch (S3100-SI) is connected to the DHCP server, and
Ethernet 1/0/2 and Ethernet 1/0/3 are connected to Client A and Client B, respectively.
• Enable DHCP snooping on the switch.
• Enable unauthorized DHCP server detection on Ethernet 1/0/2 and Ethernet 1/0/3. When an
  unauthorized DHCP server is detected on Ethernet 1/0/2, a trap message is sent; when an
  unauthorized DHCP server is detected on Ethernet 1/0/3, the interface is shut down administratively.
• To prevent attackers from filtering out the detection DHCP-DISCOVER packets, specify
  000f-e200-1111 (different from the bridge MAC address of the switch) as the source MAC
  address for these packets on the switch.
Network diagram
Figure 3-9 Network diagram for unauthorized DHCP server detection
[Diagram: the DHCP server connects to the switch on Eth1/0/1; Client A connects on Eth1/0/2 and Client B on Eth1/0/3.]
Configuration procedure
# Enable DHCP snooping.
<Sysname> system-view
Enter system view, return to user view with Ctrl+Z.
[Sysname] dhcp-snooping
# Specify the source MAC address for the DHCP-DISCOVER messages as 000f-e200-1111.
[Sysname] dhcp-snooping server-guard source-mac 000f-e200-1111
# Enable unauthorized DHCP server detection on Ethernet 1/0/2.
[Sysname] interface ethernet1/0/2
[Sysname-Ethernet1/0/2] dhcp-snooping server-guard enable
# Specify the method for handling unauthorized DHCP servers as trap on Ethernet 1/0/2.
[Sysname-Ethernet1/0/2] dhcp-snooping server-guard method trap
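
The decision this example configures can be modelled off-switch: a DHCP server message (OFFER, ACK or NAK) arriving on a client-facing port means a server sits behind that port. The Python below is an added illustration, not H3C code and not the switch's implementation; the function names, the port-to-method table layout and the 192.0.2.66 server address are constructed for the example.

```python
import socket

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie that follows the 236-byte BOOTP header
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}   # option 53 values only a server sends
# Handling per port, copied from the network requirements on this page.
PORT_METHOD = {"Ethernet1/0/2": "trap", "Ethernet1/0/3": "shutdown"}

def parse_options(payload):
    """Return {code: value} for the DHCP options, or None if the payload is malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            return None                                # truncated option
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return opts

def classify(port, payload):
    """Return (method, message type, server IP) for a server reply seen on a client port."""
    opts = parse_options(payload)
    if port not in PORT_METHOD or opts is None or payload[0] != 2:   # op 2 = BOOTREPLY
        return None
    mtype = opts.get(53, b"")                          # option 53 = DHCP message type
    if len(mtype) != 1 or mtype[0] not in SERVER_TYPES:
        return None
    server_id = opts.get(54, b"")                      # option 54 = server identifier
    server = socket.inet_ntoa(server_id) if len(server_id) == 4 else "unknown"
    return PORT_METHOD[port], SERVER_TYPES[mtype[0]], server

def sample_reply(msg_type, server_ip):
    """Constructed test input: a minimal BOOTREPLY carrying options 53 and 54."""
    header = bytes([2, 1, 6, 0]) + bytes(232)          # op, htype, hlen, hops + zeroed fields
    return (header + MAGIC + bytes([53, 1, msg_type])
            + bytes([54, 4]) + socket.inet_aton(server_ip) + b"\xff")

if __name__ == "__main__":
    offer = sample_reply(2, "192.0.2.66")              # documentation address, constructed
    print(classify("Ethernet1/0/2", offer))            # trap port
    print(classify("Ethernet1/0/3", offer))            # shutdown port
```

Ethernet 1/0/1 is deliberately absent from the table because it faces the authorized DHCP server, so replies seen there are never classified.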
