Because ACL resources on the S3100-SI series Ethernet switches are limited, they do not support the DHCP Snooping trusted-port function. To defend against the network disruption caused by an unauthorized DHCP server, or against an attacker deliberately impersonating a DHCP server to hand out IP addresses and other configuration parameters to clients, the S3100-SI series instead provides a DHCP server-guard (anti-spoofing) function.
Once server guard is configured on a downstream port of a switch with DHCP Snooping enabled (a port connected, directly or indirectly, to DHCP clients), the switch sends DHCP-DISCOVER packets out of that port to probe for DHCP servers behind it. If it receives a reply (a DHCP-OFFER), it concludes that a spoofed DHCP server is attached to the port and acts according to the configured policy: either only raising an alarm, or raising an alarm and administratively shutting the port down. Note that the probe cannot tell a rogue server from a legitimate one; any server that answers on a guarded port is treated as a spoofer, so the feature belongs only on ports where no authorized DHCP server or relay should ever respond. The transcript below shows exactly that: the switch itself obtains an address from 192.168.1.188 on Vlan-interface1; after server guard is enabled on Ethernet1/0/1 with the shutdown method, that same server is detected on the port and the port is shut down, taking Vlan-interface1 down with it.
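To make the probe-and-respond logic concrete, here is an added Python model. It is not H3C's implementation (the page shows only the feature's behaviour, not its internals): it builds the DHCPDISCOVER a probing switch would send, accepts a reply only if it is a BOOTREPLY carrying the probe's transaction ID and option 53 = DHCPOFFER, and applies the alarm or shutdown policy to the probed port. The probe MAC, the xid and the offer bytes are constructed for the example; the server and offered addresses are the ones in the transcript below.

```python
"""Illustrative model of the DHCP server-guard probe (added example, not H3C code)."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"           # RFC 2131 options magic cookie
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER, DHCPACK = 1, 2, 5   # option 53 message types
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"        # 236-byte fixed BOOTP header


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(o) for o in b)


def build_discover(client_mac: bytes, xid: int) -> bytes:
    """Minimal DHCPDISCOVER: BOOTREQUEST, broadcast flag, option 53 only."""
    fixed = struct.pack(
        HEADER, BOOTREQUEST, 1, 6, 0,                 # op, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,                               # xid, secs, flags=BROADCAST
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC_COOKIE + bytes([53, 1, DHCPDISCOVER, 255])


def build_reply(xid: int, client_mac: bytes, server_ip: str, offered_ip: str,
                msg_type: int = DHCPOFFER) -> bytes:
    """Constructed server reply used as sample input (not captured traffic)."""
    fixed = struct.pack(
        HEADER, BOOTREPLY, 1, 6, 0, xid, 0, 0,
        b"\0" * 4, ip_bytes(offered_ip), ip_bytes(server_ip), b"\0" * 4,
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = (bytes([53, 1, msg_type]) + bytes([54, 4]) + ip_bytes(server_ip)
            + bytes([1, 4]) + ip_bytes("255.255.255.0") + b"\xff")
    return fixed + MAGIC_COOKIE + opts


def parse_offer(pkt: bytes, expected_xid: int):
    """Return (server_id, offered_ip) if pkt is a DHCPOFFER answering our xid, else None."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        return None
    if pkt[0] != BOOTREPLY or struct.unpack("!I", pkt[4:8])[0] != expected_xid:
        return None                        # not a reply, or not a reply to our probe
    yiaddr, msg_type, server_id, i = pkt[16:20], None, None, 240
    while i < len(pkt) and pkt[i] != 255:  # walk TLV options until END
        if pkt[i] == 0:                    # PAD carries no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg_type = value[0]
        elif code == 54 and length == 4:
            server_id = value
        i += 2 + length
    if msg_type != DHCPOFFER or server_id is None:
        return None
    return ip_str(server_id), ip_str(yiaddr)


def server_guard(port: str, vlan: int, reply: bytes, xid: int,
                 method: str = "alarm") -> dict:
    """Apply the policy: any OFFER answering the probe on a downstream port is
    treated as a spoofed server, whether or not it is really authorized."""
    found = parse_offer(reply, xid)
    if found is None:
        return {"port": port, "vlan": vlan, "action": "none"}
    server_ip, offered_ip = found
    action = "alarm+shutdown" if method == "shutdown" else "alarm"
    return {"port": port, "vlan": vlan, "server": server_ip,
            "offered": offered_ip, "action": action}


if __name__ == "__main__":
    mac, xid = bytes.fromhex("00e0fc000001"), 0x3100A5A5   # assumed probe values
    probe = build_discover(mac, xid)
    offer = build_reply(xid, mac, "192.168.1.188", "192.168.1.189")
    print(len(probe), server_guard("Ethernet1/0/1", 1, offer, xid, "shutdown"))
```

Run as-is, the 192.168.1.188 server from the transcript is reported with action alarm+shutdown even though it is the server the switch itself leased from: the decision is made per port, not per server identity, which is why the guard must only be enabled where no legitimate server can answer.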
[3100]display ver
H3C Comware Platform Software
Comware Software, Version 3.10, Release 2211P04
Copyright (c) 2004-2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
H3C S3100-16TP-SI uptime is 0 week, 0 day, 0 hour, 31 minutes
H3C S3100-16TP-SI with 1 Processor
64M bytes SDRAM
8M bytes Flash Memory
Config Register points to FLASH
Hardware Version is REV.D
Bootrom Version is 555
[Subslot 0] 16FE Hardware Version is REV.D
[Subslot 1] 1GE Hardware Version is REV.D
[Subslot 2] 1GE Hardware Version is REV.D
[3100]int vlan 1
[3100-Vlan-interface1]ip address dhcp-alloc
[3100-Vlan-interface1]un shutdown
[3100]display ip int b
*down: administratively down
(l): loopback
(s): spoofing
Interface          IP Address      Physical   Protocol   Description
Vlan-interface1    192.168.1.189   up         up         Vlan-inte...
DHCP client statistic information:
Vlan-interface1:
Current machine state: BOUND
Allocated IP: 192.168.1.189 255.255.255.0
Allocated lease: 72000 seconds, T1: 36000 seconds, T2: 63000 seconds
Server IP: 192.168.1.188
[3100-Ethernet1/0/1]dhcp-snooping server-guard enable
[3100-Ethernet1/0/1]dhcp-snooping server-guard method shutdown
#Apr 2 00:29:07:389 2000 3100 DHCP-SNP/2/DHCPSNOOPING SERVER GUARD:- 1 -
Trap 1.3.6.1.4.1.2011.10.2.36.2.0.1(h3cDhcpSnoopSpoofServerDetected): portIndex 4227626 detect DHCP server in VLAN 1 MAC is f0.4d.a2.21.2f.b6 IP is 192.168.1.188
%Apr 2 00:29:07:690 2000 3100 DHCP-SNP/5/dhcp-snooping server guard:- 1 -
Port 1 detect DHCP server in VLAN 1 MAC is f04d-a221-2fb6 IP is 192.168.1.188
#Apr 2 00:29:08:147 2000 3100 L2INF/2/PORT LINK STATUS CHANGE:- 1 -
Trap 1.3.6.1.6.3.1.1.5.3(linkDown): portIndex is 4227626, ifAdminStatus is 2, ifOperStatus is 2
%Apr 2 00:29:08:358 2000 3100 L2INF/5/PORT LINK STATUS CHANGE:- 1 -
Ethernet1/0/1 is DOWN
%Apr 2 00:29:08:479 2000 3100 L2INF/5/VLANIF LINK STATUS CHANGE:- 1 -
Vlan-interface1 is DOWN
%Apr 2 00:29:08:599 2000 3100 IFNET/5/UPDOWN:- 1 -Line protocol on the interface Vlan-interface1 is DOWN
[3100-Ethernet1/0/1]display dhcp-snooping server-guard
DHCP-Snooping is enabled.
DHCP-Snooping server guard become effective.
Interface        Status                         Find Time
================================================================
Ethernet1/0/1    Server detected and shutdown   2047
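The detection records above are what a syslog or SNMP trap collector receives from the switch. As an added example (not from the page or from H3C), the following Python parses them, normalizes the two MAC spellings the switch uses (f0.4d.a2.21.2f.b6 in the trap, f04d-a221-2fb6 in the log), merges the trap and log form of one detection, correlates the trap's portIndex with the following linkDown trap to confirm the port really was shut, and compares the detected server against an allowlist so the operator can tell a genuinely rogue server from an authorized one that happened to sit behind a guarded port. The sample log is copied from the transcript plus one constructed record (Port 7 / 10.20.0.99); the allowlist is an assumed site setting.

```python
"""Parse H3C DHCP-SNP server-guard records and classify the detected server.
Added example, not H3C code."""
import re

# Sample input: records copied from the transcript above plus one constructed
# log record (Port 7 / 10.20.0.99) for a server that is not on the allowlist.
SAMPLE_LOG = """\
#Apr 2 00:29:07:389 2000 3100 DHCP-SNP/2/DHCPSNOOPING SERVER GUARD:- 1 -
Trap 1.3.6.1.4.1.2011.10.2.36.2.0.1(h3cDhcpSnoopSpoofServerDetected): portIndex 4227626 detect DHCP server in VLAN 1 MAC is f0.4d.a2.21.2f.b6 IP is 192.168.1.188
%Apr 2 00:29:07:690 2000 3100 DHCP-SNP/5/dhcp-snooping server guard:- 1 -
Port 1 detect DHCP server in VLAN 1 MAC is f04d-a221-2fb6 IP is 192.168.1.188
#Apr 2 00:29:08:147 2000 3100 L2INF/2/PORT LINK STATUS CHANGE:- 1 -
Trap 1.3.6.1.6.3.1.1.5.3(linkDown): portIndex is 4227626, ifAdminStatus is 2, ifOperStatus is 2
%Apr 2 00:29:08:599 2000 3100 IFNET/5/UPDOWN:- 1 -Line protocol on the interface Vlan-interface1 is DOWN
%Apr 2 00:31:12:004 2000 3100 DHCP-SNP/5/dhcp-snooping server guard:- 1 -
Port 7 detect DHCP server in VLAN 20 MAC is 0011-2233-4455 IP is 10.20.0.99
"""

# Assumed site setting: (IP, MAC) of every DHCP server that is allowed to exist.
AUTHORIZED = {("192.168.1.188", "f0:4d:a2:21:2f:b6")}

# Record header: "#" = trap, "%" = log; the body follows ":- 1 -" either on the
# same line (IFNET example above) or on the next line.
HEADER_RE = re.compile(
    r"^(?P<kind>[#%])(?P<ts>\w{3} +\d+ +\d\d:\d\d:\d\d:\d{3} +\d{4}) +(?P<host>\S+) +"
    r"(?P<module>[A-Z0-9-]+)/(?P<sev>\d)/(?P<mnemonic>.+?):- 1 -(?P<inline>.*)$")
DETECT_RE = re.compile(
    r"(?:Port +(?P<port>\d+)|portIndex +(?P<ifindex>\d+)) +detect DHCP server in VLAN +"
    r"(?P<vlan>\d+) +MAC is +(?P<mac>[0-9A-Fa-f.:-]+) +IP is +(?P<ip>\d+(?:\.\d+){3})")
LINKDOWN_RE = re.compile(r"\(linkDown\): portIndex is (?P<ifindex>\d+)")


def normalize_mac(raw: str) -> str:
    """f0.4d.a2.21.2f.b6 and f04d-a221-2fb6 both become f0:4d:a2:21:2f:b6."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def records(text: str):
    """Yield (header_fields, body) for each record in the switch output."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = HEADER_RE.match(line)
        if not m:
            continue
        body = m["inline"].strip() or (lines[i + 1] if i + 1 < len(lines) else "")
        yield m.groupdict(), body


def server_guard_events(text: str, authorized) -> list:
    """Merge trap and log form of each detection, confirm shutdown, classify."""
    events, downed = {}, set()
    for hdr, body in records(text):
        ld = LINKDOWN_RE.search(body)
        if ld:                                  # L2INF linkDown trap: remember ifIndex
            downed.add(ld["ifindex"])
            continue
        d = DETECT_RE.search(body) if hdr["module"] == "DHCP-SNP" else None
        if not d:
            continue
        key = (int(d["vlan"]), d["ip"], normalize_mac(d["mac"]))
        ev = events.setdefault(key, {"first_seen": hdr["ts"], "vlan": key[0],
                                     "ip": key[1], "mac": key[2],
                                     "port": None, "ifindex": None})
        ev["port"] = ev["port"] or d["port"]            # log form names "Port 1"
        ev["ifindex"] = ev["ifindex"] or d["ifindex"]   # trap form names "portIndex 4227626"
    for ev in events.values():
        ev["port_shutdown"] = ev["ifindex"] in downed
        ev["verdict"] = ("authorized server on a guarded port"
                         if (ev["ip"], ev["mac"]) in authorized else "rogue DHCP server")
    return list(events.values())


if __name__ == "__main__":
    for ev in server_guard_events(SAMPLE_LOG, AUTHORIZED):
        print(ev)
```

The first event is the transcript's own 192.168.1.188, merged from its trap and log records, confirmed shut down via portIndex 4227626, and classified as an authorized server on a guarded port (a misconfigured guard, not an attack); the constructed 10.20.0.99 on Port 7 is classified as rogue, with no linkDown seen because that record came from an alarm-only port.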