33.3 DHCP Snooping Typical Application – PLANET XGS3-24042 User Manual

Page 268

option subscriber-id {standard | <circuit-id>}
no ip dhcp snooping information option subscriber-id

option 82 added by DHCP request packets (they are received by the port). The no command sets the additive suboption1 (circuit ID option) format of option 82 as standard.

33.3 DHCP Snooping Typical Application

Figure 33-1 Sketch Map of TRUNK

As shown in the figure above, the Mac-AA device is a normal user connected to non-trusted port 1/1 of the switch. It operates as a DHCP client with IP 1.1.1.5. The DHCP server and gateway are connected to trusted ports 1/11 and 1/12 of the switch. The malicious user Mac-BB is connected to non-trusted port 1/10 and tries to impersonate a DHCP server (by sending DHCPACK). Enabling DHCP Snooping on the switch effectively detects and blocks this kind of network attack.

The configuration sequence is:

switch#
switch#config
switch(config)#ip dhcp snooping enable
switch(config)#interface ethernet 1/0/11
switch(Config-If-Ethernet1/0/11)#ip dhcp snooping trust
switch(Config-If-Ethernet1/0/11)#exit
switch(config)#interface ethernet 1/0/12
switch(Config-If-Ethernet1/0/12)#ip dhcp snooping trust
switch(Config-If-Ethernet1/0/12)#exit
switch(config)#interface ethernet 1/0/1-10
switch(Config-Port-Range)#ip dhcp snooping action shutdown
switch(Config-Port-Range)#
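
The per-packet decision this configuration produces can be modeled as follows. This is an added Python example, not code from the manual or from the switch firmware. The function names, the "forward"/"shutdown" result strings, and the rule that any BOOTREPLY or server message type on an untrusted port counts as a server message are assumptions of the model; the sample packets are constructed.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"                     # marks the start of DHCP options
SERVER_TYPES = {2: "DHCPOFFER", 5: "DHCPACK", 6: "DHCPNAK"}  # option 53 values only servers send
TRUSTED_PORTS = {"1/0/11", "1/0/12"}                   # trusted ports from the configuration above

def dhcp_message_type(payload: bytes):
    """Return the option 53 (message type) value of a BOOTP/DHCP payload, or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                                # truncated option header
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                                # truncated option body
        if code == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None

def snoop(port: str, payload: bytes) -> str:
    """Model of the decision for one DHCP packet received on `port`."""
    if port in TRUSTED_PORTS:
        return "forward"
    is_reply = len(payload) > 0 and payload[0] == 2    # BOOTP op 2 = BOOTREPLY
    if is_reply or dhcp_message_type(payload) in SERVER_TYPES:
        return "shutdown"                              # "ip dhcp snooping action shutdown"
    return "forward"

def build_dhcp(op: int, mtype: int, yiaddr: str = "0.0.0.0") -> bytes:
    """Constructed sample packet: 236-byte BOOTP header, cookie, option 53, end."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = op, 1, 6                  # op, htype=Ethernet, hlen=6
    hdr[16:20] = bytes(int(x) for x in yiaddr.split("."))
    return bytes(hdr) + MAGIC_COOKIE + bytes([53, 1, mtype, 255])

if __name__ == "__main__":
    server_ack = build_dhcp(2, 5, "1.1.1.5")           # constructed DHCPACK offering 1.1.1.5
    discover = build_dhcp(1, 1)                        # constructed client DHCPDISCOVER
    for port, pkt in [("1/0/10", server_ack), ("1/0/11", server_ack), ("1/0/1", discover)]:
        kind = SERVER_TYPES.get(dhcp_message_type(pkt), "client message")
        print(port, kind, "->", snoop(port, pkt))
```

The same DHCPACK is forwarded when it arrives on a trusted port and shuts the port down when it arrives on 1/0/10, which is why the trust assignment of ports 1/0/11 and 1/0/12 must match where the legitimate server and gateway are actually cabled.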
