DHCP 配DHCP 利用DHCPSnoo 在配置完成DHCPSnoo 地址，這有效防止了網(wǎng)絡(luò)中DHCPServer仿冒者。但是在DHCP網(wǎng)絡(luò)環(huán)境中，為使DHCPServer能夠獲取到DHCP用戶的精確物理位置信息，可在DHCP報文中添加為使DHCPServer能夠獲取到DHCPv6用戶的精確物理位置信息，可在DHCPv6報文中DHCP

介紹DHCPSnoo常見的配置錯誤導(dǎo)致的故障問題（如連接DHCP服務(wù)器的接口未配DHCPSnoo簡定DHCPSnoo是DHCP（DynamicHostConfigurationProtocol）的一種安全特性，用于目些針對DHCP的，如DHCPServer仿冒者、DHCPServer的服務(wù)、仿冒DHCP報文等。為了保證網(wǎng)絡(luò)通信業(yè)務(wù)的安全性，可引入DHCPSnoo技術(shù)，在DHCP 受DHCPSnoo的基本原DHCPSnoo分為DHCPv4Snoo和DHCPv6Snoo，兩者實(shí)現(xiàn)原理相似，以下以DHCPv4Snoo為例進(jìn)行描述。使能了DHCPSnoo的設(shè)備將用戶（DHCP客戶端）的DHCP請求報文通過信任接口發(fā)送給合法的DHCP服務(wù)器。之后設(shè)備根據(jù)DHCP服務(wù)器回應(yīng)的DHCPACK報文信息生成DHCPSnoo綁定表。后續(xù)設(shè)備再從使能了DHCPSnoo的接口接收用戶發(fā)來的DHCP報文時，會進(jìn)行匹配檢查，能夠有效防范用戶的。DHCPSnoo信任功DHCPSnoo的信任功能，能夠保證客戶端從合法的服務(wù)器獲取IP（Internet如圖9-1所示，網(wǎng)絡(luò)中如果存在私自架設(shè)的DHCPServer仿冒者，則可能導(dǎo)致DHCP客戶端獲取錯誤的IP地址和網(wǎng)絡(luò)配置參數(shù)，無法正常通信。DHCPSnoo信任功能可以控制DHCP服務(wù)器應(yīng)答報文的來源，以防止網(wǎng)絡(luò)中可能存在的DHCPServer仿冒者為信任接口正常接收DHCP服務(wù)器響應(yīng)的DHCPACK、DHCPNAK和DHCPOffer報在二層網(wǎng)絡(luò)接入設(shè)備使能DHCPSnoo場景中，一般將與合法DHCP服務(wù)器直接或間從而保證DHCP客戶端只能從合法的DHCP服務(wù)器獲取IP地址，私自架設(shè)的DHCPServer圖9-1DHCPSnoo信任功能示意 DHCPServer仿冒

使能DHCPSnoo的接口DHCPSnoo綁定作為DHCP客戶端通過廣播形式發(fā)送DHCP請求報文，使能了DHCPSnoo功能的二息的DHCPACK報文通過單播的方式發(fā)送給PC。在這個過程中，二層接入設(shè)備收到地址、地址租期），并獲取與PC連接的使能了DHCPSnoo功能的接口信息（包括接口編號及該接口所屬的VLAN），根據(jù)這些信息生成DHCPSnoo綁定表。以PC1為例，圖9-2中二層接入設(shè)備會從DHCPACK報文提取到IP地址信息為53，DHCPSnoo綁定表項(xiàng)。獲取的

獲取的

二層接入設(shè) DHCPACK報 --DHCPSnoo綁定表根據(jù)DHCP租期進(jìn)行老化或根據(jù)用戶釋放IP地址時發(fā)出的DHCP由于DHCPSnoo綁定表記錄了DHCP客戶端IP地址與MAC地址等參數(shù)的對應(yīng)關(guān)系，為了保證設(shè)備在生成DHCPSnoo綁定表時能夠獲取到用戶MAC等參數(shù)，DHCPSnoo功能需應(yīng)用于二層網(wǎng)絡(luò)中的接入設(shè)備或第一個DHCPRelay上。在DHCP中繼使能DHCPSnoo場景中，DHCPRelay設(shè)備不需要設(shè)置信任接口。因?yàn)镈HCPRelay收到DHCP請求報文后進(jìn)行源目的IP、MAC轉(zhuǎn)換處理，然后以單播形式發(fā)送給指定的合法DHCP服務(wù)器，所以DHCPRelay收到的DHCPACK報是合法的，生成的DHCPSnoo綁定表也是正確的。DHCPSnoo支持的Option82功概在傳統(tǒng)的DHCP動態(tài)分配IP地址過程中，DHCPServer不能夠根據(jù)DHCP請求報文感知到RFC3046定義了DHCPRelayAgentInformationOption（Option82），該選項(xiàng)記錄了DHCP的位置信息。DHCPSnoo設(shè)備或DHCPRelay通過在DHCP請求報文中添加Option82選項(xiàng)，將DHCP的精確物理位置信息傳遞給DHCPServer，從而使得DHCPServer能夠?yàn)橹鳈C(jī)分配合適的IP地址和其他配置信息，實(shí)現(xiàn)對客戶端的安全控Option82包含兩個常用子選項(xiàng)CircuitID和RemoteID。其中CircuitID子選項(xiàng)主要用來標(biāo)設(shè)備作為DHCPRelay時，使能或未使能DHCPSnoo功能都可支持Option82選項(xiàng)功能，但若設(shè)備在二層網(wǎng)絡(luò)作為接入設(shè)備，則必須使能DHCPSnoo功能方可支持息發(fā)送給DHCPServer。而如果需要對不同的用戶部署不同的地址分配或安全策略，則需DHCPServer支持Option82功能并在其上已配置了IP地址分配或安全策略。Option82選項(xiàng)攜帶的用戶位置信息與DHCPSnoo綁定表記錄的用戶參數(shù)是兩個相互Snoo綁定表是在設(shè)備收到DHCPServer回應(yīng)的DHCPAck報文時（此時已為用戶分配了IP地址），設(shè)備根據(jù)DHCPAck報文信息自動生成。實(shí)設(shè)備作為DHCPRelay或設(shè)備在二層網(wǎng)絡(luò)作為接入設(shè)備并使能DHCPSnoo功能時均應(yīng)報文中的Option82選項(xiàng)，之后轉(zhuǎn)發(fā)給DHCP。DHCP。DHCPv6Snoo支持的LDRA功概RFC6221定義了輕量級DHCPv6中繼 LDRA（LightweightDHCPv6RelayAgent）， 實(shí)LDADHv6DHv6Deay-owrd（Hv6vrHv6Srr能 如圖9-3所示，LDRA詳細(xì)工作交互過程DHCPv6 LDRA DHCPv6(1)DHCPv6(1)DHCPv6message(4)DHCPv6messageV200R010C00配置指南-IP業(yè)務(wù)》DHCPv6配置中的“DHCPv6報文介紹”。DHCPv6Snoo支持的option18與option37功說明設(shè)備必須使能DHCPv6snoo功能方可支持Option18與Option37選項(xiàng)功能，詳見9.10配置在DHCPv6防止DHCPServer仿冒者導(dǎo)致用戶獲取到錯誤的IP地址原由于DHCPServer和DHCP 如圖9-4所示，DHCPDiscover報文是以廣播形式發(fā)送，無論是合法的DHCPServer，還是的DHCPServer都可以接收到DHCP 發(fā)送的DHCPDiscover報文。圖9-4 BogusDHCP DHCPDiscoverfromDHCP如果此時DHCPServer仿冒者回應(yīng)給DHCP仿冒信息，如錯誤的網(wǎng)關(guān)地址、錯誤的DNS（NameSystem）服務(wù)器、錯誤的IP等信息，如圖9-5所示。DHCP BogusDHCP DHCPreplyfromBogusDHCPServerDHCPreplyfromDHCPServer解決方法這樣可以有效防止DHCPServer仿冒者的。如圖9-6所示。BogusDHCPDHCPxx

DHCPReplyfromBogusDHCPServerDHCPReplyfromDHCPServer防止非 用戶導(dǎo)致合法用戶無法正常使用網(wǎng)原在DHCP網(wǎng)絡(luò)中，靜態(tài)獲取IP地址的用戶（非DHCP用戶）對網(wǎng)絡(luò)可能存在多種，譬如仿冒DHCPServer、構(gòu)造虛假DHCPRequest報文等。這將為合法DHCP用戶正常使解決方法為了有效的防止非DHCP用戶，可開啟設(shè)備根據(jù)DHCPSnoo綁定表生成接口的之后，設(shè)備將根據(jù)接口下所有的DHCP用戶對應(yīng)的DHCPSnoo綁定表項(xiàng)自動執(zhí)行命防止 報文泛洪導(dǎo)致設(shè)備無法正常工原解決方法為了有效的防止DHCP報文泛洪，在使能設(shè)備的DHCPSnoo功能時，可同時使防止仿冒DHCP報文導(dǎo)致合法用戶無法獲得IP地址或異原已獲取到IP地址的合法用戶通過向服務(wù)器發(fā)送DHCPRequest或DHCPRelease報文用以續(xù)租或釋放IP地址。如果者冒充合法用戶不斷向DHCPServer發(fā)送DHCPRequest報IP地址；而若者仿冒合法用戶的DHCPRelease報文發(fā)往DHCPServer，將會導(dǎo)致用解決方法為了有效的防止仿冒DHCP報文，可利用DHCPSnoo綁定表的功能。設(shè)備通過將DHCPRequest續(xù)租報文和DHCPRelease報文與綁定表進(jìn)行匹配操作能夠有效的判別防止DHCPServer服務(wù)導(dǎo)致部分用戶無法上原另一方面，DHCPServer通常僅根據(jù)DHCPRequest報文中的CHADDR（ 向DHCPServer申請IP地址，同樣將會導(dǎo)致DHCPServer上的地址池被耗盡，從而無法圖9-7DHCPServer服務(wù)示意DHCPDHCPDHCPDHCP解決方法為了抑制大量DHCP用戶申請IP地址，在使能設(shè)備的DHCPSnoo功能后，可配Option82（DHCPRelayAgentInformationOption）稱為中繼信息選項(xiàng)，該選項(xiàng)記 的位置信息。DHCPSnoo設(shè)備或DHCPRelay通過在DHCP請求報 的位置信息傳遞給DHCPServer，從而使得12DHCP)3如圖9-8所示，用戶通過DHCP方式獲取IP地址。在管理員組建該網(wǎng)絡(luò)時需要控制在傳統(tǒng)的DHCP動態(tài)分配IP地址過程中，DHCPServer是無法區(qū)分同一VLAN內(nèi)的不同為實(shí)現(xiàn)上述目的，管理員在使能SwitchA的DHCPSnoo功能之后可使能其Option82的接等參數(shù)。DHCPServer在接收到攜帶有Option82選項(xiàng)的DHCP請求報文后，即息發(fā)送給DHCPServer。而如果需要對不同的用戶部署不同的地址分配或安全策略，則需DHCPServer支持Option82功能并在其上已配置了IP地址分配或安全策略。通過LDRA功能感知用戶位置信息DHCPv6Server，從而使得DHCPv6Server能夠獲取到用戶詳細(xì)的物理位置信息，以實(shí)DHCPv6DHCPv6 DHCPv6在傳統(tǒng)的DHCPv6動態(tài)分配IPv6地址過程中，DHCPv6Server無法獲取到用戶詳細(xì)的物為解決上述問題，管理員在使能Switch的DHCPSnoo功能之后，可使能其LDRA功能。這樣，Switch既能夠獲取用戶詳細(xì)的位置信息并將其發(fā)送到DHCPv6Server。發(fā)送給DHCPv6Server，對不同的用戶部署諸如地址分配、計費(fèi)、接入控制等策略，由DHCPv6Server實(shí)現(xiàn)。配置注意事項(xiàng)涉及網(wǎng)元License版本支持系產(chǎn)支持版本系產(chǎn)支持版本V100R005C01、V100R006C00、V200R001C00、V200R002C00、系產(chǎn)支持版本說明特性依賴和限制如果需要上線的用戶數(shù)目超過了設(shè)備支持的DHCPSnoo綁定表規(guī)格，超出的用表9-2DHCPSnoo的缺省配參缺省根據(jù)DHCPSnoo綁定表生成接口的靜檢測DHCPRequest報文幀頭MAC與檢測DHCPRequest報文中GIADDR字段配置DHCPSnoo的基本功前置任務(wù)·網(wǎng)絡(luò)中已完成DHCP功能的部署。有關(guān)DHCP配置流程

使能DHCPSnoo功背景信息

DHCPSnoo 使能DHCPSnoo 器。以Switch_1為例，在使能DHCPSnoo功能時需要注意：使能DHCPSnoo功能之前，必須已使用命令dhcpenable使能了設(shè)備的DHCP功說明DHCPSnoo不支持BOOTP協(xié)議，而無盤工作站使用BOOTP協(xié)議，所以無盤工作站不能通過DHCPSnoo生成動態(tài)綁定表。由于IPSG功能和DAI功能是基于綁定表實(shí)現(xiàn)的，如果無盤工作站要使用以上功能，需要執(zhí)行命令user-bindstatic配置靜態(tài)綁定表。if1 DHCP操作步驟

步驟1執(zhí)行命令system-view步驟2執(zhí)行命令dhcpsnooenable[ipv4|ipv6]，全局使能DHCPSnoo功能。缺省情況下，設(shè)備全局未使能DHCPSnoo功能。步驟3（可選）執(zhí)行命令dhcpsnooover-vplsenable，使能設(shè)備在VPLS網(wǎng)絡(luò)中的DHCP說明執(zhí)行命令dhcpsnooenablevlan{vlan-id1[tovlan-id2]}&<1-10>，使能DHCPSnoo功能。執(zhí)行命令dhcpsnooenable，使能接口或VLAN下的DHCPSnoo功能。缺省情況下，設(shè)備未使能DHCPSnoo功能。----結(jié)束配置接口信任狀態(tài)背景信息

如圖9-1HD服務(wù)器獲取H（f0），如圖中的f2）DHHDHPrerH地址。在連接用戶的接口或VLAN下使能DHCPSnoo功能之后，需將連接DHCP服務(wù)器的

DHCP操作步驟

步驟1執(zhí)行命令system-view步驟2配置接口為“信任”狀態(tài)，可在接口視圖或VLAN執(zhí)行命令dhcpsnootrustedinterfaceinterface-typeinterface-number，配置接----結(jié)束（可選）去使能DHCPSnoo用戶位置遷移功背景信息

DHCPDiscover報文申請IP地址。缺省情況下設(shè)備使能DHCPSnoo功能之后將允許該用戶上線，并刷新DHCPSnoo 者仿冒合法用戶發(fā)送DHCPDiscover報文，最終導(dǎo)致DHCPSnoo綁定表被刷新，合法用戶網(wǎng)絡(luò)中斷。此時需要去使能DHCPSnoo用戶位置遷移功能，丟棄DHCPSnoo綁定表中已存在的用戶（用戶MAC信息存在于DHCPSnoo綁定表中）從其他接口發(fā)送來的DHCPDiscover報文。說明操作步驟

步驟1執(zhí)行命令system-view步驟2執(zhí)行命令undodhcpsnoouser-transferenable，去使能DHCPSnoo用戶位置遷----結(jié)束（可選）配置ARP與DHCPSnoo的聯(lián)動功背景信息

DHCPSnoo設(shè)備在收到DHCP用戶發(fā)出的DHCPRelease報文時將會刪除該用戶對應(yīng)的綁定表項(xiàng)，但若用戶發(fā)生了異常下線而無法發(fā)出DHCPRelease報文時，DHCP使能AHPno的聯(lián)動能，如HPnoo項(xiàng)中的地址對應(yīng)的A表項(xiàng)到老化間，DHPno備會該地址進(jìn)行A探，如果規(guī)AA說明操作步驟

步驟1執(zhí)行命令system-view步驟2執(zhí)行命令arpdhcp-snoo-detectenable，使能ARP與DHCPSnoo的聯(lián)動功能。缺省情況下，未使能ARP與DHCPSnoo的聯(lián)動功能。----結(jié)束（可選）配置用戶下線后及時清除對應(yīng) 表項(xiàng)功背景信息

設(shè)備在接收到DHCP用戶下線時發(fā)送DHCPRelease報文后，將會立刻刪除用戶對應(yīng)的DHCPSnoo綁定表項(xiàng)。利用這種特性，使能當(dāng)DHCPSnoo動態(tài)表項(xiàng)清除時移除操作步驟

步驟1執(zhí)行命令system-view步驟2執(zhí)行命令dhcpsnoouser-offlineremovemac-address，使能當(dāng)DHCPSnoo動態(tài)缺省情況下，未使能當(dāng)DHCPSnoo動態(tài)表項(xiàng)清除時移除對應(yīng)用戶的MAC表項(xiàng)功----結(jié)束（可選）GIADDRDHCP背景信息

DHCP報文中的GIADDR（GatewayIpAddress）字段記錄了DHCP報文經(jīng)過的第一個DHCPRelay的IP地址，當(dāng)客戶端發(fā)出DHCP請求時，如果服務(wù)器和客戶端不在同一個網(wǎng)段，那么第一個DHCPRelay在將DHCP請求報文轉(zhuǎn)發(fā)給DHCP服務(wù)器時，會把自己的如圖9-12所示，在為了保證設(shè)備在生成DHCPSnoo綁定表時能夠獲取到用戶MAC（如圖中的DHCPRelay1設(shè)備）。故DHCPSnoo DHCP中繼使能DHCPSnoo場景中，建議配置該功能。DHCP0

DHCP1

DHCP2DHCPDHCP DHCP DHCP操作步驟

步驟1執(zhí)行命令system-view步驟2使能檢測DHCPRequest報文中GIADDR字段是否非零的功能，可在系統(tǒng)視圖、執(zhí)行命令dhcpsnoocheckdhcp-giaddrenablevlan{vlan-id1[tovlan-id2]}&<1-10>，使能檢測DHCPRequest報文中GIADDR字段是否非零的功能。執(zhí)行命令dhcpsnoocheckdhcp-giaddrenable，使能檢測DHCPRequest報文中----結(jié)束檢查配置結(jié)果前提條件

操作步驟

執(zhí)行命令disydhcpsnooconfiguration[vlanvlan-id|執(zhí)行命令disydhcpsnoo[interfaceinterface-typeinterface-number|執(zhí)行命令disydhcpsnoouser-bind{{interfaceinterface-typeinterface-number|ip-addressip-address|mac-addressmac-address|vlanvlan-id*|all}[verbose]，查看DHCPSnoo綁定表信息。執(zhí)行命令disydhcpv6snoouser-bind{{interfaceinterface-typeinterface-number|ipv6-addressipv6-address|all|mac-addressmac-address|vlanvlan-id}*|all}[verbose]，查看DHCPv6Snoo綁定表信息。allverbose]，查看IPv6執(zhí)行命令disydhcpsnoostatistics，查看設(shè)備接收到的各類型DHCP報文的----結(jié)束配置DHCPSnoo的防范功在配置完成DHCPSnoo的基本功能后，設(shè)備能夠保證客戶端從合法的服務(wù)器獲取IP地址，這有效防止了網(wǎng)絡(luò)中DHCPServer仿冒者。但是在DHCP網(wǎng)絡(luò)環(huán)境中，的“步驟2”相關(guān)功能同樣適用于DHCPv6Snoo。前提條件配置DHCPSnoo的防范功能之前，務(wù)必確保已完成DHCPSnoo的基本功能DHCPServer背景信息法的服務(wù)器獲取IP地址，這將能夠有效的防止DHCPServer仿冒者。但是此時卻不能夠定位DHCPServer仿冒者的位置，使得網(wǎng)絡(luò)中仍然存在著安全隱患。通過配置DHCPServer探測功能，DHCPSnoo設(shè)備將會檢查并在日志中記錄所有DHCP回應(yīng)報文中攜帶的DHCPServer地址與接口等信息，此后網(wǎng)絡(luò)管理員可根據(jù)日志來判定網(wǎng)絡(luò)中是否存在偽DHCPServer進(jìn)而對網(wǎng)絡(luò)進(jìn)行。操作步驟步驟1執(zhí)行命令system-view步驟2執(zhí)行命令dhcpserverdetect，使能DHCPServer探測功能。缺省情況下，未使能DHCPServer探測功能。----結(jié)束DHCP報文泛洪背景信息

在DHHH文上送H報文理單的速率行檢測能將夠有效防H報文泛。操作步驟

步驟1執(zhí)行命令system-view執(zhí)行命令dhcpsnoocheckdhcp-raterate，配置DHCP報文上送DHCP報文在系統(tǒng)視圖下執(zhí)行命令dhcpsnoocheckdhcp-rateenablevlan{vlan-[tovlan-id2]}&<1-10>，功能與在VLAN視圖下執(zhí)行命令dhcpsnoocheckdhcp-rateenable相同。執(zhí)行命令dhcpsnoocheckdhcp-raterate，配置DHCP報文上送DHCP報文執(zhí)行命令dhcpsnoocheckdhcp-raterate，配置DHCP報文上送DHCP報文步驟3（可選）執(zhí)行命令dhcpsnooalarmdhcp-rateenable，使能當(dāng)丟棄的DHCP報文數(shù)執(zhí)行命令dhcpsnooalarmdhcp-ratethresholdthreshold，配置接口下被丟執(zhí)行命令dhcpsnooalarmdhcp-rateenable，使能當(dāng)丟棄的DHCP報文數(shù)執(zhí)行命令dhcpsnooalarmdhcp-ratethresholdthreshold，配置接口下被丟----結(jié)束DHCP報文背景信息

在D網(wǎng)絡(luò)環(huán)中，若者仿合法戶的HPeqes報文發(fā)HPre，地址；若者仿冒法用戶HPeae報文DHPre，將會致用戶下線。在生成DHCPSnoo綁定表后，設(shè)備可根據(jù)綁定表項(xiàng)，對DHCPRequest報文或DHCP能有效的防止用戶通過發(fā)送DHCPRequest或DHCPRelease報文冒充合法用戶操作步驟步驟1執(zhí)行命令system-view步驟2使能對DHCP報文進(jìn)行綁定表匹配檢查的功能，可在系統(tǒng)視圖、VLAN視圖或接口視圖執(zhí)行命令dhcpsnoocheckdhcp-requestenablevlan{vlan-id1[to·VLAN視圖或接口視圖下執(zhí)行命令dhcpsnoocheckdhcp-requestenable，使能對DHCP報文進(jìn)行綁定表步驟3使能DHCPSnoo告警功能，可在接口視圖下執(zhí)行執(zhí)行命令dhcpsnooalarmdhcp-requestenable，使能與綁定表不匹配而被丟棄的DHCP報文數(shù)達(dá)到閾值時的DHCPSnoo告警功能。步驟4（可選）配置DHCPSnoo丟棄報文數(shù)量的告警閾值，可在系統(tǒng)視圖或接口視圖下執(zhí) 執(zhí)行命令dhcpsnooalarmthresholdthreshold，配置DHCPSnoo丟棄報文缺省情況下，DHCPSnoo丟棄報文數(shù)量的告警閾值為100packets。執(zhí)行命令dhcpsnooalarmdhcp-requestthresholdthreshold，配置與綁定表不缺省情況下，全局DHCPSnoo丟棄報文數(shù)量的告警閾值為100packets，接口下DHCPSnoo丟棄報文數(shù)量的告警閾值為在系統(tǒng)視圖下使用命令dhcpsnooalarmthreshold配置的值。若在系統(tǒng)視圖、接口視圖下同時進(jìn)行了配置，則接口下DHCPSnoo丟棄報文數(shù)----結(jié)束背景信息致DHCPServer無法為其他合法用戶分配IP地址。另一方面，DHCPServer通常僅根據(jù)CHADDR（hardwareaddress）字段來確認(rèn)客戶端的MAC地址。如果者通過不斷改變DHCPRequest報文中的CHADDR字段向DHCPServer申請IP地址，將會導(dǎo)致DHCPServer上的地址池被耗盡，從而無法為其他正常用戶提供IP地址。用戶將無法通過此接口成功申請到IP地址。為了防止者不斷改變DHCPRequest報文中的CHADDR字段進(jìn)行，可使能檢測DHCPRequest報文幀頭MAC地址與DHCP操作步驟

步驟1執(zhí)行命令system-view步驟2配置接口允許學(xué)習(xí)的DHCPSnoo綁定表項(xiàng)的最大個數(shù)，可在系統(tǒng)視圖、VLAN視圖執(zhí)行命令dhcpsnoomax-user-numbermax-numbervlan{vlan-id1[tovlan-id2]}&<1-10>，配置設(shè)備允許學(xué)習(xí)的DHCPSnoo綁定表項(xiàng)的最大個數(shù)。執(zhí)行該命令后，設(shè)備所有的接口允許學(xué)習(xí)的DHCPSnoo綁定表項(xiàng)之和為該命令缺省情況下，設(shè)備允許學(xué)習(xí)的DHCPSnoo綁定表項(xiàng)的最大個數(shù)如下：（可選）執(zhí)行命令dhcpsnoouser-alarmpercentagepercent-lower-valuepercent-upper-value，配置DHCPSnoo綁定表的告警閾值百分比。缺省情況下，DHCPSnoo綁定表的下限告警閾值百分比為50，上限告警閾值百·VLAN視圖或接口視圖下缺省情況下，設(shè)備允許學(xué)習(xí)的DHCPSnoo綁定表項(xiàng)的最大個數(shù)如下：IPv4網(wǎng)絡(luò)中，對于S1720GFR、S2720、S2750EI設(shè)備，使能DHCPSnoo功能后必須去使能DHCPSnoo功能。步驟3使能對報文的CHADDR字段進(jìn)行檢查功能，可在系統(tǒng)視圖、VLAN視圖或接口視圖下執(zhí)行命令dhcpsnoocheckdhcp-chaddrenablevlan{vlan-id1[tovlan-id2]}（可選）執(zhí)行命令dhcpsnooalarmthresholdthreshold，配置全局DHCP·VLAN視圖或接口視圖下執(zhí)行命令dhcpsnoocheckdhcp-chaddrenable，使能檢測DHCPRequest報文（可選）執(zhí)行命令dhcpsnooalarmdhcp-chaddrenable，使能數(shù)據(jù)幀頭MAC說明（可選）執(zhí)行命令dhcpsnooalarmdhcp-chaddrthresholdthreshold，配置幀缺省情況下，全局DHCPSnoo丟棄報文數(shù)量的告警閾值為100packets，接口下DHCPSnoo丟棄報文數(shù)量的告警閾值為在系統(tǒng)視圖下使用命令dhcpsnooalarmthreshold配置的值。若在系統(tǒng)視圖、接口視圖下同時進(jìn)行了配置，則接口下DHCPSnoo丟棄報文數(shù)說明----結(jié)束檢查配置結(jié)果背景信息

操作步驟

執(zhí)行命令disydhcp [interfaceinterface-typeinterface-number| 執(zhí)行命令disydhcpsnooconfiguration[vlanvlan-id|interfaceinterface-typeinterface-number]，查看DHCPSnoo的配置信息。執(zhí)行命令disymac-addresssnoo [interface-typeinterface-number|vlanvlan-id]*[verbose]，查看根據(jù)DHCPSnoo 執(zhí)行命令disydhcpsnoostatistics，查看設(shè)備接收到的各類型DHCP報文的----結(jié)束配置在DHCP報文中Option82為使DHCPServer能夠獲取到DHCP用戶的精確物理位置信息，可在DHCP報文中添加背景信息

Option82選項(xiàng)記錄了DHCP的位置信息。設(shè)備通過在DHCP請求報文中添加 的位置給DHCPServer，從而使得DHCP 說明DHCPOption82必須配置在設(shè)備的用戶側(cè)，否則設(shè)備向DHCPServer發(fā)出的DHCP報文不會攜帶操作步驟

步驟1執(zhí)行命令system-view步驟2使能在DHCP報文中添加Option82選項(xiàng)功能，可在VLAN視圖或接口視圖下進(jìn)行配置。視操作步驟執(zhí)行命令dhcpoption82{insert|rebuild}enableinterfaceinterface-typeinterface-number1tointerface-number2]，使能執(zhí)行命令dhcpoption82insert|rebuildenable步驟3（可選）Opon2說明視操作步驟執(zhí)行命令dhcpoption82vlanvlan-idce-vlance-vlan-id]circuit-id|remote-idformatdefault|common|extend|執(zhí)行命令dhcpoption82vlanvlan-idce-vlance-vlan-id]circuit-id|remote-idformatdefault|common|extend|步驟4（可選）執(zhí)行命令dhcpoption82subscriber-idformatasciiascii-text|hexhex-text}，步驟5（可選）執(zhí)行命令dhcpoption82vendor-specificformatvendor-sub-optionsub-option-num{asciiascii-text|hexhex-text|ip-addressip-address&<1-8>|sysname}，配置在步驟6（可選）配置插入DHCPOption82選項(xiàng)中的子選項(xiàng)，可在系統(tǒng)視圖、VLAN視圖或接口視操作步驟執(zhí)行命令dhcpoption82encapsulationcircuit-id|remote-id|subscriber-id|vendor-specific-id}*，配置插入DHCP執(zhí)行命令dhcpoption82encapsulationcircuit-id|remote-id|subscriber-id|vendor-specific-id}*，配置插入DHCP執(zhí)行命令dhcpoption82encapsulationcircuit-id|remote-id|subscriber-id|vendor-specific-id}*，配置插入DHCP----結(jié)束檢查配置結(jié)果

執(zhí)行命令disydhcpoption82configuration[vlanvlan-id|interfaceinterface-typeinterface-number]，查看DHCPOption82的配置信息。配置通過LDRA功能感知用戶位置背景信息操作步驟

步驟1執(zhí)行命令system-view步驟2執(zhí)行命令vlanvlan-id，進(jìn)入VLAN步驟3執(zhí)行命令dhcpv6snoorelay-informationenable[trust]，使能DHCPv6Snoo支步驟4執(zhí)行命令quit步驟5（可選）執(zhí)行命令dhcpv6interface-idformatdefault|user-definedtext}，配置在步驟6（可選）執(zhí)行命令dhcpv6remote-idformatdefault|user-definedtext}，配置在步驟7（可選）配置在使能DHCPSnoo功能后，接口不生成用戶綁定表配置維度操作步驟·執(zhí)行命令dhcpsnooenableno-user-bindingvlan{vlan-[tovlan-id2]}&<1-10>，配置在使能DHCPSnoo功能后，接----結(jié)束配置在DHCPv6報文中添加Option18Option37字為使DHCPServer能夠獲取到DHCPv6用戶的精確物理位置信息，可在DHCPv6報文中背景信息

DH6報文的po1Opon7選項(xiàng)能DHv4報文的po82項(xiàng)功能類似，其Opn1選項(xiàng)記了客戶的接信息Opon3選項(xiàng)記了客戶的AC地址信息設(shè)備通在Hv6求報文添Op18Opn3選項(xiàng)，將DH6 的置DHPrer，使得HPSrr能根據(jù)Opn1或po37項(xiàng)的內(nèi)為Hv6 分合適的地址和其他置信息，并實(shí)現(xiàn)對戶端的全控制。操作步驟

步驟1執(zhí)行命令system-view步驟2執(zhí)行命令interfaceinterface-typeinterface-number步驟3執(zhí)行命令dhcpv6option18|option37insert|rebuildenable，使能在DHCPv6說明步驟4執(zhí)行命令quit步驟5（可選）配置在DHCPv6報文中添加的Option18選項(xiàng)的格式，可在系統(tǒng)視圖、VLAN視執(zhí)行命令（可選）執(zhí)行命令dhcpv6option18[vlanvlan-id][ce-vlance-vlan-idformatuser-definedtext，配置在DHCPv6報文中添加的Option18選項(xiàng)的格（可選）執(zhí)行命令dhcpv6option18vlanvlan-idce-vlance-vlan-idformatuser-definedtext，配置在DHCPv6報文中添加的Option18選項(xiàng)的格式。（可選）執(zhí)行命令dhcpv6option18vlanvlan-idce-vlance-vlan-idformatuser-definedtext，配置在DHCPv6報文中添加的Option18選項(xiàng)的格式。說明步驟6（可選）配置在DHCPv6報文中添加的Option37選項(xiàng)的格式，可在系統(tǒng)視圖、VLAN視執(zhí)行命令dhcpv6option37vlanvlan-idce-vlance-vlan-idformatuser-definedtext，配置在DHCPv6報文中添加的Option37選項(xiàng)的格式。執(zhí)行命令dhcpv6option37vlanvlan-idce-vlance-vlan-idformatuser-definedtext，配置在DHCPv6報文中添加的Option37選項(xiàng)的格式。執(zhí)行命令dhcpv6option37vlanvlan-idce-vlance-vlan-idformatuser-definedtext，配置在DHCPv6報文中添加的Option37選項(xiàng)的格式。說明----結(jié)束DHCPSnoo設(shè)備支持清除DHCPSnoo的統(tǒng)計信息、動態(tài)綁定表或備份DHCPSnoo動態(tài)綁定清除DHCPSnoo的統(tǒng)計信背景信息注注操作操作步驟在用戶視圖下執(zhí)行命令resetdhcpsnoostatisticsglobal，清除全局的報文丟棄在用戶視圖下執(zhí)行命令resetdhcpsnoostatisticsinterfaceinterface-typeinterface-number[vlanvlan-id]，清除接口下的報文丟棄統(tǒng)計計數(shù)。在用戶視圖下執(zhí)行命令resetdhcpsnoostatisticsvlanvlan-id[----結(jié)束清除DHCPSnoo綁定背景信息

由于在組網(wǎng)環(huán)境變化之后，DHCPSnoo綁定表不會立即老化，而DHCPSnoo綁所以，請在變更組網(wǎng)環(huán)境之前手動清除所有DHCPSnoo綁定表項(xiàng)，使得設(shè)備根據(jù)新的網(wǎng)絡(luò)環(huán)境生成新的DHCPSnoo綁定表。注注清除DHCPSnoo綁定表后，設(shè)備下所連接的所有DHCP用戶均需重新上線生成綁定操作步驟

resetdhcpsnoouser-bind[vlanvlan-id|interfaceinterface-typeinterface-number]*[ipv4|ipv6]resetdhcpsnoouser-bind[ip-address[ip-address]|ipv6-address[ipv6-address]|vplsvpls-name]resetdhcpsnoouser-bind[ipv6-prefix[prefix/prefix-length]----結(jié)束

說備份DHCPSnoo綁定背景信息

如果沒有備份綁定表，設(shè)備重啟后DHCPSnoo綁定表將丟失，這將導(dǎo)致DHCP用戶必須重新進(jìn)行上線以生成DHCPSnoo綁定表項(xiàng)才能正常通信。在備份DHCPSnoo綁定表后，設(shè)備重啟后恢復(fù)DHCPSnoo綁定表，即可避免上述問題。步驟1執(zhí)行命令system-view步驟2使能DHCPSnoo綁定表的自動備份功能，可分為本地備份和遠(yuǎn)端ftp、sftp和tftp服務(wù)執(zhí)行命令dhcpsnoouser-bindautosavefile-name[write-delaydelay-time]，使能DHCPSnoo綁定表的本地自動備份功能。執(zhí)行命令dhcpsnoouser-bindftpremotefilenamefilenamehost-ipip-addressusernameusernamepasswordpassword[write-delaydelay-time]，使能DHCP執(zhí)行命令dhcpsnoouser-bindsftpremotefilenamefilenamehost-ipip-addressusernameusernamepasswordpassword[write-delaydelay-time]，使能DHCP執(zhí)行命令dhcpsnoouser-bindtftpremotefilenamefilenamehost-ipip-[write-delaydelay-time]，使能DHCPSnoo綁定表在遠(yuǎn)端tftp服務(wù)器上的自動備說明設(shè)備不支持多種DHCPSnoo綁定表的自動備份方式同時生效，即以上四種方式只能選擇一----結(jié)束恢復(fù)DHCPSnoo綁定背景信息

在遠(yuǎn)端ftp、tftp或者sftp服務(wù)器上備份DHCPSnoo綁定表后，即可對備份的綁定表項(xiàng)操作步驟

步驟1執(zhí)行命令system-view步驟2從遠(yuǎn)端ftp、sftp或tftp服務(wù)器上獲取并恢復(fù)DHCPSnoo綁定表執(zhí)行命令dhcpsnoouser-bindftploadremotefilenamefilenamehost-ipip-addressusernameusernamepasswordpassword，配置從遠(yuǎn)端ftp服務(wù)器上獲取并恢復(fù)已備份的DHCPSnoo綁定表項(xiàng)。執(zhí)行命令dhcpsnoouser-bindsftploadremotefilenamefilenamehost-ipip-addressusernameusernamepasswordpassword，配置從遠(yuǎn)端sftp服務(wù)器上獲取并恢復(fù)已備份的DHCPSnoo綁定表項(xiàng)。執(zhí)行命令dhcpsnoouser-bindtftploadremotefilenamefilenamehost-ipip-address，配置從遠(yuǎn)端tftp服務(wù)器上獲取并恢復(fù)已備份的DHCPSnoo綁定表項(xiàng)。說明----結(jié)束配置舉例配置DHCPSnoo的防范功能示組網(wǎng)需求

DHCPServer仿冒者：在網(wǎng)絡(luò)上隨意添加一臺DHCP服務(wù)器，它可以為客戶端DHCP報文泛洪：若者短時間內(nèi)向設(shè)備發(fā)送大量的DHCP報文，將會對設(shè)仿冒H報文：如者充合用戶不向DPre發(fā)送HPeque獲得地址；而若者仿合法用DHPease文發(fā)DHPevrDHCPServer服務(wù)：當(dāng)存在大量者申請IP地址或者某一者通過不斷改變CHADDR字段向DHCPServer申請IP地址，會導(dǎo)致DHCPServer中IP地為了為DHCP用戶提供更優(yōu)質(zhì)的服務(wù)，網(wǎng)絡(luò)管理員可以通過配置DHCPSnoo功能，圖9-13配置DHCPSnoo的防范功能組網(wǎng)DHCPVLAN

DHCPDHCP

配置思路

配置DHCPSnoo的基本功能，防止DHCPServer仿冒者。同時可以使能ARP與DHCPSnoo的聯(lián)動功能，保證DHCP用戶在異常下線時實(shí)時更新綁定配置允許接入的最大用戶數(shù)以及使能檢測DHCPRequest報文幀頭MAC與DHCP數(shù)操作步驟

步驟1配置DHCP#<<[>system-]sysname[SwitchC]dhcpservergroup[SwitchC-dhcp-server-group-dhcpgroup1]dhcp-server[SwitchC-dhcp-server-group-dhcpgroup1]quit[SwitchC]vlanbatch10[SwitchC]interfacegigabitethernet[SwitchC-GigabitEthernet0/0/1]portlink-typeaccess[SwitchC-GigabitEthernet0/0/1]portdefaultvlan10[SwitchC-GigabitEthernet0/0/1]quit[SwitchC]interfacegigabitethernet[SwitchC-GigabitEthernet0/0/2]portlink-typeaccess[SwitchC-GigabitEthernet0/0/2]portdefaultvlan10[SwitchC-GigabitEthernet0/0/2]quit[SwitchC]interfacegigabitethernet[SwitchC-GigabitEthernet0/0/3]portlink-typeaccess[SwitchC-GigabitEthernet0/0/3]portdefaultvlan100[SwitchC-GigabitEthernet0/0/3]quit[SwitchC]dhcpenable[SwitchC]interfacevlanif10[SwitchC-Vlanif10]ipaddress[SwitchC-Vlanif10]dhcpselectrelay[SwitchC-Vlanif10]dhcprelayserver-selectdhcpgroup1[SwitchC-Vlanif10]quit[SwitchC]interfacevlanif[SwitchC-Vlanif100]ipaddress[SwitchC-Vlanif100]quit[SwitchC]iproute-staticDHCP服務(wù)器IP地址配置為/24，同時配置一個IP地址范圍為/24的地步驟2使能DHCPSnoo基本功能[SwitchC]dhcpenable[SwitchC][SwitchC]interfacegigabitethernet[SwitchC-GigabitEthernet0/0/1]dhcpsnoo [SwitchC-GigabitEthernet0/0/1]quit[SwitchC]arpdhcp--detect使能檢測DHCPRequest報文中GIADDR字段是否非零的功能。以GE0/0/1接口為例，[SwitchC][SwitchC]interfacegigabitethernet[SwitchC-GigabitEthernet0/0/1]dhcpsnoo checkdhcp-giaddrenable[SwitchC-GigabitEthernet0/0/1]quit#[SwitchC][SwitchC]dhcpsnoo checkdhcp-rateenable [SwitchC]dhcp checkdhcp-rate90 [SwitchC]dhcpalarmdhcp-rate[SwitchC]dhcpalarmdhcp-ratethreshold步驟4使能對DHCP報文進(jìn)行綁定表匹配檢查的功能并使能與綁定表不匹配而被丟棄的DHCP在用戶側(cè)接口進(jìn)行配置。以GE0/0/1接口為例，GE0/0/2的配置與GE0/0/1接口相同，[SwitchC][SwitchC]interfacegigabitethernet[SwitchC-GigabitEthernet0/0/1]dhcpsnoo checkdhcp-requestenable[SwitchC-GigabitEthernet0/0/1]dhcpsnoo alarmdhcp-requestenable[SwitchC-GigabitEthernet0/0/1]dhcpsnoo alarmdhcp-requestthreshold120[SwitchC-GigabitEthernet0/0/1]quit步驟5配置接口允許接入的最大用戶數(shù)并使能對CHADDR字段檢查功能，同時使能數(shù)據(jù)幀頭在用戶側(cè)接口進(jìn)行配置。以GE0/0/1接口為例，GE0/0/2的配置與GE0/0/1接口相同，[SwitchC][SwitchC]interfacegigabitethernet[SwitchC-GigabitEthernet0/0/1]dhcpsnoo max-user-number20[SwitchC-GigabitEthernet0/0/1]dhcpsnoo checkdhcp-chaddrenable[SwitchC-GigabitEthernet0/0/1]dhcp alarmdhcp-chaddr[SwitchC-GigabitEthernet0/0/1]dhcpsnoo alarmdhcp-chaddrthreshold120[SwitchC-GigabitEthernet0/0/1]quit步驟6[SwitchC][SwitchC] ydhcp dhcpsnoodhcpsnoodhcpsnoodhcpdhcpenablecheckdhcp-rateenablecheckdhcp-rate90alarmdhcp-rateenablealarmdhcp-ratethresholdarpdhcp--detect#interfacedhcpsnoodhcpsnoodhcpsnoodhcpsnoodhcpsnoodhcpsnoodhcpsnoodhcpdhcpcheckdhcp-giaddrenablecheckdhcp-requestenablealarmdhcp-requestalarmdhcp-requestthreshold120checkdhcp-chaddrenablealarmdhcp-chaddralarmdhcp-chaddrthresholdmax-user-number#interfacedhcpsnoodhcpsnoodhcpsnoodhcpsnoodhcpsnoodhcpsnoodhcpsnoodhcpdhcpcheckdhcp-giaddrenablecheckdhcp-requestenablealarmdhcp-requestalarmdhcp-requestthreshold120checkdhcp-chaddrenablealarmdhcp-chaddralarmdhcp-chaddrthresholdmax-user-number##執(zhí)行命令disydhcpsnoointerface，查看接口下的DHCPSnoo運(yùn)行信息?？梢钥吹紺heckdhcp-giaddr、Checkdhcp-chaddr和Checkdhcp-request字段都為[SwitchC][SwitchC]disDHCPsnooDHCPydhcpinterfacegigabitethernetrunninginformationforinterfaceGigabitEthernet0/0/1:Trusted :Dhcpusermax :Currentdhcpandnduser :Checkdhcp- :Checkdhcp- :Alarmdhcp- :Alarmdhcp-chaddrthreshold :120Discardeddhcppacketsforcheckchaddr:0Checkdhcp- :Alarmdhcp- :Alarmdhcp-request Discardeddhcppacketsforcheckrequest:Checkdhcp-Alarmdhcp-Alarmdhcp-rateDiscardeddhcppacketsforratelimitAlarmdhcp-reply:Disable::::Disable----結(jié)束配置文件

##vlanbatch10100dhcpdhcpdhcp enabledhcpsnoo checkdhcp-rateenabledhcpsnoo checkdhcp-rate90dhcpsnoo alarmdhcp-rateenabledhcpsnoo alarmdhcp-ratethreshold500arpdhcp-snoo -detectenable#dhcpservergroupdhcpgroup1dhcp-server0#interfaceipaddressdhcpselectdhcprelayserver-select#interfaceipaddress#portlink-typeaccessportdefaultvlan10dhcp dhcpsnoocheckdhcp-giaddrenabledhcpsnoocheckdhcp-requestenabledhcpsnooalarmdhcp-requestdhcpsnoo alarmdhcp-requestthreshold120dhcpsnoo checkdhcp-chaddrenabledhcp alarmdhcp-chaddrdhcpsnoo alarmdhcp-chaddrthreshold120dhcpsnoo max-user-number20#portlink-typeaccessportdefaultvlan10dhcp dhcpsnoocheckdhcp-giaddrenabledhcpsnoocheckdhcp-requestenabledhcpsnooalarmdhcp-requestdhcpsnoo alarmdhcp-requestthreshold120dhcpsnoo checkdhcp-chaddrenabledhcp alarmdhcp-chaddrdhcpsnoo alarmdhcp-chaddrthreshold120dhcpsnoo max-user-number20#portlink-typeaccessportdefaultvlan#iproute-static配置在VPLS網(wǎng)絡(luò)中應(yīng)用DHCPSnoo示組網(wǎng)需求

DHCPDHCPDHCP說明配置思路

使能檢測DHCPRequest報文中GIADDR字段是否非零的功能，防止GIADDR字段非零的DHCPRequest報文。據(jù)區(qū)中CHADDR字段是否一致功能，防止DHCPServer服務(wù)。操作步驟

步驟1使能DHCPSnoo功能<<[>system-]sysname[PE1]dhcp[PE1]dhcp enable步驟2使能設(shè)備在VPLS網(wǎng)絡(luò)中的DHCPSnoo功能[PE1]dhcpover-vpls步驟3使能接口下的DHCPSnoo功能[PE1][PE1]interfacegigabitethernet[PE1-GigabitEthernet0/0/1]dhcpsnoo [PE1-GigabitEthernet0/0/1]quit步驟4配置接口的信任狀態(tài)：將連接DHCPServer的接口狀態(tài)配置為“Trusted[PE1][PE1]interfacegigabitethernet[PE1-GigabitEthernet0/0/3]dhcpsnoo [PE1-GigabitEthernet0/0/3]quit步驟5使能對DHCP在用戶側(cè)接口進(jìn)行配置。以GE0/0/1接口為例，GE0/0/2的配置與GE0/0/1接口相同，[PE1][PE1]interfacegigabitethernet[PE1-GigabitEthernet0/0/1]dhcpsnoo checkdhcp-requestenable[PE1-GigabitEthernet0/0/1]quit步驟6配置DHCP報文上送DHCP報文處理單元的最大允許速率為90pps[PE1]dhcpcheckdhcp-rate[PE1]dhcp checkdhcp-rate90 步驟7使能檢測DHCPRequest報文中GIADDR在用戶側(cè)接口進(jìn)行配置。以GE0/0/1接口為例，GE0/0/2的配置與GE0/0/1接口相同，[PE1][PE1]interfacegigabitethernet[PE1-GigabitEthernet0/0/1]dhcpsnoo checkdhcp-giaddrenable[PE1-GigabitEthernet0/0/1]quit步驟8配置接口允許接入的最大用戶數(shù)并使能對CHADDR在用戶側(cè)接口進(jìn)行配置。以GE0/0/1接口為例，GE0/0/2的配置與GE0/0/1接口相同，[PE1][PE1]interfacegigabitethernet[PE1-GigabitEthernet0/0/1]dhcp max-user-number[PE1-GigabitEthernet0/0/1]dhcpsnoo checkdhcp-chaddrenable[PE1-GigabitEthernet0/0/1]quit步驟9[PE1][PE1]interfacegigabitethernet[PE1-GigabitEthernet0/0/1]dhcpsnooalarmdhcp-chaddrenable[PE1-GigabitEthernet0/0/1]dhcpsnooalarmdhcp-requestenable[PE1-GigabitEthernet0/0/1]dhcpsnooalarmdhcp-replyenable[PE1-GigabitEthernet0/0/1]dhcpsnoo alarmdhcp-chaddrthreshold120[PE1-GigabitEthernet0/0/1]dhcpsnoo alarmdhcp-requestthreshold120[PE1-GigabitEthernet0/0/1]dhcpsnoo alarmdhcp-replythreshold120[PE1-GigabitEthernet0/0/1]quit[PE1]dhcpalarmdhcp-rate[PE1]dhcpalarmdhcp-ratethreshold步驟10[PE1][PE1]#dhcpsnoodhcpsnoodhcpsnoodhcpsnoodhcpsnoodhcpsnooydhcp enablecheckdhcp-rateenablecheckdhcp-rate90alarmdhcp-rateenablealarmdhcp-ratethreshold80over-vplsenableinterfacedhcpsnoodhcpsnoocheckdhcp-giaddrenabledhcpsnoocheckdhcp-requestenabledhcpsnooalarmdhcp-requestdhcpsnoo alarmdhcp-requestthreshold120dhcpsnoo checkdhcp-chaddrenabledhcp alarmdhcp-chaddrdhcpsnoo alarmdhcp-chaddrthreshold120dhcpsnoo alarmdhcp-replyenabledhcpsnoo alarmdhcp-replythreshold120dhcpsnoo max-user-number20#dhcpsnoo dhcpsnoocheckdhcp-giaddrenabledhcpsnoocheckdhcp-requestenabledhcpsnooalarmdhcp-requestdhcpsnoo alarmdhcp-requestthreshold120dhcpsnoo checkdhcp-chaddrenabledhcp alarmdhcp-chaddrdhcpsnoo alarmdhcp-chaddrthreshold120dhcpsnoo alarmdhcp-replyenabledhcpsnoo alarmdhcp-replythreshold120dhcpsnoo max-user-number20#dhcpsnoo ##執(zhí)行命令disydhcpsnoointerface查看接口下的DHCPSnoo運(yùn)行信息[PE1][PE1]DHCPsnooDHCPydhcpinterfacegigabitethernetrunninginformationforinterfaceGigabitEthernet0/0/1:Trusted :Dhcpusermax :Currentdhcpandnduser :Checkdhcp- :Checkdhcp- :Alarmdhcp- :Alarmdhcp-chaddr :Discardeddhcppacketsforcheckchaddr Checkdhcp- :Alarmdhcp- :Alarmdhcp-request Discardeddhcppacketsforcheckrequest:Checkdhcp- :DisableAlarmdhcp- :DisableAlarmdhcp-ratethreshold :80Discardeddhcppacketsforratelimit :0Alarmdhcp-reply Alarmdhcp-reply Discardeddhcppacketsforcheck :[PE1]disDHCPsnooDHCPydhcpinterfacegigabitethernetrunninginformationforinterfaceGigabitEthernet0/0/3:DisableTrustedDhcpusermaxCurrentdhcpandnduserCheckdhcp-::::DisableCheckCheckdhcp-chaddrAlarmdhcp-Checkdhcp-rateAlarmdhcp-rateAlarmdhcp-rateDiscardeddhcppacketsforratelimitAlarmdhcp-reply:::::::::----結(jié)束配置文件

##dhcp enabledhcpsnoo checkdhcp-rateenabledhcpsnoo checkdhcp-rate90dhcpsnoo alarmdhcp-rateenabledhcpsnoo alarmdhcp-ratethreshold80dhcpsnoo#dhcpsnoo dhcpsnoocheckdhcp-giaddrenabledhcpsnoocheckdhcp-requestenabledhcpsnooalarmdhcp-requestdhcpsnoo alarmdhcp-requestthreshold120dhcpsnoo checkdhcp-chaddrenabledhcp alarmdhcp-chaddrdhcpsnoo alarmdhcp-chaddrthreshold120dhcpsnoo alarmdhcp-replyenabledhcpsnoo alarmdhcp-replythreshold120dhcpsnoo max-user-number20#dhcpsnoo dhcpsnoocheckdhcp-giaddrenabledhcpsnoocheckdhcp-requestenabledhcpsnooalarmdhcp-requestdhcpsnoo alarmdhcp-requestthreshold120dhcpsnoo checkdhcp-chaddrenabledhcp alarmdhcp-chaddrdhcpsnoo alarmdhcp-chaddrthreshold120dhcpsnoo alarmdhcp-replyenabledhcpsnoo alarmdhcp-replythreshold120dhcpsnoo max-user-number20#dhcpsnoo #配置通過LDRA功能感知用戶位置示例組網(wǎng)需求

如圖9-15所示，某公司研發(fā)部與市場部通過Switch接入網(wǎng)絡(luò)并通過DHCPv6方式獲DHCPv6DHCPv6 DHCPv6配置思路

戶詳細(xì)的位置信息上送至DHCPv6Server，滿足DHCPv6Server根據(jù)用戶詳細(xì)位置操作步驟

步驟1創(chuàng)建VLAN#<<[>system-]sysname[Switch]vlanbatch[Switch][Switch]interfacegigabitethernet[Switch-GigabitEthernet0/0/1]portlink-typeaccess[Switch-GigabitEthernet0/0/1]portdefaultvlan10[Switch-GigabitEthernet0/0/1]quit[Switch]interfacegigabitethernet[Switch-GigabitEthernet0/0/2]portlink-typeaccess[Switch-GigabitEthernet0/0/2]portdefaultvlan10[Switch-GigabitEthernet0/0/2]quit[Switch]interfacegigabitethernet[Switch-GigabitEthernet0/0/3]portlink-type[Switch-GigabitEthernet0/0/3]porttrunkallow-passvlan10[Switch-GigabitEthe