Configuration procedure

# Enable DHCP snooping on Switch.

<Switch> system-view

[Switch] dhcp-snooping

# Specify GigabitEthernet 1/0/5 as the trusted port.

[Switch] interface gigabitethernet 1/0/5

[Switch-GigabitEthernet1/0/5] dhcp-snooping trust

[Switch-GigabitEthernet1/0/5] quit

# Enable DHCP-snooping Option 82 support.

[Switch] dhcp-snooping information enable

# Set the remote ID sub-option in Option 82 to the system name (sysname) of the DHCP snooping device.

[Switch] dhcp-snooping information remote-id sysname

# Set the circuit ID sub-option in DHCP packets from VLAN 1 to “abcd” on GigabitEthernet 1/0/3.

[Switch] interface gigabitethernet 1/0/3

[Switch-GigabitEthernet1/0/3] dhcp-snooping information vlan 1 circuit-id string abcd
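
To check on the DHCP server side, or in a packet capture, that the relay information configured above arrives as intended, the following added example (not part of the original manual) parses Option 82 according to RFC 3046 and compares the circuit ID and remote ID. The sample bytes are constructed; the sysname "Switch" is taken from the CLI prompt, and plain ASCII encoding of both strings is an assumption about how the device fills the sub-options.

```python
# Added example: RFC 3046 Option 82 parsing. Sample bytes are constructed.
SUBOPT_NAMES = {1: "circuit-id", 2: "remote-id"}  # RFC 3046 sub-option codes

def _tlvs(buf, skip_pad_end):
    """Yield (code, value) pairs from a code/length/value byte string."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if skip_pad_end and code == 0:      # DHCP pad option: single byte
            i += 1
            continue
        if skip_pad_end and code == 255:    # DHCP end option
            return
        if i + 2 > len(buf):
            raise ValueError(f"truncated header at offset {i}")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} overruns buffer")
        yield code, value
        i += 2 + length

def find_option82(options):
    """Return the value of Option 82 from a DHCP options field, or None."""
    for code, value in _tlvs(options, skip_pad_end=True):
        if code == 82:
            return value
    return None

def parse_option82(value):
    """Split an Option 82 value into its sub-options."""
    return {SUBOPT_NAMES.get(c, c): v for c, v in _tlvs(value, skip_pad_end=False)}

def relay_info_matches(options, circuit_id, remote_id):
    """True only if Option 82 is present and both sub-options match."""
    value = find_option82(options)
    if value is None:
        return False
    sub = parse_option82(value)
    return sub.get("circuit-id") == circuit_id and sub.get("remote-id") == remote_id

# Constructed sample: options field of a DHCPDISCOVER after the snooping
# device inserted Option 82 (assumption: strings carried as plain ASCII).
SAMPLE = (bytes([53, 1, 1])                              # message type: Discover
          + bytes([82, 14]) + bytes([1, 4]) + b"abcd"    # circuit ID sub-option
          + bytes([2, 6]) + b"Switch"                    # remote ID sub-option
          + bytes([255]))                                # end option

if __name__ == "__main__":
    print(parse_option82(find_option82(SAMPLE)))
    print(relay_info_matches(SAMPLE, b"abcd", b"Switch"))
```

A request that reaches the server without Option 82, or with a circuit ID other than the configured string, makes `relay_info_matches` return False, which is the condition worth logging.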

IP Filtering Configuration Example

Network requirements

As shown in Figure 3-7, GigabitEthernet 1/0/1 of Switch is connected to the DHCP server and GigabitEthernet 1/0/2 is connected to Host A. The IP address and MAC address of Host A are 1.1.1.1 and 0001-0001-0001 respectively. GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 are connected to DHCP Client B and Client C.

Enable DHCP snooping on Switch, and specify GigabitEthernet 1/0/1 as the DHCP snooping trusted port to prevent attacks from unauthorized DHCP servers.

Enable IP filtering on GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4 to prevent attacks on the server from clients using fake source IP addresses.

Create static binding entries on Switch, so that Host A using a fixed IP address can access the external network.

3Com WX3000 IP Filtering Configuration Example, # Enable Dhcp snooping on Switch, # Enable DHCP-snooping Option 82 support