1. How it works

2. Global configuration

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] dhcp enable
[SwitchA] ip pool pool1
[SwitchA-ip-pool-pool1] network 10.1.1.0 mask 24
[SwitchA-ip-pool-pool1] gateway-list 10.1.1.1
[SwitchA-ip-pool-pool1] excluded-ip-address 10.1.1.100 10.1.1.200
[SwitchA-ip-pool-pool1] dns-list 8.8.8.8
[SwitchA-ip-pool-pool1] static-bind ip-address 10.1.1.100 mac-address 0000-1111-2222 # assign a fixed IP address to a client

3. Interface configuration

[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] dhcp select interface # DHCP service in interface address pool mode
[SwitchA-Vlanif100] dhcp server dns-list 8.8.8.8 # configure the DNS server address
[SwitchA-Vlanif100] dhcp server excluded-ip-address 10.1.1.100 10.1.1.200 # excluded addresses
[SwitchA-Vlanif100] dhcp server lease day 10 # change the lease time
[SwitchA-Vlanif100] dhcp server static-bind ip-address 10.1.1.100 mac-address dcd2-fc96-e4c0 # assign a fixed IP address to a client

IPSG: prevents source IP address spoofing (static and dynamic bindings). IP packets are checked against the binding table (DHCP dynamic binding table and static binding table) on IP, MAC, interface and VLAN.

[SwitchA-Vlanif100] ip source check user-bind enable
[SwitchA-Vlanif100] ip source check user-bind check-item interface ip-address mac-address
<SwitchA> display ip pool name ip-pool-name # view IP address usage in the global address pool

Start      End          Total  Used  Idle(Expired)  Conflict  Disable
-----------------------------------------------------------------------------
10.1.1.1   10.1.1.254   253    1     252(0)         0         0

If Idle(Expired) is zero, the addresses in the pool are exhausted; if it is confirmed that the pool is too small for normal use, adjust the mask length of the pool. If Conflict is large, many IP address conflicts have occurred; the reset ip pool command resets the pool and manually reclaims IP addresses (this command makes clients release their IP addresses and obtain new ones, and clients cannot access the network until they succeed, so use it with caution).

4. Configuring DHCP relay

1) Configure the specified interface to work in DHCP relay mode
2) Configure the destination DHCP server group that the relay forwards to
3) Bind the DHCP relay interface to the DHCP server group
4) (Optional) Configure the DHCP relay to ask the DHCP server to release a client's IP address
5) (Optional) Configure the DHCP relay's processing policy for Option 82 information

[SwitchA] dhcp relay server group 1 # name of the DHCP server group
  server 172.16.20.5 # IP address of the DHCP server
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] dhcp select relay # interface on which DHCP relay is enabled, and its IP address
[SwitchA-Vlanif100] dhcp relay binding server group 1 # bind the relay to server group 1
display ip pool name dhcp # view the parameters of the configured IP address pool

5. Security linkage (DHCP snooping, IPSG and ARP)

[SwitchA] dhcp snooping enable ipv4 # process only IPv4 packets, saving CPU on the device
[SwitchA] interface gigabitethernet 2/0/1 # configure GE2/0/1 as a DHCP snooping trusted interface
[SwitchA-GigabitEthernet2/0/1] dhcp snooping trusted
[SwitchA-GigabitEthernet2/0/1] quit
[SwitchA] user-bind static ip-address 10.0.0.2 mac-address 0001-0001-0001 interface gigabitethernet 1/0/3 vlan 10 # static binding
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] arp anti-attack check user-bind enable # check ARP packets against the binding table
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] dhcp snooping enable # DHCP snooping on the user-side interface
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] dhcp snooping enable
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] vlan 10
[SwitchA-vlan10] dhcp snooping enable # enable DHCP snooping; by default all interfaces are untrusted
[SwitchA-vlan10] ip source check user-bind enable # enable IPSG
[SwitchA-vlan10] ip source check user-bind check-item interface ip-address mac-address # combined check
[SwitchA-vlan10] dhcp snooping trusted interface gigabitethernet 0/0/4 # configure the trusted interface
[SwitchA] interface ethernet 2/0/2
[SwitchA-Ethernet2/0/2] dhcp snooping trusted
[SwitchA-Ethernet2/0/2] quit
[SwitchA] arp dhcp-snooping-detect enable # enable linkage between ARP and DHCP snooping
[SwitchA] interface ethernet 0/0/1
[SwitchA-Ethernet0/0/1] dhcp snooping check user-bind enable # check DHCP packets against the binding table
[SwitchA-Ethernet0/0/1] dhcp snooping check dhcp-giaddr enable # check whether the GIADDR field of DHCP Request packets is non-zero
[SwitchA-Ethernet0/0/1] dhcp snooping max-user-number 20 # maximum number of users allowed to access through the interface
[SwitchA-Ethernet0/0/1] dhcp snooping check mac-address enable # enable the CHADDR field check

Configuring DHCP relay (the relay is done on the device closest to the clients):

[access] dhcp enable
[access] interface vlanif 20
[access-Vlanif20] dhcp select relay # configure DHCP relay
[access-Vlanif20] dhcp relay server-ip 10.20.1.1 # IP address of the DHCP server the relay forwards to
[access-Vlanif20] quit

Port group and MAC address protection:

[Switch] port-group portgroup1 # create the permanent port group portgroup1
[Switch-port-group-portgroup1] group-member GE1/0/1 to GE1/0/3 # add the physical ports to portgroup1
[Switch-port-group-portgroup1] undo negotiation auto # batch-configure the interfaces to non-auto-negotiation mode
[Switch-port-group-portgroup1] duplex full # batch-configure the interfaces to full duplex
[Switch-port-group-portgroup1] speed 100 # batch-configure the interface rate to 100 Mbit/s
[Switch-port-group-portgroup1] undo portswitch # switch a single interface to Layer 3 mode
[Switch-port-group-portgroup1] combo-port copper # change the combo port to copper (electrical) mode
[Switch] mac-address static 4-4-4 gigabitethernet 1/0/2 vlan 2 # add a static MAC address entry for the server on the Switch
[Switch] mac-address blackhole <MAC of the illegal PC> vlan <its VLAN> # prevent the illegal MAC address ***
[Switch] vlan 2 # at most 100 MAC addresses may be learned; packets beyond the limit are discarded and an alarm is raised
[Switch-vlan2] mac-limit maximum 100 action discard
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] mac-limit maximum 100 action discard

Verification commands:

display ip pool interface vlanif100 used # check how many addresses DHCP has assigned
reset ip pool name pool1 conflict # when duplicate assignment causes address conflicts, reset the conflicting IP addresses
display arp anti-attack statistics check user-bind interface gigabitethernet 1/0/1 # view the ARP packet discard count on the interface
display dhcp static user-bind all # view the static binding table
display mac-address static vlan 2 # check that the static MAC entry was added
display mac-address blackhole # check that the blackhole MAC entry was added
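To make the IPSG binding-table check above concrete, here is an added Python model (not from this page or from Huawei) of how a packet's IP, MAC, interface and VLAN are compared against the binding table, and how narrowing the check-item list weakens the check; the table entries and packets are constructed samples, and treating all four items as the default check is an assumption.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# All items IPSG can match on; the "check-item" command selects a subset of these.
ALL_ITEMS = ("interface", "ip-address", "mac-address", "vlan")
# Maps each check-item keyword to the packet/binding field it compares.
FIELD = {"interface": "interface", "ip-address": "ip", "mac-address": "mac", "vlan": "vlan"}


@dataclass(frozen=True)
class Binding:
    """One binding-table entry (IP, MAC, interface, VLAN), static or learned by DHCP snooping."""
    ip: str
    mac: str
    interface: str
    vlan: int


# Constructed sample binding table: the page's static user-bind entry plus one
# entry as DHCP snooping would learn it from a lease on a user-side interface.
BINDING_TABLE = [
    Binding("10.0.0.2", "0001-0001-0001", "GE1/0/3", 10),
    Binding("10.1.1.100", "dcd2-fc96-e4c0", "GE0/0/2", 100),
]


def ipsg_permits(packet: dict, check_items: Optional[Iterable[str]] = None,
                 table: list = BINDING_TABLE) -> bool:
    """True if some binding matches the packet on every selected check item.
    With no check-item list, all four items are compared (assumed default)."""
    fields = [FIELD[i] for i in (check_items or ALL_ITEMS)]
    return any(all(packet[f] == getattr(b, f) for f in fields) for b in table)


def demo() -> dict:
    # Constructed packet from a host on GE0/0/3 that uses another client's
    # address 10.1.1.100 as its source IP while keeping its own MAC.
    spoofed = {"ip": "10.1.1.100", "mac": "aaaa-bbbb-cccc", "interface": "GE0/0/3", "vlan": 100}
    # Legitimate packet from the real lease holder on GE0/0/2.
    genuine = {"ip": "10.1.1.100", "mac": "dcd2-fc96-e4c0", "interface": "GE0/0/2", "vlan": 100}
    return {
        "genuine_full_check": ipsg_permits(genuine),
        "spoofed_full_check": ipsg_permits(spoofed),
        # Checking only ip-address would wrongly permit the forged packet.
        "spoofed_ip_only": ipsg_permits(spoofed, ["ip-address"]),
    }


if __name__ == "__main__":
    print(demo())
```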