1 實(shí)驗(yàn)拓?fù)鋱D

   

專注于為中小企業(yè)提供成都做網(wǎng)站、網(wǎng)站制作服務(wù),電腦端+手機(jī)端+微信端的三站合一,更高效的管理,為中小企業(yè)西市免費(fèi)做網(wǎng)站提供優(yōu)質(zhì)的服務(wù)。我們立足成都，凝聚了一批互聯(lián)網(wǎng)行業(yè)人才，有力地推動(dòng)了超過千家企業(yè)的穩(wěn)健成長(zhǎng)，幫助中小企業(yè)通過網(wǎng)站建設(shè)實(shí)現(xiàn)規(guī)模擴(kuò)充和轉(zhuǎn)變。

2 DHCP Snooping

2.1 基本DHCP Snooping配置：

C2960#show running-config

Building configuration...

!

ipdhcp snooping vlan 10

ipdhcp snooping

!

interface FastEthernet0/1

 description ---Connected to DHCP_Server ---

 switchportaccess vlan 10

 switchport modeaccess

 spanning-treeportfast

 spanning-treebpduguard enable

 ip dhcp snoopingtrust

!

interface FastEthernet0/10

 description ---Connected to PC1 ---

 switchportaccess vlan 10

 switchport modeaccess

 spanning-treeportfast

 spanning-treebpduguard enable

!

2.2 驗(yàn)證DHCP Snooping效果：

一、首先，PC能夠正常通過DHCP獲取到IP地址：

 

二、C2960上驗(yàn)證DHCP Snooping效果：

C2960#showip dhcp snooping

 

C2960#showip dhcp snooping binding

注：此綁定表非常關(guān)鍵，是后續(xù)IPSG和DAI的基礎(chǔ)。

2.3 擴(kuò)展DHCP Snooping配置：

（一）指定DHCP Snooping綁定數(shù)據(jù)庫(kù)的位置

注：如果想寫到外部數(shù)據(jù)庫(kù)，必須先寫到本地，否則不成功。

C2960(config)#ip dhcp snooping databaseflash:/dhcp-snooping.db

01:00:28: %DHCP_SNOOPING-4-DHCP_SNOOPING_DATABASE_FLASH_WARNING:Saving DHCP snooping bindings to flash can fill up your device causing thewrites of bindings to device, to fail.

01:00:29: %DHCP_SNOOPING-4-NTP_NOT_RUNNING: NTP is notrunning; reloaded binding lease expiration times are incorrect.

01:00:29: %DHCP_SNOOPING-6-AGENT_OPERATION_SUCCEEDED:DHCP snooping database Write succeeded.

 

（二）限制端口接收DHCP包的速率

C2960(config)#interface f0/10

C2960(config-if)#ip dhcp snooping limit rate 20

（三）DHCP 選項(xiàng)82的處理

1、關(guān)閉82選項(xiàng)

C2960(config)#no ip dhcp snooping information option

C2960#showip dhcp snooping

 

2、允許從untrust接口接收插入了82選項(xiàng)的DHCP報(bào)文

C2960(config)#ip dhcp snooping information optionallow-untrusted

C2960#showip dhcp snooping

 

3 IP Source Guard

2.1 基本IPSG配置：

C2960#show running-config interface f0/10

Building configuration...

Current configuration : 423 bytes

!

interface FastEthernet0/10

 description ---Connected to PC1 ---

 switchportaccess vlan 10

 switchport modeaccess

 switchportport-security maximum 10

 switchportport-security

 switchportport-security mac-address sticky

 switchportport-security mac-address sticky 54ee.7535.bb02 vlan access

 spanning-treeportfast

 spanning-treebpduguard enable

 ip verify sourceport-security

 ip dhcpsnooping limit rate 20

end

2.2 驗(yàn)證IPSG效果：

一、交換機(jī)上形成了IPSG綁定表

C2960#showip verify source

C2960#showip source binding

二、此時(shí)PC能夠和外界正常通信

注：經(jīng)過實(shí)驗(yàn)，此時(shí)如果將PC1改為手動(dòng)設(shè)置IP（仍為10.1.10.11），則2960的DHCP Snooping綁定表馬上消失，IPSG綁定表也隨之消失，導(dǎo)致此時(shí)PC1無法和外界通信。

2.3 擴(kuò)展IPSG配置：

（一）手工配置IPSG綁定表

C2960(config)#ip source bindingAAAA.BBBB.CCCC vlan 10 10.1.10.100 interface Fa0/5

C2960#showip source binding

3 Dynamic ARP Inspection

2.1 基本DAI配置：

C2960#show running-config

Building configuration...

!

interface FastEthernet0/1

 description ---Connected to DHCP_Server ---

 switchportaccess vlan 10

 switchport modeaccess

 ip arp inspectiontrust

 spanning-treeportfast

 spanning-treebpduguard enable

 ip dhcpsnooping trust

!

iparp inspection vlan 10

iparp inspection validate src-mac dst-mac ip

!

2.2 驗(yàn)證DAI效果：

C2960#show ip arp inspection

C2960#showip arp inspection interface f0/1

 

2.3 擴(kuò)展DAI配置：

（一）限制端口接收ARP報(bào)文的速率

C2960(config)#interface fastEthernet 0/10

C2960(config-if)#ip arp inspection limit rate 20

（二）配置ARP訪問控制列表，主要是為了靜態(tài)配置IP地址的主機(jī)，相當(dāng)于做了手動(dòng)的映射

C2960(config)#arp access-list TEST

C2960(config-arp-nacl)#permit ip host 10.1.10.20 machost aaaa.bbbb.cccc

C2960(config)#ip arp inspection filter TEST vlan 10

C2960#showip arp inspection vlan 10

 

（三）配置由于DAI導(dǎo)致err-disable的端口自動(dòng)恢復(fù)

C2960(config)#errdisable recovery cause arp-inspection

C2960(config)#errdisable recovery interval 60

C2960#showerrdisable recovery

 

 C2960最終配置：

C2960#show running-config

Building configuration...

Current configuration : 3001 bytes

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname C2960

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

system mtu routing 1500

!

!

ip dhcp snooping vlan 10

ip dhcp snooping

ip arp inspection vlan 10

ip arp inspection validate src-mac dst-mac ip

ip arp inspection filter TEST vlan 10

!

!

errdisable recovery cause arp-inspection

errdisable recovery interval 60

!

spanning-tree mode rapid-pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

!

interface FastEthernet0/1

 description ---Connected to DHCP_Server ---

 switchportaccess vlan 10

 switchport modeaccess

 ip arpinspection trust

 spanning-treeportfast

 spanning-treebpduguard enable

 ip dhcp snoopingtrust

!

interface FastEthernet0/2

!

interface FastEthernet0/3

!

interface FastEthernet0/4

!

interface FastEthernet0/5

!

interface FastEthernet0/6

!

interface FastEthernet0/7

!

interface FastEthernet0/8

!

interface FastEthernet0/9

!

interface FastEthernet0/10

 description ---Connected to PC1 ---

 switchportaccess vlan 10

 switchport modeaccess

 switchportport-security maximum 10

 switchportport-security

 switchportport-security mac-address sticky

 switchportport-security mac-address sticky 54ee.7535.bb02 vlan access

 ip arpinspection limit rate 20

 spanning-treeportfast

 spanning-treebpduguard enable

 ip verifysource port-security

 ip dhcpsnooping limit rate 20

!

interface FastEthernet0/11

!

interface FastEthernet0/12

!

interface FastEthernet0/13

!

interface FastEthernet0/14

!

interface FastEthernet0/15

!

interface FastEthernet0/16

!

interface FastEthernet0/17

!

interface FastEthernet0/18

!

interface FastEthernet0/19

!

interface FastEthernet0/20

!

interface FastEthernet0/21

!

interface FastEthernet0/22

!

interface FastEthernet0/23

!

interface FastEthernet0/24

!

interface FastEthernet0/25

!

interface FastEthernet0/26

!

interface FastEthernet0/27

!

interface FastEthernet0/28

!

interface FastEthernet0/29

!

interface FastEthernet0/30

!

interface FastEthernet0/31

!

interface FastEthernet0/32

!

interface FastEthernet0/33

!

interface FastEthernet0/34

!

interface FastEthernet0/35

!

interface FastEthernet0/36

!

interface FastEthernet0/37

!

interface FastEthernet0/38

!

interface FastEthernet0/39

!

interface FastEthernet0/40

!

interface FastEthernet0/41

!

interface FastEthernet0/42

!

interface FastEthernet0/43

!

interface FastEthernet0/44

!

interface FastEthernet0/45

!

interface FastEthernet0/46

!

interface FastEthernet0/47

!

interface FastEthernet0/48

!

interface GigabitEthernet0/1

!

interface GigabitEthernet0/2

!

interface Vlan1

 no ip address

 no iproute-cache

!

interface Vlan10

 ip address10.1.10.254 255.255.255.0

!

ip http server

ip http secure-server

ip source binding AAAA.BBBB.CCCC vlan 10 10.1.10.100interface Fa0/5

!

arp access-list TEST

 permit ip host10.1.10.20 mac host aaaa.bbbb.cccc

!

line con 0

line vty 0 4

 login

line vty 5 15

 login

!

end

C2960#

另外有需要云服務(wù)器可以了解下創(chuàng)新互聯(lián)scvps.cn，海內(nèi)外云服務(wù)器15元起步，三天無理由+7*72小時(shí)售后在線，公司持有idc許可證，提供“云服務(wù)器、裸金屬服務(wù)器、高防服務(wù)器、香港服務(wù)器、美國(guó)服務(wù)器、虛擬主機(jī)、免備案服務(wù)器”等云主機(jī)租用服務(wù)以及企業(yè)上云的綜合解決方案，具有“安全穩(wěn)定、簡(jiǎn)單易用、服務(wù)可用性高、性價(jià)比高”等特點(diǎn)與優(yōu)勢(shì)，專為企業(yè)上云打造定制，能夠滿足用戶豐富、多元化的應(yīng)用場(chǎng)景需求。

當(dāng)前文章：交換安全三寶（DHCPSnooping+IPSG+DAI）簡(jiǎn)單實(shí)驗(yàn)-創(chuàng)新互聯(lián)
當(dāng)前鏈接：http://weahome.cn/article/shjjs.html