

Switch Security Trio (DHCP Snooping + IPSG + DAI): a Simple Lab

1 Lab topology

[Figure: lab topology diagram]


2 DHCP Snooping

2.1 Basic DHCP Snooping configuration:

C2960#show running-config
Building configuration...
!
ip dhcp snooping vlan 10
ip dhcp snooping
!
interface FastEthernet0/1
 description ---Connected to DHCP_Server ---
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping trust
!
interface FastEthernet0/10
 description ---Connected to PC1 ---
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!

2.2 Verifying DHCP Snooping:

1. First, the PC obtains an IP address via DHCP as usual:

[Figure: PC obtains an address via DHCP]

2. Verify the DHCP Snooping state on the C2960:

C2960#show ip dhcp snooping

[Figure: output of show ip dhcp snooping]

C2960#show ip dhcp snooping binding

[Figure: output of show ip dhcp snooping binding]

Note: this binding table is critical; it is the foundation that IPSG and DAI build on in the following sections.

2.3 Extended DHCP Snooping configuration:

(1) Specify where the DHCP Snooping binding database is stored

Note: to write the database to an external location, it must first be written locally; otherwise the write fails.

C2960(config)#ip dhcp snooping database flash:/dhcp-snooping.db

01:00:28: %DHCP_SNOOPING-4-DHCP_SNOOPING_DATABASE_FLASH_WARNING: Saving DHCP snooping bindings to flash can fill up your device causing the writes of bindings to device, to fail.

01:00:29: %DHCP_SNOOPING-4-NTP_NOT_RUNNING: NTP is not running; reloaded binding lease expiration times are incorrect.

01:00:29: %DHCP_SNOOPING-6-AGENT_OPERATION_SUCCEEDED: DHCP snooping database Write succeeded.

[Figure: result of the binding database write]


(2) Rate-limit DHCP packets received on a port

C2960(config)#interface f0/10

C2960(config-if)#ip dhcp snooping limit rate 20

(3) Handling of DHCP option 82

1. Disable option 82 insertion

C2960(config)#no ip dhcp snooping information option

C2960#show ip dhcp snooping

[Figure: output of show ip dhcp snooping with option 82 disabled]

2. Allow DHCP packets that already carry option 82 to be accepted on untrusted interfaces

C2960(config)#ip dhcp snooping information option allow-untrusted

C2960#show ip dhcp snooping

[Figure: output of show ip dhcp snooping with allow-untrusted]


3 IP Source Guard

3.1 Basic IPSG configuration:

C2960#show running-config interface f0/10
Building configuration...

Current configuration : 423 bytes
!
interface FastEthernet0/10
 description ---Connected to PC1 ---
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 54ee.7535.bb02 vlan access
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source port-security
 ip dhcp snooping limit rate 20
end

3.2 Verifying IPSG:

1. The switch has built the IPSG binding table

C2960#show ip verify source

C2960#show ip source binding

[Figure: output of show ip verify source and show ip source binding]

2. At this point the PC can still communicate normally with the outside

[Figure: PC1 connectivity test]

Note: in testing, if PC1 is switched to a manually configured IP address at this point (still 10.1.10.11), the 2960's DHCP Snooping binding table disappears immediately and the IPSG binding table disappears with it, so PC1 can no longer communicate with the outside.

 

3.3 Extended IPSG configuration:

(1) Configure an IPSG binding manually

C2960(config)#ip source binding AAAA.BBBB.CCCC vlan 10 10.1.10.100 interface Fa0/5

C2960#show ip source binding

[Figure: output of show ip source binding with the static entry]


4 Dynamic ARP Inspection

4.1 Basic DAI configuration:

C2960#show running-config
Building configuration...
!
interface FastEthernet0/1
 description ---Connected to DHCP_Server ---
 switchport access vlan 10
 switchport mode access
 ip arp inspection trust
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping trust
!
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!

4.2 Verifying DAI:

C2960#show ip arp inspection

[Figure: output of show ip arp inspection]

C2960#show ip arp inspection interface f0/1

[Figure: output of show ip arp inspection interface f0/1]


4.3 Extended DAI configuration:

(1) Rate-limit ARP packets received on a port

C2960(config)#interface fastEthernet 0/10

C2960(config-if)#ip arp inspection limit rate 20

(2) Configure an ARP access list, mainly for hosts with statically configured IP addresses; this amounts to a manual IP-to-MAC mapping

C2960(config)#arp access-list TEST

C2960(config-arp-nacl)#permit ip host 10.1.10.20 mac host aaaa.bbbb.cccc

C2960(config)#ip arp inspection filter TEST vlan 10

C2960#show ip arp inspection vlan 10

[Figure: output of show ip arp inspection vlan 10]

(3) Configure automatic recovery of ports err-disabled by DAI

C2960(config)#errdisable recovery cause arp-inspection

C2960(config)#errdisable recovery interval 60

C2960#show errdisable recovery

[Figure: output of show errdisable recovery]
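The three features configured above all make their forwarding decision against the same binding table. The following Python model is an added example, not code from the original post: it parses a constructed sample of `show ip dhcp snooping binding` (built to match the lab, PC1 on Fa0/10 with 10.1.10.11), adds the manual `ip source binding` entry, and applies the IPSG check (`ip verify source port-security`) and the DAI checks (`validate src-mac dst-mac ip`, then `filter TEST`, then the bindings) from sections 3 and 4; it also reproduces the note in 3.2, where a host with no binding is dropped by IPSG. All function and variable names are the example's own.

```python
import re
from collections import namedtuple
# Constructed sample of `show ip dhcp snooping binding`, matching the lab:
# PC1 (54ee.7535.bb02) on Fa0/10 leased 10.1.10.11 in VLAN 10.
SNOOPING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
54:EE:75:35:BB:02   10.1.10.11       86400       dhcp-snooping  10    FastEthernet0/10
Total number of bindings: 1
"""
# arp access-list TEST: permit ip host 10.1.10.20 mac host aaaa.bbbb.cccc
ARP_ACL_TEST = {("10.1.10.20", "aaaa.bbbb.cccc")}
Binding = namedtuple("Binding", "mac ip vlan interface")

def norm_mac(mac):
    """Normalise any MAC notation to Cisco dotted form, e.g. 54ee.7535.bb02."""
    h = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))

def parse_bindings(text):
    """Binding rows (dynamic or static) from the show output; header/footer are skipped."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^\s*([0-9A-Fa-f:.]{12,17})\s+(\S+)\s+\S+\s+\S+\s+(\d+)\s+(\S+)", line)
        if m:
            rows.append(Binding(norm_mac(m[1]), m[2], int(m[3]), m[4]))
    return rows

def build_table():
    """DHCP-learned bindings plus the manual `ip source binding ... interface Fa0/5` entry."""
    return parse_bindings(SNOOPING_OUTPUT) + [
        Binding("aaaa.bbbb.cccc", "10.1.10.100", 10, "FastEthernet0/5")]

def ipsg_permits(table, interface, vlan, src_mac, src_ip):
    """ip verify source port-security: forward only if source IP and MAC match a binding on this port/VLAN."""
    return any(b.interface == interface and b.vlan == vlan and b.ip == src_ip
               and b.mac == norm_mac(src_mac) for b in table)

def dai_permits(table, vlan, eth_src, eth_dst, snd_mac, snd_ip, tgt_mac, tgt_ip, is_reply):
    """DAI with `validate src-mac dst-mac ip` and `filter TEST` (no `static`: unmatched ARPs fall through to the bindings)."""
    usable = lambda ip: ip not in ("0.0.0.0", "255.255.255.255") and not 224 <= int(ip.split(".")[0]) <= 239
    if norm_mac(eth_src) != norm_mac(snd_mac):                   # validate src-mac
        return False
    if is_reply and norm_mac(eth_dst) != norm_mac(tgt_mac):      # validate dst-mac (replies)
        return False
    if not usable(snd_ip) or (is_reply and not usable(tgt_ip)):  # validate ip
        return False
    if (snd_ip, norm_mac(snd_mac)) in ARP_ACL_TEST:              # arp access-list TEST
        return True
    return any(b.vlan == vlan and b.ip == snd_ip and b.mac == norm_mac(snd_mac) for b in table)
```

The trusted ports (Fa0/1 with `ip dhcp snooping trust` / `ip arp inspection trust`) bypass both checks and are not modelled here.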


Final C2960 configuration:

C2960#show running-config
Building configuration...

Current configuration : 3001 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname C2960
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
!
!
ip dhcp snooping vlan 10
ip dhcp snooping
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
ip arp inspection filter TEST vlan 10
!
!
errdisable recovery cause arp-inspection
errdisable recovery interval 60
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
 description ---Connected to DHCP_Server ---
 switchport access vlan 10
 switchport mode access
 ip arp inspection trust
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping trust
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
 description ---Connected to PC1 ---
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 54ee.7535.bb02 vlan access
 ip arp inspection limit rate 20
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source port-security
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface FastEthernet0/25
!
interface FastEthernet0/26
!
interface FastEthernet0/27
!
interface FastEthernet0/28
!
interface FastEthernet0/29
!
interface FastEthernet0/30
!
interface FastEthernet0/31
!
interface FastEthernet0/32
!
interface FastEthernet0/33
!
interface FastEthernet0/34
!
interface FastEthernet0/35
!
interface FastEthernet0/36
!
interface FastEthernet0/37
!
interface FastEthernet0/38
!
interface FastEthernet0/39
!
interface FastEthernet0/40
!
interface FastEthernet0/41
!
interface FastEthernet0/42
!
interface FastEthernet0/43
!
interface FastEthernet0/44
!
interface FastEthernet0/45
!
interface FastEthernet0/46
!
interface FastEthernet0/47
!
interface FastEthernet0/48
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan10
 ip address 10.1.10.254 255.255.255.0
!
ip http server
ip http secure-server
ip source binding AAAA.BBBB.CCCC vlan 10 10.1.10.100 interface Fa0/5
!
arp access-list TEST
 permit ip host 10.1.10.20 mac host aaaa.bbbb.cccc
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end

C2960#

Page title: Switch Security Trio (DHCP Snooping + IPSG + DAI): a Simple Lab
Source (credit when reposting): http://weahome.cn/article/gijppo.html
