Network topology:
[topology diagram]
Scenario:
Core layer: the gateways for all VLAN interfaces sit on the core layer.
Aggregation layer: two switches in a stack; a port-channel uplinks to the core layer and a port-channel downlinks to the access layer; no dynamic routing is run.
Access layer: a two-port port-channel, with one link to each of the two aggregation switches.
Purpose:
Use DHCP snooping to prevent rogue DHCP servers from being connected inside the enterprise network;
Enable IP Source Guard to prevent internal users from manually configuring their own IP addresses.
Access-layer DHCP snooping configuration:
2F-NEW-ACC-SW-1(config)#ip dhcp snooping
2F-NEW-ACC-SW-1(config)#ip dhcp snooping vlan 24
2F-NEW-ACC-SW-1(config)#ip dhcp snooping vlan 25
2F-NEW-ACC-SW-1(config)#interface GigabitEthernet1/0/47
2F-NEW-ACC-SW-1(config-if)#ip dhcp snooping trust
2F-NEW-ACC-SW-1(config)#interface GigabitEthernet1/0/48
2F-NEW-ACC-SW-1(config-if)#ip dhcp snooping trust
2F-NEW-ACC-SW-1(config)#interface Po1
2F-NEW-ACC-SW-1(config-if)#ip dhcp snooping trust
The core layer needs the following configuration (otherwise clients cannot obtain an IP address). The access switch inserts DHCP option 82 with a giaddr of 0.0.0.0, and the relay on the core drops such packets unless the relay information is marked trusted:
6S-CORE-SW-1(config)#interface vlan 24
6S-CORE-SW-1(config-if)#ip dhcp relay information trusted
6S-CORE-SW-1(config)#interface vlan 25
6S-CORE-SW-1(config-if)#ip dhcp relay information trusted
Check the result:
2F-NEW-ACC-SW-1#sh ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
24-25
DHCP snooping is operational on following VLANs:
24-25
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 50f7.22c7.8d00 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet1/0/47      yes        yes             unlimited
  Custom circuit-ids:
GigabitEthernet1/0/48      yes        yes             unlimited
  Custom circuit-ids:
Port-channel1              yes        yes             unlimited
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
  Custom circuit-ids:
2F-NEW-ACC-SW-1#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ---------------------
2C:60:0C:73:EA:FC   172.16.24.17     688869      dhcp-snooping  24    GigabitEthernet1/0/17
00:0B:82:86:10:35   172.16.24.136    609318      dhcp-snooping  24    GigabitEthernet1/0/20
A8:1E:84:A6:74:7E   172.16.25.12     690293      dhcp-snooping  25    GigabitEthernet1/0/30
1C:39:47:E4:7D:1D   172.16.25.11     688206      dhcp-snooping  25    GigabitEthernet1/0/28
A4:4C:C8:10:63:EE   172.16.24.150    688220      dhcp-snooping  24    GigabitEthernet1/0/7
1C:39:47:E3:5C:C3   172.16.25.14     690459      dhcp-snooping  25    GigabitEthernet1/0/29
D4:81:D7:FF:04:08   172.16.24.33     684055      dhcp-snooping  24    GigabitEthernet1/0/15
A8:60:B6:2E:C7:A9   172.16.25.127    690215      dhcp-snooping  25    GigabitEthernet1/0/44
A8:60:B6:38:2F:A9   172.16.25.132    689510      dhcp-snooping  25    GigabitEthernet1/0/43
F0:76:1C:E2:64:4C   172.16.25.10     689447      dhcp-snooping  25    GigabitEthernet1/0/34
--More--
IP Source Guard configuration:
IP Source Guard relies on the DHCP snooping binding table, so DHCP snooping must be enabled before IP Source Guard is configured.
IP Source Guard configuration is simple: just enable it under the corresponding interface:
2F-NEW-ACC-SW-1(config)#interface gigabitEthernet 1/0/1
2F-NEW-ACC-SW-1(config-if)#switchport port-security
2F-NEW-ACC-SW-1(config-if)#ip verify source port-security
Check the result:
2F-NEW-ACC-SW-1#sh ip ver source
Interface  Filter-type  Filter-mode                IP-address       Mac-address        Vlan
---------  -----------  -------------------------  ---------------  -----------------  ----
Gi1/0/1    ip-mac       inactive-no-snooping-vlan
Gi1/0/2    ip-mac       active                     deny-all         deny-all           24
Gi1/0/3    ip-mac       inactive-no-snooping-vlan
Gi1/0/4    ip-mac       active                     deny-all         deny-all           24
Gi1/0/5    ip-mac       active                     deny-all         deny-all           24
Gi1/0/6    ip-mac       active                     deny-all         deny-all           24
Gi1/0/7    ip-mac       active                     172.16.24.150    A4:4C:C8:10:63:EE  24
Gi1/0/8    ip-mac       inactive-no-snooping-vlan
Gi1/0/9    ip-mac       active                     deny-all         deny-all           24
Gi1/0/10   ip-mac       inactive-no-snooping-vlan
Gi1/0/11   ip-mac       active                     deny-all         deny-all           24
Gi1/0/12   ip-mac       active                     deny-all         deny-all           24
Gi1/0/13   ip-mac       active                     deny-all         deny-all           24
Gi1/0/14   ip-mac       inactive-no-snooping-vlan
Gi1/0/15   ip-mac       active                     172.16.24.33     D4:81:D7:FF:04:08  24
Gi1/0/16   ip-mac       inactive-no-snooping-vlan
Gi1/0/17   ip-mac       active                     172.16.24.17     2C:60:0C:73:EA:FC  24
Gi1/0/18   ip-mac       inactive-no-snooping-vlan
Gi1/0/19   ip-mac       inactive-no-snooping-vlan
Gi1/0/20   ip-mac       active                     172.16.24.136    00:0B:82:86:10:35  24
Filter-mode: the ports are all in the Active state (a port that is not in a snooping VLAN shows inactive-no-snooping-vlan, meaning the filter is not applied there).
In the IP-address column, a port showing a normal IP address has a snooping binding and can access the network as usual; a port showing deny-all has no binding, which may be a host with a manually configured IP address.
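To pick the deny-all and inactive-no-snooping-vlan ports out of a whole fleet of access switches rather than reading tables by eye, the following Python script parses the "show ip verify source" table format shown above and classifies each port. This is an added example, not code from the original post; the sample table is constructed from the rows on this page.

```python
"""Classify ports from Cisco IOS 'show ip verify source' output (added example)."""
import re
from collections import Counter

# Constructed sample table, built from the rows shown on this page.
SAMPLE = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi1/0/1    ip-mac       inactive-no-snooping-vlan
Gi1/0/2    ip-mac       active       deny-all         deny-all           24
Gi1/0/7    ip-mac       active       172.16.24.150    A4:4C:C8:10:63:EE  24
Gi1/0/15   ip-mac       active       172.16.24.33     D4:81:D7:FF:04:08  24
"""

# One data row: interface, filter type, filter mode, then optionally ip/mac/vlan
# (absent when the filter is inactive, as on a port outside the snooping VLANs).
ROW = re.compile(r"^(?P<intf>\S+)\s+(?P<ftype>\S+)\s+(?P<fmode>\S+)"
                 r"(?:\s+(?P<ip>\S+)\s+(?P<mac>\S+)\s+(?P<vlan>\d+))?\s*$")


def parse_verify_source(text):
    """Return one dict per data row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Interface", "---")):
            continue
        m = ROW.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def classify(row):
    """'bound': a snooping binding exists and the host's traffic passes.
    'deny-all': IPSG is active but there is no binding, so traffic is dropped
    (an unused port, or a host with a manually configured address).
    'not-enforced': the port is not in a snooping VLAN, so IPSG is not applied."""
    if row["fmode"] != "active":
        return "not-enforced"
    if row["ip"] == "deny-all":
        return "deny-all"
    return "bound"


def audit(text):
    """Map interface name -> status for the whole table."""
    return {r["intf"]: classify(r) for r in parse_verify_source(text)}


def summarize(text):
    """Count ports per status, e.g. to spot access ports where IPSG is silently not enforced."""
    return dict(Counter(audit(text).values()))
```

Feeding it the full output of each switch gives a quick coverage check: every "not-enforced" port is one on which IP Source Guard is configured but does nothing, because the port's VLAN is not covered by DHCP snooping.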