Below we mainly cover IP DHCP snooping, including: configuring the DHCP service and DHCP snooping on the 3750, static IP DHCP snooping with IP Source Guard, enabling DAI, and DHCP settings for assigning a fixed IP.
In earlier articles we have already covered DHCP snooping: how it works, how it is configured, how it is tuned and how it is applied. Here we go through the specific configuration of IP DHCP snooping together with a case analysis, which we hope will be helpful.
1. Configuring the DHCP service and DHCP snooping on the 3750
- As follows (the irrelevant parts have been removed):
- clock timezone WST 8
- switch 1 provision ws-c3750g-48ts
- system mtu routing 1500
- ip subnet-zero
- ip dhcp excluded-address 192.168.1.1 (reserved address)
- !
- ip dhcp pool test (starts the DHCP service)
- network 192.168.1.0 255.255.255.0
- default-router 192.168.1.1
- dns-server 192.168.1.1
- !
- ip dhcp snooping vlan 1 (specifies the VLAN protected by DHCP snooping)
- ip dhcp snooping information option allow-untrusted
- ip dhcp snooping database flash:snooping (specifies the database path)
- ip dhcp snooping (enables DHCP snooping)
- !
- !
- interface GigabitEthernet1/0/1
- !
- interface GigabitEthernet1/0/31 (a normal port)
- switchport mode access
- spanning-tree portfast
- !
- interface GigabitEthernet1/0/32
- !
- interface GigabitEthernet1/0/42
- !
- interface GigabitEthernet1/0/43 (port with IP DHCP snooping enabled)
- switchport mode access
- switchport port-security
- spanning-tree portfast
- ip verify source
(Enables IP address verification: a user on this port cannot set an address manually and can only obtain one through DHCP, but there is no MAC-layer security control.
Testing showed that if the user on g1/0/43 is assigned 192.168.1.2 and the user on g1/0/42 deliberately changes their IP to 192.168.1.2, the g1/0/43 user is also affected: although g1/0/42 cannot access the network after changing its IP, g1/0/43 reports an IP conflict, so DAI must be combined with this to protect the MAC layer.)
- !
- interface GigabitEthernet1/0/44
- !
- interface GigabitEthernet1/0/45
- switchport mode access
- switchport port-security
- switchport port-security violation restrict
- spanning-tree portfast
- ip verify source port-security
- (Once this is enabled, the port can no longer obtain an address via DHCP; the analysis is that the port-security restriction prevents the MAC from being registered.)
- (ip verify source port-security is meant to be used together with ip source binding:
- ip source binding 001b.a111.5e11 vlan 1 192.168.1.200 interface Gi1/0/45; note that ip source binding and dynamic DHCP cannot be used at the same time.)
- !
- interface GigabitEthernet1/0/46
- !
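The two caveats above (IP-only `ip verify source` leaves the MAC layer unprotected unless DAI is also enabled, and `ip verify source port-security` only works with a static `ip source binding`) can be checked mechanically before a config is pushed. The following Python audit is an added example, not code from the original article; it parses a constructed config modelled on the one above and simplifies "DAI is enabled" to "any `ip arp inspection vlan` line exists", ignoring per-port VLAN membership.

```python
import re

# Constructed sample config in the style of the page's 3750 example (not a real device dump).
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 1
ip dhcp snooping
ip source binding 000a.e439.5f55 vlan 1 192.168.1.200 interface Gi1/0/45
!
interface GigabitEthernet1/0/43
 switchport mode access
 ip verify source
!
interface GigabitEthernet1/0/45
 switchport mode access
 switchport port-security
 ip verify source port-security
!
interface GigabitEthernet1/0/46
 switchport mode access
 ip verify source port-security
!
"""

def parse_config(text):
    """Split an IOS-style config into global lines and {interface name: [lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":      # "!" ends an interface block
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces

def short_name(iface):
    """GigabitEthernet1/0/45 -> Gi1/0/45, the form used in 'ip source binding ... interface'."""
    m = re.match(r"([A-Za-z]{2})[A-Za-z]*(\S+)", iface)
    return m.group(1) + m.group(2) if m else iface

def audit(text):
    """Return (interface, finding) pairs for the two failure modes described on the page."""
    global_lines, interfaces = parse_config(text)
    dai_enabled = any(g.startswith("ip arp inspection vlan ") for g in global_lines)
    bound_ports = {g.split()[-1] for g in global_lines if g.startswith("ip source binding ")}
    findings = []
    for iface, lines in interfaces.items():
        if "ip verify source" in lines and not dai_enabled:
            findings.append((iface, "ip verify source without DAI: MAC layer unprotected"))
        if "ip verify source port-security" in lines and short_name(iface) not in bound_ports:
            findings.append((iface, "ip verify source port-security without ip source binding: DHCP clients will fail"))
    return findings
```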
2. Static IP DHCP snooping and IP Source Guard
- clock timezone WST 8
- switch 1 provision ws-c3750g-48ts
- system mtu routing 1500
- ip subnet-zero
- !
- ip dhcp snooping vlan 1 (specifies the VLAN protected by DHCP snooping)
- ip dhcp snooping information option allow-untrusted
- ip dhcp snooping database flash:snooping (specifies the database path)
- ip dhcp snooping database write-delay 15
- ip dhcp snooping (enables DHCP snooping)
- !
- !
- !
- interface GigabitEthernet1/0/45 (port with IP Source Guard enabled)
- switchport mode access
- switchport port-security
- switchport port-security violation restrict
- spanning-tree portfast
- ip verify source port-security
- (ip verify source port-security is meant to be used together with ip source binding:
- ip source binding 000A.E439.5F55 vlan 1 192.168.1.200 interface Gi1/0/45; this shows that ip source binding and dynamic DHCP cannot be used at the same time.)
- !
- !
- interface Vlan1
- ip address 192.168.1.1 255.255.255.0
- !
- ip classless
- ip http server
- ip http secure-server
- !
- !
- ip source binding 000A.E439.5F55 vlan 1 192.168.1.200 interface Gi1/0/45
- !
- control-plane
- !
- !
- Note: use the following commands to check the working state:
- Switch#sh ip ver source
- Switch#sh ip dhcp binding
- Switch#sh ip dhcp snooping binding
3. Enabling DAI
- ip subnet-zero
- ip dhcp excluded-address 192.168.1.1
- !
- ip dhcp pool test
- network 192.168.1.0 255.255.255.0
- default-router 192.168.1.1
- dns-server 192.168.1.1
- lease infinite
- !
- ip dhcp snooping vlan 1 (DHCP is required as the basis)
- ip dhcp snooping information option allow-untrusted
- ip dhcp snooping database flash:snooping (specifies where the snooping data is saved)
- ip dhcp snooping (enables DHCP snooping)
- ip arp inspection vlan 1 (enables DAI)
- ip arp inspection validate src-mac dst-mac ip (items to validate)
- !
- !
- !
- interface GigabitEthernet1/0/31
- switchport mode access
- ip arp inspection trust (with trust set the IP can be changed; with untrust it cannot, because DAI checks it)
- spanning-tree portfast
- !
- interface GigabitEthernet1/0/32
- !
- interface GigabitEthernet1/0/44
- !
- interface GigabitEthernet1/0/45
- switchport mode access
- switchport port-security
- switchport port-security violation restrict
- spanning-tree portfast
- ip verify source port-security
- !
- !
- Switch#sh ip arp inspection
4. DHCP settings: assigning a fixed IP
Sometimes we need to control IP assignment; the following method can be used.
- system mtu routing 1500
- ip subnet-zero
- ip dhcp excluded-address 192.168.1.1
- !
- ip dhcp pool test
- host 192.168.1.18 255.255.255.0 (the IP assigned to the user)
- client-identifier 0101.0bf5.395e.55 (the client's MAC)
- client-name test
- !
- ip dhcp pool go
- network 192.168.1.0 255.255.255.0 (enables DHCP within the network)
- !
- Switch#sh ip dhcp binding
- IP address      Client-ID/Hardware address    Lease expiration    Type
- 192.168.1.18    0101.0bf5.395e.55             Infinite            Manual
This was written in a hurry and has not been thoroughly tested; discussion and corrections are welcome!