Enterprise network: using DHCP snooping and IP Source Guard on Cisco switches to block manually configured IP addresses

Network topology:

Scenario:

Core layer: the gateways for all VLAN interfaces sit on the core layer
Aggregation layer: two switches in a stack; a port-channel uplinks to the core and a port-channel downlinks to the access layer; no dynamic routing runs here
Access layer: a two-port port-channel, with one link to each of the two aggregation switches

Goals:
Use DHCP snooping to stop rogue DHCP servers from being attached inside the enterprise network;
Enable IP Source Guard to stop internal users from configuring IP addresses by hand.

DHCP snooping configuration on the access layer (the uplinks Gi1/0/47, Gi1/0/48 and Po1 are marked trusted; every other port stays untrusted by default):

2F-NEW-ACC-SW-1(config)#ip dhcp snooping
2F-NEW-ACC-SW-1(config)# ip dhcp snooping vlan 24
2F-NEW-ACC-SW-1(config)# ip dhcp snooping vlan 25
2F-NEW-ACC-SW-1(config)#interface GigabitEthernet1/0/47
2F-NEW-ACC-SW-1(config-if)#ip dhcp snooping trust
2F-NEW-ACC-SW-1(config)#interface GigabitEthernet1/0/48
2F-NEW-ACC-SW-1(config-if)#ip dhcp snooping trust
2F-NEW-ACC-SW-1(config)#interface Po1
2F-NEW-ACC-SW-1(config-if)#ip dhcp snooping trust

The core layer needs the following configuration, otherwise clients cannot obtain an IP address (the access switch inserts option 82 with giaddr set to 0, and the relay on the core drops such packets unless the relay information is trusted):

6S-CORE-SW-1(config)#interface vlan 24
6S-CORE-SW-1(config)# ip dhcp relay information trusted
6S-CORE-SW-1(config)#interface vlan 25
6S-CORE-SW-1(config)# ip dhcp relay information trusted

Check the result:

2F-NEW-ACC-SW-1#sh ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
24-25
DHCP snooping is operational on following VLANs:
24-25
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 50f7.22c7.8d00 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet1/0/47      yes        yes             unlimited
  Custom circuit-ids:
GigabitEthernet1/0/48      yes        yes             unlimited
  Custom circuit-ids:
Port-channel1              yes        yes             unlimited
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
  Custom circuit-ids:

2F-NEW-ACC-SW-1#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ----------------------
2C:60:0C:73:EA:FC   172.16.24.17     688869      dhcp-snooping  24    GigabitEthernet1/0/17
00:0B:82:86:10:35   172.16.24.136    609318      dhcp-snooping  24    GigabitEthernet1/0/20
A8:1E:84:A6:74:7E   172.16.25.12     690293      dhcp-snooping  25    GigabitEthernet1/0/30
1C:39:47:E4:7D:1D   172.16.25.11     688206      dhcp-snooping  25    GigabitEthernet1/0/28
A4:4C:C8:10:63:EE   172.16.24.150    688220      dhcp-snooping  24    GigabitEthernet1/0/7
1C:39:47:E3:5C:C3   172.16.25.14     690459      dhcp-snooping  25    GigabitEthernet1/0/29
D4:81:D7:FF:04:08   172.16.24.33     684055      dhcp-snooping  24    GigabitEthernet1/0/15
A8:60:B6:2E:C7:A9   172.16.25.127    690215      dhcp-snooping  25    GigabitEthernet1/0/44
A8:60:B6:38:2F:A9   172.16.25.132    689510      dhcp-snooping  25    GigabitEthernet1/0/43
F0:76:1C:E2:64:4C   172.16.25.10     689447      dhcp-snooping  25    GigabitEthernet1/0/34
 --More--

IP Source Guard configuration:
IP Source Guard relies on the DHCP snooping binding table, so DHCP snooping must be enabled before IP Source Guard is configured.
Configuring IP Source Guard is simple: enable it under the corresponding interface (with port-security, so both the IP and the MAC are checked against the binding):

2F-NEW-ACC-SW-1(config)#interface gigabitEthernet 1/0/1
2F-NEW-ACC-SW-1(config-if)#switchport port-security
2F-NEW-ACC-SW-1(config-if)#ip verify source port-security

Check the result:

2F-NEW-ACC-SW-1#sh ip ver source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi1/0/1    ip-mac       inactive-no-snooping-vlan
Gi1/0/2    ip-mac       active       deny-all         deny-all           24
Gi1/0/3    ip-mac       inactive-no-snooping-vlan
Gi1/0/4    ip-mac       active       deny-all         deny-all           24
Gi1/0/5    ip-mac       active       deny-all         deny-all           24
Gi1/0/6    ip-mac       active       deny-all         deny-all           24
Gi1/0/7    ip-mac       active       172.16.24.150    A4:4C:C8:10:63:EE  24
Gi1/0/8    ip-mac       inactive-no-snooping-vlan
Gi1/0/9    ip-mac       active       deny-all         deny-all           24
Gi1/0/10   ip-mac       inactive-no-snooping-vlan
Gi1/0/11   ip-mac       active       deny-all         deny-all           24
Gi1/0/12   ip-mac       active       deny-all         deny-all           24
Gi1/0/13   ip-mac       active       deny-all         deny-all           24
Gi1/0/14   ip-mac       inactive-no-snooping-vlan
Gi1/0/15   ip-mac       active       172.16.24.33     D4:81:D7:FF:04:08  24
Gi1/0/16   ip-mac       inactive-no-snooping-vlan
Gi1/0/17   ip-mac       active       172.16.24.17     2C:60:0C:73:EA:FC  24
Gi1/0/18   ip-mac       inactive-no-snooping-vlan
Gi1/0/19   ip-mac       inactive-no-snooping-vlan
Gi1/0/20   ip-mac       active       172.16.24.136    00:0B:82:86:10:35  24

Filter mode: Active on every port in a VLAN that runs DHCP snooping (ports in other VLANs show inactive-no-snooping-vlan and are not filtered).
In the IP-address column, a port showing a real IP address can reach the network normally; a port showing deny-all has no snooping binding, so its host probably has a manually configured IP address.
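The two command outputs above are what an operator reads to judge whether IP Source Guard is doing its job. The script below is an added example, not part of the original article: it parses "show ip dhcp snooping binding" and "show ip verify source" text, cross-checks them, and reports for each port whether IPSG is enforcing with a binding, enforcing with deny-all (no binding, so a static IP or an unused port), not enforcing because the VLAN has no snooping, or inconsistent between the two tables. The sample outputs embedded in it are constructed, shortened copies of the switch output shown above; the function and status names are the example's own.

```python
"""Audit Cisco DHCP snooping bindings against IP Source Guard state.

Added example; the sample outputs are constructed from the article's
switch output and shortened. Function and status names are this
example's own, not Cisco terminology.
"""
import re

# Constructed sample: shortened 'show ip dhcp snooping binding' output.
BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ----------
2C:60:0C:73:EA:FC   172.16.24.17     688869      dhcp-snooping  24    GigabitEthernet1/0/17
A4:4C:C8:10:63:EE   172.16.24.150    688220      dhcp-snooping  24    GigabitEthernet1/0/7
D4:81:D7:FF:04:08   172.16.24.33     684055      dhcp-snooping  24    GigabitEthernet1/0/15
"""

# Constructed sample: shortened 'show ip verify source' output.
VERIFY_OUTPUT = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi1/0/1    ip-mac       inactive-no-snooping-vlan
Gi1/0/2    ip-mac       active       deny-all         deny-all           24
Gi1/0/7    ip-mac       active       172.16.24.150    A4:4C:C8:10:63:EE  24
Gi1/0/15   ip-mac       active       172.16.24.33     D4:81:D7:FF:04:08  24
Gi1/0/17   ip-mac       active       172.16.24.17     2C:60:0C:73:EA:FC  24
"""

BINDING_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<lease>\d+)\s+(?P<type>\S+)\s+(?P<vlan>\d+)\s+(?P<intf>\S+)$",
    re.IGNORECASE,
)


def short_ifname(name):
    """Map 'GigabitEthernet1/0/17' to 'Gi1/0/17', the form 'show ip verify source' prints."""
    m = re.match(r"^([A-Za-z]{2})[A-Za-z-]*(\S+)$", name)
    return f"{m.group(1)}{m.group(2)}" if m else name


def parse_bindings(text):
    """Return {short interface: [(ip, MAC, vlan), ...]} from the binding table."""
    bindings = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            entry = (m["ip"], m["mac"].upper(), int(m["vlan"]))
            bindings.setdefault(short_ifname(m["intf"]), []).append(entry)
    return bindings


def parse_verify(text):
    """Return {interface: (filter-mode, ip, MAC, vlan)}; ip/MAC/vlan are None unless active."""
    rows = {}
    for line in text.splitlines():
        f = line.split()
        # Data rows start with a two-letter interface prefix followed by a digit.
        if len(f) < 3 or not re.match(r"^[A-Za-z]{2}\d", f[0]):
            continue
        mode = f[2]
        if mode == "active" and len(f) >= 6:
            rows[f[0]] = (mode, f[3], f[4].upper(), int(f[5]))
        else:
            rows[f[0]] = (mode, None, None, None)
    return rows


def _natural(name):
    # Sort Gi1/0/2 before Gi1/0/15 by comparing numeric parts as integers.
    return [int(p) if p.isdigit() else p for p in re.split(r"(\d+)", name)]


def audit(binding_text, verify_text):
    """Cross-check both tables; return [(interface, status, detail), ...]."""
    bindings = parse_bindings(binding_text)
    rows = parse_verify(verify_text)
    findings = []
    for intf in sorted(rows, key=_natural):
        mode, ip, mac, vlan = rows[intf]
        if mode != "active":
            findings.append((intf, "not-enforced", f"filter-mode {mode}: IPSG is not filtering this port"))
        elif ip == "deny-all":
            findings.append((intf, "no-binding", "all IP traffic dropped; static IP host or unused port"))
        elif (ip, mac, vlan) in bindings.get(intf, []):
            findings.append((intf, "ok", f"{ip} {mac} vlan {vlan} matches snooping binding"))
        else:
            findings.append((intf, "mismatch", f"IPSG permits {ip}/{mac} but no matching binding found"))
    # A binding on a port that has no 'ip verify source' row means IPSG was never enabled there.
    for intf in sorted(set(bindings) - set(rows), key=_natural):
        findings.append((intf, "ipsg-not-configured", "binding exists but port has no IP verify source entry"))
    return findings


if __name__ == "__main__":
    for intf, status, detail in audit(BINDING_OUTPUT, VERIFY_OUTPUT):
        print(f"{intf:<10} {status:<22} {detail}")
```

Run against real output by pasting the two "show" results into the two strings (or reading them from files); ports reported as no-binding are the ones to walk down to, and not-enforced ports tell you which VLANs still lack "ip dhcp snooping vlan".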

Original article: http://blog.51cto.com/magic3/2122324

Date: 2024-11-05 12:21:54
