企业网cisco交换机dhcp snooping和IP source guard禁止手动配置IP

网络拓扑结构：

场景介绍:

核心层：各个vlan接口网关均在核心层
汇聚层：两台堆叠，port-channel 上联到核心层，port-channel 下联到接入层，不运行动态路由
接入层：两端口port-channel，分别链接至两台汇聚交换机

目的：
通过dhcp snooping 防止内部企业网私自接入dhcp server；
通过启用IP source guard防止内部用户私自手动配置ip地址。

接入层dhcp snooping 配置：

2F-NEW-ACC-SW-1(config)#ip dhcp snooping
2F-NEW-ACC-SW-1(config)# ip dhcp snooping vlan 24
2F-NEW-ACC-SW-1(config)# ip dhcp snooping vlan 25
2F-NEW-ACC-SW-1(config)#interface GigabitEthernet1/0/47
2F-NEW-ACC-SW-1(config-if)#ip dhcp snooping trust
2F-NEW-ACC-SW-1(config)#interface GigabitEthernet1/0/48
2F-NEW-ACC-SW-1(config-if)#ip dhcp snooping trust
2F-NEW-ACC-SW-1(config)#interface Po1
2F-NEW-ACC-SW-1(config-if)#ip dhcp snooping trust

核心层需要如下配置：(否则客户端获取不到IP地址)

6S-CORE-SW-1(config)#interface vlan 24
6S-CORE-SW-1(config)# ip dhcp relay information trusted
6S-CORE-SW-1(config)#interface vlan 25
6S-CORE-SW-1(config)# ip dhcp relay information trusted

看一下效果：

2F-NEW-ACC-SW-1#sh ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
24-25
DHCP snooping is operational on following VLANs:
24-25
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 50f7.22c7.8d00 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet1/0/47      yes        yes             unlimited
  Custom circuit-ids:
GigabitEthernet1/0/48      yes        yes             unlimited
  Custom circuit-ids:
Port-channel1              yes        yes             unlimited
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
  Custom circuit-ids:

2F-NEW-ACC-SW-1#sh ip dhcp snooping  binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ----------                                                                                        ----------
2C:60:0C:73:EA:FC   172.16.24.17     688869      dhcp-snooping   24    GigabitEt                                                                                        hernet1/0/17
00:0B:82:86:10:35   172.16.24.136    609318      dhcp-snooping   24    GigabitEt                                                                                        hernet1/0/20
A8:1E:84:A6:74:7E   172.16.25.12     690293      dhcp-snooping   25    GigabitEt                                                                                        hernet1/0/30
1C:39:47:E4:7D:1D   172.16.25.11     688206      dhcp-snooping   25    GigabitEt                                                                                        hernet1/0/28
A4:4C:C8:10:63:EE   172.16.24.150    688220      dhcp-snooping   24    GigabitEt                                                                                        hernet1/0/7
1C:39:47:E3:5C:C3   172.16.25.14     690459      dhcp-snooping   25    GigabitEt                                                                                        hernet1/0/29
D4:81:D7:FF:04:08   172.16.24.33     684055      dhcp-snooping   24    GigabitEt                                                                                        hernet1/0/15
A8:60:B6:2E:C7:A9   172.16.25.127    690215      dhcp-snooping   25    GigabitEt                                                                                        hernet1/0/44
A8:60:B6:38:2F:A9   172.16.25.132    689510      dhcp-snooping   25    GigabitEt                                                                                        hernet1/0/43
F0:76:1C:E2:64:4C   172.16.25.10     689447      dhcp-snooping   25    GigabitEt                                                                                        hernet1/0/34
 --More--

IP Source Guard 配置：
Ip Souce Guard 需要借助于dhcp snooping,因此配置ip source guard 之前，必须先启用 dhcp snooping.
Ip Source Guard配置很简单，只需在对应的接口下启用即可：

2F-NEW-ACC-SW-1(config)#interface gigabitEthernet 1/0/1
2F-NEW-ACC-SW-1(config-if)#switchport port-security
2F-NEW-ACC-SW-1(config-if)#ip verify source port-security

看一下效果：

2F-NEW-ACC-SW-1#sh ip ver source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi1/0/1    ip-mac       inactive-no-snooping-vlan
Gi1/0/2    ip-mac       active       deny-all         deny-all           24
Gi1/0/3    ip-mac       inactive-no-snooping-vlan
Gi1/0/4    ip-mac       active       deny-all         deny-all           24
Gi1/0/5    ip-mac       active       deny-all         deny-all           24
Gi1/0/6    ip-mac       active       deny-all         deny-all           24
Gi1/0/7    ip-mac       active       172.16.24.150    A4:4C:C8:10:63:EE  24
Gi1/0/8    ip-mac       inactive-no-snooping-vlan
Gi1/0/9    ip-mac       active       deny-all         deny-all           24
Gi1/0/10   ip-mac       inactive-no-snooping-vlan
Gi1/0/11   ip-mac       active       deny-all         deny-all           24
Gi1/0/12   ip-mac       active       deny-all         deny-all           24
Gi1/0/13   ip-mac       active       deny-all         deny-all           24
Gi1/0/14   ip-mac       inactive-no-snooping-vlan
Gi1/0/15   ip-mac       active       172.16.24.33     D4:81:D7:FF:04:08  24
Gi1/0/16   ip-mac       inactive-no-snooping-vlan
Gi1/0/17   ip-mac       active       172.16.24.17     2C:60:0C:73:EA:FC  24
Gi1/0/18   ip-mac       inactive-no-snooping-vlan
Gi1/0/19   ip-mac       inactive-no-snooping-vlan
Gi1/0/20   ip-mac       active       172.16.24.136    00:0B:82:86:10:35  24

Filter mode: 全部为Active 状态
IP 地址一栏中，显示正常IP的既可以正常上网,deny-all 的可能是手动配置的IP地址 .

原文地址：http://blog.51cto.com/magic3/2122324

时间： 2024-11-05 12:21:54

企业网cisco交换机dhcp snooping和IP source guard禁止手动配置IP的相关文章

linux 手动配置ip地址方法

手工配置静态的IP地址也就是手工配置IP地址.子网掩码.网关和DNS. 设置方法如下: vi /etc/sysconfig/network-scripts/ifcfg-eth0 编辑本地网卡的配置文件主要查看下面这几项是否和下面给出的一致即可. ONBOOT=yes BOOTPROTO=none IPADDR=192.168.1.66 NETMASK=255.255.255.0 GATEWAY=192.168.1.1 DNS1=192.168.1.1 第二项表示不使用dhcp服务,如果是手动

centos手动配置IP和DNS

手动设置ip地址如果虚拟机不能自动获取IP,只能手动配置,配置方法如下: 输入命令 #vi /etc/sysconfig/network-scripts/ifcfg-eth0 [编辑网卡的配置文件] 输入上述命令后回车,打开配置文件,使用方向键移动光标到最后一行,按字母键"O",进入编辑模式,输入以下内容: IPADDR=192.168.4.10 NETMASK=255.255.255.0 GATEWAY=192.168.4.1 另外光标移动到"ONBOOT=no"

cisco交换机DHCP分配静态IP

这里我们以vlan31进行描述 ip dhcp pool vlan31network 172.31.255.0 255.255.255.0default-router 172.31.255.254 dns-server 202.96.209.133 8.8.8.8 1.先将特殊IP地址从dhcp中剔除掉,以免后面造成ip地址冲突ip dhcp excluded-address 172.31.255.1ip dhcp excluded-address 172.31.255.100 2.编写一个静态

编辑网卡配置，手动配置IP地址

#vi /etc/sysconfig/network-scripts/ifcfg-eth0 //ifcfg-eth0表示系统当前网卡,此处不一定是eth0. DEVICE=eth0 //网卡名称. HWADDR=00:0C:29:90:59:8D //网卡MAC. TYPE=Ethernet //网卡类型,此处是以太网. UUID=5cb79d0d-a034-4657-b16f-de4d8b507e88 //网卡UUID号. ONBOOT=yes //是否开机

VM虚拟机手动配置IP地址

1.查看虚拟机的网关编辑-->虚拟网络编辑器 VMnet8 NAT模式-->NAT设置-->网关IP 2.设置IP地址系统-->首选项-->网络连接 system etho-->编辑 -->IPV4 方法设置成手动-->添加地址-->[地址(最后一位数不能为0和1)子网掩码(255.255.255.0)网关(192.168.239.2)] DNS服务器(192.168.1.1和本地主机保持一致)-->应用配置完成后,命令行重启网络,让配置生

（三）Cisco dhcp snooping实例1-单交换机（DHCP服务器和DHCP客户端位于同一VLAN）

环境:cisco dhcp server和客户端都属于vlan27,dhcp server 接在交换机G0/1,客户端接在交换机的G0/2 cisco dhcp server相关配置 ip dhcp pool vlan27 network 192.168.27.0 255.255.255.0 default-router 192.168.27.1 dns-server 192.168.27.1 interface Vlan27 ip dhcp relay information trusted

[Cisco] DHCP snooping 测试

测试环境:一台已经配置好DHCP的DHCP Server ,一台Cisco交换机(IOS版本:12.4),两台PC. 拓扑图为图:1-1. 测试目的:Cisco交换机开启dhcp snooping功能,默认的所有端口都为需要在DHCP Server和PC对应的端口设置 dhcp snooing trust. 图:1-1 测试步骤: 1. 在 switch上启用DHCP snooping ,将vlan 1加入到snooping,其他接口G0/1,F0/1,F0/2不做ip dhcp snoopin

交换安全三宝（DHCP Snooping+IPSG+DAI）简单实验

1 实验拓扑图 2 DHCP Snooping 2.1 基本DHCP Snooping配置: C2960#show running-config Building configuration... ! ipdhcp snooping vlan 10 ipdhcp snooping ! interface FastEthernet0/1 description ---Connected to DHCP_Server --- switchportaccess vlan 10 switchport m

DHCP snooping防范非法的服务器

一.dhcp snooping的原理 dhcp snooping在交换机上配置完成:而且必须指明在哪个vlan上进行监听,没有监听的vlan不受规则限制.交换机上开启snooping后,交换机任何一个接口的dhcp服务器都不能提供服务.因此需要在开启了dhcp snooping的交换机定义两类接口: 1.可信任接口:连接dhcp服务器的接口或上联接口 2.不可信任接口:连接客户端的接口,默认下接客户端的全为不可信任接口. 交换机只接受合法的服务器发过来的dhcp消息,drop非法的服务器发过来的