Enterprise network: using DHCP snooping and IP Source Guard on Cisco switches to block manually configured IP addresses

2023-01-28 (Saturday) / 0 comments / 0 likes / 88 views / 6725 characters


Network topology:

Scenario:

Core layer: the gateway for every VLAN interface sits on the core layer.
Aggregation layer: two switches in a stack; a port-channel uplinks to the core layer and a port-channel downlinks to the access layer; no dynamic routing is run.
Access layer: a two-port port-channel, with one link to each of the two aggregation switches.

Goals:
Use DHCP snooping to stop rogue DHCP servers from being plugged into the internal enterprise network;
enable IP Source Guard to stop internal users from manually configuring their own IP addresses.

Access-layer DHCP snooping configuration:

2F-NEW-ACC-SW-1(config)#ip dhcp snooping
2F-NEW-ACC-SW-1(config)# ip dhcp snooping vlan 24
2F-NEW-ACC-SW-1(config)# ip dhcp snooping vlan 25
2F-NEW-ACC-SW-1(config)#interface GigabitEthernet1/0/47
2F-NEW-ACC-SW-1(config-if)#ip dhcp snooping trust
2F-NEW-ACC-SW-1(config)#interface GigabitEthernet1/0/48
2F-NEW-ACC-SW-1(config-if)#ip dhcp snooping trust
2F-NEW-ACC-SW-1(config)#interface Po1
2F-NEW-ACC-SW-1(config-if)#ip dhcp snooping trust

The core layer needs the following configuration (otherwise clients will not obtain an IP address, because the access switch inserts option 82 with giaddr 0.0.0.0 and the relay on the core SVI discards such packets unless it is told to trust them):

6S-CORE-SW-1(config)#interface vlan 24
6S-CORE-SW-1(config)# ip dhcp relay information trusted
6S-CORE-SW-1(config)#interface vlan 25
6S-CORE-SW-1(config)# ip dhcp relay information trusted

Let's look at the result:

2F-NEW-ACC-SW-1#sh ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
24-25
DHCP snooping is operational on following VLANs:
24-25
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 50f7.22c7.8d00 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet1/0/47      yes        yes             unlimited
  Custom circuit-ids:
GigabitEthernet1/0/48      yes        yes             unlimited
  Custom circuit-ids:
Port-channel1              yes        yes             unlimited
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
  Custom circuit-ids:

2F-NEW-ACC-SW-1#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
2C:60:0C:73:EA:FC   172.16.24.17     688869      dhcp-snooping   24    GigabitEthernet1/0/17
00:0B:82:86:10:35   172.16.24.136    609318      dhcp-snooping   24    GigabitEthernet1/0/20
A8:1E:84:A6:74:7E   172.16.25.12     690293      dhcp-snooping   25    GigabitEthernet1/0/30
1C:39:47:E4:7D:1D   172.16.25.11     688206      dhcp-snooping   25    GigabitEthernet1/0/28
A4:4C:C8:10:63:EE   172.16.24.150    688220      dhcp-snooping   24    GigabitEthernet1/0/7
1C:39:47:E3:5C:C3   172.16.25.14     690459      dhcp-snooping   25    GigabitEthernet1/0/29
D4:81:D7:FF:04:08   172.16.24.33     684055      dhcp-snooping   24    GigabitEthernet1/0/15
A8:60:B6:2E:C7:A9   172.16.25.127    690215      dhcp-snooping   25    GigabitEthernet1/0/44
A8:60:B6:38:2F:A9   172.16.25.132    689510      dhcp-snooping   25    GigabitEthernet1/0/43
F0:76:1C:E2:64:4C   172.16.25.10     689447      dhcp-snooping   25    GigabitEthernet1/0/34
 --More--

IP Source Guard configuration:
IP Source Guard relies on the DHCP snooping binding table, so DHCP snooping must be enabled before IP Source Guard is configured.
Configuring IP Source Guard is simple: just enable it under the relevant interface:

2F-NEW-ACC-SW-1(config)#interface gigabitEthernet 1/0/1
2F-NEW-ACC-SW-1(config-if)#switchport port-security
2F-NEW-ACC-SW-1(config-if)#ip verify source port-security

Let's look at the result:

2F-NEW-ACC-SW-1#sh ip ver source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi1/0/1    ip-mac       inactive-no-snooping-vlan
Gi1/0/2    ip-mac       active       deny-all         deny-all           24
Gi1/0/3    ip-mac       inactive-no-snooping-vlan
Gi1/0/4    ip-mac       active       deny-all         deny-all           24
Gi1/0/5    ip-mac       active       deny-all         deny-all           24
Gi1/0/6    ip-mac       active       deny-all         deny-all           24
Gi1/0/7    ip-mac       active       172.16.24.150    A4:4C:C8:10:63:EE  24
Gi1/0/8    ip-mac       inactive-no-snooping-vlan
Gi1/0/9    ip-mac       active       deny-all         deny-all           24
Gi1/0/10   ip-mac       inactive-no-snooping-vlan
Gi1/0/11   ip-mac       active       deny-all         deny-all           24
Gi1/0/12   ip-mac       active       deny-all         deny-all           24
Gi1/0/13   ip-mac       active       deny-all         deny-all           24
Gi1/0/14   ip-mac       inactive-no-snooping-vlan
Gi1/0/15   ip-mac       active       172.16.24.33     D4:81:D7:FF:04:08  24
Gi1/0/16   ip-mac       inactive-no-snooping-vlan
Gi1/0/17   ip-mac       active       172.16.24.17     2C:60:0C:73:EA:FC  24
Gi1/0/18   ip-mac       inactive-no-snooping-vlan
Gi1/0/19   ip-mac       inactive-no-snooping-vlan
Gi1/0/20   ip-mac       active       172.16.24.136    00:0B:82:86:10:35  24

Filter mode: the ports are in the Active state.
In the IP-address column, ports that show a normal IP can reach the network as usual; ports that show deny-all may be hosts with a manually configured IP address.
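Reading this table by eye gets tedious on a 48-port switch, so here is an added Python helper (not part of the original post) that parses "show ip verify source" output and sorts ports into three buckets: active with a binding, active but deny-all (the state the author attributes to self-configured IPs), and inactive-no-snooping-vlan, where IP Source Guard is configured but not enforcing anything because the port's VLAN is not in the ip dhcp snooping vlan list. The sample table below is constructed from rows in the post's own output, not captured live.

```python
import re

# Constructed sample modelled on the page's "sh ip verify source" table
# (not captured from the author's switch); port list trimmed for brevity.
VERIFY_SOURCE = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi1/0/1    ip-mac       inactive-no-snooping-vlan
Gi1/0/2    ip-mac       active       deny-all         deny-all           24
Gi1/0/7    ip-mac       active       172.16.24.150    A4:4C:C8:10:63:EE  24
Gi1/0/15   ip-mac       active       172.16.24.33     D4:81:D7:FF:04:08  24
Gi1/0/18   ip-mac       inactive-no-snooping-vlan
"""

# One row: interface, filter type, filter mode, then optionally ip, mac, vlan.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S+)\s+(\S+)\s+(\d+))?\s*$")


def parse_verify_source(text):
    """Parse 'show ip verify source' rows into dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or line.startswith(("Interface", "-")):
            continue
        iface, ftype, mode, ip, mac, vlan = m.groups()
        rows.append({"iface": iface, "type": ftype, "mode": mode,
                     "ip": ip, "mac": mac, "vlan": vlan})
    return rows


def audit_ipsg(text):
    """Classify each port by what IP Source Guard is actually doing on it."""
    report = {"bound": [], "deny_all": [], "unprotected": []}
    for r in parse_verify_source(text):
        if r["mode"] != "active":
            # IPSG configured but not enforcing: the port's VLAN is not in the
            # 'ip dhcp snooping vlan' list, so any source address passes.
            report["unprotected"].append(r["iface"])
        elif r["ip"] == "deny-all":
            # No snooping binding yet: either no host, or a host that set its
            # own IP and is now dropped. Check here when a user reports no network.
            report["deny_all"].append(r["iface"])
        else:
            report["bound"].append((r["iface"], r["ip"], r["mac"]))
    return report


if __name__ == "__main__":
    for kind, ports in audit_ipsg(VERIFY_SOURCE).items():
        print(kind, ports)
```

The "unprotected" bucket is the one to act on first: adding the missing VLAN to ip dhcp snooping vlan turns those ports from inactive-no-snooping-vlan to active.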
