CCNP (BCMSN) lab: DHCP snooping, IP Source Guard, DAI

Reader submission  245  2022-09-21



Step 1: configure R2 as a DHCP server

R2(config)#int e1/0
R2(config-if)#ip add 22.0.0.1 255.255.255.0
R2(config)#ip dhcp pool R2
R2(dhcp-config)#network 22.0.0.0 /24
R2(config)#ip dhcp excluded-address 22.0.0.1

Step 2: configure R3's interface to obtain its address via DHCP

R3(config)#int e1/0
R3(config-if)#ip add dhcp

R3(config-if)#
Interface Ethernet1/0 assigned DHCP address 22.0.0.2, mask 255.255.255.0

R3(config-if)#
Interface Ethernet1/0 assigned DHCP address 12.0.0.2, mask 255.255.255.0
// Shutting and re-enabling the interface (sh / no sh) yields an address from a different subnet each time, so both DHCP servers on the segment are answering and nothing yet stops either of them from winning the exchange.

Step 3: enable DHCP snooping on SW2 and SW3, with the related settings

SW2(config)#ip dhcp snooping
// enable DHCP snooping globally
SW2(config)#ip dhcp snooping vlan 1
// activate snooping for VLAN 1; both commands are required, snooping does nothing until it is on globally and on a VLAN. Every port in VLAN 1 is untrusted by default, so DHCP server messages (OFFER, ACK, NAK) arriving on any of them are dropped: a DHCP server attached to VLAN 1 cannot answer clients until its port is explicitly made trusted.

SW2(config-if)#int f0/1
SW2(config-if)#ip dhcp snooping trust
// make this port trusted: server replies received here are forwarded, and the ACKs seen here populate the binding table

SW2(config-if)#int f0/2
SW2(config-if)#ip dhcp snooping limit rate 20
// cap the number of DHCP packets the switch accepts on this port per second (it counts ingress packets, it is not a limit on what the port sends). A port that exceeds the cap is put into err-disabled state. Note that the show ip dhcp snooping output at the end of this page reports 2 pps for FastEthernet0/2, not 20; check the running configuration against the show output.
SW2(config)#errdisable recovery cause ?
  all                  Enable timer to recover from all causes
  arp-inspection       Enable timer to recover from arp inspection error disable state
  bpduguard            Enable timer to recover from BPDU Guard error disable state
  channel-misconfig    Enable timer to recover from channel misconfig disable state
  dhcp-rate-limit      Enable timer to recover from dhcp-rate-limit error disable state
  dtp-flap             Enable timer to recover from dtp-flap error disable state
  gbic-invalid         Enable timer to recover from invalid GBIC error disable state
  l2ptguard            Enable timer to recover from l2protocol-tunnel error disable state
  link-flap            Enable timer to recover from link-flap error disable state
  loopback             Enable timer to recover from loopback disable state
  pagp-flap            Enable timer to recover from pagp-flap error disable state
  psecure-violation    Enable timer to recover from psecure violation disable state
  security-violation   Enable timer to recover from 802.1x violation disable state
  sfp-config-mismatch  Enable timer to recover from SFP config mismatch error disable state
  storm-control        Enable timer to recover from storm-control error disable state
  udld                 Enable timer to recover from udld error disable state
  unicast-flood        Enable timer to recover from unicast flood disable state
  vmps                 Enable timer to recover from vmps shutdown error disable state

SW2(config)#errdisable recovery cause all
// when a port violates one of the conditions above the switch shuts it down (err-disabled state, the default behaviour). This command selects which causes are recovered automatically; of the 17 causes listed above we choose all.
SW2(config)#errdisable recovery interval 30
// bring the port back after 30 seconds (30 s is the minimum; the default is 300 s)

SW2(config)#ip dhcp snooping database flash:dhcp-snooping.text
// write the DHCP snooping binding table (client MAC, IP address, lease time, VLAN and port, learned from the DHCP ACKs seen on trusted ports) to a file in flash. Without a database the dynamic bindings are lost on reload, and IP Source Guard and DAI would then block existing clients until they renew their leases.
SW2#show flash:

Directory of flash:/

  2  -rwx   7134080   Jan 1 1970 03:36:03 +00:00  3550.bin
  3  -rwx      1224   Mar 1 1993 03:15:45 +00:00  vlan.dat
  4  -rwx      3244   Mar 1 1993 00:48:21 +00:00  n
  5  -rwx      2209   Mar 1 1993 00:02:52 +00:00  statr
  6  -rwx         0   Mar 1 1993 05:28:29 +00:00  system_env_vars
  7  -rwx         0   Mar 1 1993 05:28:29 +00:00  env_vars
  8  -rwx        47   Mar 1 1993 00:43:31 +00:00  dhcp-snooping.text

SW2#more flash:dhcp-snooping.text
// the file contains the clients' MAC and IP addresses
SW2(config)#ip source binding 0004.2704.17b1 vlan 1 12.0.0.1 interface f0/1
// manually add a static MAC-to-IP binding for a host that does not use DHCP; it lands in the same table as the dynamic entries and is honoured by IP Source Guard and DAI

SW3(config)#ip dhcp snooping
SW3(config)#ip dhcp snooping vlan 1
SW3(config)#int f0/23
SW3(config-if)#ip dhcp snooping trust
SW3(config)#int f0/3
SW3(config-if)#no ip dhcp snooping trust

Step 4: configure R2

R2(config)#ip dhcp relay information trust-all
// An IOS DHCP server drops requests that carry the relay-agent option (Option 82) but have giaddr 0.0.0.0, which is exactly what a snooping switch produces when it inserts Option 82 into client packets. trust-all makes the server accept them. The other way around the problem is to stop the switch inserting the option (no ip dhcp snooping information option); the show ip dhcp snooping output at the end of this page reports "Insertion of option 82 is disabled", so that was done on SW2 as well.

Step 5: test

R3(config-if)#sh
01:22:41: %LINK-5-CHANGED: Interface Ethernet1/0, changed state to administratively down
R3(config-if)#no sh
01:22:43: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to up
R3(config-if)#
Interface Ethernet1/0 assigned DHCP address 12.0.0.5, mask 255.255.255.0

R3(config-if)#sh
01:23:58: %LINK-5-CHANGED: Interface Ethernet1/0, changed state to administratively down
R3(config-if)#no sh
01:24:07: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to up
01:24:08: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet1/0, changed state to up
R3(config-if)#
Interface Ethernet1/0 assigned DHCP address 12.0.0.6, mask 255.255.255.0

R3(config-if)#sh
01:24:21: %LINK-5-CHANGED: Interface Ethernet1/0, changed state to administratively down
R3(config-if)#no sh
01:24:23: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to up
R3(config-if)#
Interface Ethernet1/0 assigned DHCP address 12.0.0.7, mask 255.255.255.0

// Snooping is working: across three shut / no shut cycles the interface received 12.0.0.5, 12.0.0.6 and 12.0.0.7, all from the legitimate DHCP server's pool, and no address from R2's 22.0.0.0/24 pool appeared as it did before snooping was enabled.

Result: success
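To make the forward/drop rules behind steps 3 and 5 concrete, here is a small Python model of a snooping switch. This is an added example for this page, not IOS code and not part of the original lab. The VLAN, the client MAC and the server MAC come from the binding table shown later on the page; which port each device hangs off (client on Fa0/19, legitimate server on trusted Fa0/1, R2's 22.0.0.0/24 server on untrusted Fa0/2) and the rogue server's MAC are assumptions made for the demonstration.

```python
"""Model of the per-packet decisions a DHCP-snooping switch makes.

Added example for this page; it is not IOS code and not from the original lab.
Assumptions (not stated on the page): the client R3 hangs off Fa0/19, the
legitimate server off trusted Fa0/1, the rogue server (R2, 22.0.0.0/24 pool)
off untrusted Fa0/2, and the rogue server's MAC 0022.0000.0001 is invented.
"""
from collections import Counter
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}       # only a trusted port may deliver these


@dataclass(frozen=True)
class DhcpPkt:
    port: str                 # switch port the frame arrived on
    vlan: int
    msg: str                  # DHCP message type
    src_mac: str              # Ethernet source address
    chaddr: str               # client hardware address in the DHCP header
    yiaddr: str = "0.0.0.0"   # address offered/assigned (server messages)
    option82: bool = False    # relay-agent information option present
    second: int = 0           # arrival time in whole seconds, for rate limiting


@dataclass
class DhcpSnooping:
    trusted: set                                    # 'ip dhcp snooping trust'
    rate_limit: dict                                # port -> 'limit rate' pps
    bindings: dict = field(default_factory=dict)    # (vlan, mac) -> (ip, port)
    err_disabled: set = field(default_factory=set)
    _pending: dict = field(default_factory=dict)    # (vlan, chaddr) -> client port
    _count: Counter = field(default_factory=Counter)

    def handle(self, p: DhcpPkt) -> str:
        """Return 'forward' or 'drop: <reason>', updating the binding table."""
        if p.port in self.err_disabled:
            return "drop: port err-disabled"
        limit = self.rate_limit.get(p.port)
        if limit is not None:                       # rate limit counts ingress pps
            self._count[(p.port, p.second)] += 1
            if self._count[(p.port, p.second)] > limit:
                self.err_disabled.add(p.port)       # errdisable cause dhcp-rate-limit
                return "drop: rate limit exceeded, port err-disabled"
        if p.port in self.trusted:
            # server replies are accepted only here; an ACK creates a binding on
            # the port where the client's REQUEST was seen, not where the ACK arrived
            if p.msg == "ACK" and (p.vlan, p.chaddr) in self._pending:
                self.bindings[(p.vlan, p.chaddr)] = (p.yiaddr, self._pending[(p.vlan, p.chaddr)])
            return "forward"
        # untrusted port: these checks stop rogue servers and spoofed clients
        if p.msg in SERVER_MSGS:
            return "drop: server message on untrusted port"
        if p.option82:
            return "drop: option 82 on untrusted port"
        if p.chaddr != p.src_mac:                   # 'Verification of hwaddr field'
            return "drop: chaddr does not match source MAC"
        if p.msg in ("RELEASE", "DECLINE"):
            bound = self.bindings.get((p.vlan, p.chaddr))
            if bound is None or bound[1] != p.port:
                return "drop: release/decline for an address not bound to this port"
            del self.bindings[(p.vlan, p.chaddr)]
            return "forward"
        if p.msg in ("DISCOVER", "REQUEST"):
            self._pending[(p.vlan, p.chaddr)] = p.port
        return "forward"


def lab_scenario():
    """Replay the step 5 exchange through the model: rogue OFFER dropped, lease
    from the trusted side creates a binding, forged chaddr and a RELEASE from
    the wrong port are refused."""
    sw = DhcpSnooping(trusted={"Fa0/1", "Fa0/23"}, rate_limit={"Fa0/2": 20})
    r3 = "0007.eb79.08d1"          # client MAC from the binding table on the page
    good = "0004.2704.17b1"        # MAC the page binds statically to 12.0.0.1 on f0/1
    rogue = "0022.0000.0001"       # invented MAC for R2's server interface
    verdicts = [
        sw.handle(DhcpPkt("Fa0/19", 1, "DISCOVER", r3, r3)),
        sw.handle(DhcpPkt("Fa0/2", 1, "OFFER", rogue, r3, "22.0.0.2")),     # rogue answers
        sw.handle(DhcpPkt("Fa0/1", 1, "OFFER", good, r3, "12.0.0.5")),      # legitimate
        sw.handle(DhcpPkt("Fa0/19", 1, "REQUEST", r3, r3)),
        sw.handle(DhcpPkt("Fa0/1", 1, "ACK", good, r3, "12.0.0.5")),
        sw.handle(DhcpPkt("Fa0/19", 1, "DISCOVER", r3, "0000.dead.beef")),  # forged chaddr
        sw.handle(DhcpPkt("Fa0/20", 1, "RELEASE", r3, r3)),                 # wrong port
    ]
    return sw, verdicts


def rate_limit_demo(packets=21):
    """Flood Fa0/2 with DISCOVERs inside one second; the 21st trips the 20 pps limit."""
    sw = DhcpSnooping(trusted=set(), rate_limit={"Fa0/2": 20})
    mac = "0011.2233.4455"         # invented client MAC
    verdicts = [sw.handle(DhcpPkt("Fa0/2", 1, "DISCOVER", mac, mac, second=0))
                for _ in range(packets)]
    return verdicts, sw.err_disabled


if __name__ == "__main__":
    sw, v = lab_scenario()
    for line in v:
        print(line)
    print("bindings:", sw.bindings)
    print("err-disabled after flood:", rate_limit_demo()[1])
```

The point the model makes that the CLI output does not: the binding is keyed to the port where the client's REQUEST was seen, which is why a RELEASE for the same MAC arriving on another port is refused, and why IP Source Guard and DAI (next steps) can trust the table.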

Step 6: IP Source Guard and DAI

Now IP Source Guard.

SW2(config-if)#ip verify source port-security
// configure IP Source Guard on the PC-facing (untrusted) port. With the port-security keyword the switch filters on both source IP and source MAC against the DHCP snooping binding table, so a host can only send with the address it was leased (or a static binding). The port must also have switchport port-security enabled and belong to a VLAN with DHCP snooping running, otherwise there is nothing to check against. Before a client has a binding, only its DHCP traffic is allowed through.

Dynamic ARP Inspection is enabled per VLAN on both switches and checks every ARP packet received on an untrusted port in that VLAN:

SW3(config)#ip arp inspection vlan 1
SW2(config)#ip arp inspection vlan 1
// the sender MAC/IP pair of each ARP packet must exist in the DHCP snooping binding table for the VLAN, otherwise the packet is dropped; this defeats ARP poisoning by hosts in the VLAN

SW2(config-if)#int f0/23
SW2(config-if)#ip arp inspection trust
SW3(config-if)#int f0/23
SW3(config-if)#ip arp inspection trust
// the inter-switch link must be trusted on both ends: each switch only holds bindings for clients behind its own ports, so ARP from hosts behind the neighbouring switch would otherwise fail the check and be dropped

Step 7: verify

SW2#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
Insertion of option 82 is disabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                  Trusted    Rate limit (pps)
------------------------   -------    ----------------
FastEthernet0/1            yes        unlimited
FastEthernet0/2            no         2
FastEthernet0/23           yes        unlimited

SW2#sh ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:07:EB:79:08:D1   12.0.0.9         84188       dhcp-snooping  1     FastEthernet0/19
00:04:27:04:17:B1   12.0.0.1         infinite    static         1     FastEthernet0/1
Total number of bindings: 2

SW3#sh ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:07:EB:79:08:D1   12.0.0.9         85773       dhcp-snooping  1     FastEthernet0/3
Total number of bindings: 1
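The binding table above is what IP Source Guard and DAI from step 6 consult. The following Python is an added example, not IOS code and not from the original lab: it parses a copy of SW2's show ip source binding output (constructed from the text above) and then applies the IPSG and DAI rules to made-up packets. Which port carries ip verify source and which ports are ARP-inspection trusted are assumptions for the demonstration.

```python
"""IP Source Guard and Dynamic ARP Inspection decisions made against a
DHCP-snooping binding table.

Added example for this page; it is not IOS code and not from the original lab.
SW2_BINDINGS is constructed from the 'show ip source binding' output on the
page; the packets below are made up, and which ports carry 'ip verify source'
and 'ip arp inspection trust' is assumed for the demonstration."""
import re
from dataclasses import dataclass

SW2_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:07:EB:79:08:D1   12.0.0.9         84188       dhcp-snooping  1     FastEthernet0/19
00:04:27:04:17:B1   12.0.0.1         infinite    static         1     FastEthernet0/1
Total number of bindings: 2
"""

# one binding row: MAC, IP, lease, type, VLAN, interface
ROW_RE = re.compile(
    r"^([0-9a-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$", re.I)


@dataclass(frozen=True)
class Binding:
    mac: str      # normalised aa:bb:cc:dd:ee:ff
    ip: str
    vlan: int
    port: str
    kind: str     # dhcp-snooping or static


def norm_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff or aabb.ccdd.eeff (IOS style); return colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_bindings(show_output: str) -> list:
    """Parse 'show ip source binding' / 'show ip dhcp snooping binding' text."""
    rows = []
    for line in show_output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            mac, ip, _lease, kind, vlan, port = m.groups()
            rows.append(Binding(norm_mac(mac), ip, int(vlan), port, kind))
    return rows


def ipsg_permit(bindings, port, vlan, src_ip, src_mac, guarded, dhcp=False) -> bool:
    """IP Source Guard with 'ip verify source port-security': on a guarded port an
    IP packet passes only if source IP, source MAC, VLAN and the ingress port all
    match one binding. DHCP is always let through so a new host can get a lease."""
    if port not in guarded or dhcp:
        return True
    mac = norm_mac(src_mac)
    return any(b.port == port and b.vlan == vlan and b.ip == src_ip and b.mac == mac
               for b in bindings)


def dai_permit(bindings, port, vlan, sender_mac, sender_ip, trusted) -> bool:
    """Dynamic ARP Inspection: on an untrusted port the ARP sender MAC/IP pair
    must exist in the binding table for that VLAN (any port); trusted ports bypass."""
    if port in trusted:
        return True
    mac = norm_mac(sender_mac)
    return any(b.vlan == vlan and b.ip == sender_ip and b.mac == mac for b in bindings)


def demo() -> dict:
    b = parse_bindings(SW2_BINDINGS)
    guarded = {"FastEthernet0/19"}                       # assumed: ip verify source here
    trusted = {"FastEthernet0/1", "FastEthernet0/23"}    # assumed: ip arp inspection trust
    client = "0007.eb79.08d1"
    server = "0004.2704.17b1"
    return {
        "client_own_ip": ipsg_permit(b, "FastEthernet0/19", 1, "12.0.0.9", client, guarded),
        "client_spoofs_server_ip": ipsg_permit(b, "FastEthernet0/19", 1, "12.0.0.1", client, guarded),
        # right IP and MAC, but that binding belongs to Fa0/1: IPSG is per port
        "client_clones_server": ipsg_permit(b, "FastEthernet0/19", 1, "12.0.0.1", server, guarded),
        "dhcp_before_lease": ipsg_permit(b, "FastEthernet0/19", 1, "0.0.0.0", client, guarded, dhcp=True),
        "unguarded_port": ipsg_permit(b, "FastEthernet0/5", 1, "10.9.9.9", client, guarded),
        "arp_reply_legit": dai_permit(b, "FastEthernet0/19", 1, client, "12.0.0.9", trusted),
        "arp_poison_12.0.0.1": dai_permit(b, "FastEthernet0/19", 1, client, "12.0.0.1", trusted),
        "arp_via_trusted_uplink": dai_permit(b, "FastEthernet0/23", 1, "0000.0000.0001", "12.0.0.99", trusted),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} {'forward' if ok else 'DROP'}")
```

Two design points worth noticing: IPSG checks the ingress port as part of the match, so a host that clones the server's MAC and IP on another port is still dropped, whereas DAI matches on VLAN only, which is why the inter-switch link has to be trusted rather than relying on the neighbour's bindings being present locally.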

