Implementing two-way IP and MAC binding on a switch

Note: IP-based two-way binding cannot be done on a Layer 2 switch, but it can be done on a Layer 3 switch.

SW1(config)# interface FastEthernet0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security violation restrict   // options: shutdown | protect | restrict
SW1(config-if)# switchport port-security mac-address 00b0.6451.c920
SW1(config-if)# spanning-tree portfast
SW1(config-if)# ip access-group 11 in   // apply the ACL
SW1(config-if)# exit
SW1(config)# access-list 11 permit 192.168.2.69

IPSG lab configuration steps
SW(config)# ip dhcp snooping
SW(config)# ip dhcp snooping vlan 1,10
SW(config)# ip dhcp snooping verify mac-address
SW(config)# ip source binding 0000.0000.0001 vlan 10 172.16.1.5 interface f0/5
SW(config)# interface f0/1
SW(config-if)# switchport mode access
SW(config-if)# switchport port-security
SW(config-if)# ip verify source vlan dhcp-snooping port-security
SW(config)# interface f0/5
SW(config-if)# switchport mode access
SW(config-if)# switchport port-security
SW(config-if)# ip verify source vlan dhcp-snooping port-security
SW(config-if)# end
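The following is an added example, not part of the original document and not switch code: a simplified Python model of the lookup IPSG performs against the binding table, using the static binding from the lab above. The function names and sample frames are constructed for illustration; the model ignores the DHCP traffic a real switch lets through so that bindings can be learned.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str        # normalized to 12 lowercase hex digits
    vlan: int
    ip: str
    interface: str

def norm_mac(mac):
    """Normalize 0000.0000.0001 / 00:00:00:00:00:01 style MACs."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return digits

def parse_static_binding(line):
    """Parse 'ip source binding <mac> vlan <id> <ip> interface <if>'."""
    t = line.split()
    if (len(t) != 9 or t[:3] != ["ip", "source", "binding"]
            or t[4] != "vlan" or t[7] != "interface"):
        raise ValueError(f"not a static binding: {line!r}")
    return Binding(norm_mac(t[3]), int(t[5]), t[6], t[8])

def ipsg_permits(table, interface, vlan, src_ip, src_mac, check_mac=True):
    """True if a frame arriving on `interface` matches a binding.

    check_mac=False models 'ip verify source' (source IP filter only);
    check_mac=True models 'ip verify source port-security' (IP and MAC).
    """
    for b in table:
        if (b.interface, b.vlan, b.ip) != (interface, vlan, src_ip):
            continue
        if not check_mac or b.mac == norm_mac(src_mac):
            return True
    return False  # no matching binding: the frame is dropped

# Static binding copied from the lab configuration above.
TABLE = [parse_static_binding(
    "ip source binding 0000.0000.0001 vlan 10 172.16.1.5 interface f0/5")]

if __name__ == "__main__":
    frames = [  # constructed sample traffic
        ("f0/5", 10, "172.16.1.5", "00:00:00:00:00:01"),  # bound host
        ("f0/5", 10, "172.16.1.6", "00:00:00:00:00:01"),  # changed IP
        ("f0/5", 10, "172.16.1.5", "00:00:00:00:00:02"),  # changed MAC
        ("f0/1", 10, "172.16.1.5", "00:00:00:00:00:01"),  # wrong port
    ]
    for f in frames:
        print(f, "permit" if ipsg_permits(TABLE, *f) else "drop")
```

With `check_mac=False` the third frame is permitted, which is the gap the `port-security` keyword closes.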
I. Configuring the protection features on SW1

SW1(config)# ip dhcp snooping   // enable DHCP Snooping
SW1(config)# ip dhcp snooping information option   // enable option 82
SW1(config)# ip dhcp snooping vlan 10,20   // VLANs on which DHCP snooping operates
SW1(config)# ip dhcp snooping database flash:dhcp.db   // save the DHCP binding information to dhcp.db
SW1(config)# ip dhcp snooping verify mac-address
SW1(config)# interface f0/21
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security
SW1(config-if)# ip verify source port-security
SW1(config)# interface f0/23
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security
SW1(config-if)# ip verify source port-security
// optional: SW1(config)# ip source binding 0000.0000.0001 vlan 10 172.16.1.1 interface f0/2
// optional: SW1(config)# ip source binding 0000.0000.0002 vlan 20 172.16.2.1 interface f0/1
SW1(config)# ip arp inspection vlan 10,20   // ARP inspection on VLAN 10 and VLAN 20
SW1(config)# ip arp inspection validate src-mac dst-mac ip   // validate source MAC, destination MAC and IP

DHCP server configuration (a router is used as DHCP-SERVER)

Router(config)# ip dhcp pool vlan10   // define the address pool
Router(dhcp-config)# network 172.16.1.0 255.255.255.0   // subnet and address range served by the pool
Router(dhcp-config)# default-router 172.16.1.254   // default gateway for clients
Router(dhcp-config)# dns-server 218.108.248.200   // DNS server for clients
Router(dhcp-config)# exit
Router(config)# ip dhcp pool vlan20
Router(dhcp-config)# network 172.16.2.0 255.255.255.0
Router(dhcp-config)# default-router 172.16.2.254
Router(dhcp-config)# dns-server 218.108.248.200
Router(dhcp-config)# exit
Router(config)# ip dhcp excluded-address 172.16.1.100 172.16.1.254   // reserved address range
Router(config)# ip dhcp excluded-address 172.16.2.100 172.16.2.254
Router(config)# interface e0/0
Router(config-if)# ip address 172.16.3.1 255.255.255.0
Router(config-if)# no shutdown

Configuration on the switch

SW1(config)# interface vlan 10
SW1(config-if)# ip address 172.16.1.254 255.255.255.0
SW1(config-if)# ip helper-address 172.16.3.1   // relay requests to DHCP-SERVER as unicast
SW1(config-if)# interface vlan20
SW1(config-if)# ip address 172.16.2.254 255.255.255.0
SW1(config-if)# ip helper-address 172.16.3.1
Source: https://www.2haoxitong.net/k/doc/7b77aa080342a8956bec0975f46527d3250ca61d.html