亚洲激情专区-91九色丨porny丨老师-久久久久久久女国产乱让韩-国产精品午夜小视频观看

溫馨提示×

溫馨提示×

您好,登錄后才能下訂單哦!

密碼登錄×
登錄注冊×
其他方式登錄
點擊 登錄注冊 即表示同意《億速云用戶服務條款》

交換安全三寶(DHCP Snooping+IPSG+DAI)簡單實驗

發布時間:2020-04-29 18:46:52 來源:網絡 閱讀:2578 作者:gift2010 欄目:網絡安全

1 實驗拓撲圖

    交換安全三寶(DHCP Snooping+IPSG+DAI)簡單實驗

2 DHCP Snooping

2.1 基本DHCP Snooping配置:

C2960#show running-config

Building configuration...

!

ipdhcp snooping vlan 10

ipdhcp snooping

!

interface FastEthernet0/1

 description ---Connected to DHCP_Server ---

 switchportaccess vlan 10

 switchport modeaccess

 spanning-treeportfast

 spanning-treebpduguard enable

 ip dhcp snoopingtrust

!

interface FastEthernet0/10

 description ---Connected to PC1 ---

 switchportaccess vlan 10

 switchport modeaccess

 spanning-treeportfast

 spanning-treebpduguard enable

!

 

2.2 驗證DHCP Snooping效果:

一、首先,PC能夠正常通過DHCP獲取到IP地址:

 交換安全三寶(DHCP Snooping+IPSG+DAI)簡單實驗

二、C2960上驗證DHCP Snooping效果:

C2960#showip dhcp snooping

 交換安全三寶(DHCP Snooping+IPSG+DAI)簡單實驗

C2960#showip dhcp snooping binding

交換安全三寶(DHCP Snooping+IPSG+DAI)簡單實驗

注:此綁定表非常關鍵,是后續IPSGDAI的基礎。

2.3 擴展DHCP Snooping配置:

(一)指定DHCP Snooping綁定數據庫的位置

注:如果想寫到外部數據庫,必須先寫到本地,否則不成功。

C2960(config)#ip dhcp snooping databaseflash:/dhcp-snooping.db

01:00:28: %DHCP_SNOOPING-4-DHCP_SNOOPING_DATABASE_FLASH_WARNING:Saving DHCP snooping bindings to flash can fill up your device causing thewrites of bindings to device, to fail.

01:00:29: %DHCP_SNOOPING-4-NTP_NOT_RUNNING: NTP is notrunning; reloaded binding lease expiration times are incorrect.

01:00:29: %DHCP_SNOOPING-6-AGENT_OPERATION_SUCCEEDED:DHCP snooping database Write succeeded.

 交換安全三寶(DHCP Snooping+IPSG+DAI)簡單實驗


(二)限制端口接收DHCP包的速率

C2960(config)#interface f0/10

C2960(config-if)#ip dhcp snooping limit rate 20

(三)DHCP 選項82的處理

1關閉82選項

C2960(config)#no ip dhcp snooping information option

C2960#showip dhcp snooping

 交換安全三寶(DHCP Snooping+IPSG+DAI)簡單實驗


2、允許從untrust接口接收插入了82選項的DHCP報文

C2960(config)#ip dhcp snooping information optionallow-untrusted

C2960#showip dhcp snooping

 交換安全三寶(DHCP Snooping+IPSG+DAI)簡單實驗


3 IP Source Guard

2.1 基本IPSG配置:

C2960#show running-config interface f0/10

Building configuration...

 

Current configuration : 423 bytes

!

interface FastEthernet0/10

 description ---Connected to PC1 ---

 switchportaccess vlan 10

 switchport modeaccess

 switchportport-security maximum 10

 switchportport-security

 switchportport-security mac-address sticky

 switchportport-security mac-address sticky 54ee.7535.bb02 vlan access

 spanning-treeportfast

 spanning-treebpduguard enable

 ip verify sourceport-security

 ip dhcpsnooping limit rate 20

end

 

2.2 驗證IPSG效果:

一、交換機上形成了IPSG綁定表

C2960#showip verify source

C2960#showip source binding

交換安全三寶(DHCP Snooping+IPSG+DAI)簡單實驗 


二、此時PC能夠和外界正常通信

交換安全三寶(DHCP Snooping+IPSG+DAI)簡單實驗

注:經過實驗,此時如果將PC1改為手動設置IP(仍為10.1.10.11),則2960DHCP Snooping綁定表馬上消失,IPSG綁定表也隨之消失,導致此時PC1無法和外界通信。

 

2.3 擴展IPSG配置:

(一)手工配置IPSG綁定表

C2960(config)#ip source bindingAAAA.BBBB.CCCC vlan 10 10.1.10.100 interface Fa0/5

C2960#showip source binding

交換安全三寶(DHCP Snooping+IPSG+DAI)簡單實驗 


3 Dynamic ARP Inspection

2.1 基本DAI配置:

C2960#show running-config

Building configuration...

!

interface FastEthernet0/1

 description ---Connected to DHCP_Server ---

 switchportaccess vlan 10

 switchport modeaccess

 ip arp inspectiontrust

 spanning-treeportfast

 spanning-treebpduguard enable

 ip dhcpsnooping trust

!

iparp inspection vlan 10

iparp inspection validate src-mac dst-mac ip

!

 

 

 

 

 

2.2 驗證DAI效果:

C2960#show ip arp inspection

交換安全三寶(DHCP Snooping+IPSG+DAI)簡單實驗 

C2960#showip arp inspection interface f0/1

 交換安全三寶(DHCP Snooping+IPSG+DAI)簡單實驗


2.3 擴展DAI配置:

(一)限制端口接收ARP報文的速率

C2960(config)#interface fastEthernet 0/10

C2960(config-if)#ip arp inspection limit rate 20

 

(二)配置ARP訪問控制列表,主要是為了靜態配置IP地址的主機,相當于做了手動的映射

C2960(config)#arp access-list TEST

C2960(config-arp-nacl)#permit ip host 10.1.10.20 machost aaaa.bbbb.cccc

C2960(config)#ip arp inspection filter TEST vlan 10

 

C2960#showip arp inspection vlan 10

 交換安全三寶(DHCP Snooping+IPSG+DAI)簡單實驗


(三)配置由于DAI導致err-disable的端口自動恢復

C2960(config)#errdisable recovery cause arp-inspection

C2960(config)#errdisable recovery interval 60

 

C2960#showerrdisable recovery

 交換安全三寶(DHCP Snooping+IPSG+DAI)簡單實驗

 

 

 C2960最終配置:

C2960#show running-config

Building configuration...

 

Current configuration : 3001 bytes

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname C2960

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

system mtu routing 1500

!

!

ip dhcp snooping vlan 10

ip dhcp snooping

ip arp inspection vlan 10

ip arp inspection validate src-mac dst-mac ip

ip arp inspection filter TEST vlan  10

!

!

errdisable recovery cause arp-inspection

errdisable recovery interval 60

!

spanning-tree mode rapid-pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

!

interface FastEthernet0/1

 description ---Connected to DHCP_Server ---

 switchportaccess vlan 10

 switchport modeaccess

 ip arpinspection trust

 spanning-treeportfast

 spanning-treebpduguard enable

 ip dhcp snoopingtrust

!

interface FastEthernet0/2

!

interface FastEthernet0/3

!

interface FastEthernet0/4

!

interface FastEthernet0/5

!

interface FastEthernet0/6

!

interface FastEthernet0/7

!

interface FastEthernet0/8

!

interface FastEthernet0/9

!

interface FastEthernet0/10

 description ---Connected to PC1 ---

 switchportaccess vlan 10

 switchport modeaccess

 switchportport-security maximum 10

 switchportport-security

 switchportport-security mac-address sticky

 switchportport-security mac-address sticky 54ee.7535.bb02 vlan access

 ip arpinspection limit rate 20

 spanning-treeportfast

 spanning-treebpduguard enable

 ip verifysource port-security

 ip dhcpsnooping limit rate 20

!

interface FastEthernet0/11

!

interface FastEthernet0/12

!

interface FastEthernet0/13

!

interface FastEthernet0/14

!

interface FastEthernet0/15

!

interface FastEthernet0/16

!        

interface FastEthernet0/17

!

interface FastEthernet0/18

!

interface FastEthernet0/19

!

interface FastEthernet0/20

!

interface FastEthernet0/21

!

interface FastEthernet0/22

!

interface FastEthernet0/23

!

interface FastEthernet0/24

!

interface FastEthernet0/25

!

interface FastEthernet0/26

!

interface FastEthernet0/27

!

interface FastEthernet0/28

!

interface FastEthernet0/29

!

interface FastEthernet0/30

!

interface FastEthernet0/31

!

interface FastEthernet0/32

!

interface FastEthernet0/33

!

interface FastEthernet0/34

!

interface FastEthernet0/35

!

interface FastEthernet0/36

!

interface FastEthernet0/37

!

interface FastEthernet0/38

!

interface FastEthernet0/39

!        

interface FastEthernet0/40

!

interface FastEthernet0/41

!

interface FastEthernet0/42

!

interface FastEthernet0/43

!

interface FastEthernet0/44

!

interface FastEthernet0/45

!

interface FastEthernet0/46

!

interface FastEthernet0/47

!

interface FastEthernet0/48

!

interface GigabitEthernet0/1

!

interface GigabitEthernet0/2

!

interface Vlan1

 no ip address

 no iproute-cache

!

interface Vlan10

 ip address10.1.10.254 255.255.255.0

!

ip http server

ip http secure-server

ip source binding AAAA.BBBB.CCCC vlan 10 10.1.10.100interface Fa0/5

!

arp access-list TEST

 permit ip host10.1.10.20 mac host aaaa.bbbb.cccc

!

line con 0

line vty 0 4

 login

line vty 5 15

 login

!

end

 

C2960#

 

 

 

 


向AI問一下細節

免責聲明:本站發布的內容(圖片、視頻和文字)以原創、轉載和分享為主,文章觀點不代表本網站立場,如果涉及侵權請聯系站長郵箱:is@yisu.com進行舉報,并提供相關證據,一經查實,將立刻刪除涉嫌侵權內容。

AI

芷江| 贵定县| 牙克石市| 天津市| 乌拉特中旗| 建德市| 广河县| 浑源县| 兴化市| 额敏县| 通海县| 巫溪县| 长顺县| 咸宁市| 长乐市| 金湖县| 景洪市| 静安区| 阿瓦提县| 渑池县| 东光县| 湘潭县| 宁夏| 恩施市| 新晃| 盘锦市| 京山县| 南郑县| 栾城县| 定襄县| 萝北县| 开原市| 澎湖县| 天水市| 海淀区| 东乌珠穆沁旗| 万安县| 淅川县| 临江市| 长海县| 西畴县|