DHCP based on the global address pool
S1 DHCP server configuration
<Huawei>
<Huawei>u t m
Info: Current terminal monitor is off.
<Huawei> sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sy S1
[S1]vlan b
[S1]vlan batch 10 20
Info: This operation may take a few seconds. Please wait for a moment...done.
[S1]dhcp e
Info: The operation may take a few seconds. Please wait for a moment.done.
[S1]port-g
[S1]port-group
[S1]port-group g
[S1]port-group group-member g0/0/1 g0/0/02
[S1-port-group]port l
[S1-port-group]port link-t
[S1-port-group]port link-type
[S1-port-group]port link-type t
[S1-GigabitEthernet0/0/1]port link-type t
[S1-GigabitEthernet0/0/2]port link-type t
[S1-port-group]port t
[S1-port-group]port trunk a
[S1-port-group]port trunk allow-pass v
[S1-port-group]port trunk allow-pass vlan a
[S1-GigabitEthernet0/0/1]port trunk allow-pass vlan a
[S1-GigabitEthernet0/0/2]port trunk allow-pass vlan a
[S1-port-group]q
[S1]ip pool vlan10
Info:It's successful to create an IP address pool.
[S1-ip-pool-vlan10]net
[S1-ip-pool-vlan10]network 192.168.10.0 m
[S1-ip-pool-vlan10]network 192.168.10.0 mask 24
[S1-ip-pool-vlan10]g
[S1-ip-pool-vlan10]gateway-list 192.168.10.254
[S1-ip-pool-vlan10]d
[S1-ip-pool-vlan10]dns-list 8.8.8.8
[S1-ip-pool-vlan10]ip pool
[S1-ip-pool-vlan10]ip pool vlan20
Info:It's successful to create an IP address pool.
[S1-ip-pool-vlan20]net
[S1-ip-pool-vlan20]network 192.168.20.0 m
[S1-ip-pool-vlan20]network 192.168.20.0 mask 24
[S1-ip-pool-vlan20]g
[S1-ip-pool-vlan20]gateway-list 192.168.20.254
[S1-ip-pool-vlan20]d
[S1-ip-pool-vlan20]dns-list 8.8.8.8
[S1-ip-pool-vlan20]q
[S1]int v`10
^
Error: Wrong parameter found at '^' position.
[S1]int v
[S1]int Vlanif 10
[S1-Vlanif10]ip ad
[S1-Vlanif10]ip address 192.168.10.254 24
[S1-Vlanif10]dhcp s
[S1-Vlanif10]dhcp se
[S1-Vlanif10]dhcp select g
[S1-Vlanif10]dhcp select global
[S1-Vlanif10]q
[S1]int v 20
[S1-Vlanif20]ip add
[S1-Vlanif20]ip address 192.168.20.254 24
[S1-Vlanif20]dhcp sel
[S1-Vlanif20]dhcp select g
[S1-Vlanif20]dhcp select global
[S1-Vlanif20] User interface con0 is available
Please Press ENTER.
S2 configuration
<Huawei>U T M
Info: Current terminal monitor is off.
<Huawei>SY
Enter system view, return user view with Ctrl+Z.
[Huawei]SY S2
[S2]int g0/0/1
[S2-GigabitEthernet0/0/1]port l
[S2-GigabitEthernet0/0/1]port link-t
[S2-GigabitEthernet0/0/1]port link-type t
[S2-GigabitEthernet0/0/1]port t
[S2-GigabitEthernet0/0/1]port trunk a
[S2-GigabitEthernet0/0/1]port trunk allow-pass v
[S2-GigabitEthernet0/0/1]port trunk allow-pass vlan a
[S2-GigabitEthernet0/0/1]q
[S2]port-g
[S2]port-group g
[S2]port-group group-member g0/0/2 g0/0/3
[S2-port-group]port l
[S2-port-group]port link-t
[S2-port-group]port link-type a
[S2-GigabitEthernet0/0/2]port link-type a
[S2-GigabitEthernet0/0/3]port link-type a
[S2-port-group]port def v 10
[S2-GigabitEthernet0/0/2]port def v 10
Error: The VLAN does not exist.
[S2-GigabitEthernet0/0/3]port def v 10
Error: The VLAN does not exist.
[S2-port-group]q
[S2]q
<S2>sy
Enter system view, return user view with Ctrl+Z.
[S2]vlan b 10 20
Info: This operation may take a few seconds. Please wait for a moment...done.
[S2]int g0/0/1
[S2-GigabitEthernet0/0/1]port l
[S2-GigabitEthernet0/0/1]port link-t
[S2-GigabitEthernet0/0/1]port link-type t
[S2-GigabitEthernet0/0/1]port t
[S2-GigabitEthernet0/0/1]port trunk a
[S2-GigabitEthernet0/0/1]port trunk allow-pass v
[S2-GigabitEthernet0/0/1]port trunk allow-pass vlan a
[S2-GigabitEthernet0/0/1]q
[S2]port-g
[S2]port-group g
[S2]port-group group-member g0/0/2 g0/0/3
[S2-port-group]port l
[S2-port-group]port link-t
[S2-port-group]port link-type a
[S2-GigabitEthernet0/0/2]port link-type a
[S2-GigabitEthernet0/0/3]port link-type a
[S2-port-group]port def v 10
[S2-GigabitEthernet0/0/2]port def v 10
[S2-GigabitEthernet0/0/3]port def v 10
[S2-port-group] User interface con0 is available
Please Press ENTER.
S3 configuration
<S3>u t m
Info: Current terminal monitor is off.
<S3>sy
Enter system view, return user view with Ctrl+Z.
[S3]int g0/0/1
[S3-GigabitEthernet0/0/1]port l
[S3-GigabitEthernet0/0/1]port link-t
[S3-GigabitEthernet0/0/1]port link-type t
[S3-GigabitEthernet0/0/1]port t
[S3-GigabitEthernet0/0/1]port trunk a
[S3-GigabitEthernet0/0/1]port trunk allow-pass v
[S3-GigabitEthernet0/0/1]port trunk allow-pass vlan
[S3-GigabitEthernet0/0/1]port trunk allow-pass vlan a
[S3-GigabitEthernet0/0/1]q
[S3]port-g
[S3]port-group
[S3]port-group g
[S3]port-group group-member g0/0/2 g00/3
^
Error: Wrong parameter found at '^' position.
[S3]port-group group-member g0/0/2 g0/0/3
[S3-port-group]port l
[S3-port-group]port link-t
[S3-port-group]port link-type a
[S3-GigabitEthernet0/0/2]port link-type a
[S3-GigabitEthernet0/0/3]port link-type a
[S3-port-group]port def
[S3-port-group]port default v20
^
Error: Unrecognized command found at '^' position.
[S3-port-group]port default v 20
[S3-GigabitEthernet0/0/2]port default v 20
[S3-GigabitEthernet0/0/3]port default v 20
[S3-port-group] User interface con0 is available
Please Press ENTER.
Client-side check and packet capture
Interface-based DHCP
[DHCP S1]dhcp server ping packet 5
[DHCP S1]dhcp server ping timeout ?
INTEGER<0-10000> Time out milliseconds
[DHCP S1]dhcp server ping timeout 50
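The PC receives a fake IP address from the rogue (spoofed) DHCP server.
After DHCP snooping is enabled, the client obtains DHCP service only through the trusted port g0/0/4.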
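
The forwarding decision behind that behaviour, as an added Python model (not part of the original notes and not Huawei's implementation): server-side DHCP messages (OFFER, ACK, NAK) are accepted only on the trusted port, and an ACK from the trusted port creates a binding entry. Port g0/0/4 is from the notes; the client port g0/0/2, the rogue server port g0/0/3, the MAC address and the offered addresses are constructed assumptions.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"               # DHCP magic cookie, follows the 236-byte BOOTP header
SERVER_TYPES = {2, 5, 6}                  # OFFER, ACK, NAK: only a DHCP server sends these
TRUSTED_PORTS = {"g0/0/4"}                # the trusted port named in the notes

def build(msg_type, mac, yiaddr="0.0.0.0"):
    """Build a minimal DHCP payload (constructed sample input, not a capture)."""
    op = 2 if msg_type in SERVER_TYPES else 1
    pkt = struct.pack("!BBBBIHH4s", op, 1, 6, 0, 0x1234, 0, 0, bytes(4))
    pkt += bytes(int(o) for o in yiaddr.split(".")) + bytes(8)       # yiaddr, siaddr, giaddr
    pkt += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0") + bytes(192)
    return pkt + MAGIC + bytes([53, 1, msg_type, 255])               # option 53, then end

def parse(payload):
    """Return (message type, client MAC, yiaddr), or None if not parseable DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    mac, yiaddr = payload[28:34].hex(":"), ".".join(map(str, payload[16:20]))
    i = 240
    while i + 2 < len(payload) and payload[i] != 255:
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1:
            return payload[i + 2], mac, yiaddr
        i += 1 if code == 0 else 2 + length   # pad option (0) has no length byte
    return None

def snoop(port, payload, pending, bindings):
    """Model the decision: server replies are accepted on trusted ports only."""
    parsed = parse(payload)
    if parsed is None:
        return "ignore"                   # not DHCP; outside this model
    mtype, mac, yiaddr = parsed
    if mtype in SERVER_TYPES:
        if port not in TRUSTED_PORTS:
            return "drop"                 # rogue server reply never reaches the client
        if mtype == 5 and mac in pending: # ACK: record MAC -> (IP, client port)
            bindings[mac] = (yiaddr, pending.pop(mac))
        return "forward"
    pending[mac] = port                   # client request: remember where the client sits
    return "forward"

def demo():
    pc, pending, bindings = "54:89:98:00:00:01", {}, {}   # constructed MAC, PC on g0/0/2
    events = [("g0/0/2", build(1, pc)), ("g0/0/3", build(2, pc, "10.0.0.5")),
              ("g0/0/4", build(2, pc, "192.168.10.253")), ("g0/0/2", build(3, pc)),
              ("g0/0/3", build(5, pc, "10.0.0.5")), ("g0/0/4", build(5, pc, "192.168.10.253"))]
    return [snoop(port, data, pending, bindings) for port, data in events], bindings

print(demo())
```

The rogue server's OFFER and ACK on g0/0/3 are dropped, so the only binding recorded is the address handed out through g0/0/4.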
Port security
<Huawei>
<Huawei>u t m
Info: Current terminal monitor is off.
<Huawei>sy
Enter system view, return user view with Ctrl+Z.
[Huawei]sy s1
[s1]int g0/0/1
[s1-GigabitEthernet0/0/1]port-se
[s1-GigabitEthernet0/0/1]port-security e
[s1-GigabitEthernet0/0/1]port-security enable
[s1-GigabitEthernet0/0/1]port-se
[s1-GigabitEthernet0/0/1]port-security ma
[s1-GigabitEthernet0/0/1]port-security max
[s1-GigabitEthernet0/0/1]port-security max-mac-num 2 (only 2 MAC addresses may be learned)
[s1-GigabitEthernet0/0/1]q
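First ping Li Si from Zhang San and Wang Wu, then test whether Xiao Hong can ping Li Si.
Checking the MAC address table on s1 shows only the MAC addresses of Zhang San and Li Si.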