实验案例一:配置端口安全
1、需求描述:(可先用模拟器模拟)
配置交换机设置端口安全,保证合法的客户端可以接入网络,
非法客户端不许接入网络并且将交换机端口置为err-disable状态
2、实验拓扑:
3、实现思路
a)将交换机的F0/1、F0/2、F0/3端口为接入模式,属于Vlan 10
b)在这3个接口启用端口安全
c)配置黏贴功能sticky(粘连)特性
d)配置端口违规
e)配置err-disable状态恢复
f)
注意:用思科Tracer实验,不能配置aging,不能配置自动恢复;更换PC后接口恢复,需要:
Clear mac-address-table
Clear port-security sticky
Int f0/1
Shut
No shut
实验案例二:配置DAI防御ARP欺骗
1、需求描述:(用真实设备)
本案例需要使用三层交换机(Cisco 3560等),在其上配置DHCP监听、IP源防护、DAI增加网络安全
2、实验拓朴:
3、实现思路
a)配置端口,加入VLAN
b)配置DHCP监听、DAI
c)模拟***
验证配置
命令参考示例:
1、DHCP侦听:三层交换机
Switch(config)#ipdhcp snooping
Switch(config)#ipdhcp snooping vlan 10
Switch(config)#ipdhcp snooping information option
Switch(config)#interface fastEthernet 0/2
Switch(config-if)#ipdhcp snooping trust
2、IP源防护:三层交换机
Switch(config)#interface FastEthernet0/1
Switch(config-if)#switchport access vlan 10
Switch(config-if)# switchport port-security
Switch(config-if)# ipverify source port-security
Switch(config)#interface FastEthernet0/3
Switch(config-if)# switchport access vlan10
Switch(config-if)# switchport port-security
Switch(config-if)# ipverify source port-security
Switch(config)#ipsource binding DHCP服务器MAC vlan 10 192.168.100.254 interface Fa0/2
3、DAI动态ARP检测:三层交换机
Switch(config)#interface rangeFastEthernet0/1 - 3
Switch(config-if)# switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)# spanning-tree portfast
Switch(config)#ip arpinspection vlan 10
4、DHCP服务器(用router模拟):
router -DHCP(config)#ip dhcp pool test
router -DHCP(dhcp-config)# network 192.168.100.0 255.255.255.0
router -DHCP(dhcp-config)# default-router 192.168.100.1
router -DHCP(config)#interface f0/0
router -DHCP(config-if)# ip dhcp relay information trusted
router -DHCP(config-if)# ip address192.168.100.5 255.255.255.0
测试:
修改PC2的IP,不通
在PC2上安装长角牛,启动,连接断开
============================================================
Switch#show ip sourcebinding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
D0:27:88:47:CE:FA 192.168.100.21 686184 dhcp-snooping 10 F0/1
00:1F:C6:44:A3:CF 192.168.100.23 685696 dhcp-snooping 10 F0/3
00:0C:29:BE:C6:3A 192.168.100.2 infinite static 10 F0/2
Total number of bindings: 3
Switch#show ip dhcpsnooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
D0:27:88:47:CE:FA 192.168.100.21 686190 dhcp-snooping 10 F0/1
00:1F:C6:44:A3:CF 192.168.100.23 685702 dhcp-snooping 10 F0/3
Total number of bindings: 2
Switch# show ip arpinspection statistics vlan 10
VlanSwitch#show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
D0:27:88:47:CE:FA 192.168.100.21 686190 dhcp-snooping 10 F0/1
00:1F:C6:44:A3:CF 192.168.100.23 685702 dhcp-snooping 10 F0/3
Total number of bindings: 2
Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ---------
10 3923 25837 25837 0
Vlan DHCP Permits ACL Permits Probe Permits Source MACFailures
---- ------------ ----------- ------------- -------------------
10 3416 0 6 0
Vlan Dest MAC Failures IP ValidationFailures Invalid Protocol Data
---- ----------------- ---------------------- ---------------------
10
转载于:https://blog.51cto.com/haigou1995/1346449
1459
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
