
Enterprise network lab: dhcp-snooping and ip source check to block rogue DHCP servers, obtain IPs automatically (a virtual machine acts as the DHCP server) and forbid manually changed IPs


Requirements


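  • DHCP server: vmware virtual machine (dhcp), IP: 192.168.5.254, able to assign IPs from three subnets: 192.168.5.X, 192.168.10.X and 192.168.11.X
  • DHCP relay: Huawei Layer 3 switch S5700, configured with vlan 5, 10 and 11. g 0/0/1 is the dhcp trusted interface; g 0/0/10 has dhcp-snooping enabled (blocks rogue dhcp servers) and ip source check enabled (packets from an IP that was not obtained through dhcp, i.e. a manually changed IP, are dropped)
  • The access switch is used as a dumb switch, with no configuration at all.
  • PC10: automatic IP works, manual IP does not
  • PC11: both automatic and manual IP work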

Configuration

Connectivity configuration

vlan batch 5 10 to 11

int vlanif 5
ip address 192.168.5.254 24

int vlanif 10
ip address 192.168.10.254 24

int vlanif 11
ip address 192.168.11.254 24
int g 0/0/1
port link-type access 
port default vlan 5

int g 0/0/10
port link-type access 
port default vlan 10

int g 0/0/11
port link-type access 
port default vlan 11

At this point 192.168.5.253, 192.168.5.254, 192.168.10.254 and 192.168.11.254 can all ping each other.

Configure the IP assignment service on the vmware virtual machine (dhcp)

vim /etc/dhcp/dhcpd.conf

The contents are as follows:

# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
option domain-name "test.com";
option domain-name-servers 192.168.200.113, 192.168.200.114;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;


### Subnet declaration
subnet 192.168.5.0 netmask 255.255.255.0 {
  range   dynamic-bootp 192.168.5.51 192.168.5.199;  # IP address pool
  #option domain-name-servers ns1.internal.example.org;
  #option domain-name "internal.example.org";
  option routers 192.168.5.254; # default gateway for clients
  option broadcast-address 192.168.5.255; # broadcast address for clients
  #default-lease-time 600;
  #max-lease-time 7200;
}

### Subnet declaration
subnet 192.168.10.0 netmask 255.255.255.0 {
  range   dynamic-bootp 192.168.10.51 192.168.10.199;  # IP address pool
  #option domain-name-servers ns1.internal.example.org;
  #option domain-name "internal.example.org";
  option routers 192.168.10.254; # default gateway for clients
  option broadcast-address 192.168.10.255; # broadcast address for clients
  #default-lease-time 600;
  #max-lease-time 7200;
}

### Subnet declaration
subnet 192.168.11.0 netmask 255.255.255.0 {
  range   dynamic-bootp 192.168.11.51 192.168.11.199;  # IP address pool
  #option domain-name-servers ns1.internal.example.org;
  #option domain-name "internal.example.org";
  option routers 192.168.11.254; # default gateway for clients
  option broadcast-address 192.168.11.255; # broadcast address for clients
  #default-lease-time 600;
  #max-lease-time 7200;
}



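host pc_deepin {                                # name of the client that gets a fixed IP address
  hardware ethernet 00:0C:29:25:D4:C6;   # network interface type and MAC address
  fixed-address 192.168.5.1;  # fixed address assigned to the client
  server-name "deepin.test.com"; # intended to give the client a computer name (dhcpd sends server-name as the boot server name; option host-name sets the client's name)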
}

Configure dhcp relay

  • Enable dhcp relay on each VLANIF
int Vlanif5
dhcp select relay
dhcp relay server-ip 192.168.5.253
#
int Vlanif10
dhcp select relay
dhcp relay server-ip 192.168.5.253
#
int Vlanif11
dhcp select relay
dhcp relay server-ip 192.168.5.253

At this point both PC10 and PC11 can obtain an IP.


Configure dhcp-snooping (block rogue dhcp servers)

  • Enable dhcp snooping globally
#
dhcp enable
#
dhcp snooping enable

  • Configure snooping on the interface

int g 0/0/10
dhcp snooping enable
  • Set the trusted interface
int g 0/0/1
dhcp snooping trusted

Configure ip source check (forbid manually changed IPs)

int g 0/0/10
arp anti-attack check user-bind enable
ip source check user-bind enable
dhcp snooping check dhcp-chaddr enable
  • Verification: automatic IP
ipconfig /release
ipconfig /renew
ipconfig

  • Verification: manual IP
  • View the user-bind table on the DHCP relay
dis dhcp snooping user-bind all
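
The checks configured above, modelled in Python as an added example (not from the original article and not Huawei's implementation): server replies are accepted only on the trusted port, an ACK seen there creates a user-bind entry, and ip source check drops frames whose source IP is not in that table. The class names, MAC addresses and leased IPs are constructed for illustration.

```python
from dataclasses import dataclass, field
# Simplified model of the per-port checks; all names here are hypothetical.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these

@dataclass
class Port:
    trusted: bool = False       # dhcp snooping trusted
    snooping: bool = False      # dhcp snooping enable
    chaddr_check: bool = False  # dhcp snooping check dhcp-chaddr enable
    source_check: bool = False  # ip source check user-bind enable

@dataclass
class Switch:
    ports: dict
    pending: dict = field(default_factory=dict)  # chaddr -> client port
    binds: dict = field(default_factory=dict)    # (mac, port) -> leased IP

    def dhcp(self, port, msg, src_mac, chaddr, yiaddr=None):
        p = self.ports[port]
        if msg in SERVER_MSGS:
            if not p.trusted:
                return "drop"                    # server reply on untrusted port
            if msg == "ACK" and chaddr in self.pending:
                self.binds[(chaddr, self.pending.pop(chaddr))] = yiaddr
            return "forward"
        if p.snooping and p.chaddr_check and src_mac != chaddr:
            return "drop"                        # chaddr differs from frame MAC
        if p.snooping:
            self.pending[chaddr] = port          # remember where the client sits
        return "forward"

    def data(self, port, src_mac, src_ip):
        if self.ports[port].source_check and self.binds.get((src_mac, port)) != src_ip:
            return "drop"                        # IP not in the user-bind table
        return "forward"

def run_lab():
    sw = Switch({"G0/0/1": Port(trusted=True),
                 "G0/0/10": Port(snooping=True, chaddr_check=True, source_check=True),
                 "G0/0/11": Port(snooping=True)})
    pc10, pc11 = "00:00:00:00:00:10", "00:00:00:00:00:11"  # constructed MACs
    out = {"rogue_offer": sw.dhcp("G0/0/10", "OFFER", "00:00:00:00:00:99", pc10, "192.168.10.77")}
    for port, mac, ip in (("G0/0/10", pc10, "192.168.10.51"), ("G0/0/11", pc11, "192.168.11.51")):
        sw.dhcp(port, "REQUEST", mac, mac)
        sw.dhcp("G0/0/1", "ACK", "00:00:00:00:00:fd", mac, ip)
    out["pc10_dhcp_ip"] = sw.data("G0/0/10", pc10, "192.168.10.51")
    out["pc10_manual_ip"] = sw.data("G0/0/10", pc10, "192.168.10.200")
    out["pc11_manual_ip"] = sw.data("G0/0/11", pc11, "192.168.11.200")
    out["forged_chaddr"] = sw.dhcp("G0/0/10", "REQUEST", pc10, "00:00:00:00:00:aa")
    return out, sw.binds
```

Because the access switch is unmanaged, the S5700 applies these checks only to frames that reach its own ports; traffic between hosts on the same access switch never crosses them.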

DHCP relay (core switch) configuration file

#
sysname Huawei
#
vlan batch 5 10 to 11
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
dhcp enable
#
dhcp snooping enable
#
diffserv domain default
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif5
 ip address 192.168.5.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 192.168.5.253
#
interface Vlanif10
 ip address 192.168.10.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 192.168.5.253
#
interface Vlanif11
 ip address 192.168.11.254 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 192.168.5.253
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 5
 dhcp snooping trusted
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
 port link-type access
 port default vlan 10
 arp anti-attack check user-bind enable
 ip source check user-bind enable
 dhcp snooping enable
 dhcp snooping check dhcp-chaddr enable
#
interface GigabitEthernet0/0/11
 port link-type access
 port default vlan 11
 dhcp snooping enable
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
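
An added audit sketch in Python (not part of the original article) that parses an excerpt of the configuration above and reports ports with dhcp snooping but no ip source check, a missing trusted port, and local users configured with password simple. The function names are hypothetical; in this lab the G0/0/11 finding is intentional, since PC11 is allowed a manual IP.

```python
import re

# Excerpt of the switch configuration shown above (unrelated lines trimmed).
CONFIG = """\
dhcp enable
#
dhcp snooping enable
#
aaa
 local-user admin password simple admin
#
interface GigabitEthernet0/0/1
 dhcp snooping trusted
#
interface GigabitEthernet0/0/10
 arp anti-attack check user-bind enable
 ip source check user-bind enable
 dhcp snooping enable
 dhcp snooping check dhcp-chaddr enable
#
interface GigabitEthernet0/0/11
 dhcp snooping enable
#
"""

def parse(cfg):
    """Split a config on '#' lines into {stanza header: [sub-commands]}."""
    stanzas = {}
    for block in re.split(r"^#$", cfg, flags=re.M):
        lines = [l for l in block.splitlines() if l.strip()]
        if lines:
            stanzas[lines[0].strip()] = [l.strip() for l in lines[1:]]
    return stanzas

def audit(cfg):
    st, findings = parse(cfg), []
    if "dhcp snooping enable" not in st:
        findings.append("global: dhcp snooping is not enabled")
    ifaces = {k.split()[1]: v for k, v in st.items() if k.startswith("interface ")}
    if not any("dhcp snooping trusted" in v for v in ifaces.values()):
        findings.append("no trusted port: server replies would be dropped everywhere")
    for name, cmds in ifaces.items():
        if "dhcp snooping enable" in cmds and "ip source check user-bind enable" not in cmds:
            findings.append(f"{name}: snooping without ip source check (manual IPs accepted)")
    for c in st.get("aaa", []):
        if " password simple " in c:
            findings.append(f"aaa: local-user {c.split()[1]} has a plaintext ('simple') password")
    return findings
```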