(III) Experiment steps and records
A. A Cisco 871 is used as the hub. One LAN port of the 871 is connected to Gi2/0/5 on the 3750G. Once the port is stable:
Switch#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
    Gi2/0/5              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

Switch#sh port-security address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    0019.e75b.1e79    SecureDynamic                 Gi2/0/5        -
------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

B. The PC is connected to another LAN port of the 871; the log output is as follows:
*Mar 1 00:38:20.667: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi2/0/5, putting Gi2/0/5 in err-disable state
*Mar 1 00:38:20.718: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address d4be.d92d.1893 on port GigabitEthernet2/0/5.
*Mar 1 00:38:20.726: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/5, changed state to down
*Mar 1 00:38:22.672: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/5, changed state to down
Here, d4be.d92d.1893 is the PC's MAC address.

C. Disconnect the PC from the 871 and wait for errdisable recovery to restore the port:
*Mar 1 00:38:50.715: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Gi2/0/5
*Mar 1 00:38:54.927: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/5, changed state to up
*Mar 1 00:38:54.935: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/5, changed state to up

D. Connect a different, previously unused port of the 871 to Gi2/0/5 on the 3750G. Once the port is stable:
Switch#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
    Gi2/0/5              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

Switch#sh port-security address
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
   1    0019.e75b.1e7c    SecureDynamic                 Gi2/0/5        -
------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

As can be seen, the MAC address of the 871 port used this time, 0019.e75b.1e7c, differs from the MAC address 0019.e75b.1e79 of the 871 port used in step A, yet the port connects normally.
Switch#sh log
*Mar 1 00:46:44.403: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/5, changed state to down
*Mar 1 00:46:46.400: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/5, changed state to down
*Mar 1 00:46:48.405: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/5, changed state to up
*Mar 1 00:46:48.413: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/5, changed state to up
The log messages are also normal.
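The violation and recovery messages recorded in steps B and C are exactly what a monitoring system should alert on. As an added example (not part of the original lab notes), the following Python script parses those syslog lines, normalises the two interface name forms the switch uses in them (Gi2/0/5 in %PM messages versus GigabitEthernet2/0/5 in %PORT_SECURITY and %LINEPROTO messages), and tracks each port's state together with the offending MAC addresses. The sample input is the page's own log lines pasted together as one excerpt; the repeat-violation threshold used to flag a port whose hub is still attached is an assumption.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample input: the syslog lines recorded during steps B and C above,
# pasted together as one excerpt of "show logging" output.
SAMPLE_LOG = """\
*Mar  1 00:38:20.667: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi2/0/5, putting Gi2/0/5 in err-disable state
*Mar  1 00:38:20.718: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address d4be.d92d.1893 on port GigabitEthernet2/0/5.
*Mar  1 00:38:20.726: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/5, changed state to down
*Mar  1 00:38:22.672: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/5, changed state to down
*Mar  1 00:38:50.715: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Gi2/0/5
*Mar  1 00:38:54.927: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/5, changed state to up
*Mar  1 00:38:54.935: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/5, changed state to up
"""

# IOS timestamp prefix, e.g. "*Mar  1 00:38:20.667: "
_TS = r"\*?(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}\.\d{3}): "
# Interface name in either short (Gi2/0/5) or long (GigabitEthernet2/0/5) form
_PORT = r"(?P<port>[A-Za-z]+[\d/]+)"
PATTERNS = {
    "violation": re.compile(
        _TS + r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
        r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port " + _PORT),
    "err_disable": re.compile(
        _TS + r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on " + _PORT),
    "err_recover": re.compile(
        _TS + r"%PM-4-ERR_RECOVER: Attempting to recover from (?P<cause>\S+) "
        r"err-disable state on " + _PORT),
    "lineproto": re.compile(
        _TS + r"%LINEPROTO-5-UPDOWN: Line protocol on Interface " + _PORT
        + r", changed state to (?P<state>up|down)"),
}

_PREFIXES = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi",
             "FastEthernet": "Fa", "Ethernet": "Et"}


def short_ifname(name: str) -> str:
    """Normalise long IOS interface names (GigabitEthernet2/0/5 -> Gi2/0/5)
    so that %PM and %PORT_SECURITY messages for one port share one entry."""
    for long, short in _PREFIXES.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name


@dataclass
class PortState:
    status: str = "up"                  # up | down | err-disabled | recovering
    last_cause: str = ""                # err-disable cause, e.g. psecure-violation
    violations: int = 0                 # number of PSECURE_VIOLATION messages seen
    offending_macs: list = field(default_factory=list)


def parse_port_security_log(text: str) -> dict:
    """Replay the syslog lines and return the resulting state of each port."""
    ports = defaultdict(PortState)
    for line in text.splitlines():
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            st = ports[short_ifname(m.group("port"))]
            if kind == "violation":
                st.violations += 1
                st.offending_macs.append(m.group("mac"))
            elif kind == "err_disable":
                st.status, st.last_cause = "err-disabled", m.group("cause")
            elif kind == "err_recover":
                st.status = "recovering"
            elif kind == "lineproto":
                if m.group("state") == "up":
                    st.status = "up"
                elif st.status == "up":   # a down while err-disabled is expected; keep that label
                    st.status = "down"
            break
    return dict(ports)


def persistent_offenders(ports: dict, threshold: int = 2) -> list:
    """Ports that violated repeatedly: the hub is probably still attached and the
    port is cycling through errdisable recovery, as the summary below describes."""
    return sorted(p for p, s in ports.items() if s.violations >= threshold)


if __name__ == "__main__":
    state = parse_port_security_log(SAMPLE_LOG)
    for port, st in state.items():
        print(f"{port}: {st.status}, {st.violations} violation(s), MACs {st.offending_macs}")
    print("persistent offenders:", persistent_offenders(state))
```

Run as-is, the script reports Gi2/0/5 as back up after one violation by d4be.d92d.1893; feeding it the same excerpt twice (the hub left in place across a recovery cycle) makes the port a persistent offender.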
(IV) Summary
To secure switch port access and prevent users from attaching unauthorized hubs, the following Cisco configuration is required (default parameters not considered):
1. In global configuration mode:
errdisable recovery cause psecure-violation
errdisable recovery interval 30
The recovery interval should be set as appropriate for the actual situation; the range is 30-86400 seconds, i.e. at most 24 hours.
2. In interface configuration mode:
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation shutdown
The first command is mandatory, because port security can only be configured in access mode; without it, the second command cannot be applied.
With this configuration, when a user attaches an unauthorized hub (so that more than the one permitted MAC address appears on the port), the corresponding switch port is placed in the err-disable state. The port attempts to recover at the configured errdisable recovery interval; if the hub is still connected, the port is placed in the err-disable state again, and only after the hub is removed does the port return to its normal state.
When a user swaps PCs, the time to connect is just the port's normal negotiation time; if the port is configured with spanning-tree portfast, the connection is faster. The port's access-security parameters do not prevent a user from swapping PCs, as long as the MAC address count limit is not violated.
IV. DHCP Snooping
--- Global configuration ---
ip dhcp snooping                                --- enable DHCP snooping globally ---
ip dhcp snooping vlan 8                         --- enable DHCP snooping on VLAN 8 ---
ip dhcp snooping database flash:/pool           --- create a database named pool ---
ip dhcp snooping database write-delay 30
ip dhcp snooping database timeout 180
Key points:
- Configure the DHCP Snooping feature on the ES switches that connect the office area and the periphery, and on the ES switches that connect the workshop.
- For end devices that use static IPs, use an ARP ACL to bind each IP to its MAC address; see the IP ARP inspection design.
If an internal PC sets up an unauthorized DHCP server, the other clients are not affected, because the illegitimate DHCP packets are dropped by the ES and cannot be forwarded to other switches.
(I) DHCP Snooping commands on Cisco
In global configuration mode:
ip dhcp snooping ?
  database     DHCP snooping database agent
  information  DHCP Snooping information
  verify       DHCP snooping verify
  vlan         DHCP Snooping vlan
ip dhcp snooping information option is enabled by default.
ip dhcp snooping database ?
  flash2:      Database agent URL
  flash:       Database agent URL
  ftp:         Database agent URL
  http:        Database agent URL
  rcp:         Database agent URL
  tftp:        Database agent URL
  timeout      Configure abort timeout interval           # 0-86400 sec
  write-delay  Configure delay timer for writes to URL    # 15-86400 sec
ip dhcp snooping vlan ?
  WORD  DHCP Snooping vlan first number or vlan range, example: 1,3-5,7,9-11
In interface configuration mode:
ip dhcp snooping ?
  information  DHCP Snooping information
  limit        DHCP Snooping limit
  trust        DHCP Snooping trust config
  vlan         DHCP Snooping vlan
Note: once ip dhcp snooping is enabled globally, all ports are untrusted by default.
(II) Lab environment setup
Simple topology diagram:
[Topology figure: DHCP server A (Cisco 3750) and DHCP server B (Cisco 871) both connect to access switch C (Cisco 3750), to which the PC is connected.]
Notes:
- DHCP server A is set up as the legitimate DHCP server, DHCP server B as the rogue DHCP server.
- Access switch C connects to both DHCP servers.
- The PC connects to access switch C and is set to obtain an IP automatically.
Where:
DHCP server A is a 3750 switch that assigns addresses from 172.16.1.0/24:
Switch(config)#service dhcp                                     // enable the DHCP service (enabled by default)
Switch(config)#ip dhcp pool test-dhcp-pool                      // define the address pool
Switch(dhcp-config)#network 172.16.1.0 /24                      // network and mask the DHCP server assigns from
Switch(dhcp-config)#lease infinite                              // define the lease
Switch(dhcp-config)#exit
Switch(config)#ip dhcp excluded-address 172.16.1.1 172.16.1.5   // excluded address range
Switch(config)#int vlan 1
Switch(config-if)#ip add 172.16.1.1 255.255.255.0
Switch(config-if)#ip dhcp relay information trusted
Switch(config-if)#int g2/0/5                                    // connects to access switch C
Switch(config-if)#ip dhcp relay information trusted
DHCP server B is an 871 router that assigns addresses from 192.168.1.0/24:
Router(config)#service dhcp                                      // enable the DHCP service (enabled by default)
Router(config)#ip dhcp pool test-dhcp-pool                       // define the address pool
Router(dhcp-config)#network 192.168.1.0 /24                      // network and mask the DHCP server assigns from
Router(dhcp-config)#lease infinite                               // define the lease
Router(dhcp-config)#exit
Router(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.5  // excluded address range
Router(config)#int vlan 1
Router(config-if)#ip add 192.168.1.1 255.255.255.0
Access switch C has the following initial configuration:
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
This is only so that the two DHCP servers can be reached by telnet for easier testing; leaving it out does not affect the experiment.
(III) Experiment steps and records
1. PC automatic IP acquisition test
Using the ipconfig /release and ipconfig /renew commands repeatedly to obtain an IP automatically, the IPs obtained are shown in the figure below:
As can be seen, the PC can obtain an IP assigned by DHCP server A and also one assigned by DHCP server B.
2. DHCP Snooping configuration
In global configuration mode:
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 1
Note: the corresponding VLAN must be configured, otherwise DHCP snooping does not take effect.
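Both summaries on this page reduce to a checklist: the per-port lines of section (IV) (access mode, port-security, maximum 1, violation shutdown, plus the global errdisable recovery lines) and the global DHCP snooping lines just shown, where snooping is only effective for VLANs named in ip dhcp snooping vlan. As an added example (not from the original notes), the following Python script reads an IOS running-config excerpt and reports every deviation from that checklist, including an access VLAN missing from the snooping VLAN list, an access port marked trusted, and port-security lines on a port that is not in access mode. The config text, the interface names and the assumption that a port without 'switchport access vlan' sits in VLAN 1 are constructed for the example; the numeric ranges are the ones quoted on the page.

```python
# Constructed sample running-config excerpt (not taken from the page's switches):
# an access switch with the port-security and DHCP snooping lines from the two
# summaries, plus deliberately incomplete ports so the audit has something to report.
SAMPLE_CONFIG = """\
!
ip dhcp snooping
ip dhcp snooping vlan 1,3-5
ip dhcp snooping database flash:/pool
ip dhcp snooping database write-delay 30
ip dhcp snooping database timeout 180
errdisable recovery cause psecure-violation
errdisable recovery interval 30
!
interface GigabitEthernet1/0/1
 description uplink
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet2/0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 spanning-tree portfast
!
interface GigabitEthernet2/0/6
 switchport mode access
 switchport access vlan 8
 switchport port-security
 switchport port-security maximum 1
 ip dhcp snooping trust
!
interface GigabitEthernet2/0/7
 switchport port-security
!
"""

# Interface-level lines the summary requires explicitly (defaults are not relied on).
PORT_SECURITY_REQUIRED = (
    "switchport port-security",
    "switchport port-security maximum 1",
    "switchport port-security violation shutdown",
)
# Accepted ranges quoted on the page: recovery interval 30-86400 s,
# snooping database write-delay 15-86400 s, timeout 0-86400 s.
GLOBAL_RANGES = {
    "errdisable recovery interval": (30, 86400),
    "ip dhcp snooping database write-delay": (15, 86400),
    "ip dhcp snooping database timeout": (0, 86400),
}


def expand_vlan_list(spec: str) -> set:
    """Expand an IOS VLAN list such as '1,3-5,7,9-11' into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_ios_config(text: str):
    """Split a running-config into global lines and {interface name: [indented lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):   # '!' terminates a section
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit_config(text: str) -> list:
    """Return human-readable findings; an empty list means the config matches the checklist."""
    findings = []
    global_lines, interfaces = parse_ios_config(text)
    gset = set(global_lines)
    snoop_vlans = set()
    for line in global_lines:
        if line.startswith("ip dhcp snooping vlan "):
            snoop_vlans |= expand_vlan_list(line[len("ip dhcp snooping vlan "):])
        for prefix, (lo, hi) in GLOBAL_RANGES.items():
            if line.startswith(prefix + " "):
                value = int(line.rsplit(None, 1)[1])
                if not lo <= value <= hi:
                    findings.append(f"global: '{line}' outside {lo}-{hi}")
    if "ip dhcp snooping" not in gset:
        findings.append("global: ip dhcp snooping is not enabled")
    elif not snoop_vlans:
        findings.append("global: ip dhcp snooping enabled but no VLAN listed, so it has no effect")
    if "errdisable recovery cause psecure-violation" not in gset:
        findings.append("global: errdisable recovery cause psecure-violation is missing")
    for name, lines in interfaces.items():
        lset = set(lines)
        is_access = "switchport mode access" in lset
        if any(l.startswith("switchport port-security") for l in lines) and not is_access:
            findings.append(f"{name}: port-security configured but port is not in access mode")
        if not is_access:
            continue
        for req in PORT_SECURITY_REQUIRED:
            if req not in lset:
                findings.append(f"{name}: missing '{req}'")
        if "ip dhcp snooping trust" in lset:
            findings.append(f"{name}: access port is marked DHCP snooping trusted")
        access_vlan = 1          # assumed IOS default when no 'switchport access vlan' line
        for l in lines:
            if l.startswith("switchport access vlan "):
                access_vlan = int(l.rsplit(None, 1)[1])
        if snoop_vlans and access_vlan not in snoop_vlans:
            findings.append(f"{name}: access VLAN {access_vlan} not covered by ip dhcp snooping vlan")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

On the sample config the audit is silent for GigabitEthernet2/0/5 (fully configured) and for the trusted trunk uplink, and reports three findings on GigabitEthernet2/0/6 and one on GigabitEthernet2/0/7; in practice the text would be the output of show running-config pulled from each ES switch.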