2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
1 Experimental topology diagram
2 DHCP Snooping
2.1 Basic DHCP Snooping configuration:
C2960#show running-config
Building configuration...
!
ip dhcp snooping vlan 10
ip dhcp snooping
!
interface FastEthernet0/1
 description -Connected to DHCP_Server-
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping trust
!
interface FastEthernet0/10
 description -Connected to PC1-
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
2.2 Verify the DHCP Snooping effect:
1. First, the PC can obtain an IP address normally through DHCP:
2. Then verify the DHCP Snooping effect on C2960:
C2960#show ip dhcp snooping
C2960#show ip dhcp snooping binding
Note: this binding table is critical; it is the basis for the IPSG and DAI checks that follow.
2.3 Extended DHCP Snooping configuration:
(1) Specify where the DHCP Snooping binding database is stored
Note: if you want to write to an external database, you must first write to the local database; otherwise it will not succeed.
C2960(config)# ip dhcp snooping database flash:/dhcp-snooping.db
01:00:28: %DHCP_SNOOPING-4-DHCP_SNOOPING_DATABASE_FLASH_WARNING: Saving DHCP snooping bindings to flash can fill up your device causing the writes of bindings to device, to fail.
01:00:29: %DHCP_SNOOPING-4-NTP_NOT_RUNNING: NTP is not running; reloaded binding lease expiration times are incorrect.
01:00:29: %DHCP_SNOOPING-6-AGENT_OPERATION_SUCCEEDED: DHCP snooping database Write succeeded.
(2) Limit the rate at which the port accepts DHCP packets
C2960(config)# interface f0/10
C2960(config-if)# ip dhcp snooping limit rate 20
(3) Handling of DHCP option 82
1. Turn off option 82
C2960(config)# no ip dhcp snooping information option
C2960#show ip dhcp snooping
2. Allow DHCP messages carrying option 82 to be accepted on untrusted interfaces
C2960(config)# ip dhcp snooping information option allow-untrusted
C2960#show ip dhcp snooping
3 IP Source Guard
3.1 Basic IPSG configuration:
C2960#show running-config interface f0/10
Building configuration...
Current configuration : 423 bytes
!
interface FastEthernet0/10
 description -Connected to PC1-
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 54ee.7535.bb02 vlan access
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source port-security
 ip dhcp snooping limit rate 20
end
3.2 Verify the IPSG effect:
1. An IPSG binding table is formed on the switch
C2960#show ip verify source
C2960#show ip source binding
At this point the PC can communicate with the outside world normally.
Note: in testing, if PC1 is changed to a manually set IP (still 10.1.10.11), the DHCP Snooping binding table on the 2960 disappears immediately, and the IPSG binding table disappears with it, leaving PC1 unable to communicate with the outside world.
3.3 Extended IPSG configuration:
(1) Manually configure an IPSG binding table entry
C2960(config)# ip source binding AAAA.BBBB.CCCC vlan 10 10.1.10.100 interface Fa0/5
C2960#show ip source binding
4 Dynamic ARP Inspection
4.1 Basic DAI configuration:
C2960#show running-config
Building configuration...
!
interface FastEthernet0/1
 description -Connected to DHCP_Server-
 switchport access vlan 10
 switchport mode access
 ip arp inspection trust
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping trust
!
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
4.2 Verify the DAI effect:
C2960#show ip arp inspection
C2960#show ip arp inspection interface f0/1
4.3 Extended DAI configuration:
(1) Limit the rate at which the port accepts ARP packets
C2960(config)# interface fastEthernet 0/10
C2960(config-if)# ip arp inspection limit rate 20
(2) Configure an ARP access control list. This is mainly for hosts with statically configured IP addresses and is equivalent to a manual IP-to-MAC mapping.
C2960(config)# arp access-list TEST
C2960(config-arp-nacl)# permit ip host 10.1.10.20 mac host aaaa.bbbb.cccc
C2960(config)# ip arp inspection filter TEST vlan 10
C2960#show ip arp inspection vlan 10
(3) Configure automatic recovery of ports that DAI has put into err-disable
C2960(config)# errdisable recovery cause arp-inspection
C2960(config)# errdisable recovery interval 60
C2960#show errdisable recovery
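As an added illustration (not code from this article or from Cisco), the following Python parses `show ip dhcp snooping binding` output like the table from section 2.2 and then applies a simplified version of the DAI decision configured above (trusted port, `validate src-mac dst-mac ip`, and the `TEST` ARP ACL as static entries) to constructed ARP frames. The binding output sample, the packet dictionary layout and the order in which ACL entries and bindings are consulted are assumptions.

```python
import ipaddress
import re

# Constructed sample of `show ip dhcp snooping binding` output (not from the page); the
# MAC, VLAN and port match the PC1 entry in the article's configuration.
SNOOP_BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
54:EE:75:35:BB:02   10.1.10.11       86400       dhcp-snooping  10    FastEthernet0/10
Total number of bindings: 1
"""
BIND_RE = re.compile(r"^([0-9A-Fa-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\s+\S+\s+(\d+)\s+(\S+)")

def norm_mac(mac):
    """Normalise '54:EE:75:35:BB:02' or 'aaaa.bbbb.cccc' to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_bindings(text):
    """Map (vlan, ip) -> mac from the binding table output; header/footer lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = BIND_RE.match(line)
        if m:
            mac, ip, vlan, _iface = m.groups()
            table[(int(vlan), ip)] = norm_mac(mac)
    return table

# Static pairs, the same role as `arp access-list TEST` applied with `ip arp inspection filter`.
ARP_ACL = {(10, "10.1.10.20"): norm_mac("aaaa.bbbb.cccc")}
TRUSTED_PORTS = {"FastEthernet0/1"}          # `ip arp inspection trust` on the server port

def bad_ip(ip):
    """The `validate ip` check: 0.0.0.0, broadcast and multicast addresses are never valid."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.ip_address(ip).is_multicast

def dai_verdict(pkt, bindings, acl=ARP_ACL, trusted=TRUSTED_PORTS):
    """Simplified DAI decision for one ARP frame with `validate src-mac dst-mac ip`."""
    if pkt["in_port"] in trusted:
        return "forward (trusted port)"
    if bad_ip(pkt["spa"]) or (pkt["op"] == "reply" and bad_ip(pkt["tpa"])):
        return "drop (invalid ip)"
    if pkt["sha"] != pkt["eth_src"]:               # validate src-mac: ARP sender vs Ethernet source
        return "drop (src-mac mismatch)"
    if pkt["op"] == "reply" and pkt["tha"] != pkt["eth_dst"]:   # validate dst-mac (replies only)
        return "drop (dst-mac mismatch)"
    key = (pkt["vlan"], pkt["spa"])
    expected = acl.get(key) or bindings.get(key)   # ACL entries first, then DHCP snooping bindings
    if expected == pkt["sha"]:
        return "forward"
    return "drop (no matching binding)"
```

A frame that fails the binding check is exactly the kind of event that, on the switch, raises the DAI drop counters shown by `show ip arp inspection` and can trip the port into err-disable once the `limit rate` is exceeded.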
Final configuration of C2960:
C2960#show running-config
Building configuration...
Current configuration : 3001 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname C2960
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
!
!
ip dhcp snooping vlan 10
ip dhcp snooping
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
ip arp inspection filter TEST vlan 10
!
!
errdisable recovery cause arp-inspection
errdisable recovery interval 60
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
 description -Connected to DHCP_Server-
 switchport access vlan 10
 switchport mode access
 ip arp inspection trust
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping trust
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
 description -Connected to PC1-
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 54ee.7535.bb02 vlan access
 ip arp inspection limit rate 20
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source port-security
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface FastEthernet0/25
!
interface FastEthernet0/26
!
interface FastEthernet0/27
!
interface FastEthernet0/28
!
interface FastEthernet0/29
!
interface FastEthernet0/30
!
interface FastEthernet0/31
!
interface FastEthernet0/32
!
interface FastEthernet0/33
!
interface FastEthernet0/34
!
interface FastEthernet0/35
!
interface FastEthernet0/36
!
interface FastEthernet0/37
!
interface FastEthernet0/38
!
interface FastEthernet0/39
!
interface FastEthernet0/40
!
interface FastEthernet0/41
!
interface FastEthernet0/42
!
interface FastEthernet0/43
!
interface FastEthernet0/44
!
interface FastEthernet0/45
!
interface FastEthernet0/46
!
interface FastEthernet0/47
!
interface FastEthernet0/48
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 no ip route-cache
!
interface Vlan10
 ip address 10.1.10.254 255.255.255.0
!
ip http server
ip http secure-server
ip source binding AAAA.BBBB.CCCC vlan 10 10.1.10.100 interface Fa0/5
!
arp access-list TEST
 permit ip host 10.1.10.20 mac host aaaa.bbbb.cccc
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end
C2960#