Tuesday, May 24, 2011

IP DHCP Snooping + IP Source Guard + ARP Snooping

IP DHCP Snooping on VLAN1 
config:
(conf)#ip dhcp snooping
(conf)#ip dhcp snooping vlan 1
(conf)#ip dhcp snooping database flash:dhcp-snooping
(conf)#ip dhcp snooping information option

(On the interface connected to the DHCP server, mark it as a DHCP snooping trusted port)
(conf-int)#ip dhcp snooping trust

(On the interfaces connected to clients, enable DHCP snooping rate limiting)
(conf-int)#ip dhcp snooping limit rate 100

IP Source Guard + DHCP IP Binding check
config:
(conf-int)#switchport mode access
(conf-int)#switchport access vlan 1
(conf-int)#ip verify source

IP Source Guard + DHCP IP&Mac address binding check
config:
(conf-int)#switchport mode access
(conf-int)#switchport access vlan 1
(conf-int)#ip verify source port-security

IP Source Guard static + IP&Mac address&Interface binding check
config:
(conf)#ip source binding 001d.7286.48ac vlan 1 192.168.168.20 interface gigabitethernet 0/1

show:
--Static and dynamic binding
(View the automatic DHCP snooping bindings and the manual IP Source Guard bindings)
#show ip source binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1D:72:86:48:AC   192.168.168.20   infinite static                1 GE 0/10
00:04:76:C6:A0:03   192.168.168.22   683222  dhcp-snooping   1 GE 0/5
00:04:76:AB:EC:6C   192.168.168.23   684066  dhcp-snooping   1 GE 0/6
00:04:76:9C:CA:46   192.168.168.21   683080  dhcp-snooping   1 GE 0/7
Total number of bindings: 4

#show ip verify source
(View the DHCP snooping / IP Source Guard comparison state and result per interface)
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi0/5      ip               inactive-no-snooping-vlan
Gi0/6      ip               inactive-no-snooping-vlan
Gi0/7      ip               active       permit-all                                     1
Gi0/8      ip               active       deny-all                                        1
Gi0/9      ip-mac        inactive-no-snooping-vlan
Gi0/10     ip-mac       active       192.168.168.20   permit-all           1 
Gi0/11     ip-mac       active       deny-all               deny-all              1
Gi0/12     ip-mac       inactive-no-snooping-vlan

IP ARP Snooping
config:
(conf)#ip arp inspection vlan 1
(conf)#ip arp inspection validate src-mac dst-mac ip

(On the interface connected to the DHCP server, mark it as an ARP inspection trusted port)
(conf-int)#ip arp inspection trust

(On the interfaces connected to clients, enable ARP inspection rate limiting)
(conf-int)#ip arp inspection limit rate 100

(Create a global ARP inspection ACL whitelist for static hosts)
(conf)#ip arp inspection filter white-list vlan 1
(conf)#arp access-list white-list
(conf-arp-nacl)#permit ip host 192.168.168.20 mac host 001d.7286.48ac

(Set automatic recovery of interfaces that entered the errdisable state)
(conf)#errdisable recovery cause arp-inspection
(conf)#errdisable recovery interval 30

show:
#show ip arp inspection vlan 1
(View the ARP inspection configuration state)
Source Mac Validation      : Enabled
Destination Mac Validation : Enabled
IP Address Validation      : Enabled

Vlan     Configuration    Operation   ACL Match          Static ACL
----     -------------    ---------   ---------          ----------
    1     Disabled         active    white-list         No

Vlan     ACL Logging      DHCP Logging      Probe Logging
----     -----------      ------------      -------------
    1     Deny             Deny              Off  

#show ip arp inspection interfaces
(View the ARP inspection trust mode and permitted ARP rate per interface)
 Interface        Trust State     Rate (pps)    Burst Interval
---------------  -----------     ----------    --------------
Gi0/9            Untrusted               15                 1
Gi0/10           Untrusted               15                 1
Gi0/11           Untrusted               15                 1
Gi0/12           Untrusted               15                 1
Gi0/13           Untrusted              100                 1
Gi0/14           Untrusted              100                 1
Gi0/15           Untrusted              100                 1
Gi0/16           Untrusted              100                 1
Gi0/17           Untrusted               15                 1
Gi0/18           Trusted               None               N/A
Gi0/19           Untrusted               15                 1
Gi0/20           Untrusted               15                 1

#show errdisable recovery
(View the enabled errdisable recovery causes and the timer interval)
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Enable
bpduguard                    Disabled
channel-misconfig            Disabled
dhcp-rate-limit              Disabled
dtp-flap                     Disabled
gbic-invalid                 Disabled
inline-power                 Disabled
link-flap                    Disabled
mac-limit                    Disabled
loopback                     Disabled
pagp-flap                    Disabled
port-mode-failure            Disabled
psecure-violation            Disabled
security-violation           Disabled
sfp-config-mismatch          Disabled
small-frame                  Disabled
storm-control                Disabled
udld                         Disabled
vmps                         Disabled

Timer interval: 30 seconds

#sh interfaces status err-disabled
(View the interfaces that entered the errdisable state and the reason)
Port      Name               Status       Reason               Err-disabled Vlans
Gi0/14                       err-disabled arp-inspection
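The show tables above are where the protection silently stops working: a port whose VLAN has no DHCP snooping shows "inactive-no-snooping-vlan" and checks nothing, a port with no binding shows "deny-all" and drops all host traffic, and a DAI trusted port bypasses inspection entirely. The following audit script is an added example, not the blog's own script or a Cisco tool. It parses constructed copies of the page's "show ip verify source", "show ip arp inspection interfaces" and "show interfaces status err-disabled" output (the column layout is assumed from that output and may differ on other IOS releases) and reports these states for both the IP Source Guard and the ARP inspection sections.

```python
"""Audit IOS 'show' tables for gaps in IP Source Guard and Dynamic ARP Inspection.

Added example, not the blog's own script or a Cisco tool. The sample tables
below are constructed copies of the page's output; column positions are
assumed from that output and may differ on other IOS releases.
"""

# Constructed sample: 'show ip verify source' as shown on the page.
SHOW_IP_VERIFY_SOURCE = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi0/5      ip               inactive-no-snooping-vlan
Gi0/6      ip               inactive-no-snooping-vlan
Gi0/7      ip               active       permit-all                                     1
Gi0/8      ip               active       deny-all                                        1
Gi0/9      ip-mac        inactive-no-snooping-vlan
Gi0/10     ip-mac       active       192.168.168.20   permit-all           1
Gi0/11     ip-mac       active       deny-all               deny-all              1
Gi0/12     ip-mac       inactive-no-snooping-vlan
"""

# Constructed sample: abridged 'show ip arp inspection interfaces'.
SHOW_ARP_INSPECTION_INTERFACES = """\
 Interface        Trust State     Rate (pps)    Burst Interval
---------------  -----------     ----------    --------------
Gi0/9            Untrusted               15                 1
Gi0/10           Untrusted               15                 1
Gi0/13           Untrusted              100                 1
Gi0/18           Trusted               None               N/A
"""

# Constructed sample: 'show interfaces status err-disabled'.
SHOW_ERRDISABLED = """\
Port      Name               Status       Reason               Err-disabled Vlans
Gi0/14                       err-disabled arp-inspection
"""

DAI_DEFAULT_RATE_PPS = 15          # IOS default ARP rate limit on untrusted ports
PORT_PREFIXES = ("Gi", "Fa", "Te")  # interface name prefixes we treat as port rows


def _port_lines(text):
    """Yield whitespace-split rows that begin with an interface name."""
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith(PORT_PREFIXES):
            yield fields


def audit_source_guard(text):
    """Classify each port of 'show ip verify source'.

    NOT_ENFORCED : filter inactive (e.g. VLAN has no DHCP snooping); nothing is checked
    BLOCKING_ALL : filter active but no binding exists; all host traffic is dropped
    PERMIT_ALL   : filter active but every source IP is allowed
    IP_ONLY      : IP bound, but the MAC column is permit-all (no secure MAC learned)
    ENFORCED     : IP (and MAC, for an ip-mac filter) bound
    """
    findings = {}
    for fields in _port_lines(text):
        iface, ftype, mode, rest = fields[0], fields[1], fields[2], fields[3:]
        if mode.startswith("inactive"):
            state = "NOT_ENFORCED"
        elif not rest:
            state = "UNKNOWN"  # active row with no IP/MAC columns; inspect by hand
        elif rest[0] == "deny-all":
            state = "BLOCKING_ALL"
        elif rest[0] == "permit-all":
            state = "PERMIT_ALL"
        elif ftype == "ip-mac" and len(rest) > 1 and rest[1] == "permit-all":
            state = "IP_ONLY"
        else:
            state = "ENFORCED"
        findings[iface] = state
    return findings


def audit_arp_inspection(intf_text, errdisable_text):
    """Return (port, tag, detail) items worth reviewing for DAI."""
    items = []
    for fields in _port_lines(intf_text):
        iface, trust, rate = fields[0], fields[1], fields[2]
        if trust == "Trusted":
            # ARP on a trusted port is never checked against the binding table.
            items.append((iface, "TRUSTED_BYPASS", "confirm this is the DHCP server/uplink port"))
        elif int(rate) > DAI_DEFAULT_RATE_PPS:
            items.append((iface, "RATE_RAISED", f"{rate} pps, above the {DAI_DEFAULT_RATE_PPS} pps default"))
    for fields in _port_lines(errdisable_text):
        if "err-disabled" in fields:
            reason = fields[fields.index("err-disabled") + 1]
            items.append((fields[0], "ERR_DISABLED", reason))
    return items


if __name__ == "__main__":
    for iface, state in sorted(audit_source_guard(SHOW_IP_VERIFY_SOURCE).items()):
        print(f"{iface:8} {state}")
    for port, tag, detail in audit_arp_inspection(SHOW_ARP_INSPECTION_INTERFACES, SHOW_ERRDISABLED):
        print(f"{port:8} {tag:15} {detail}")
```

Run against the page's tables it reports Gi0/5, Gi0/6, Gi0/9 and Gi0/12 as NOT_ENFORCED (their VLAN is not in the "ip dhcp snooping vlan" list), Gi0/8 and Gi0/11 as BLOCKING_ALL (no DHCP or static binding yet), Gi0/10 as IP_ONLY, Gi0/18 as the single DAI trusted port, and Gi0/14 as err-disabled by arp-inspection, which the 30-second recovery timer configured above will re-enable.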
