企业网络实验dhcp-snooping、ip source check,防非法dhcp服务器、自动获取ip(虚拟机充当DHCP服务器)、禁手动修改IP
文章目录
- 需求
- 相关配置
- 互通性配置
- 配置vmware虚拟机(dhcp)分配IP服务
- 配置dhcp relay(dhcp中继)
- 配置dhcp-snooping(防非法dhcp服务器)
- 配置ip source check(禁手动修改IP)
- DHCP中继(核心交换机)配置文件
需求
- DHCP服务器:vmware虚拟机(dhcp),IP:192.168.5.254 ,可分配192.168.5.X、192.168.10.X、192.168.11.X三个网段的IP
- DHCP中继:华为三层交接机s5700,配置vlan 5、10、11,其中g 0/0/1为dhcp信任接口,g 0/0/10开启dhcp-snooping(防非法dhcp服务器)、ip source check(防非dhcp获取的IP,手动修改IP,数据报文丢弃处理)
- 接入交接机当傻瓜交换机用,不作任何配置。
- PC10:可自动不可手动IP
- PC11:可自动可手动IP
相关配置
互通性配置
- cloud云彩桥接配置
详见:https://blog.csdn.net/xzzteach/article/details/140390519 - DHCP中继交接机(核心交换机)配置
vlan batch 5 10 to 11int vlanif 5
ip address 192.168.5.254 24int vlanif 10
ip address 192.168.10.254 24int vlanif 11
ip address 192.168.11.254 24
int g 0/0/1
port link-type access
port default vlan 5int g 0/0/10
port link-type access
port default vlan 10int g 0/0/11
port link-type access
port default vlan 11
此时192.168.5.253、192.168.5.254、192.168.10.254、192.168.11.254,ping是互通的
配置vmware虚拟机(dhcp)分配IP服务
vim /etc/dhcp/dhcpd.conf
内容如下:
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
option domain-name "test.com";
option domain-name-servers 192.168.200.113, 192.168.200.114;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;###网段声明
subnet 192.168.5.0 netmask 255.255.255.0 {range dynamic-bootp 192.168.5.51 192.168.5.199; #ip地址池#option domain-name-servers ns1.internal.example.org;#option domain-name "internal.example.org";option routers 192.168.5.254; # 为客户端设定默认网关option broadcast-address 192.168.5.255; #为客户端设定广播地址#default-lease-time 600;#max-lease-time 7200;
}###网段声明
subnet 192.168.10.0 netmask 255.255.255.0 {range dynamic-bootp 192.168.10.51 192.168.10.199; #ip地址池#option domain-name-servers ns1.internal.example.org;#option domain-name "internal.example.org";option routers 192.168.10.254; # 为客户端设定默认网关option broadcast-address 192.168.10.255; #为客户端设定广播地址#default-lease-time 600;#max-lease-time 7200;
}###网段声明
subnet 192.168.11.0 netmask 255.255.255.0 {range dynamic-bootp 192.168.11.51 192.168.11.199; #ip地址池#option domain-name-servers ns1.internal.example.org;#option domain-name "internal.example.org";option routers 192.168.11.254; # 为客户端设定默认网关option broadcast-address 192.168.11.255; #为客户端设定广播地址#default-lease-time 600;#max-lease-time 7200;
}host pc_deepin { #指定需要分配固定IP地址的客户机名称hardware ethernet 00:0C:29:25:D4:C6; #指定网卡接口类型和MAC地址fixed-address 192.168.5.1; #分配给客户端一个固定的地址server-name "deepin.test.com";#分配给客户端一个计算机名
}
配置dhcp relay(dhcp中继)
- 开启开局dhcp relay
int Vlanif5
dhcp select relay
dhcp relay server-ip 192.168.5.253
#
int Vlanif10
dhcp select relay
dhcp relay server-ip 192.168.5.253
#
int Vlanif11
dhcp select relay
dhcp relay server-ip 192.168.5.253
此时PC10、PC11均能获取到IP
配置dhcp-snooping(防非法dhcp服务器)
- 开启开局dhcp snooping
#
dhcp enable
#
dhcp snooping enable
-配置snooping
int g 0/0/10
dhcp snooping enable
- 设置信任接口
int g 0/0/1
dhcp snooping trusted
配置ip source check(禁手动修改IP)
int g 0/0/10
arp anti-attack check user-bind enable
ip source check user-bind enable
dhcp snooping check dhcp-chaddr enable
- 检验:自动IP
ipconfig /release
ipconfig /renew
ipconfig
- 检验:手动IP
- 查看DHCP中继user-bind
dis dhcp snooping user-blind all
DHCP中继(核心交换机)配置文件
#
sysname Huawei
#
vlan batch 5 10 to 11
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
dhcp enable
#
dhcp snooping enable
#
diffserv domain default
#
drop-profile default
#
aaaauthentication-scheme defaultauthorization-scheme defaultaccounting-scheme defaultdomain defaultdomain default_adminlocal-user admin password simple adminlocal-user admin service-type http
#
interface Vlanif1
#
interface Vlanif5ip address 192.168.5.254 255.255.255.0dhcp select relaydhcp relay server-ip 192.168.5.253
#
interface Vlanif10ip address 192.168.10.254 255.255.255.0dhcp select relaydhcp relay server-ip 192.168.5.253
#
interface Vlanif11ip address 192.168.11.254 255.255.255.0dhcp select relaydhcp relay server-ip 192.168.5.253
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1port link-type accessport default vlan 5dhcp snooping trusted
#
interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10port link-type accessport default vlan 10arp anti-attack check user-bind enableip source check user-bind enabledhcp snooping enabledhcp snooping check dhcp-chaddr enable
#
interface GigabitEthernet0/0/11port link-type accessport default vlan 11dhcp snooping enable
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return