大学DHCP snooping期末考试内容.docx

DHCPsnooping酉己置10.1.1 项目背景企业局域网有大量用户，局域网内部网络面临着两个风险：计算机病毒的扩散和内部人员的恶意攻击。为了提高网络安全，管理员决定在交换机上使用技术手段，DHCP欺骗，避免合法用户的数据被中间人窃取。10.1.2 项目目的通过本项目可以掌握如下知识点和技能点，同时积累项目经验。配置交换机的DHCPSnooping功能。10.1.3 项目拓扑本拓扑用一台交换机Sl模拟大量的接入层交换机，Sl通过接口G0/0/4上连到DHCPServer（用S2模拟），通过接口G0/0”、G0/0/2连接DHCP客户端USerA和UserB,通过接口G0/0/3连接静态配置IP地址的用户USerC。Sl的接口GO/0/1、G0/0/2、G0/0/3都属于VLAN1,G0/0/4接口是Tnmk接口。10.1.4 项目规划本项目的核心任务是完成接入层交换机的安全配置，为保持项目的完整性，需完成前期准备工作。10.1.5 项目前期准备工作3IVLAN配置：在两个交换机上配置TrUnk,并把接口划分到相应VLAN。步霭？DHCP服务器部署：把S2配置为DHCP服务器。10.1.4.2项目核心任务-完成接入层交换机的安全配置光Sll配置DHCPSnOoPing功能：G0/0/4接口为信任接口，并配置静态绑定表，防止DHCP欺骗。设备接口连接规划表和设备接口IP地址规划表如下。*10-1设备接口连接规划表设备接口接口类型VLAN对端设备及接口SlG00lAccessVLAN1UserAE00lG002AccessVLAN1UserBE00lG003AccessVLAN1UserCE00lG004TrunkS2G00lS2G00lTrunkSlG004UserAE00lSlG00lUserBE00lSlG002UserCE00lSlG003表22设备接口IP地址规划表设备接口TP地址备注SlG00l无G002无G003无G004无S2G00l192.168.1.254/24UserAE00lDHCPUserBE00lDHCPUserCE00l192.168.1.100/24网关：192.168.1.25410.1.5项目实施10.1.5.1项目准备工作弟者IVLAN配置在两个交换机上配置Tnmk,并把接口划分到相应VLAN。在Rl上把接口G0/0/1、G0/0/2、G0/0/3链路类型改为access,G0/0/4链路类型改为trunk。在R2上把接口G0/0/4链路类型改为trunkOSlinterfacegigabitcthernet()/0/1Sl-GigabitEthemetOZOZlportlink-typeaccessS1-GigabitEthemetOZO/1JquitSI!interfacegigabitethcrnct0/0/2S1-GigabitEthemet0()2portlink-typeaccessS1-GigabitEthemet002quitSI!interfacegigabitcthernet0/0/3S1-GigabitEthemetO()3portlink-typeaccessS1-GigabitEthemetO()3quitSI!interfacegigabitethcrnct0/0/4S1-GigabitEthemet004portlink-typetrunkSl-GigabitEthemetOZOMIporttrunkallow-passvlan1S1-GigabitEthemetOZOMJquitS2interfacegigabitcthernet0/0/1Sl-GigabitEthernetOZOZlportlink-typetrunkS2-Gigabi(Ethemet00lporttrunkallow-passvlan1S2-GigabitEthemet001quit步理】DHCP服务器部署把S2配置为DHCP服务器。S2dhcpenable/他能DHCPS2interfaceVlanifl进入某个接口，虚拟接口S2-Vlaniflipaddress192.168.1.254255.255.255.0/旗口配置IP地址/S2-Vlanifldhcpselectinterface/E基于接口的DHCP地址池S2-Vlanifldhcpserverdns-listl.l.l.l/EKdns服务器iUltS2-Vlaniflquit在USerA主机上检查IP地址，如下。USerB主机操作类似。POipconfig1.inklocalIPv6address:fe80:5689:98ff:fe55:7659IPv6address:/128IPv6gateway:IPv4address:192.168.1.253Subnetmask:255.255.255.0Gateway:192.168.1.254Physicaladdress:54-89-98-55-76-59DNSserver:l.l.l.l以上看到已经获取IP地址在USerC主机上检查IP地址，如下。POping192.168.1.254Ping192.168.1.254:32databytes.PressClrl_CtobreakFrom192.168.1.254:byles=32seq=l(tl=255time=32msFrom192.168.1.254:byies=32seq=2tll=255time=32msFrom192.168.1.254:byles=32seq=3ttl=255time=46msFrom192.168.1.254:byles=32seq=4(tl=255time=32msFrom192.168.1.254:byles=32seq=5ttl=255time=62ms一192.168.1.254pingstatistics5packei(s)transmitted5packet(s)received0.00%packetlossround-tripmin/avg/max=32/40/62ms10.152项目核心任务冷值I配置DHCPSnooping功能把Sl的G004接口为信任接口，并在G0/0/3接口配置静态绑定表。G0/0/1-3其他接口为不可信任接口。SIdhcpenableSIdhcpsnoopingenableSlvlan1SI-vlan1dhcpsnoopingenableSIinterfacegigabitethernet0/0/4S1-GigabitEthemetOZOMJdhcpsnoopingtrustedSI-GigabitEthemetOZOMJquitSIuser-bindstaticip-address192.168.1.100mac-add5489-9827-6945interfaceg03vlan1SIinterfaceGigabitEthernetO/O/1S1-GigabitEthemetOZO/1dhcpsnoopingenableSI-GigabitEthemetOZO/1JquitSIJinterfaceGigabitEthernet002SI-GigabitEthernetOO2dhcpsnoopingenableS1-GigabitEthemet002quitSIinterfaceGigabitEthernet003Si-GigabitEthemetOO3dhcpsnoopingenableS1-GigabitEthernetOO3quit10.1.6项目验证10.1.6.1 检查客户计算机IP地址和通信配置UserA、USerB计算机使用动态IP地址，USerC为静态IP(192.168.1.100)o以下是USerA的地址。PCipconfig/renewIPConfiguration1.inklocalIPv6address:fe80:5689:98ff:fe55:7659IPv6address:/128IPv6gateway:IPv4address:192.168.1.248Subnetmask:255.255.255.0Gateway:192,168.1.254Physicaladdress:54-89-98-55-76-59DNSserver:1.1.1.1PC>ping192.168.1.254Ping192.168.1.254:32databytes,PressCtrl_CtobreakFrom192.168.1.254:bytes=32seq=lttl=255time=93msFrom192.168.1.254:bytes=32seq=2ttl=255time=62msFrom192.168.1.254:bytes=32seq=3ttl=255time=63msFrom192.168.1.254:bytes=32seq=4ttl=255time=78msFrom192.168.1.254:bytes=32seq=5ttl=255time=78ms-192.168.1.254pingstatistics-5packet(s)transmitted5packet(s)received0.00%packetlossround-tripmin/avg/max=62/74/93ms以下是USerB的地址。PC>ipconfig/renewIPConfiguration1.inklocalIPv6address:fe80:5689:98ff:fed9:7a30IPv6address:/128IPv6gateway:IPv4address:192.168.1.247Subnetmask:255.255.255.0Gateway:192.168.1.254Physicaladdress:54-89-98-D9-7A-30DNSserver:1.1.1.1PC>ping192.168.1.254Ping192.168.1.254:32databytes,PressCtrl_CtobreakFrom192.168.1.254:bytes=32seq=lttl=255time=32msFrom192.168.1.254:bytes=32seq=2ttl=255time=47msFrom192.168.1.254:bytes=32seq=3ttl=255time=47msFrom192.168.1.254:bytes=32seq=4ttl=255time=47msFrom192.168.1.254:bytes=32seq=5ttl=255time=31ms-192.168.1.254pingstatistics-5packet(s)transmitted5packet(s)received0.00%packetlossround-tripmin/avg/max=31/40/47ms以下是USerC的地址。PCipconfig1.inklocalIPv6address:fe80:5689:98ff:fe27:6945IPv6address:/128IPv6gateway:IPv4address:192.168.1.100Subnetmask:255.255.255.0Gateway:192.168.1.254Physicaladdress:54-89-98-27-69-45DNSserver:PC>ping192.168.1.254Ping192.168.1.254:32databytes.PressClrl_C(obreakFrom192.168.1.254:byles=32seq=lt(l=255lime=63msFrom192.168.1.254:byles=32seq=2(tl=255time=46msFrom192.168.1.254:byles=32seq=3(tl=255time=47msFrom192.168.1.254:byles=32seq=4ttl=255time=31msFrom192.168.1.254:byles=32seq=5(tl=255time=31ms一192.168.1.254pingstatistics一5packet(s)transmitted5packet(s)received0.00%packetlossround-tripmin/avg/max=31/43/63ms10.1.6.2检查DHCPSnooping情况SldisplaydhcpsnoopingDHCPsnoopingglobalrunninginformation:DHCPsnooping:EnableStaticusermaxnumber:1024Currentstaticusernumber:1Dhcpusermaxnumber:1024(default)Currentdhcpusernumber:2Arpdhcp-sningdelect:Disable(default)Alarmthreshold:100(default)Checkdhcp-rae:Disable(default)Dhcp-ratelimii(pps):100(default)Alarmdhcp-raie:Disable(default)Alarmdhcp-raiethreshold:100(default)Discardeddhcppacketsforralelimit:0Bind-tableautosave:Disable(default)Offlineremovemac-address:Disable(default)Clientpositiontransferallowed:Enable(default)DHCPsnoopingrunninginformationforVLAN1:DHCPsnooping:EnableDhcpusermaxnumber:1024(default)Currentdhcpusernumber:2Checkdhcp-giaddr:Disable(default)Checkdhcp-chaddr:Disable(default)Checkdhcp-request:Disable(default)Checkdhcp-raie:Disable(default)DHCPsnoopingrunninginformationforinterfaceGigabitElherne(004:DHCPsnoopingTrustedinterfaceDhcpusermaxnumberCurrenidhcpusernumber:Disable(default):Yes:1024(default):0Checkdhcp-giaddr:Disable(default)Checkdhcp-chaddr:Disable(defiult)Alarmdhcp-chaddr:Disable(default)Checkdhcp-request:Disable(default)Alarmdhcp-request:Disable(default)Checkdhcp-rate:Disable(default)Alarmdhcp-raie:Disable(default)Alarmdhcp-raiethreshold:100Discardeddhcppacketsforralelimit:0Alarmdhcp-reply:Disable(default)Sldisplaydhcpsnoopinguser-bindallDHCPDynamicBind-table:FIagszO-outervlan.1-innervlan,P-mapvlanIPAddressMACAddressVSIVLAN(OIP)InterfaceLease192.168.1.2485489-9855-76591/-/-GE0/0/12020.04.27-14:56192.168.1.2475489-98d9-7a301/-/-GE0022020.04.27-14:57printcount:2totalcount:2SIdisplaydhcpstaticuser-bindalDHCPstaticBind-table:FIagszO-outervlan,1-innervlan,PI-mapvlanIPAddressMACAddressVSIVLAN(OIP)Interface192.168.1.1005489-9827-69451/-Z-GE003printcount:1totalcount:1Sldisplaydhcpsnoopingvlan1DHCPsnoopingrunninginformationforVLAN1DHCPsnooping:EnableDhcpusermaxnumber:1024(default)Currentdhcpusernumber:2Checkdhcp-giaddrDisable(default)Checkdhcp-chaddrDisable(default)Checkdhcp-requestDisable(default)Checkdhcp-rateDisable(default)SIdisplaydhcpsnoopinginterfaceGigabitEthernet0/0/1DHCPsnoopingrunninginIbrmationforinterlaceGigabitElhernetOZOZl:DHCPsnooping:EnableTrustedinterface:NoDhcpusermaxnumber:1024(default)Currentdhcpusernumber:1Checkdhcp-giaddr:Disable(default)Checkdhcp-chaddr:Disable(default)Alarmdhcp-chaddr:Disable(default)Checkdhcp-request:Disable(default)Alarmdhcp-request:Disable(default)Checkdhcp-rate:Disable(default)Alarmdhcp-raie:Disable(default)Alarmdhcp-raiethreshold:100Discardeddhcppacketsforralelimit:0Alarmdhcp-reply:Disable(default)SldisplaydhcpsnoopinginterfaceGigabitEthernet0/0/4DHCPsnoopingrunninginformationforinterfaceGigabitElherne(004:DHCPsnooping:Disable(default)Trustedinterface:YesDhcpusermaxnumber:1024(default)Currentdhcpusernumber:0Checkdhcp-giaddr:Disable(default)Checkdhcp-chaddr:Disable(default)Alarmdhcp-chaddr:Disable(default)Checkdhcp-request:Disable(default)Alarmdhcp-request:Disable(default)Checkdhcp-rae:Disable(default)Alarmdhcp-raie:Disable(default)Alarmdhcp-raiethreshold:100Discardeddhcppacketsforralelimit:0Alanndhcp-reply:Disable(default)