華為配置IPSG防止主機私自更改IP地址示例(DHCP Snooping動態綁定)
2022-05-13 14:55:32
- 文件版本 :
組網需求
如圖12-15所示,Host通過Switch_1接入網絡,Switch_2作為DHCP Server為Host動態分配IP地址,Gateway為企業出口網關。管理員希望Host使用動態分配的地址,不允許私自配置靜態IP地址,如果私自指定IP地址將無法訪問網絡。
圖12-15 配置IPSG防止主機私自更改IP地址(DHCP Snooping動態綁定)組網圖
配置思路
采用如下的思路配置IPSG功能,實現上述需求。
在Switch_2上配置DHCP Server功能(假設地址池為10.1.1.0/24),為Host動態分配IP地址。
在Switch_1上配置DHCP Snooping功能,保證Host從合法的DHCP Server獲取IP地址,同時生成DHCP Snooping動態綁定表,記錄Host的IP地址、MAC地址、VLAN、接口的綁定關系。
在Switch_1連接Host的VLAN上使能IPSG功能,防止Host通過私自配置IP地址的方式訪問網絡。
操作步驟
在Switch_2上配置DHCP Server功能
[Switch_2] vlan batch 10
[Switch_2] interface gigabitethernet 1/0/1
[Switch_2-GigabitEthernet1/0/1] port link-type trunk
[Switch_2-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch_2-GigabitEthernet1/0/1] quit
[Switch_2] dhcp enable
[Switch_2] ip pool 10
[Switch_2-ip-pool-10] network 10.1.1.0 mask 24
[Switch_2-ip-pool-10] gateway-list 10.1.1.1
[Switch_2-ip-pool-10] quit
[Switch_2] interface vlanif 10
[Switch_2-Vlanif10] ip address 10.1.1.1 255.255.255.0
[Switch_2-Vlanif10] dhcp select global
[Switch_2-Vlanif10] quit
在Switch_1上配置DHCP Snooping功能
# 配置各接口所屬VLAN。
[Switch_1] vlan batch 10
[Switch_1] interface gigabitethernet 1/0/1
[Switch_1-GigabitEthernet1/0/1] port link-type access[
Switch_1-GigabitEthernet1/0/1] port default vlan 10
[Switch_1-GigabitEthernet1/0/1] quit
[Switch_1] interface gigabitethernet 1/0/2
[Switch_1-GigabitEthernet1/0/2] port link-type access
[Switch_1-GigabitEthernet1/0/2] port default vlan 10
[Switch_1-GigabitEthernet1/0/2] quit
[Switch_1] interface gigabitethernet 1/0/3
[Switch_1-GigabitEthernet1/0/3] port link-type trunk
[Switch_1-GigabitEthernet1/0/3] port trunk allow-pass vlan 10
[Switch_1-GigabitEthernet1/0/3] quit
# 使能DHCP Snooping功能,并將連接DHCP Server的GE1/0/3接口配置為信任接口。
[Switch_1] dhcp enable
[Switch_1] dhcp snooping enable
[Switch_1] vlan 10
[Switch_1-vlan10] dhcp snooping enable
[Switch_1-vlan10] dhcp snooping trusted interface gigabitethernet 1/0/3
在Switch_1的VLAN10上使能IPSG功能
[Switch_1-vlan10] ip source check user-bind enable
[Switch_1-vlan10] quit
驗證配置結果
Host上線后,在Switch_1上執行display dhcp snooping user-bind all命令,可以查看Host的動態綁定表信息。
[Switch_1] display dhcp snooping user-bind allDHCP Dynamic Bind-table: Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping IP Address MAC Address VSI/VLAN(O/I/P) InterfaceLease -------------------------------------------------------------------------------- 10.1.1.254 0001-0001-0001--/10/--GE1/0/12014.08.17-07:31 10.1.1.253 0002-0002-0002--/10/--GE1/0/22014.08.17-07:34 -------------------------------------------------------------------------------- print count:2 total count:2
Host使用DHCP服務器動態分配的IP地址可以正常訪問網絡,將Host更改為與動態獲得的IP地址不一樣的靜態IP地址后無法訪問網絡。
配置文件
Switch_1的配置文件
# sysname Switch_1 # vlan batch 10 # dhcp enable # dhcp snooping enable # vlan 10 dhcp snooping enable dhcp snooping trusted interface GigabitEthernet1/0/3 ip source check user-bind enable # interface GigabitEthernet1/0/1 port link-type access port default vlan 10 # interface GigabitEthernet1/0/2 port link-type access port default vlan 10 # interface GigabitEthernet1/0/3 port link-type trunk port trunk allow-pass vlan 10 # return
Switch_2的配置文件
# sysname Switch_2 # vlan batch 10 # dhcp enable # ip pool 10 gateway-list 10.1.1.1 network 10.1.1.0 mask 255.255.255.0 # interface Vlanif10 ip address 10.1.1.1 255.255.255.0 dhcp select global # interface GigabitEthernet1/0/1 port link-type trunk port trunk allow-pass vlan 10 # return