7112 views · 0 helpful · 4 comments
碧云天 (Spotlight)
This post was last edited by 碧云天 on 2020-4-18 22:31
I. Overview
1. What DAI does

① With DAI, the administrator can designate switch ports as trusted or untrusted:

  • Trusted ports forward any ARP message
  • ARP messages on untrusted ports are subjected to ARP inspection
② The switch performs the following ARP validation:

  • Static ARP inspection: configure a static ARP access control list for a static IP address
  • Dynamic ARP inspection: for DHCP-assigned IP addresses, consult the DHCP snooping binding database
2. DAI configuration steps
① Confirm that DHCP snooping has been enabled and that the binding database is fully populated.
--- DHCP snooping still has to be configured even when there is no DHCP server
② Designate a port as trusted, which means accepting the threat of ARP spoofing on that interface.
--- Trunk interfaces cascading the switches must be configured as trusted
③ All other interfaces are untrusted by default
④ Set an ARP rate limit on each port (optional)
--- prevents ARP scanning
⑤ Configure an ARP access control list mapping static IPs to MACs (optional)
⑥ Adjust the error-disable behaviour.
⑦ Enable ARP inspection in the specific VLANs.
3. Test topology
[topology image: 222857mbx6z32yhxelkiy3.png]
II. Basic configuration
1. DHCPserver
hostname DHCPserver
interface Ethernet0/0
ip address 192.168.10.8 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.254
ip dhcp relay information trust-all
ip dhcp excluded-address 192.168.10.8
ip dhcp excluded-address 192.168.10.254
ip dhcp excluded-address 192.168.20.254
ip dhcp excluded-address 192.168.10.253
ip dhcp excluded-address 192.168.20.253
ip dhcp pool vlan10Pool
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
ip dhcp pool vlan20Pool
network 192.168.20.0 255.255.255.0
default-router 192.168.20.254
2. SW1
hostname SW1
vlan 10
vlan 20
interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface range Ethernet0/1-2
switchport access vlan 10
switchport mode access
spanning-tree portfast
interface Ethernet0/3
switchport access vlan 20
switchport mode access
spanning-tree portfast
interface Vlan10
ip address 192.168.10.253 255.255.255.0
no shutdown
interface Vlan20
ip address 192.168.20.253 255.255.255.0
ip helper-address 192.168.10.8
no shutdown
! Configure DHCP snooping
ip dhcp snooping
clock timezone GMT +8
do clock set 21:05:00 18 Apr 2020
ip dhcp snooping database unix:/dhcp.db
interface range e0/0, e0/2
ip dhcp snooping trust
interface range e0/1, e0/3
ip dhcp snooping limit rate 3
exit
ip dhcp snooping vlan 10,20
3. SW2
hostname SW2
vlan 10
vlan 20
interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
interface Ethernet0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
interface Ethernet0/2
switchport access vlan 20
switchport mode access
spanning-tree portfast
interface Vlan10
ip address 192.168.10.254 255.255.255.0
no shutdown
interface Vlan20
ip address 192.168.20.254 255.255.255.0
ip helper-address 192.168.10.8
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.253
! Configure DHCP snooping
ip dhcp snooping
clock timezone GMT +8
do clock set 21:05:00 18 Apr 2020
ip dhcp snooping database unix:/dhcp.db
interface e0/0
ip dhcp snooping trust
interface range e0/1-2
ip dhcp snooping limit rate 3
exit
ip dhcp snooping vlan 10,20
4. Verification
① Client1 obtains an IP address normally
Client1#show ip int br | in Ethernet0/0
Ethernet0/0 192.168.10.1 YES DHCP up up
Client1#
② Client2 obtains an IP address normally
Client2#show ip int br | in Ethernet0/0
Ethernet0/0 192.168.20.1 YES DHCP up up
Client2#
③ Client3 obtains an IP address normally
Client3#show ip int br | in Ethernet0/0
Ethernet0/0 192.168.10.2 YES DHCP up up
Client3#
④ Client4 obtains an IP address normally
Client4#show ip int br | in Ethernet0/0
Ethernet0/0 192.168.20.2 YES DHCP up up
Client4#
III. Configure ARP inspection on the switches
1. Configure the interconnect link interfaces between the DAI-enabled switches as trusted ports
SW1 and SW2
interface e0/0
ip arp inspection trust
2. Rate-limit ARP on the untrusted ports
SW1 and SW2
interface range E0/1-3
ip arp inspection limit rate 10
3. Configure an ARP ACL that exempts all static hosts on untrusted ports from ARP inspection
SW1
arp access-list xll-ARP-Filter
permit ip host 192.168.10.8 mac host aabb.cc00.4000
ip arp inspection filter xll-ARP-Filter vlan 10
Note: with ip arp inspection filter xll-ARP-Filter vlan 10 static, only the static bindings are checked and the database generated dynamically by DHCP snooping is not consulted.
4. Set the error-disable automatic recovery time for violating ports to 180 seconds
SW1 and SW2
errdisable recovery cause arp-inspection
errdisable recovery interval 180
5. Enable ARP inspection in the specific VLANs
SW1 and SW2
ip arp inspection vlan 10,20
IV. Verification
1. Client1 to Client4 can all ping the DHCPserver
Client1#ping 192.168.10.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.8, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 5/5/5 ms
Client1#
Client2#ping 192.168.10.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Client2#
Client3#ping 192.168.10.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.8, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
Client3#
Client4#ping 192.168.10.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Client4#
2. If the MAC address of the DHCPserver's E0/0 interface is changed manually, SW1 reports errors
DHCPserver(config)#int e0/0
DHCPserver(config-if)#mac
DHCPserver(config-if)#mac?
mac-address mace
DHCPserver(config-if)#mac-a
DHCPserver(config-if)#mac-address 1.1.1
DHCPserver(config-if)#
SW1(config)#
*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/aabb.cc80.2000/192.168.10.254/22:25:04 GMT Sat Apr 18 2020])
*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/aabb.cc80.1000/192.168.10.253/22:25:04 GMT Sat Apr 18 2020])
*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/aabb.cc00.7000/192.168.10.3/22:25:04 GMT Sat Apr 18 2020])
SW1(config)#do sho
*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/aabb.cc00.5000/192.168.10.4/22:25:04 GMT Sat Apr 18 2020])
*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/ffff.ffff.ffff/192.168.10.8/22:25:04 GMT Sat Apr 18 2020])
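The decision path the post describes (trusted port bypass, per-port ARP rate limit with err-disable and recovery, ARP ACL consulted before the DHCP snooping binding database, and the effect of the `static` keyword in the note under step III.3) can be replayed against the lab above. The following is an added example written for this page; it is not code from the original post or from Cisco IOS. Port names, VLANs, the rate limit of 10 and the ARP ACL entry are taken from the post; the client MAC/IP bindings, the one-second rate window and the `DaiSwitch`/`ArpPacket` names are assumptions constructed for the model.

```python
"""Toy model of the DAI decision path summarized in the post.

Added example, not code from the original post or from Cisco IOS. Client
bindings and packet details are constructed to mirror the lab topology.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    port: str        # ingress interface, e.g. "Et0/2"
    vlan: int
    sender_mac: str  # sender hardware address in the ARP body
    sender_ip: str   # sender protocol address in the ARP body
    t: float = 0.0   # arrival time in seconds (drives rate limit and recovery)


@dataclass
class DaiSwitch:
    trusted_ports: set                  # ip arp inspection trust
    inspected_vlans: set                # ip arp inspection vlan ...
    snooping_bindings: set              # (vlan, mac, ip) learned by DHCP snooping
    arp_acls: dict = field(default_factory=dict)  # vlan -> {(mac, ip)} permitted by the arp access-list
    acl_static: set = field(default_factory=set)  # vlans whose filter was applied with 'static'
    rate_limit: int = 15                # ip arp inspection limit rate (IOS default is 15 pps)
    errdisable_interval: float = 180.0  # errdisable recovery interval
    window: dict = field(default_factory=dict, init=False)       # port -> recent arrival times
    errdisabled: dict = field(default_factory=dict, init=False)  # port -> time it was shut

    def inspect(self, pkt: ArpPacket):
        """Return (verdict, reason) for one ARP packet arriving on an interface."""
        # An err-disabled port drops everything until the recovery timer expires.
        shut_at = self.errdisabled.get(pkt.port)
        if shut_at is not None:
            if pkt.t - shut_at < self.errdisable_interval:
                return "DROP", "port err-disabled"
            del self.errdisabled[pkt.port]
        # Trusted ports and VLANs without inspection bypass every check.
        if pkt.port in self.trusted_ports:
            return "FORWARD", "trusted port"
        if pkt.vlan not in self.inspected_vlans:
            return "FORWARD", "vlan not inspected"
        # Rate limit (assumed one-second window): exceeding it err-disables the port.
        recent = [x for x in self.window.get(pkt.port, []) if pkt.t - x < 1.0] + [pkt.t]
        self.window[pkt.port] = recent
        if len(recent) > self.rate_limit:
            self.errdisabled[pkt.port] = pkt.t
            return "DROP", "rate limit exceeded, port err-disabled"
        # The ARP ACL is consulted first; with 'static' its implicit deny is final.
        acl = self.arp_acls.get(pkt.vlan)
        if acl is not None:
            if (pkt.sender_mac, pkt.sender_ip) in acl:
                return "FORWARD", "permitted by arp access-list"
            if pkt.vlan in self.acl_static:
                return "DENY", "implicit deny of static filter"
        # Otherwise fall back to the DHCP snooping binding database.
        if (pkt.vlan, pkt.sender_mac, pkt.sender_ip) in self.snooping_bindings:
            return "FORWARD", "matches DHCP snooping binding"
        return "DENY", "no binding for sender MAC/IP"


# Constructed client binding; the DHCPserver entry mirrors the post's ARP ACL.
CLIENT1 = ("aabb.cc00.1000", "192.168.10.1")


def build_sw1(static=False):
    return DaiSwitch(
        trusted_ports={"Et0/0"},
        inspected_vlans={10, 20},
        snooping_bindings={(10,) + CLIENT1, (20, "aabb.cc00.2000", "192.168.20.1")},
        arp_acls={10: {("aabb.cc00.4000", "192.168.10.8")}},
        acl_static={10} if static else set(),
        rate_limit=10,
    )


def run_lab():
    """Replay the post's scenarios and return {case: verdict}."""
    sw = build_sw1()
    cases = {
        "client1_from_dhcp_binding": ArpPacket("Et0/1", 10, *CLIENT1),
        "dhcpserver_static_acl": ArpPacket("Et0/2", 10, "aabb.cc00.4000", "192.168.10.8"),
        "dhcpserver_changed_mac": ArpPacket("Et0/2", 10, "0001.0001.0001", "192.168.10.8"),
        "anything_on_trunk": ArpPacket("Et0/0", 10, "0001.0001.0001", "192.168.10.8"),
    }
    results = {name: sw.inspect(p)[0] for name, p in cases.items()}
    # With the 'static' keyword a DHCP client is no longer checked against snooping.
    results["client1_with_static_filter"] = build_sw1(static=True).inspect(
        ArpPacket("Et0/1", 10, *CLIENT1))[0]
    return results


def run_rate_limit():
    """Eleven ARPs in one second on Et0/1, then probes at 100 s and 200 s."""
    sw = build_sw1()
    burst = [sw.inspect(ArpPacket("Et0/1", 10, *CLIENT1, t=1.0))[0] for _ in range(11)]
    later = [sw.inspect(ArpPacket("Et0/1", 10, *CLIENT1, t=t))[0] for t in (100.0, 200.0)]
    return burst, later


if __name__ == "__main__":
    for name, verdict in run_lab().items():
        print(f"{name:28} {verdict}")
    print(run_rate_limit())
```

The `dhcpserver_changed_mac` case is the one logged by SW1 at the end of the post: the server keeps its IP but no longer matches the MAC in the ARP ACL, and because the filter was applied without `static` the switch then looks for a snooping binding, finds none for a statically addressed host, and denies the ARP.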
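From the monitoring side, the `%SW_DAI-4-DHCP_SNOOPING_DENY` lines SW1 prints are the evidence worth collecting: each one carries the port, VLAN, and the sender/target MAC and IP of the dropped ARP. The parser below is an added example, not code from the original post; the five sample lines are copied from the post's output above (with the interleaved `SW1(config)#do sho` prompt kept as noise), and the `EXPECTED` table is constructed from the post's ARP ACL entry.

```python
"""Parse %SW_DAI-4-DHCP_SNOOPING_DENY syslog lines and summarize what DAI dropped.

Added example, not code from the original post. SAMPLE_LOG holds the lines
shown in the post; EXPECTED is constructed from its ARP ACL entry.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Fields inside ([...]) are sender MAC / sender IP / target MAC / target IP / time.
DAI_DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>Req|Res)\) "
    r"on (?P<port>[^,]+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-f.]+)/(?P<sip>[0-9.]+)/(?P<tmac>[0-9a-f.]+)/(?P<tip>[0-9.]+)/"
    r"(?P<when>[^\]]+)\]\)"
)

SAMPLE_LOG = [
    "*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/aabb.cc80.2000/192.168.10.254/22:25:04 GMT Sat Apr 18 2020])",
    "*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/aabb.cc80.1000/192.168.10.253/22:25:04 GMT Sat Apr 18 2020])",
    "*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/aabb.cc00.7000/192.168.10.3/22:25:04 GMT Sat Apr 18 2020])",
    "SW1(config)#do sho",
    "*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/aabb.cc00.5000/192.168.10.4/22:25:04 GMT Sat Apr 18 2020])",
    "*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/ffff.ffff.ffff/192.168.10.8/22:25:04 GMT Sat Apr 18 2020])",
]

# IP -> MAC the ARP ACL in the post says this host should have (constructed table).
EXPECTED = {"192.168.10.8": "aabb.cc00.4000"}


@dataclass(frozen=True)
class DaiDeny:
    count: int
    op: str          # "Req" or "Res"
    port: str
    vlan: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str
    when: str


def parse_dai_deny(line):
    """Return a DaiDeny for a DAI deny syslog line, or None for any other line."""
    m = DAI_DENY_RE.search(line)
    if not m:
        return None
    return DaiDeny(int(m["count"]), m["op"], m["port"], int(m["vlan"]),
                   m["smac"], m["sip"], m["tmac"], m["tip"], m["when"])


def summarize(lines):
    """Aggregate denies per (port, vlan): dropped count, Req/Res mix, sender MACs and IPs."""
    out = {}
    for ev in filter(None, map(parse_dai_deny, lines)):
        s = out.setdefault((ev.port, ev.vlan), {"dropped": 0, "ops": Counter(),
                                               "sender_macs": set(), "sender_ips": set()})
        s["dropped"] += ev.count
        s["ops"][ev.op] += 1
        s["sender_macs"].add(ev.sender_mac)
        s["sender_ips"].add(ev.sender_ip)
    return out


def mismatched_senders(lines, expected):
    """(ip, mac) pairs where a denied sender claimed an IP that is bound to a different MAC."""
    return sorted({(ev.sender_ip, ev.sender_mac)
                   for ev in filter(None, map(parse_dai_deny, lines))
                   if ev.sender_ip in expected and expected[ev.sender_ip] != ev.sender_mac})


if __name__ == "__main__":
    for key, stats in summarize(SAMPLE_LOG).items():
        print(key, stats)
    print("mismatched:", mismatched_senders(SAMPLE_LOG, EXPECTED))
```

Run against the post's output, the summary shows every drop on Et0/2 in VLAN 10 with a single sender MAC `0001.0001.0001`, and `mismatched_senders` reports that this MAC is claiming `192.168.10.8`, the address the ACL binds to `aabb.cc00.4000`; that is exactly the manual MAC change the post performed, surfaced from the logs alone.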
Comments
one-time
Level 13
Thanks for sharing, OP, thank you~
suzhouxiaoniu
Spotlight
You have posted a lot of original labs recently, thanks for sharing. May I ask whether these labs were done on the EVE platform?
碧云天
Spotlight
suzhouxiaoniu posted on 2020-4-26 18:05
You have posted a lot of original labs recently, thanks for sharing. May I ask whether these labs were done on the EVE platform?

I'm not a guru, I'm just learning. All of these labs were done with EVE; EVE can run a lot of Layer 2 labs.
weihunter
Spotlight
spanning-tree portfast in a TRUNK configuration???