一、 DHCP snooping
1.拓扑图:
---备注:GNS无法做该实验,L2IOU能敲命令,但是没有实际效果。
2.操作步骤:
A.交换机开启DHCP功能
Switch(config)#ip dhcp snooping
B. 交换机指定定审查的VLAN
Switch(config)#ip dhcp snooping vlan 10
C.交换机指定授权DHCP服务器对应的端口为可信端口
Switch(config)#interface f0/1
Switch(config-if)#ip dhcp snooping trust
Switch(config-if)#exit
D. DHCP服务器不支持82选项,可以选择信任或者关闭
R1(config)#interface g0/0
R1(config-if)#ip dhcp relay information trusted
R1(config-if)#exit
----交换机82选项见如下所示:
Switch#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface Trusted Rate limit (pps)
------------------------ ------- ----------------
FastEthernet0/1 yes unlimited
Switch#show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:24:C4:94:81:20 10.0.0.3 86227 dhcp-snooping 10 FastEthernet0/2
00:0B:FD:3F:10:A0 10.0.0.4 86322 dhcp-snooping 10 FastEthernet0/3
Total number of bindings: 2
E.交换机 对用户端口的DHCP请求进行流量限制
Switch(config)#interface range f0/2 - 3
Switch(config-if-range)#switchport port-security
Switch(config-if-range)#switchport port-security maximum 2
Switch(config-if-range)#ip dhcp snooping limit rate 2
Switch(config-if-range)#exit
---最后效果:
Switch#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface Trusted Rate limit (pps)
------------------------ ------- ----------------
FastEthernet0/1 yes unlimited
FastEthernet0/2 no 2
FastEthernet0/3 no 2
二、 ARP审查:
1. 基本配置
Switch(config)#ip arp inspection vlan 10
Switch#show ip arp inspection interfaces
Interface Trust State Rate (pps) Burst Interval
--------------- ----------- ---------- --------------
Fa0/1 Untrusted 15 1
Fa0/2 Untrusted 15 1
Fa0/3 Untrusted 15 1
Fa0/4 Untrusted 15 1
Fa0/5 Untrusted 15 1
Switch#show ip arp inspection
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
Vlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
10 Enabled Active
Vlan ACL Logging DHCP Logging
---- ----------- ------------
10 Deny Deny
Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ---------
10 0 0 0 0
Vlan DHCP Permits ACL Permits Source MAC Failures
---- ------------ ----------- -------------------
10 0 0 0
Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
---- ----------------- ---------------------- ---------------------
Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
---- ----------------- ---------------------- ---------------------
10 0 0 0
2. 指定不受arp审查影响的trust端口,
Switch(config)#interface f0/1
Switch(config-if)#ip arp inspection trust
Switch(config-if)#exit
3. 限定端口单位时间内转发Arp数据包的数量
Switch(config)#interface range f0/1 - 4
Switch(config-if-range)#ip arp inspection limit rate 5
Switch(config-if-range)#exit
Switch#sh ip arp inspection interfaces
Interface Trust State Rate (pps) Burst Interval
--------------- ----------- ---------- --------------
Fa0/1 Trusted 5 1
Fa0/2 Untrusted 5 1
Fa0/3 Untrusted 5 1
Fa0/4 Untrusted 5 1
Fa0/5 Untrusted 15 1
Fa0/6 Untrusted 15 1
三、 IP源防护
1. 基于端口的策略,在端口下配置
Switch(config)#interface range f0/1 - 4
Switch(config-if-range)#ip verify source
Switch(config-if-range)#exit
Switch#sh ip verify source
Interface Filter-type Filter-mode IP-address Mac-address Vlan
--------- ----------- ----------- --------------- ----------------- ----------
Fa0/1 ip inactive-trust-port
Fa0/2 ip active 10.0.0.3 10
Fa0/3 ip active 10.0.0.5 10
Fa0/4 ip active deny-all 10
2. 设定IP+MAC的源防护
Switch(config)#interface range f0/1 – 4
Switch(config-if)#switchport port-security
Switch(config-if-range)#ip verify source port-security
Switch(config-if-range)#^Z
Switch#sh ip verify source
Interface Filter-type Filter-mode IP-address Mac-address Vlan
--------- ----------- ----------- --------------- ----------------- ----------
Fa0/1 ip-mac inactive-trust-port
Fa0/2 ip-mac active 10.0.0.3 00:24:C4:94:81:20 10
Fa0/3 ip-mac active 10.0.0.5 00:0B:FD:3F:10:A0 10
Fa0/4 ip-mac active deny-all permit-all 10
3. 静态IP源防护
Switch(config)#ip source binding 0017.5AED.DDF8 vlan 10 10.0.0.40 interface Fa0/4
Switch#show ip verify source
Interface Filter-type Filter-mode IP-address Mac-address Vlan
--------- ----------- ----------- --------------- ----------------- ----------
Fa0/1 ip-mac inactive-trust-port
Fa0/2 ip-mac active 10.0.0.3 00:24:C4:94:81:20 10
Fa0/3 ip-mac active 10.0.0.5 00:0B:FD:3F:10:A0 10
Fa0/4 ip-mac active 10.0.0.40 permit-all 10
四、PVLAN:
1.二层VLAN体系:
A.主VLAN对外可见,适用于和外部设备通信的VLAN号
B.辅助VLAN仅内部可见,用于在VLAN内被按照用户流量特点进行反内部分组
- 团体辅助VLAN:
相同团体VLAN内的成员可以互相通信,但是不能和其他孤立VLAN中的成员通信,也不能和其他团体VLAN中的成员通信。
- 孤立辅助VLAN:
相同孤立VLAN内的成员之间不允许互相通信,也不能和其他孤立VLAN中的成员通信,也不能和其他团体VLAN中的成员通信。
- 混杂端口:
混杂端口属于主VLAN,是主VLAN内部所有用户对外访问的网关。
混杂端口可以根据管理员控制与所有的主VLAN成员或者特定的辅助VLAN中的成员通信,
2.配置步骤:
第一步:交换机改为透明模式
vtp mode transparent
第二步:设定辅助VLAN
Switch(config)#vlan 120
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#quit
第三步:设定主VLAN,并且关联辅助VLAN到主VLAN
Switch(config)#vlan 10
Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#private-vlan association 120
Switch(config-vlan)#exit
第四步:辅助VLAN用户添加
Switch(config)#interface range f0/3 - 4
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 120
第五步:设定混杂端口,并声明混杂端口为那些辅助VLAN服务
Switch(config)#interface f0/5
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 10 add 120
Switch#show vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
10 120 isolated Fa0/3, Fa0/4, Fa0/5
孤立VLAN数量测试:结果是任何一个主VLAN都只能有一个孤立VLAN
Switch(config)#vlan 500
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#exit
Switch(config)#
Switch(config)#vlan 10
Switch(config-vlan)#private-vlan association add 500
%Command rejected: invalid private vlan association between vlan10 and vlan500. Isolated VLAN 120 is already associated with VLAN 10.
3.PVLAN跳跃攻击阻止:
网关设备上增加ACL,防止用户间通过32位主机路由互相通信
access-list 101 permit ip any host 10.0.0.5
access-list 101 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip any any
R5(config)#interface g0/0
R5(config-if)#ip access-group 101 in
利用多层交换的路由功能,在多层交换设备上实现混杂端口:
Switch(config)#ip routing
Switch(config)#interface vlan 10
Switch(config-if)#ip address 10.0.0.5 255.255.255.0
Switch(config-if)#private-vlan mapping 110,120
Switch(config-if)#exit
