
After DHCP is set up, clients can still change their IP themselves. What can be done about it?

2015-07-23 15:34  573 views
After setting up the 2003 server, clients obtain IPs normally, but a client can also change its IP by hand and still get online. I have already bound MAC to IP. Is there any way to stop clients from changing their IP? The company uses Cisco routers and switches.

I looked it up: this can be done with dhcp snooping, or with ip source binding together with the ip verify source feature.

The principle is this: using the DHCP server and the switch's dhcp snooping, you can assign a fixed IP address to a particular switch port or a particular MAC, meaning every DHCP request from it gets that same IP address. If a user wants to configure an IP address by hand in order to get online, the only address they can configure is the one the network administrator "wants to assign to them". Configuring some other address is theoretically possible, but once ip source binding and ip verify source are in place, the switch checks this table when forwarding traffic: if traffic arriving on that interface carries a source IP address other than the assigned one, the switch drops it.

In short, what the switch does is: you may configure your own address, but only if it is the address the administrator wants you to use; otherwise the switch won't let you out. That's all there is to it.

Quote: Author: yang_li_ge

I looked it up: this can be done with dhcp snooping, or with ip source binding together with the ip verify source feature.

The principle is this: using the DHCP server and the switch's dhcp snooping, you can assign a fixed IP address to a particular switch port or a particular MAC, meaning every DHCP request from it gets that same IP address. If a user wants to configure an IP address by hand in order to get online, the only address they can configure is the one the network administrator "wants to assign to them". Configuring some other address is theoretically possible, but once ip source binding and ip verify source are in place, the switch checks...

That's not right.

There is no need to fix a separate IP for each MAC.

dhcp snooping and DAI are actually not the same feature.

dhcp snooping is a protective feature: it checks whether a port is allowed to have a DHCP server behind it and how frequently DHCP requests arrive, shutting the port down if the rate is too high. As a by-product of this monitoring it builds a dynamic IP-to-MAC binding table.

DAI monitors ARP broadcasts; plainly put, it is there to deal with ARP spoofing.

Link the two together: DAI reads the binding table produced by DHCP, and a given MAC address may only send ARP broadcasts for the IP address the table maps it to; anything else is dropped. This not only prevents users from setting their own IP, it also blocks ARP spoofing.

This method appeared on this forum long ago; it is said to have come from the guidance of a veteran CCIE. I saw it here in 2006 and it was an eye-opener. The catch is that it needs a 3560 or above; the 3550 can't do it.

version 12.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname phone-main
!
logging buffered 16384 debugging
enable password 7 094F471A1A0A
!
username admin password 7 0207545505035D0B7C
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
aaa session-id common
clock timezone JST 8
vtp mode transparent
!
ip subnet-zero
ip routing
no ip domain-lookup
ip dhcp excluded-address 10.54.156.1 10.54.156.9
ip dhcp excluded-address 10.54.156.129 10.54.156.139
!
ip dhcp pool Data
 network 10.54.156.0 255.255.255.128
 default-router 10.54.156.1
 dns-server 10.54.61.15
 option 242 ascii "L2QVLAN=192,VLANTEST=10"
!
ip dhcp pool Voice
 network 10.54.156.128 255.255.255.192
 default-router 10.54.156.129
 option 242 ascii "MCIPADD=10.54.65.8,HTTPSRVR=10.54.65.15"
!
ip dhcp snooping vlan 128,192
ip dhcp snooping
ip arp inspection vlan 128,192
!
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos srr-queue input bandwidth 90 10
mls qos srr-queue input threshold 1 8 16
mls qos srr-queue input threshold 2 34 66
mls qos srr-queue input buffers 67 33
mls qos srr-queue input cos-map queue 1 threshold 2 1
mls qos srr-queue input cos-map queue 1 threshold 3 0
mls qos srr-queue input cos-map queue 2 threshold 1 2
mls qos srr-queue input cos-map queue 2 threshold 2 4 6 7
mls qos srr-queue input cos-map queue 2 threshold 3 3 5
mls qos srr-queue input dscp-map queue 1 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue input dscp-map queue 1 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue input dscp-map queue 1 threshold 3 32
mls qos srr-queue input dscp-map queue 2 threshold 1 16 17 18 19 20 21 22 23
mls qos srr-queue input dscp-map queue 2 threshold 2 33 34 35 36 37 38 39 48
mls qos srr-queue input dscp-map queue 2 threshold 2 49 50 51 52 53 54 55 56
mls qos srr-queue input dscp-map queue 2 threshold 2 57 58 59 60 61 62 63
mls qos srr-queue input dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue input dscp-map queue 2 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output cos-map queue 1 threshold 3 5
mls qos srr-queue output cos-map queue 2 threshold 3 3 6 7
mls qos srr-queue output cos-map queue 3 threshold 3 2 4
mls qos srr-queue output cos-map queue 4 threshold 2 1
mls qos srr-queue output cos-map queue 4 threshold 3 0
mls qos srr-queue output dscp-map queue 1 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 2 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 2 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 2 threshold 3 56 57 58 59 60 61 62 63
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 4 threshold 1 8
mls qos srr-queue output dscp-map queue 4 threshold 2 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 4 threshold 3 0 1 2 3 4 5 6 7
mls qos queue-set output 1 threshold 1 138 138 92 138
mls qos queue-set output 1 threshold 2 138 138 92 400
mls qos queue-set output 1 threshold 3 36 77 100 318
mls qos queue-set output 1 threshold 4 20 50 67 400
mls qos queue-set output 2 threshold 1 149 149 100 149
mls qos queue-set output 2 threshold 2 118 118 100 235
mls qos queue-set output 2 threshold 3 41 68 100 272
mls qos queue-set output 2 threshold 4 42 72 100 242
mls qos queue-set output 1 buffers 10 10 26 54
mls qos queue-set output 2 buffers 16 6 17 61
mls qos
!
!
!
!
dot1x system-auth-control
no file verify auto
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
spanning-tree vlan 1,192 priority 24576
!
vlan internal allocation policy ascending
!
vlan 128
 name Data
!
vlan 192
 name Voice
!
vlan 224
 name Server
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip arp inspection trust
 ip dhcp snooping trust
!
interface FastEthernet0/1
 switchport access vlan 128
 switchport mode access
 switchport voice vlan 192
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out
 mls qos trust cos
 auto qos voip trust
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x reauthentication
 storm-control broadcast level 10.00
 storm-control multicast level 5.00
 storm-control action shutdown
 spanning-tree portfast
!
...
!
interface FastEthernet0/24
 no switchport
 ip address 192.168.1.18 255.255.255.248
 priority-queue out
 mls qos trust dscp
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip arp inspection trust
 channel-group 1 mode desirable
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip arp inspection trust
 channel-group 1 mode desirable
 ip dhcp snooping trust
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan128
 ip address 10.54.156.2 255.255.255.128
 standby 1 ip 10.54.156.1
 standby 1 preempt
 standby 1 track FastEthernet0/24
!
interface Vlan192
 ip address 10.54.156.130 255.255.255.192
 standby 2 ip 10.54.156.129
 standby 2 priority 110
 standby 2 preempt
 standby 2 track FastEthernet0/24 20
!
interface Vlan224
 ip address 10.54.156.194 255.255.255.224
 standby 3 ip 10.54.156.193
 standby 3 priority 110
 standby 3 preempt
 standby 3 track FastEthernet0/24 20
!
router rip
 version 2
 redistribute connected route-map routeout
 network 192.168.1.0
 no auto-summary
!
ip classless
no ip http server
no ip http secure-server
!
access-list 1 permit 10.54.156.128 0.0.0.63
access-list 1 permit 10.54.156.192 0.0.0.31
access-list 2 permit 10.54.156.0 0.0.0.127
route-map routeout permit 10
 match ip address 1
 set metric 1
!
route-map routeout permit 20
 match ip address 2
 set metric 2
!
radius-server host 10.54.65.15 auth-port 1645 acct-port 1646 key 7 03054D0A1F0E
radius-server source-ports 1645-1646
!
control-plane
!
alias exec c conf t
!
line con 0
line vty 0 4
 password 7 02050D480809
line vty 5 15
!
ntp clock-period 36028972
ntp server 10.54.61.15
end
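As an added illustration (not from the thread and not Cisco code), a small Python model of the three checks the two answers describe: the DHCP snooping binding table, DAI validating ARP against it on untrusted ports, and IP Source Guard (ip verify source) validating the source of data packets. Port names, MAC addresses and leases are constructed; the 10.54.156.x addresses are those of the posted config.

```python
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    """Toy model of a Catalyst access switch running DHCP snooping, DAI and
    IP Source Guard. Constructed for illustration; not real switch code."""
    trusted_ports: set = field(default_factory=set)   # uplinks toward the DHCP server
    bindings: dict = field(default_factory=dict)      # port -> {(vlan, mac, ip), ...}

    def dhcp_lease(self, port, vlan, mac, ip):
        """DHCP snooping: a lease seen for an untrusted access port becomes a binding.
        One entry per host, so a PC (data VLAN) and a phone (voice VLAN) that share
        a port each get their own entry."""
        self.bindings.setdefault(port, set()).add((vlan, mac.lower(), ip))

    def server_msg_dropped(self, port):
        """DHCP snooping discards OFFER/ACK messages arriving on untrusted ports, so
        only the real server behind the trusted uplink can hand out leases."""
        return port not in self.trusted_ports

    def _bound(self, port, vlan, mac, ip):
        return (vlan, mac.lower(), ip) in self.bindings.get(port, set())

    def arp_allowed(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender MAC/IP pair must match a binding;
        trusted ports are not inspected."""
        return port in self.trusted_ports or self._bound(port, vlan, sender_mac, sender_ip)

    def ip_allowed(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: the same test applied to the source of every IP packet,
        which is what actually blocks a manually configured address."""
        return port in self.trusted_ports or self._bound(port, vlan, src_mac, src_ip)


def demo():
    """Constructed scenario: PC and phone on Fa0/1, Po1 is the trusted uplink."""
    sw = SnoopingSwitch(trusted_ports={"Po1"})
    sw.dhcp_lease("Fa0/1", 128, "00:11:22:33:44:55", "10.54.156.20")   # PC, data VLAN
    sw.dhcp_lease("Fa0/1", 192, "00:aa:bb:cc:dd:ee", "10.54.156.140")  # phone, voice VLAN
    return {
        "leased_ip": sw.ip_allowed("Fa0/1", 128, "00:11:22:33:44:55", "10.54.156.20"),
        "static_ip": sw.ip_allowed("Fa0/1", 128, "00:11:22:33:44:55", "10.54.156.99"),
        "gateway_claim": sw.arp_allowed("Fa0/1", 128, "00:11:22:33:44:55", "10.54.156.1"),
        "phone": sw.arp_allowed("Fa0/1", 192, "00:aa:bb:cc:dd:ee", "10.54.156.140"),
        "uplink": sw.arp_allowed("Po1", 128, "00:00:0c:07:ac:01", "10.54.156.1"),
        "rogue_offer_dropped": sw.server_msg_dropped("Fa0/1"),
    }
```

Note that DAI by itself only polices ARP, so a host with a self-assigned address is cut off because its ARP for the gateway never gets through; ip verify source additionally drops the IP packets themselves.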