How to Use Switch and Port Settings to Manage DHCP (1)(4)
IV. Application Example
Student Dormitory No. 1 of our school has roughly 1000 PCs. IP addresses are assigned by DHCP from four Class C address blocks, giving about 1000 usable addresses. Rogue DHCP servers are frequently set up inside the building, so large numbers of hosts cannot obtain a legitimate IP address; in addition, a considerable number of hosts have statically configured IP addresses, which conflict with the addresses handed out by DHCP. Both problems left many hosts in the dormitory unable to access the network.
After a period of analysis and testing, we decided to deploy two technologies in this dormitory, DHCP Snooping and Dynamic ARP Inspection, to keep the network running normally.
The dormitory's network equipment is as follows: at the access layer, ×× Cisco 2950 switches uplink to a stack of four Cisco 3750s, which uplink over fiber to the Cisco 3750 at the distribution layer. The distribution-layer Cisco 3750 also acts as the DHCP server.
Deployment process
First, configure DHCP Snooping as follows:
- configure terminal
- ip dhcp snooping: enable DHCP Snooping in global configuration mode
- ip dhcp snooping vlan 103: enable DHCP Snooping on VLAN 103
- ip dhcp snooping information option: enable the switch to insert and remove DHCP relay information (the option-82 field) in DHCP request messages forwarded to the DHCP server. The default is enabled.
- interface GigabitEthernet1/0/28: enter port 28 of the switch
- ip dhcp snooping trust: set port 28 as a trusted port
- ip dhcp snooping limit rate 500: set the upper limit on DHCP packets processed per second
- end: exit
After the configuration is complete, the following command shows the DHCP Snooping status:
- show ip dhcp snooping
which produces the following output:
- Switch DHCP snooping is enabled
- DHCP snooping is configured on following VLANs:
- 103
- Insertion of option 82 is enabled
- Verification of hwaddr field is enabled
- Interface Trusted Rate limit (pps)
- ------------------------ ------- ----------------
- GigabitEthernet1/0/22 yes unlimited
- GigabitEthernet1/0/24 yes unlimited
- GigabitEthernet1/0/27 yes unlimited
- GigabitEthernet1/0/28 no 500
- show ip dhcp snooping binding, which produces the following output:
- MacAddress IpAddress Lease(sec) Type VLAN Interface
- ------------------ --------------- ---------- -----------
- 00:11:09:11:51:16 210.77.5.201 3209 dhcp-snooping 103 GigabitEthernet1/0/28
- 00:50:8D:63:5A:05 210.77.6.134 2466 dhcp-snooping 103 GigabitEthernet1/0/28
- 00:E0:4C:A17:80 210.77.4.26 3070 dhcp-snooping 103 GigabitEthernet1/0/28
- 00:0F:EA:A8:BC:22 210.77.5.198 1887 dhcp-snooping 103 GigabitEthernet1/0/28
- 10:E0:8C:50:805 210.77.5.95 3034 dhcp-snooping 103 GigabitEthernet1/0/28
- 00:03:0D:0E:9A:A5 210.77.6.230 3144 dhcp-snooping 103 GigabitEthernet1/0/28
- 00:50:8D:6C:08:9F 210.77.4.17 3012 dhcp-snooping 103 GigabitEthernet1/0/28
- 00:E0:50:00:0B:54 210.77.6.18 3109 dhcp-snooping 103 GigabitEthernet1/0/28
- 00:0F:EA:13:40:54 210.77.7.7 2631 dhcp-snooping 103 GigabitEthernet1/0/28
- 00:E0:4C:45:21:E9 210.77.7.77 2687 dhcp-snooping 103 GigabitEthernet1/0/28
- --More--
Next, configure Dynamic ARP Inspection:
- show cdp neighbors: check the connections between the switches
- Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
- S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
- Device ID Local Intrfce Holdtme Capability Platform Port ID
- ap Gig 1/0/23 149 T AIR-AP1230Fas 0
- hall-3750 Gig 1/0/27 135 S I WS-C3750-2Gig 1/0/1
- #west-3750 Gig 1/0/28 173 S I WS-C3750G-Gig 1/0/25
- configure terminal: enter global configuration mode
- ip arp inspection vlan 103: enable Dynamic ARP Inspection on VLAN 103
- interface GigabitEthernet1/0/28: enter port 28
- ip arp inspection trust: set the port as a trusted port
- The switch does not check ARP packets that it receives from the other switch on the trusted interface. It simply forwards the packets.
- end
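To make the DAI decision concrete, here is an added Python example (not code from the article or from Cisco): it parses a `show ip dhcp snooping binding` table like the one shown above into records and then applies the DAI rule to individual ARP packets. Packets arriving on a trusted port are forwarded unchecked, as the note above says; all others are permitted only if their sender MAC, IP and VLAN match an ARP ACL entry or a snooping binding. The table rows and ARP packets are constructed, and the `arp_acl` parameter is an assumed stand-in for `arp access-list` permit entries, which hosts with statically configured addresses need because they never appear in the snooping table.

```python
import re
from dataclasses import dataclass

# Constructed sample: three rows re-typed from the article's
# `show ip dhcp snooping binding` output, with column spacing restored.
SNOOPING_BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ---------------------
00:11:09:11:51:16   210.77.5.201     3209        dhcp-snooping  103   GigabitEthernet1/0/28
00:50:8D:63:5A:05   210.77.6.134     2466        dhcp-snooping  103   GigabitEthernet1/0/28
00:0F:EA:A8:BC:22   210.77.5.198     1887        dhcp-snooping  103   GigabitEthernet1/0/28
 --More--
"""


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    interface: str


# One binding row: MAC, IP, lease seconds, type, VLAN, interface.
BINDING_ROW = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<lease>\d+)\s+"
    r"(?P<type>\S+)\s+(?P<vlan>\d+)\s+(?P<iface>\S+)$"
)


def parse_bindings(text):
    """Return Binding records; header, separator and --More-- lines are skipped."""
    bindings = []
    for line in text.splitlines():
        m = BINDING_ROW.match(line.strip())
        if m:
            bindings.append(Binding(m["mac"].upper(), m["ip"], int(m["lease"]),
                                    int(m["vlan"]), m["iface"]))
    return bindings


def inspect_arp(sender_mac, sender_ip, vlan, interface, bindings,
                trusted=frozenset(), arp_acl=frozenset()):
    """Decide what DAI does with one ARP packet (simplified model).

    trusted: interfaces configured with `ip arp inspection trust`.
    arp_acl: assumed (mac, ip, vlan) triples standing in for `arp access-list`
             permit entries for hosts with statically set addresses.
    Returns "forward" (trusted port, no check), "permit" or "deny".
    Simplification: only MAC/IP/VLAN are compared; the binding's interface is
    not enforced (that is IP Source Guard's job, not DAI's).
    """
    if interface in trusted:
        return "forward"
    key = (sender_mac.upper(), sender_ip, vlan)
    if key in {(m.upper(), i, v) for m, i, v in arp_acl}:
        return "permit"
    if any((b.mac, b.ip, b.vlan) == key for b in bindings):
        return "permit"
    return "deny"


if __name__ == "__main__":
    table = parse_bindings(SNOOPING_BINDING_OUTPUT)
    # Constructed ARP packets: a leased host, a host claiming someone else's
    # leased IP, and a statically addressed host seen without and with an ACL entry.
    packets = [
        ("00:11:09:11:51:16", "210.77.5.201", 103, "Gi1/0/5"),
        ("00:AA:BB:CC:DD:EE", "210.77.5.201", 103, "Gi1/0/5"),
        ("00:AA:BB:CC:DD:EE", "210.77.7.200", 103, "Gi1/0/5"),
    ]
    for pkt in packets:
        print(pkt, inspect_arp(*pkt, table))
    print(packets[2], inspect_arp(*packets[2], table,
                                  arp_acl={("00:AA:BB:CC:DD:EE", "210.77.7.200", 103)}))
```

The third packet is the case the article describes: a host with a static IP is invisible to DHCP Snooping, so DAI drops its ARP traffic (the "DHCP Logging: Deny" shown later in `show ip arp inspection vlan 103`) until an ARP ACL entry is added for it.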
After the configuration is complete, the following commands show the operating status of Dynamic ARP Inspection:
- show arp access-list [acl-name] Displays detailed information about ARP ACLs.
- show ip arp inspection interfaces [interface-id] Displays the trust state and the rate limit of ARP packets for the specified interface or all interfaces.
- Interface Trust State Rate (pps) Burst Interval
- --------------- ----------- ---------- --------------
- Gi1/0/21 Untrusted 15 1
- Gi1/0/22 Trusted None N/A
- Gi1/0/23 Untrusted 15 1
- Gi1/0/24 Trusted None N/A
- Gi1/0/25 Untrusted 15 1
- Gi1/0/26 Untrusted 15 1
- Gi1/0/27 Trusted None N/A
- Gi1/0/28 Untrusted None N/A
- show ip arp inspection vlan vlan-range: displays the configuration and the operating state of dynamic ARP inspection for all VLANs configured on the switch, for a specified VLAN, or for a range of VLANs.
- yql-2#-3750#sh ip arp inspection vlan 103
- Source Mac Validation : Disabled
- Destination Mac Validation : Disabled
- IP Address Validation : Disabled
- Vlan Configuration Operation ACL Match Static ACL
- ---- ------------- --------- --------- ----------
- 103 Enabled Active
- Vlan ACL Logging DHCP Logging
- ---- ----------- ------------
- 103 Deny Deny
Notes:
- DHCP Snooping
  - Before configuring DHCP Snooping, you must confirm which device acts as the DHCP server.
  - It is recommended that the rate limit on untrusted ports not exceed 100. For trunk ports that are set as trusted, the limit needs to be raised appropriately.
- Dynamic ARP Inspection
  - The number of ARP packets processed on trunk ports must be limited.
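As an added check (example code, not from the article), the following Python script parses the three outputs shown above (`show cdp neighbors`, `show ip dhcp snooping` and `show ip arp inspection interfaces`) and applies the rules from the notes: a port facing another switch (CDP capability S) must be trusted for both DHCP Snooping and DAI and must carry an ARP rate limit, and an untrusted port should not have a DHCP rate limit above 100 pps. The sample outputs are constructed by re-typing the article's tables with the column spacing restored; the finding codes and the `audit` function are this example's own. Run against them, the script flags GigabitEthernet1/0/28, the link to west-3750, which the outputs list as untrusted with a 500 pps limit even though the configuration steps above trust it, so the state is worth re-checking after configuring.

```python
import re

# Constructed samples re-typed from the article's outputs (column spacing
# restored; device and interface names are the article's own).
CDP_NEIGHBORS = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID        Local Intrfce     Holdtme    Capability  Platform    Port ID
ap               Gig 1/0/23        149        T           AIR-AP1230  Fas 0
hall-3750        Gig 1/0/27        135        S I         WS-C3750-   Gig 1/0/1
#west-3750       Gig 1/0/28        173        S I         WS-C3750G-  Gig 1/0/25
"""
DHCP_SNOOPING = """\
Interface                  Trusted    Rate limit (pps)
------------------------   -------    ----------------
GigabitEthernet1/0/22      yes        unlimited
GigabitEthernet1/0/24      yes        unlimited
GigabitEthernet1/0/27      yes        unlimited
GigabitEthernet1/0/28      no         500
"""
DAI_INTERFACES = """\
Interface        Trust State     Rate (pps)    Burst Interval
---------------  -----------     ----------    --------------
Gi1/0/21         Untrusted       15            1
Gi1/0/22         Trusted         None          N/A
Gi1/0/23         Untrusted       15            1
Gi1/0/24         Trusted         None          N/A
Gi1/0/25         Untrusted       15            1
Gi1/0/26         Untrusted       15            1
Gi1/0/27         Trusted         None          N/A
Gi1/0/28         Untrusted       None          N/A
"""

IF_NAME = re.compile(r"^([A-Za-z]+)\s*([\d/.]+)$")
CDP_ROW = re.compile(r"^(?P<dev>\S+)\s+(?P<ltype>[A-Za-z]+)\s+(?P<lport>[\d/.]+)\s+"
                     r"(?P<hold>\d+)\s+(?P<caps>(?:[A-Za-z]\s+)+)(?P<rest>.*)$")
SNOOP_ROW = re.compile(r"^(\S+)\s+(yes|no)\s+(unlimited|\d+)$")
DAI_ROW = re.compile(r"^(\S+)\s+(Trusted|Untrusted)\s+(None|\d+)\s+(N/A|\d+)$")


def short_if(name):
    """Normalise 'Gig 1/0/28', 'GigabitEthernet1/0/28' and 'Gi1/0/28' to 'Gi1/0/28'."""
    m = IF_NAME.match(name.strip())
    if not m:
        raise ValueError("unrecognised interface name: %r" % name)
    return m.group(1)[:2] + m.group(2)


def parse_cdp(text):
    """Map local interface -> (neighbour device id, set of capability letters)."""
    out = {}
    for line in text.splitlines():
        m = CDP_ROW.match(line.strip())
        if m:
            out[short_if(m["ltype"] + m["lport"])] = (m["dev"], set(m["caps"].split()))
    return out


def parse_snooping(text):
    """Map interface -> (trusted?, DHCP rate limit in pps, None = unlimited)."""
    out = {}
    for line in text.splitlines():
        m = SNOOP_ROW.match(line.strip())
        if m:
            limit = None if m.group(3) == "unlimited" else int(m.group(3))
            out[short_if(m.group(1))] = (m.group(2) == "yes", limit)
    return out


def parse_dai(text):
    """Map interface -> (trusted?, ARP rate limit in pps, None = no limit)."""
    out = {}
    for line in text.splitlines():
        m = DAI_ROW.match(line.strip())
        if m:
            rate = None if m.group(3) == "None" else int(m.group(3))
            out[short_if(m.group(1))] = (m.group(2) == "Trusted", rate)
    return out


def audit(cdp_text, snoop_text, dai_text, max_untrusted_pps=100):
    """Apply the notes' rules; returns (interface, finding code, detail) tuples."""
    neighbours = parse_cdp(cdp_text)
    snoop, dai = parse_snooping(snoop_text), parse_dai(dai_text)
    findings = []
    for iface, (dev, caps) in sorted(neighbours.items()):
        if "S" not in caps:          # only links to other switches count as uplinks here
            continue
        # `show ip dhcp snooping` lists only explicitly configured ports; an
        # unlisted port is untrusted with no limit, which the default models.
        s_trusted, _ = snoop.get(iface, (False, None))
        d_trusted, d_rate = dai.get(iface, (False, None))
        if not s_trusted:
            findings.append((iface, "dhcp-uplink-untrusted", dev))
        if not d_trusted:
            findings.append((iface, "dai-uplink-untrusted", dev))
        if d_rate is None:
            findings.append((iface, "dai-uplink-no-rate-limit", dev))
    for iface, (trusted, limit) in sorted(snoop.items()):
        if not trusted and (limit is None or limit > max_untrusted_pps):
            findings.append((iface, "dhcp-untrusted-limit-too-high", limit))
    return findings


if __name__ == "__main__":
    for iface, finding, detail in audit(CDP_NEIGHBORS, DHCP_SNOOPING, DAI_INTERFACES):
        print("%-10s %-32s %s" % (iface, finding, detail))
```

An untrusted uplink is the finding that matters most: DHCP Snooping drops server replies (OFFER/ACK) that arrive on an untrusted port, so if the real DHCP server sits beyond that link, clients behind the switch lose service exactly as if a rogue server were blocking them.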