Huawei X7 Series Switch: Using DHCP Snooping to Force Terminals to Obtain Addresses Automatically Before Accessing the Network
Configuration case: using DHCP snooping to force users to obtain addresses automatically before accessing the network
1. Application scenario
The customer requires that intranet users must obtain their IP addresses from the DHCP server; a manually configured IP address must be invalid and unable to access the network. This prevents users from changing IPs at will and causing network storms, and also makes management easier.
The customer's network is fairly small, just a few switches, connected over fiber to the headquarters at another location. The switches are S3700-28TP-EI. When I learned of the customer's requirement I had no confidence at all: I had never configured this on a Huawei switch and had only heard that it was done with DHCP snooping. So I looked up documentation everywhere and made phone calls, finally calling the vendor's service manager and the 800 after-sales hotline. They all told me that the first time a PC connects to the network it must obtain an address from the DHCP server, and a manually set IP cannot access the network; but afterwards, because the switch has already learned that PC's MAC, manually configuring an address in the same subnet would also let it access the network. I followed the DHCP snooping steps in the configuration manual, and the result was indeed exactly what the vendor had said.
At that point the customer said this was not acceptable; to meet their requirement, every access had to go through DHCP. As it happened, the customer knew an engineer who does Huawei maintenance. After I called him, he told me to add one IP packet check command; I then ran an access test and it really did meet the customer's requirement. The configuration process for this case is described in detail below.
2. Network topology
Two VLANs are configured on the access switch, VLAN 4 and VLAN 5. VLAN 4 carries the cascade (uplink) address towards headquarters, and VLAN 5 is the service VLAN for end users; DHCP relay is configured on service VLAN 5.
3. Configuration steps
(1) Enable DHCP snooping (the VLAN configuration and the DHCP relay configuration are omitted)
[Quidway] dhcp enable
[Quidway] dhcp snooping enable
(2) Configure DHCP snooping on the user-facing ports (the cascade port needs no configuration)
[Quidway] interface Ethernet0/0/2
[Quidway-Ethernet0/0/2] dhcp snooping enable
(3) Configure the IP packet check function on the user-facing port
[Quidway-Ethernet0/0/2] ip source check user-bind enable
This command checks the DHCP snooping IP address binding table: packets whose IP address matches an entry in the binding table are forwarded to the network, and packets without a matching entry are dropped. This is the key configuration in this case.
(4) With the main configuration done, when no terminal is connected, or a terminal connects with a manually configured IP, `display user-bind all` shows the following IP address binding entries:
display user-bind all
 bind-table:
 Flags: O - outer vlan, I - inner vlan, P - map vlan
 ifname          vsi   O/I/P-vlan   mac-address      ip-address    tp  lease
 ------------------------------------------------------------------------------
 ------------------------------------------------------------------------------
 Static bind item count: 0
 Static bind item total count: 0
That is, the address binding table is empty, so the terminal's IP is illegal, all of its packets are dropped and it cannot access the network.
(5) After changing the terminal's address type to automatic, check the binding entries again:
display user-bind all
 bind-table:
 Flags: O - outer vlan, I - inner vlan, P - map vlan
 ifname          vsi   O/I/P-vlan   mac-address      ip-address    tp  lease
 ------------------------------------------------------------------------------
 Ethernet0/0/2   --    5/--/--      0001-0002-0003   10.1.1.1      S   0
 ------------------------------------------------------------------------------
 Static bind item count: 1
 Static bind item total count: 1
Now the address the terminal obtained automatically has been added to the DHCP snooping binding table, the address is legal, and its packets are forwarded.
4. Configuration summary
This case combines DHCP snooping automatic binding with the ip source check user-bind function: an automatically obtained IP address becomes a legal address, while a manually set IP is never added to the DHCP snooping binding table and therefore stays illegal. This achieves the requirement that a terminal must obtain its address automatically before it can access the network.
5. Configuration document
The detailed implementation document for this case is as follows:
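The following is an added example, not part of the original document: a small Python model of the two features the summary combines. A DHCP snooping binding is created only when a DHCP ACK arrives on a trusted port for a client that sent a request on an untrusted port, and `ip source check user-bind` forwards a packet on a checked port only when its port, VLAN, MAC and IP all match a binding. Interface names, the MAC 0001-0002-0003 and the IP 10.1.1.1 are taken from the case; the class and method names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ifname: str
    vlan: int
    mac: str
    ip: str


class SnoopingSwitch:
    """Constructed model of a DHCP snooping binding table plus
    'ip source check user-bind' on the user-facing ports."""

    def __init__(self, trusted, checked):
        self.trusted = set(trusted)    # uplink ports: dhcp snooping trusted
        self.checked = set(checked)    # access ports: ip source check user-bind enable
        self.pending = {}              # mac -> (ifname, vlan) of the client's request
        self.bindings = {}             # (ifname, vlan, mac) -> Binding

    def dhcp_request(self, ifname, vlan, mac):
        """A DISCOVER/REQUEST from a client port: remember where the client sits."""
        self.pending[mac] = (ifname, vlan)

    def dhcp_ack(self, ifname, mac, ip):
        """An ACK creates a binding only if it arrives on a trusted port;
        an ACK on an untrusted port is treated as a rogue server and ignored."""
        if ifname not in self.trusted or mac not in self.pending:
            return False
        cli_if, vlan = self.pending.pop(mac)
        self.bindings[(cli_if, vlan, mac)] = Binding(cli_if, vlan, mac, ip)
        return True

    def forward_ip(self, ifname, vlan, mac, ip):
        """Checked port: forward only when port/VLAN/MAC/IP match a binding.
        A MAC the switch has merely learned is not enough: the IP must match too."""
        if ifname not in self.checked:
            return True
        entry = self.bindings.get((ifname, vlan, mac))
        return entry is not None and entry.ip == ip

    def display_user_bind(self):
        """Rows in the column order of 'display user-bind all'."""
        return [(b.ifname, b.vlan, b.mac, b.ip) for b in self.bindings.values()]


if __name__ == "__main__":
    sw = SnoopingSwitch(trusted=["Ethernet0/0/1"], checked=["Ethernet0/0/2"])
    print(sw.forward_ip("Ethernet0/0/2", 5, "0001-0002-0003", "10.1.1.1"))  # False: table empty
    sw.dhcp_request("Ethernet0/0/2", 5, "0001-0002-0003")
    sw.dhcp_ack("Ethernet0/0/1", "0001-0002-0003", "10.1.1.1")
    print(sw.forward_ip("Ethernet0/0/2", 5, "0001-0002-0003", "10.1.1.1"))  # True: bound
```

The walk-through at the bottom reproduces steps (4) and (5) of the case; a hand-set address on the same MAC still fails the check after the binding exists, which is the behaviour the vendor hotline said plain DHCP snooping would not give.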
!Software Version V100R005C01SPC100
 sysname Quidway
#
 vlan batch 4 to 5 200
#
 stp enable
#
 cluster enable
 ntdp enable
 ntdp hop 16
 ndp enable
#
 dhcp enable
 dhcp snooping enable
#
 undo http server enable
#
 drop illegal-mac alarm
#
dhcp server group 1
#
dhcp server group 1
 dhcp-server 10.228.0.140
 dhcp-server 10.228.0.31
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher ^`0_][]`B4UQC-&C&"^8CQ!!
 local-user admin privilege level 3
 local-user admin service-type telnet terminal
#
interface Vlanif1
 ip address dhcp-alloc
#
interface Vlanif4
 ip address 10.228.254.202 255.255.255.252
#
interface Vlanif5
 ip address 10.229.95.254 255.255.255.0
 dhcp select relay
 dhcp relay server-select 1
#
interface Vlanif200
 ip address 2.2.2.1 255.255.255.0
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 4 to 5 200
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping trusted
#
interface Ethernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 4 to 5 200
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping trusted
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/4
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/5
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/6
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/7
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/8
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/9
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/10
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/11
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/12
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/13
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/14
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/15
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/16
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/17
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/18
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/19
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/20
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/21
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/22
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/23
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/24
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 4
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/2
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/3
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/4
 ntdp enable
 ndp enable
 bpdu enable
#
interface NULL0
#
ip route-static 10.0.0.0 255.0.0.0 10.228.254.201
#
snmp-agent
snmp-agent local-engineid 000007DB7F00000100006C8C
snmp-agent sys-info version v3
#
user-interface con 0
 authentication-mode aaa
 idle-timeout 0 0
user-interface vty 0 4
 authentication-mode aaa
#
return