1、华为X7交换机DHCP SNOOPING强制终端自动获取地址接入网络应用DHCP SNOOPING强制用户自动获取地址接入网络配置案例一、应该场景介绍客户要求内网用户必须强制性通过DHCP服务器获取IP地址,自己手工设置的IP地址无效不能接入网络,防止用户乱改IP引起网络风暴,同时也方便管理。客户网络比较小,就几台交换机,通过光纤连入另外地方的总部,交换机用的是S3700-28TP-EI,了解到客户需求时,我心里没底,从来没在华为的交换机上配置过,只是听说通过DHCP SNOOPING来实现,于是到处查资料,打电话,最后打电话询问厂家服务经理,还有800售后电话,他们都告诉我,电脑第一次接入网
2、络必须通过DHCP服务器获取地址接入网络,手工设置的IP无法接入网络,但是之后由于交换机已经学习到了此电脑的MAC,之后用手工配置相同网段的地址也可以接入网络;按照配置手册上DHCP SNOOPING的步骤调试,结果果然是和厂家说的一样。这时客户说不行要达到他们的要求,必须是每次都只能通过DHCP接入网络,正好客户认识一个做华为维保的工程师,打电话过去后,告诉我加了一条IP报文检查命令,然后做接入实验,真的就达到了客户提的要求,下面就详细介绍此案例配置过程。二、网络环境拓扑图接入交换机上配置2个VLAN,VLAN4、VLAN5;VLAN4配置级联地址接入总部,VLAN5是终端用户的业务VLAN
3、;在业务VLAN5上配置DHCP中继。三、配置步骤1、开启DHCP SNOOPING(VLAN的配置过程和DHCP中继配置省略)Quidwaydhcp enableQuidwaydhcp snooping enable2、在业务端口上配置DHCP SNOOPING(级联端口不用做任何配置)Quidway interface Ethernet 0/0/2Quidway-Ethernet0/0/2 dhcp snooping enable3、在业务端口上配置IP报文检查功能Quidway-Ethernet0/0/2ip source check user-bind enable这条命令式是检查dh
4、cp snooping ip地址绑定表,和绑定表里面的IP地址匹配的数据就转发访问网络,没有则丢弃,这个就是此案例中最关键的配置。4、主要配置完成,没有终端接入或者使用手工配置的IP接入时,使用display user-bind all查看绑ip地址定表项会显示以下内容display user-bind allbind-table:Flags:O - outer vlan ,I - inner vlan ,P - map vlanifnamevsi O/I/P-vlan mac-address ip-address tp lease-Static binditem count: 0 Stati
5、c binditem total count: 0就是说地址绑定表示空的,终端的IP是非法的,所有数据都会被丢弃,访问不了网络。5、将终端获取地址类型改成自动获取后,再查看绑定表项display user-bind allbind-table:Flags:O - outer vlan ,I - inner vlan ,P - map vlanifnamevsi O/I/P-vlan mac-address ip-address tp lease-Ethernet0/0/2 - 5 /-/- 0001-0002-0003 10.1.1.1 S 0-Static binditem count: 1
6、 Static binditem total count: 1这时候终端自动获取的地址自动加进DHCP SNOOPING绑定表里面,地址是合法的,数据转发。四、配置总结本案例实际上是结合dhcp snooping自动绑定和ip source check user-bind功能让自动获取的IP地址成为合法地址,手工设置的IP不会自动加进dhcp snooping绑定表里面成为非法地址,从而实现了终端必须通过自动获取地址才能接入网络的功能。五、配置文档此案例详细实施文档如下:!Software Version V100R005C01SPC100sysnameQuidway#vlan batch 4
7、 to 5 200#stp enable#cluster enablentdp enablentdp hop 16ndp enable#dhcp enabledhcp snooping enable#undo http server enable#drop illegal-mac alarm#dhcp server group 1#dhcp server group 1dhcp-server 10.228.0.14 0 dhcp-server 10.228.0.3 1#aaaauthentication-scheme defaultauthorization-scheme defaultacc
8、ounting-scheme defaultdomain defaultdomaindefault_adminlocal-user admin password cipher 0_B4UQC-&C&8CQ!local-user admin privilege level 3local-user admin service-type telnet terminal#interface Vlanif1ip address dhcp-alloc#interface Vlanif4ip address 10.228.254.202 255.255.255.252#interface Vlanif5ip
9、 address 10.229.95.254 255.255.255.0dhcp select relaydhcp relay server-select 1# interface Vlanif200ip address 2.2.2.1 255.255.255.0#interface Ethernet0/0/1port link-type trunkport trunk allow-pass vlan 4 to 5 200ntdp enablendp enablebpdu enabledhcp snooping trusted#interface Ethernet0/0/2port link-
10、type trunkport trunk allow-pass vlan 4 to 5 200ntdp enablendp enablebpdu enabledhcp snooping trusted#interface Ethernet0/0/3port link-type accessport default vlan 5ntdp enable ndp enablebpdu enabledhcp snooping enabledhcp snooping alarm dhcp-reply enable threshold 120port-isolate enable group 1ip so
11、urce check user-bind enable#interface Ethernet0/0/4port link-type accessport default vlan 5ntdp enablendp enablebpdu enabledhcp snooping enabledhcp snooping alarm dhcp-reply enable threshold 120port-isolate enable group 1ip source check user-bind enable#interface Ethernet0/0/5port link-type accesspo
12、rt default vlan 5ntdp enablendp enable bpdu enabledhcp snooping enabledhcp snooping alarm dhcp-reply enable threshold 120port-isolate enable group 1ip source check user-bind enable#interface Ethernet0/0/6port link-type accessport default vlan 5ntdp enablendp enablebpdu enabledhcp snooping enabledhcp
13、 snooping alarm dhcp-reply enable threshold 120port-isolate enable group 1ip source check user-bind enable#interface Ethernet0/0/7port link-type accessport default vlan 5ntdp enablendp enablebpdu enable dhcp snooping enabledhcp snooping alarm dhcp-reply enable threshold 120port-isolate enable group
14、1ip source check user-bind enable#interface Ethernet0/0/8port link-type accessport default vlan 5ntdp enablendp enablebpdu enabledhcp snooping enabledhcp snooping alarm dhcp-reply enable threshold 120port-isolate enable group 1ip source check user-bind enable#interface Ethernet0/0/9port link-type ac
15、cessport default vlan 5ntdp enablendp enablebpdu enabledhcp snooping enable dhcp snooping alarm dhcp-reply enable threshold 120port-isolate enable group 1ip source check user-bind enable#interface Ethernet0/0/10port link-type accessport default vlan 5ntdp enablendp enablebpdu enabledhcp snooping ena
16、bledhcp snooping alarm dhcp-reply enable threshold 120port-isolate enable group 1ip source check user-bind enable#interface Ethernet0/0/11port link-type accessport default vlan 5ntdp enablendp enablebpdu enabledhcp snooping enabledhcp snooping alarm dhcp-reply enable threshold 120port-isolate enable
17、 group 1ip source check user-bind enable#interface Ethernet0/0/12port link-type accessport default vlan 5ntdp enablendp enablebpdu enabledhcp snooping enabledhcp snooping alarm dhcp-reply enable threshold 120port-isolate enable group 1ip source check user-bind enable#interface Ethernet0/0/13port lin
18、k-type accessport default vlan 5ntdp enablendp enablebpdu enabledhcp snooping enabledhcp snooping alarm dhcp-reply enable threshold 120port-isolate enable group 1 ip source check user-bind enable#interface Ethernet0/0/14port link-type accessport default vlan 5ntdp enablendp enablebpdu enabledhcp sno
19、oping enabledhcp snooping alarm dhcp-reply enable threshold 120port-isolate enable group 1ip source check user-bind enable#interface Ethernet0/0/15port link-type accessport default vlan 5ntdp enablendp enablebpdu enabledhcp snooping enabledhcp snooping alarm dhcp-reply enable threshold 120port-isola
20、te enable group 1ip source check user-bind enable #interface Ethernet0/0/16port link-type accessport default vlan 5ntdp enablendp enablebpdu enabledhcp snooping enabledhcp snooping alarm dhcp-reply enable threshold 120port-isolate enable group 1ip source check user-bind enable#interface Ethernet0/0/
21、17port link-type accessport default vlan 5ntdp enablendp enablebpdu enabledhcp snooping enabledhcp snooping alarm dhcp-reply enable threshold 120port-isolate enable group 1ip source check user-bind enable# interface Ethernet0/0/18port link-type accessport default vlan 5ntdp enablendp enablebpdu enab
22、ledhcp snooping enabledhcp snooping alarm dhcp-reply enable threshold 120port-isolate enable group 1ip source check user-bind enable#interface Ethernet0/0/19port link-type accessport default vlan 5ntdp enablendp enablebpdu enabledhcp snooping enabledhcp snooping alarm dhcp-reply enable threshold 120
23、port-isolate enable group 1ip source check user-bind enable#interface Ethernet0/0/20 port link-type accessport default vlan 5ntdp enablendp enablebpdu enabledhcp snooping enabledhcp snooping alarm dhcp-reply enable threshold 120port-isolate enable group 1ip source check user-bind enable#interface Et
24、hernet0/0/21port link-type accessport default vlan 5ntdp enablendp enablebpdu enabledhcp snooping enabledhcp snooping alarm dhcp-reply enable threshold 120port-isolate enable group 1ip source check user-bind enable#interface Ethernet0/0/22port link-type access port default vlan 5ntdp enablendp enabl
25、ebpdu enabledhcp snooping enabledhcp snooping alarm dhcp-reply enable threshold 120port-isolate enable group 1ip source check user-bind enable#interface Ethernet0/0/23port link-type accessport default vlan 5ntdp enablendp enablebpdu enabledhcp snooping enabledhcp snooping alarm dhcp-reply enable thr
26、eshold 120port-isolate enable group 1ip source check user-bind enable#interface Ethernet0/0/24port link-type accessport default vlan 5 ntdp enablendp enablebpdu enabledhcp snooping enabledhcp snooping alarm dhcp-reply enable threshold 120port-isolate enable group 1ip source check user-bind enable#in
27、terface GigabitEthernet0/0/1port link-type accessport default vlan 4ntdp enablendp enablebpdu enable#interface GigabitEthernet0/0/2ntdp enablendp enablebpdu enable#interface GigabitEthernet0/0/3ntdp enablendp enable bpdu enable#interface GigabitEthernet0/0/4ntdp enablendp enablebpdu enable#interface NULL0#ip route-static 10.0.0.0 255.0.0.0 10.228.254.201#snmp-agentsnmp-agent local-engineid 000007DB7F00000100006C8Csnmp-agent sys-info version v3#user-interface con 0authentication-modeaaaidle-timeout 0 0user-interfacevty 0 4authentication-modeaaa#return
copyright@ 2008-2022 冰豆网网站版权所有
经营许可证编号:鄂ICP备2022015515号-1