University DHCP snooping final exam content
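DHCP snooping configuration

10.1.1 Project background

The enterprise LAN has a large number of users, and the internal network faces two risks: the spread of computer viruses and malicious attacks by insiders. To improve network security, the administrator decided to use technical measures on the switch against DHCP spoofing, so that legitimate users' data cannot be stolen by a man in the middle.

10.1.2 Project objective

This project covers the following knowledge and skills while building project experience: configuring the DHCP snooping function on a switch.

10.1.3 Project topology

The topology uses one switch, S1, to simulate a large number of access-layer switches. S1 uplinks to the DHCP server (simulated by S2) through interface G0/0/4, connects DHCP clients UserA and UserB through interfaces G0/0/1 and G0/0/2, and connects UserC, a user with a statically configured IP address, through interface G0/0/3. Interfaces G0/0/1, G0/0/2 and G0/0/3 of S1 all belong to VLAN 1, and G0/0/4 is a trunk interface.

10.1.4 Project plan

The core task of this project is the security configuration of the access-layer switch. To keep the project complete, the preparation work has to be done first.

10.1.4.1 Project preparation work

Step 1: VLAN configuration. Configure the trunk on both switches and assign the interfaces to the corresponding VLAN.
Step 2: DHCP server deployment. Configure S2 as the DHCP server.

10.1.4.2 Core project task: complete the access-layer switch security configuration

Step 1: Configure the DHCP snooping function. G0/0/4 is the trusted interface, and a static binding table is configured to prevent DHCP spoofing.

The device interface connection plan and the device interface IP address plan are shown in the tables below.

Table 10-1 Device interface connection plan

    Device   Interface   Interface type   VLAN     Peer device and interface
    S1       G0/0/1      Access           VLAN 1   UserA E0/0/1
             G0/0/2      Access           VLAN 1   UserB E0/0/1
             G0/0/3      Access           VLAN 1   UserC E0/0/1
             G0/0/4      Trunk                     S2 G0/0/1
    S2       G0/0/1      Trunk                     S1 G0/0/4
    UserA    E0/0/1                                S1 G0/0/1
    UserB    E0/0/1                                S1 G0/0/2
    UserC    E0/0/1                                S1 G0/0/3

Table 10-2 Device interface IP address plan

    Device   Interface   IP address         Remarks
    S1       G0/0/1      None
             G0/0/2      None
             G0/0/3      None
             G0/0/4      None
    S2       G0/0/1      192.168.1.254/24
    UserA    E0/0/1      DHCP
    UserB    E0/0/1      DHCP
    UserC    E0/0/1      192.168.1.100/24   Gateway: 192.168.1.254

10.1.5 Project implementation

10.1.5.1 Project preparation work

Step 1: VLAN configuration

Configure the trunk on both switches and assign the interfaces to the corresponding VLAN. On R1, change the link type of interfaces G0/0/1, G0/0/2 and G0/0/3 to access and the link type of G0/0/4 to trunk. On R2, change the link type of interface G0/0/4 to trunk.

    [S1]interface gigabitethernet 0/0/1
    [S1-GigabitEthernet0/0/1]port link-type access
    [S1-GigabitEthernet0/0/1]quit
    [S1]interface gigabitethernet 0/0/2
    [S1-GigabitEthernet0/0/2]port link-type access
    [S1-GigabitEthernet0/0/2]quit
    [S1]interface gigabitethernet 0/0/3
    [S1-GigabitEthernet0/0/3]port link-type access
    [S1-GigabitEthernet0/0/3]quit
    [S1]interface gigabitethernet 0/0/4
    [S1-GigabitEthernet0/0/4]port link-type trunk
    [S1-GigabitEthernet0/0/4]port trunk allow-pass vlan 1
    [S1-GigabitEthernet0/0/4]quit

    [S2]interface gigabitethernet 0/0/1
    [S2-GigabitEthernet0/0/1]port link-type trunk
    [S2-GigabitEthernet0/0/1]port trunk allow-pass vlan 1
    [S2-GigabitEthernet0/0/1]quit

Step 2: DHCP server deployment

Configure S2 as the DHCP server.

    [S2]dhcp enable                                        // enable DHCP
    [S2]interface Vlanif 1                                 // enter the interface (a virtual interface)
    [S2-Vlanif1]ip address 192.168.1.254 255.255.255.0     // configure the interface IP address
    [S2-Vlanif1]dhcp select interface                      // interface-based DHCP address pool
    [S2-Vlanif1]dhcp server dns-list 1.1.1.1               // DNS server
    [S2-Vlanif1]quit

Check the IP address on host UserA, as follows. The procedure on host UserB is similar.

    PC>ipconfig

    Link local IPv6 address: fe80::5689:98ff:fe55:7659
    IPv6 address: :: / 128
    IPv6 gateway: ::
    IPv4 address: 192.168.1.253
    Subnet mask: 255.255.255.0
    Gateway: 192.168.1.254
    Physical address: 54-89-98-55-76-59
    DNS server: 1.1.1.1

The output above shows that an IP address has been obtained.

Check the IP address on host UserC, as follows.

    PC>ping 192.168.1.254

    Ping 192.168.1.254: 32 data bytes, Press Ctrl_C to break
    From 192.168.1.254: bytes=32 seq=1 ttl=255 time=32 ms
    From 192.168.1.254: bytes=32 seq=2 ttl=255 time=32 ms
    From 192.168.1.254: bytes=32 seq=3 ttl=255 time=46 ms
    From 192.168.1.254: bytes=32 seq=4 ttl=255 time=32 ms
    From 192.168.1.254: bytes=32 seq=5 ttl=255 time=62 ms

    --- 192.168.1.254 ping statistics ---
      5 packet(s) transmitted
      5 packet(s) received
      0.00% packet loss
      round-trip min/avg/max = 32/40/62 ms

10.1.5.2 Core project task

Step 1: Configure the DHCP snooping function

Set interface G0/0/4 of S1 as the trusted interface, and configure a static binding table entry on interface G0/0/3. The other interfaces, G0/0/1 to G0/0/3, are untrusted interfaces.

    [S1]dhcp enable
    [S1]dhcp snooping enable
    [S1]vlan 1
    [S1-vlan1]dhcp snooping enable
    [S1-vlan1]quit
    [S1]interface gigabitethernet 0/0/4
    [S1-GigabitEthernet0/0/4]dhcp snooping trusted
    [S1-GigabitEthernet0/0/4]quit
    [S1]user-bind static ip-address 192.168.1.100 mac-add 5489-9827-6945 interface g0/0/3 vlan 1
    [S1]interface GigabitEthernet 0/0/1
    [S1-GigabitEthernet0/0/1]dhcp snooping enable
    [S1-GigabitEthernet0/0/1]quit
    [S1]interface GigabitEthernet 0/0/2
    [S1-GigabitEthernet0/0/2]dhcp snooping enable
    [S1-GigabitEthernet0/0/2]quit
    [S1]interface GigabitEthernet 0/0/3
    [S1-GigabitEthernet0/0/3]dhcp snooping enable
    [S1-GigabitEthernet0/0/3]quit

10.1.6 Project verification

10.1.6.1 Check the client computers' IP addresses and communication

The UserA and UserB computers use dynamic IP addresses, and UserC uses a static IP address (192.168.1.100). The following is UserA's address.

    PC>ipconfig /renew

    IP Configuration

    Link local IPv6 address: fe80::5689:98ff:fe55:7659
    IPv6 address: :: / 128
    IPv6 gateway: ::
    IPv4 address: 192.168.1.248
    Subnet mask: 255.255.255.0
    Gateway: 192.168.1.254
    Physical address: 54-89-98-55-76-59
    DNS server: 1.1.1.1

    PC>ping 192.168.1.254

    Ping 192.168.1.254: 32 data bytes, Press Ctrl_C to break
    From 192.168.1.254: bytes=32 seq=1 ttl=255 time=93 ms
    From 192.168.1.254: bytes=32 seq=2 ttl=255 time=62 ms
    From 192.168.1.254: bytes=32 seq=3 ttl=255 time=63 ms
    From 192.168.1.254: bytes=32 seq=4 ttl=255 time=78 ms
    From 192.168.1.254: bytes=32 seq=5 ttl=255 time=78 ms

    --- 192.168.1.254 ping statistics ---
      5 packet(s) transmitted
      5 packet(s) received
      0.00% packet loss
      round-trip min/avg/max = 62/74/93 ms

The following is UserB's address.

    PC>ipconfig /renew

    IP Configuration

    Link local IPv6 address: fe80::5689:98ff:fed9:7a30
    IPv6 address: :: / 128
    IPv6 gateway: ::
    IPv4 address: 192.168.1.247
    Subnet mask: 255.255.255.0
    Gateway: 192.168.1.254
    Physical address: 54-89-98-D9-7A-30
    DNS server: 1.1.1.1

    PC>ping 192.168.1.254

    Ping 192.168.1.254: 32 data bytes, Press Ctrl_C to break
    From 192.168.1.254: bytes=32 seq=1 ttl=255 time=32 ms
    From 192.168.1.254: bytes=32 seq=2 ttl=255 time=47 ms
    From 192.168.1.254: bytes=32 seq=3 ttl=255 time=47 ms
    From 192.168.1.254: bytes=32 seq=4 ttl=255 time=47 ms
    From 192.168.1.254: byt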
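
The trusted/untrusted decision that the S1 configuration in 10.1.5.2 turns on, sketched as a small Python model. This is an added example, not part of the original document and not Huawei's implementation; the class and function names are hypothetical, and the server reply arriving on G0/0/2 with address 192.168.1.50 is constructed sample input.

```python
# Simplified model of DHCP snooping on S1 (added example, names are hypothetical).
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a DHCP server sends these

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str
    kind: str                     # "static" or "dynamic"

class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}        # mac -> Binding
        self.pending = {}         # mac -> (port, vlan) of the last client REQUEST
        self.dropped = []         # (port, msg_type) records, useful for alerting

    def user_bind_static(self, ip, mac, port, vlan):
        self.bindings[mac] = Binding(ip, mac, vlan, port, "static")

    def receive(self, port, vlan, msg_type, client_mac, yiaddr=None):
        """Return True if the frame is forwarded, False if snooping drops it."""
        if msg_type in SERVER_MSGS:
            if port not in self.trusted:
                self.dropped.append((port, msg_type))   # server reply on an untrusted port
                return False
            if msg_type == "ACK" and client_mac in self.pending:
                cport, cvlan = self.pending.pop(client_mac)
                self.bindings[client_mac] = Binding(yiaddr, client_mac, cvlan, cport, "dynamic")
            return True
        if msg_type == "REQUEST":
            self.pending[client_mac] = (port, vlan)     # remember where the client sits
        return True               # client messages are forwarded

def lab_run():
    s1 = SnoopingSwitch(trusted_ports={"G0/0/4"})
    s1.user_bind_static("192.168.1.100", "5489-9827-6945", "G0/0/3", 1)   # UserC
    user_a = "5489-9855-7659"     # UserA's MAC from the ipconfig output
    s1.receive("G0/0/1", 1, "DISCOVER", user_a)
    # Constructed event: a server reply arriving on untrusted access port G0/0/2
    rogue = s1.receive("G0/0/2", 1, "OFFER", user_a, "192.168.1.50")
    legit = s1.receive("G0/0/4", 1, "OFFER", user_a, "192.168.1.248")
    s1.receive("G0/0/1", 1, "REQUEST", user_a)
    s1.receive("G0/0/4", 1, "ACK", user_a, "192.168.1.248")
    return s1, rogue, legit
```

The `dropped` list is the part worth exporting to monitoring: a server-type message on an access port means either a misconfigured device or an unauthorized DHCP server on that port.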