網(wǎng)絡(luò)設(shè)備調(diào)試04交換機(jī)端口安全 文檔

1、主講教師：馬宇麟,授課專業(yè)：計(jì)算機(jī)應(yīng)用技術(shù),第,4,講,交換機(jī)端口安全,網(wǎng)絡(luò)設(shè)備調(diào)試,?,當(dāng)交換機(jī)收到數(shù)據(jù)幀后發(fā)現(xiàn)，,MAC,地址表中只有數(shù),據(jù)幀的目標(biāo),MAC,地址而沒(méi)有源,MAC,地址的記錄，,該交換機(jī)該如何處理數(shù)據(jù)幀？,?,接口雙工不匹配會(huì)有何結(jié)果？速率不匹配會(huì)有何結(jié),果？,?,交換機(jī)配置模式有哪些？,課程回顧,本章結(jié)構(gòu),端口安全,DHCP,監(jiān)聽(tīng)的原理,DHCP,監(jiān)聽(tīng)配置與示例,IP,源防護(hù)配置與示例,IP,源防護(hù)原理,交換機(jī)端口安全,端口安全的配置,端口安全配置示例,DHCP,監(jiān)聽(tīng),常見(jiàn)數(shù)據(jù)鏈路層安,全威脅,動(dòng)態(tài),ARP,檢測(cè)配置與示例,IP,源防護(hù),動(dòng)態(tài),ARP,檢測(cè),動(dòng)態(tài),ARP,

2、檢測(cè)原理,F0/3,?,回顧交換機(jī)轉(zhuǎn)發(fā)原理,PC1,與,PC2,通信,常見(jiàn)數(shù)據(jù)鏈路層安全威脅,F0/1,F0/2,PC1,PC2,MAC,Address-Table,0050.56c0.0001,0050.56c0.0002,PC3,0050.56c0.0001,FFFF.FFFF.FFFF,0050.56c0.0002,ARP,廣播,單播幀轉(zhuǎn)發(fā)數(shù)據(jù),?,MAC,地址擴(kuò)散,大量偽造源,MAC,地址的數(shù)據(jù)幀使,MAC,地址表溢,出,導(dǎo)致,MAC,地址表中找不到數(shù)據(jù)幀目的地址所對(duì),應(yīng)的條目,常見(jiàn)數(shù)據(jù)鏈路層安全威脅,F0/1,F0/2,PC1,PC2,MAC,Address-Table,0050.5

3、6c0.0001,0050.56c0.0002,PC3,0050.56c0.0001,0050.56c0.0002,溢出,偽造大量源,MAC,地址,F0/3,因,MAC,地址表溢出，無(wú)法查找表,轉(zhuǎn)發(fā)，數(shù)據(jù)幀被廣播形式發(fā)送,發(fā)給,PC2,的單播幀,PC3,獲得了,PC1,、,PC2,之間傳輸?shù)臄?shù)據(jù),?,ARP,攻擊的原理,欺騙其他所有計(jì)算機(jī),欺騙被攻擊計(jì)算機(jī),常見(jiàn)數(shù)據(jù)鏈路層安全威脅,PC1,PC2,網(wǎng)關(guān),網(wǎng)關(guān)的,MAC,地址是,XX-XX-XX-XX-XX-XX,（虛假,MAC,地址）,PC1,的,MAC,地址是,XX-XX-XX-XX-XX-XX,（虛假,MAC,地址）,Internet,?,

4、ARP,欺騙原理,欺騙網(wǎng)關(guān),欺騙主機(jī),常見(jiàn)數(shù)據(jù)鏈路層安全威脅,PC1,PC2,網(wǎng)關(guān),我是網(wǎng)關(guān)，我的,MAC,地址是,XX-,XX-XX-XX-XX-XX,（,PC2,的,MAC,地址）,我是,PC1,，我的,MAC,地址是,XX-,XX-XX-XX-XX-XX,（,PC2,的,MAC,地址）,Internet,PC1,訪問(wèn)互聯(lián)網(wǎng)的流量需要經(jīng),過(guò),PC2,轉(zhuǎn)發(fā),PC1,PC2,我是,PC1,，我的,MAC,地址是,XX-XX-XX-XX-XX-XX,（,PC3,的,MAC,地址）,我是,PC2,，我的,MAC,地址是,XX-XX-XX-XX-XX-XX,（,PC3,的,MAC,地址）,PC3,P

5、C1,到,PC2,的流量需要經(jīng)過(guò),PC3,轉(zhuǎn)發(fā),?,DHCP,服務(wù)器欺騙與,DHCP,地址耗盡,DHCP,服務(wù)器欺騙,?,即客戶端將自己配置為,DHCP,服務(wù)器，分派虛假的,IP,地,址及其信息或者直接響應(yīng),DHCP,請(qǐng)求,DHCP,地址耗盡,?,即客戶端不斷的冒充新客戶發(fā)送,DHCP,請(qǐng)求，請(qǐng)求服務(wù),器分派,IP,地址，這樣很快耗盡,DHCP,配置的,IP,地址池，,其他計(jì)算機(jī)無(wú)法使用,?,IP,地址欺騙,客戶端使用自己配置的,IP,地址冒充其他客戶端或網(wǎng)絡(luò)管理,員，對(duì)其他用戶、設(shè)備、服務(wù)器等進(jìn)行非法操作,IP,地址欺騙主要是利用自行配置,IP,地址實(shí)現(xiàn)的,常見(jiàn)數(shù)據(jù)鏈路層安全威脅,?,交換機(jī)

6、端口安全的作用,基于,MAC,地址限制、允許客戶端流量,避免,MAC,地址擴(kuò)散攻擊,避免,MAC,地址欺騙攻擊（主機(jī)使用虛假,MAC,地,址發(fā)送非法數(shù)據(jù)）,端口安全,F0/3,F0/1,F0/2,?,啟用交換機(jī)端口安全特性,啟用端口安全的接口不能是動(dòng)態(tài)協(xié)商,(dynamic),模式，,必須配置接口為接入或干道模式,?,配置允許訪問(wèn)網(wǎng)絡(luò)的,MAC,地址,配置接口允許的最大活躍地址數(shù)量,配置靜態(tài)綁定的,MAC,地址,交換機(jī)端口安全的配置,5-1,Switch(config-if)#switchport port-security,Switch(config-if)#switchport port-

7、security maximum ,max-addr,max-addr,參數(shù)的范圍是,1,8192,，在默認(rèn)情況下為,1,Switch(config-if)#switchport port-security mac-address ,mac-addr,mac-addr,為靜態(tài)綁定的,MAC,地址,?,配置老化時(shí)間,如果同一端口主機(jī)經(jīng)常變化，而舊,MAC,地址一直保留，,這可能導(dǎo)致新連接到端口的客戶無(wú)法正常通訊,配置交換機(jī)接口老化時(shí)間，讓交換機(jī)刪除一段時(shí)間內(nèi)沒(méi)有,流量的,MAC,地址,?,time,參數(shù)范圍是,1,1440,分鐘，默認(rèn)為,0,表示不刪除,?,absolute,參數(shù)為老化時(shí)間到期后

8、，刪除所有,MAC,地址,并重新學(xué)習(xí),?,inactivity,參數(shù)為與端口連接的客戶端一段時(shí)間（老化,時(shí)間）沒(méi)有流量，就將其,MAC,地址從地址表中刪除,交換機(jī)端口安全的配置,5-2,Switch(config-if)#switchport port-security aging time ,time,Switch(config-if)#switchport port-security aging type absolute | inactivity ,Switch(config-if)#switchport port-security aging static,?,默認(rèn)情況下靜態(tài)綁定的,M

9、AC,地址并不受老化時(shí)間的影響，,Cisco,交,換機(jī)也可讓靜態(tài)綁定的,MAC,地址老化,?,配置,MAC,地址違規(guī)后的策略,MAC,地址違規(guī),?,最大安全數(shù)目的,MAC,地址表之外的一個(gè)新的,MAC,地址,訪問(wèn)該端口,?,一個(gè)配置為其他接口安全,MAC,地址的,MAC,地址試圖訪,問(wèn)這個(gè)端口,當(dāng)出現(xiàn)違規(guī)情況時(shí)，有三種處理方式,?,shutdown,：端口成為,err-disable,狀態(tài)，相當(dāng)于關(guān)閉端,口，默認(rèn)處理方式,?,protect,：將違規(guī)的,MAC,地址的分組丟棄，但端口處于,UP,狀態(tài)。交換機(jī)不記錄違規(guī)分組,?,restrict,：將違規(guī)的,MAC,地址的分組丟棄，但端口處于,U

10、P,狀態(tài)。交換機(jī)記錄違規(guī)分組,交換機(jī)端口安全的配置,5-3,Switch(config-if)#switchport port-security violation protect |,restrict | shutdown ,?,當(dāng)端口進(jìn)入,err-disable,狀態(tài)時(shí)，恢復(fù)接口狀態(tài),的方法有兩種,手動(dòng)恢復(fù),?,先關(guān)閉端口（,shutdown,），然后再開(kāi)啟端口（,no,shutdown,）,端口恢復(fù)為正常狀態(tài),自動(dòng)恢復(fù),?,設(shè)置,err-disable,計(jì)時(shí)器，端口進(jìn)入,err-disable,狀態(tài)時(shí)開(kāi),始計(jì)時(shí)，計(jì)時(shí)器超出后端口狀態(tài)自動(dòng)恢復(fù),交換機(jī)端口安全的配置,5-4,Switch(c

11、onfig)#errdisable recovery cause psecure-violation,Switch(config)#errdisable recovery interval ,time,恢復(fù)時(shí)間間隔,出現(xiàn),err-disable,狀態(tài)的原因,err-disable,狀態(tài)的端口，默認(rèn)情況下不會(huì)自動(dòng)恢復(fù),?,配置端口安全的,sticky,（粘連）特性,當(dāng)企業(yè)內(nèi)網(wǎng)所有端口均要啟用端口安全時(shí)，靜態(tài)綁定的,MAC,地址的工作量時(shí)十分巨大,sticky,特性能動(dòng)態(tài)的將交換機(jī)接口學(xué)習(xí)到的,MAC,加入到,運(yùn)行配置中，形成綁定關(guān)系,交換機(jī)端口安全的配置,5-5,Switch(config)#s

12、witchport port-security mac-address sticky,?,在交換機(jī)上配置端口安全,端口安全配置示例,5-1,PC1,PC2,F0/1,F0/2,Switch#show run,interface FastEthernet0/2,switchport access vlan 2,switchport mode access,switchport port-security,switchport port-security aging time 1,switchport port-security violation restrict,switchport port

13、-security aging type inactivity,switchport port-security mac-address 0025.1234.1258,啟用端口安全,配置老化時(shí)間，,1,分鐘,配置違規(guī)策略,配置老化策略,配置靜態(tài)綁定,?,查看端口安全的狀態(tài),端口安全配置示例,5-2,Switch#show port-security interface fastEthernet 0/2,Port Security : Enabled,Port Status : Secure-up,Violation Mode : Restrict,Aging Time : 1 mins,Agi

14、ng Type : Inactivity,SecureStatic Address Aging : Disabled,Maximum MAC Addresses : 1,Total MAC Addresses : 1,Configured MAC Addresses : 1,Sticky MAC Addresses : 0,Last Source Address:Vlan : 0025.1234.1258:2,Security Violation Count : 0,端口狀態(tài),違規(guī)策略,最大,MAC,地址數(shù)量,靜態(tài)綁定,MAC,地址數(shù)量,安全違規(guī)次數(shù),?,修改違規(guī)策略為,shutdown,?,

15、當(dāng),F0/2,端口接入其他,MAC,地址的設(shè)備，端口將進(jìn)入,errdisable,狀態(tài)，系統(tǒng)日志如下所示,端口安全配置示例,5-3,%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting,Fa0/2 in err-disable state,%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,caused by MAC address 0021.1ba5.6983 on port FastEthernet0/2.,%LINEPROTO-

16、5-UPDOWN: Line protocol on Interface FastEthernet0/2,changed state to down,%LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to down,端口狀態(tài)改變,?,查看端口安全狀態(tài),端口安全配置示例,5-4,Switch#show port-security interface fastEthernet 0/2,Port Security : Enabled,Port Status : Secure-shutdown,Violation Mode : Shutd

17、own,Aging Time : 1 mins,Aging Type : Inactivity,SecureStatic Address Aging : Disabled,Maximum MAC Addresses : 1,Total MAC Addresses : 1,Configured MAC Addresses : 1,Sticky MAC Addresses : 0,Last Source Address:Vlan : 0021.1ba5.6983:2,Security Violation Count : 1,端口狀態(tài),違規(guī)次數(shù),?,查看處于,errdisable,狀態(tài)的端口,?,顯

18、示端口安全狀態(tài)的摘要信息,端口安全配置示例,5-5,Switch#show interfaces status err-disabled,Port Name Status Reason,Fa0/2 err-disabled psecure-violation,Errdisable,狀態(tài)原因,Switch#show port-security,Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security,Action,(Count) (Count) (Count),-,Fa0/2 1 1 1 Shutdown,-,Total A

19、ddresses in System (excluding one mac per port) : 0,Max Addresses limit in System (excluding one mac per port) : 8192,?,DHCP,監(jiān)聽(tīng)（,DHCP Snooping,）,保證客戶端能夠從正確的,DHCP,服務(wù)器獲得,IP,地址,避免,DHCP,服務(wù)器欺騙和,DHCP,地址耗盡,限制客戶端發(fā)送,DHCP,請(qǐng)求的速度，從而減緩,DHCP,資源,耗盡攻擊,?,DHCP,監(jiān)聽(tīng)將交換機(jī)端口分為兩種,非信任端口,?,連接終端設(shè)備的端口，該端口客戶端只能發(fā)送,DHCP,請(qǐng)求報(bào)文，而丟棄來(lái)自

20、該端口的其他所有,DHCP,報(bào)文,（,DHCP offer,等）,信任端口,?,連接合法的,DHCP,服務(wù)器或者匯聚接口，能夠轉(zhuǎn)發(fā)和,接收所有,DHCP,報(bào)文,DHCP,監(jiān)聽(tīng)的原理,2-1,?,DHCP,監(jiān)聽(tīng)?wèi)?yīng)用實(shí)例,DHCP,監(jiān)聽(tīng)的原理,2-2,客戶機(jī),1,客戶機(jī),2,客戶機(jī),3,客戶機(jī),4,DHCP,服務(wù)器,信任,信任,信任,信任,信任,信任,信任,信任,信任,非信任,非信任,非信任,非信任,?,啟用,DHCP,監(jiān)聽(tīng),?,設(shè)置,DHCP,監(jiān)聽(tīng)作用于那個(gè),VLAN,?,配置端口信任或非信任,啟用,DHCP,監(jiān)聽(tīng)后，默認(rèn)所有端口為非信任端口,配置端口為信任端口,DHCP,監(jiān)聽(tīng)配置,3-1,Sw

21、itch(config)#ip dhcp snooping vlan,number,Switch(config-if)#ip dhcp snooping trust,Switch(config)#ip dhcp snooping,可設(shè)置多個(gè),Vlan,?,DHCP,報(bào)文中的“選項(xiàng),82,”,選項(xiàng)中主要包括：,DHCP,請(qǐng)求報(bào)文進(jìn)入設(shè)備的端,口、屬于的,Vlan,、交換機(jī)的,MAC,等信息,DHCP,服務(wù)器可以根據(jù)這些信息更加精確的為客,戶端分配,IP,地址、設(shè)置策略等,?,報(bào)文中插入選項(xiàng),82,信息,DHCP,監(jiān)聽(tīng)配置,3-2,Switch(config)#ip dhcp snooping i

22、nformation option,?,限制,DHCP,報(bào)文速率，減緩,DHCP,耗盡攻擊,?,啟用核實(shí),MAC,地址功能，避免,DHCP,耗盡攻擊,檢測(cè)非信任端口的請(qǐng)求報(bào)文中源,MAC,地址和,DHCP,請(qǐng)求報(bào)文中的客戶端,MAC,地址是否相同,DHCP,監(jiān)聽(tīng)配置,3-3,速率單位,pps,在非信任端口配置,Switch(config-if)#ip dhcp snooping limit rate,rate,Switch(config)#ip dhcp snooping verify mac-address,?,在交換機(jī)上啟用,DHCP,監(jiān)聽(tīng)，限制非信任端口,DHCP,報(bào)文速率為,100pp

23、s,DHCP,監(jiān)聽(tīng)配置示例,4-1,F0/22,F0/21,F0/18,PC1,PC2,DHCP,服務(wù)器,?,交換機(jī)上啟用,DHCP,監(jiān)聽(tīng)配置,DHCP,監(jiān)聽(tīng)配置示例,4-2,Switch(config)#ip dhcp snooping,Switch(config)#ip dhcp snooping vlan 1,Switch(config)#ip dhcp snooping information option,Switch(config)#interface fastEthernet 0/21,Switch(config-if)#ip dhcp snooping trust,Switch

24、(config-if)#exit,Switch(config)#interface range fastEthernet 0/1 - 20,Switch(config-if-range)#ip dhcp snooping limit rate 100,Switch(config-if-range)#exit,Switch(config)#interface range fastEthernet 0/22 - 24,Switch(config-if-range)#ip dhcp snooping limit rate 100,Switch(config-if-range)#exit,啟用,DHC

25、P,監(jiān)聽(tīng),啟用“選項(xiàng),82,”,設(shè)置信任端口,DHCP,報(bào)文限速,?,查看,DHCP,監(jiān)聽(tīng)的狀態(tài),DHCP,監(jiān)聽(tīng)配置示例,4-3,Switch#show ip dhcp snooping,Switch DHCP snooping is enabled,DHCP snooping is configured on following VLANs: 1,DHCP snooping is configured on the following Interfaces:,Insertion of option 82 is enabled,circuit-id format: vlan-mod-port,

26、remote-id format: MAC,Option 82 on untrusted port is not allowed,Verification of hwaddr field is enabled,Interface Trusted Rate limit (pps),- - -,FastEthernet0/1 no 100,FastEthernet0/20 no 100,FastEthernet0/21 yes unlimited,FastEthernet0/22 no 100,DHCP,監(jiān)聽(tīng)已啟用,監(jiān)聽(tīng),VLAN 1,監(jiān)聽(tīng),VLAN 1,DHCP,報(bào)文限速,?,查看靜態(tài),DHCP

27、,監(jiān)聽(tīng)綁定表,DHCP,綁定表是部署,IP,源防護(hù)和動(dòng)態(tài),ARP,檢測(cè)的,基礎(chǔ),?,清除綁定表,DHCP,監(jiān)聽(tīng)配置示例,4-4,Switch#show ip dhcp snooping binding,MacAddress IpAddress Lease(sec) Type VLAN Interface,- - - - - -,00:0C:29:DA:8C:76 192.168.2.13 515748 dhcp-snooping 1 FastEthernet0/22,D0:27:88:47:CE:FA 192.168.2.14 516771 dhcp-snooping 1 FastEthern

28、et0/18,Total number of bindings: 2,Switch#clear ip dhcp snooping binding,?,請(qǐng)思考：,常見(jiàn)的數(shù)據(jù)鏈路層安全威脅有哪些？,端口如何從,err-disable,狀態(tài)恢復(fù)？,DHCP,監(jiān)聽(tīng)將交換機(jī)端口分為哪兩種？,小結(jié),?,是一種基于,IP/MAC,的端口流量過(guò)濾技術(shù),?,確?？蛻舳瞬荒苁褂米孕兄付ǖ?IP,地址，也不能使,用其他客戶正在使用的,IP,地址,?,以,DHCP,監(jiān)聽(tīng)技術(shù)為基礎(chǔ),?,只支持二層接口，包括接入接口或干道接口,?,IP,源防護(hù)兩種過(guò)濾策略,源,IP,地址過(guò)濾,?,根據(jù)源,IP,地址對(duì),IP,流量進(jìn)行過(guò)濾

29、,源,IP,和源,MAC,地址過(guò)濾,?,根據(jù)源,IP,地址和源,MAC,地址對(duì),IP,流量進(jìn)行過(guò),濾,IP,源防護(hù)原理,啟用,DHCP,監(jiān)聽(tīng)時(shí)須啟用選項(xiàng),82,?,啟用,DHCP,監(jiān)聽(tīng),?,啟用,IP,源防護(hù),源,IP,地址過(guò)濾,源,IP,和源,MAC,地址過(guò)濾,?,首先需要啟用端口安全（,switchport port-,security,）,IP,源防護(hù)配置,2-1,Switch(config-if)#ip verify source /Cisco 35,系列交換機(jī)命令,或,Switch(config-if)#ip verify source vlan dhcp-snooping,/Cis

30、co 45/65,系列交換機(jī)命令,Switch(config-if)#ip verify source port-security /Cisco 35,系列交換機(jī)命令,或,Switch(config-if)#ip verify source vlan dhcp-snooping port-security,/Cisco 45/65,系列交換機(jī)命令,?,對(duì)于使用靜態(tài),IP,的主機(jī)，手動(dòng)配置靜態(tài),IP,源綁定,?,查看,IP,源綁定表,?,查看,IP,源防護(hù)過(guò)濾器的狀態(tài),IP,源防護(hù)配置,2-2,Switch(config)# ip source binding,mac-address,vlan,

31、vlan-number,ip-,address,interface,interface-type interface-number,Switch#show ip source binding,Switch#show ip verify source,?,配置,IP,源防護(hù)，使用源,IP,和源,MAC,地址過(guò)濾,交換機(jī),Switch,的,F0/18,接口為信任接口,在,F0/1,、,F0/2,接口上開(kāi)啟,IP,源防護(hù),PC1,自動(dòng)獲取,IP,地址，而,PC2,使用固定,IP,地址,IP,源防護(hù)配置示例,4-1,F0/1,F0/2,F0/18,Switch,Cisco 3560,DHCP Serv

32、er,PC1,PC2:192.168.100.2,?,在交換機(jī),Switch,上啟用,IP,源防護(hù)配置,IP,源防護(hù)配置示例,4-2,Switch(config)#ip dhcp snooping,Switch(config)#ip dhcp snooping vlan 10,Switch(config)#ip dhcp snooping information option,Switch(config)#interface FastEthernet0/1,Switch(config-if)#switchport access vlan 10,Switch(config-if)# switch

33、port port-security,Switch(config-if)# ip verify source port-security,Switch(config)#interface FastEthernet0/2,Switch(config-if)# switchport access vlan 10,Switch(config-if)# switchport port-security,Switch(config-if)# ip verify source port-security,Switch(config)#interface fastEthernet 0/18,Switch(c

34、onfig-if)#ip dhcp snooping trust,啟用,DHCP,監(jiān)聽(tīng),啟用選項(xiàng),82,啟用,IP,源防護(hù),啟用,IP,源防護(hù),設(shè)置信任端口,?,配置,DHCP,服務(wù)器,?,配置手工綁定,由于,PC2,使用固定,IP,地址所以需要手工進(jìn)行綁定,IP,源防護(hù)配置示例,4-3,Switch-DHCP(config) #ip dhcp excluded-address 192.168.100.1,Switch-DHCP(config) #ip dhcp excluded-address 192.168.100.2,Switch-DHCP(config)#ip dhcp exclude

35、d-address 192.168.100.5,Switch-DHCP(config)#ip dhcp pool test,Switch-DHCP(dhcp-config)# network 192.168.100.0 255.255.255.0,Switch-DHCP(dhcp-config)# default-router 192.168.100.1,Switch-DHCP(config)#interface Vlan 10,Switch-DHCP(config-if)# ip dhcp relay information trusted,Switch-DHCP(config-if)# i

36、p address 192.168.100.5 255.255.255.0,配置,DHCP,中繼帶,82,信息的,DHCP,報(bào)文,Switch(config)#ip source binding 000C.29BE.C63A vlan 10,192.168.100.2 interface Fa0/2,?,DHCP,監(jiān)聽(tīng)綁定表,?,查看,IP,源綁定表,IP,源防護(hù)配置示例,4-4,Switch#show ip dhcp snooping binding,MacAddress IpAddress Lease(sec) Type VLAN Interface,- - - - - -,D0:27:8

37、8:47:CE:FA 192.168.100.3 85998 dhcp-snooping 10 FastEthernet0/1,Total number of bindings: 1,Switch#show ip source binding,MacAddress IpAddress Lease(sec) Type VLAN Interface,- - - - - -,D0:27:88:47:CE:FA 192.168.100.3 85972 dhcp-snooping 10 FastEthernet0/1,00:0C:29:BE:C6:3A 192.168.100.2 infinite st

38、atic 10 FastEthernet0/2,Total number of bindings: 2,?,查看,IP,源防護(hù)過(guò)濾器的狀態(tài),Switch#show ip verify source,Interface Filter-type Filter-mode IP-address Mac-address Vlan,- - - - - -,Fa0/1 ip-mac active 192.168.100.3 D0:27:88:47:CE:FA 10,Fa0/2 ip-mac active 192.168.100.2 00:0C:29:BE:C6:3A 10,?,動(dòng)態(tài),ARP,檢測(cè)（,Dyna

39、mic ARP inspection,，,DAI,）,DAI,是一種與,DHCP,監(jiān)聽(tīng)和,IP,源防護(hù)相結(jié)合的安全特性,根據(jù),DHCP,監(jiān)聽(tīng)綁定表以及,IP,源防護(hù)中靜態(tài),IP,源綁定表的,內(nèi)容對(duì),ARP,報(bào)文進(jìn)行檢測(cè),可設(shè)定,ARP,報(bào)文速率（,pps,）超出規(guī)定值時(shí)，交換機(jī)會(huì)將,端口置為,err-disable,狀態(tài),動(dòng)態(tài),ARP,檢測(cè),信任,PC1,PC2,信任,非信任,非信任,非信任,DHCP,服務(wù)器,?,在指定,Vlan,上啟用,DAI,?,配置信任接口,?,限制入站,ARP,報(bào)文的速率,動(dòng)態(tài),ARP,檢測(cè)配置,2-1,Switch(config)#ip arp inspection

40、 vlan number,Switch(config-if)#ip arp inspection trust,Switch(config-if)#ip arp inspection limit rate,packets-per-second,范圍為,0-2048,，默認(rèn)為,15,DAI,檢查所有,ARP,報(bào)文，當(dāng),ARP,報(bào)文較多會(huì)大量消耗,CPU,資源,?,查看啟用,DAI,的端口以及信任狀態(tài)等信息,?,查看啟用,DAI,的,Vlan,相關(guān)信息,?,查看啟用,DAI,的,Vlan,中數(shù)據(jù)包信息,?,查看,DAI,整體情況,動(dòng)態(tài),ARP,檢測(cè)配置,2-2,Switch#show ip arp

41、inspection interfaces,Switch#show ip arp inspection,vlan-id,Switch#show ip arp inspection statistics,vlan-id,Switch#show ip arp inspection,?,在交換機(jī),Switch,中啟用,DAI,客戶端與服務(wù)器處于同一個(gè),Vlan,（,Vlan 10,）,所有端口均為非信任端口,為,DHCP,服務(wù)器（,IP,地址為,192.168.100.2,）配置,靜態(tài)綁定表,動(dòng)態(tài),ARP,檢測(cè)配置示例,3-1,F0/1,F0/2,F0/3,pc1,pc2,DHCP Server,?

42、,在交換機(jī),Switch,上啟用,DAI,配置,動(dòng)態(tài),ARP,檢測(cè)配置示例,3-2,Switch(config)#ip dhcp snooping,Switch(config)#ip dhcp snooping vlan 10,Switch(config)#interface fastEthernet 0/2,Switch(config-if)#ip dhcp snooping trust,Switch(config-if)#exit,Switch(config)#ip source binding 000C.29BE.C63A vlan 10 192.168.100.2,interface

43、Fa0/2,Switch(config)#interface range FastEthernet0/1 - 3,Switch(config-if)# switchport mode access,Switch(config-if)#switchport access vlan 10,Switch(config-if)# spanning-tree portfast,Switch(config)#ip arp inspection vlan 10,開(kāi)啟,DHCP,監(jiān)聽(tīng),信任端口,靜態(tài)綁定,啟用,DAI,?,查看啟用,DAI,的端口情況,?,查看,DHCP,監(jiān)聽(tīng)綁定表,動(dòng)態(tài),ARP,檢測(cè)配置示例,3-3,Switch#show ip arp inspection interfaces,Interface Trust State Rate (pps) Burst Interval,- - - -,Fa0/1 Untrusted 15 1,Fa0/2 Untrusted 15 1,Switch#show ip dhcp snooping binding,MacAd