
Huawei X7-series switch: using DHCP snooping to force terminals to obtain their address automatically before they can access the network


Published 26 February 2024 (author: 诺高)

Configuration case: using DHCP snooping to force users to obtain an address via DHCP before they can access the network

I. Application scenario

The customer requires that intranet users must obtain their IP address from the DHCP server; a manually configured IP address must be invalid and unable to access the network. This prevents users from arbitrarily changing IP addresses and causing network storms, and it also simplifies management.

The customer's network is small, just a few switches, connected over fibre to the headquarters at another location; the switches are S3700-28TP-EI. When I learned of the requirement I was not confident: I had never configured a Huawei switch before and had only heard that this could be done with DHCP snooping. So I looked up documentation everywhere and made phone calls, finally calling the vendor's service manager and the 800 after-sales hotline. They all told me that the first time a PC connects to the network it must obtain an address from the DHCP server, and a manually configured IP cannot get on the network; but afterwards, because the switch has already learned that PC's MAC address, a manually configured address in the same subnet can also get on the network. I followed the DHCP snooping steps in the configuration guide, and the result was exactly as the vendor had said. The customer then said this was not acceptable: to meet their requirement, access must only ever be possible through DHCP. As it happened, the customer knew an engineer who does Huawei maintenance; after I called him, he told me to add one IP packet check command. I then ran an access test, and it really did meet the customer's requirement. The configuration process for this case is described in detail below.

II. Network topology

Two VLANs are configured on the access switch, VLAN 4 and VLAN 5. VLAN 4 carries the uplink address towards headquarters, and VLAN 5 is the end users' service VLAN; DHCP relay is configured on service VLAN 5.

III. Configuration steps

1. Enable DHCP snooping (the VLAN configuration and the DHCP relay configuration are omitted here)

[Quidway]dhcp enable

[Quidway]dhcp snooping enable

2. Configure DHCP snooping on the service ports (the uplink port needs no configuration)

[Quidway] interface Ethernet 0/0/2

[Quidway-Ethernet0/0/2] dhcp snooping enable

3. Configure the IP packet check function on the service ports

[Quidway-Ethernet0/0/2]ip source check user-bind enable

This command checks packets against the DHCP snooping IP address binding table: packets whose IP address matches an entry in the binding table are forwarded to the network, and packets with no matching entry are dropped. This is the key piece of configuration in this case.

4. With the main configuration complete, when no terminal is connected, or a terminal with a manually configured IP address is connected, display user-bind all shows the following IP address binding table entries

display user-bind all
bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
ifname vsi O/I/P-vlan mac-address ip-address tp lease
-------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------
Static binditem count: 0 Static binditem total count: 0

That is, the address binding table is empty, so the terminal's IP address is treated as illegal, all of its packets are dropped, and it cannot access the network.

5. After switching the terminal to obtain its address automatically, check the binding table entries again

display user-bind all
bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
ifname vsi O/I/P-vlan mac-address ip-address tp lease
-------------------------------------------------------------------------------------------------------
Ethernet0/0/2 -- 5 /--/-- 0001-0002-0003 10.1.1.1 S 0
-------------------------------------------------------------------------------------------------------
Static binditem count: 1 Static binditem total count: 1

Now the address the terminal obtained automatically has been added to the DHCP snooping binding table; the address is legal and its packets are forwarded.
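The forwarding decision described in step 3, traced in code. This is an added example written for this page, not code from the original post or from Huawei: it parses the display user-bind all output shown in steps 4 and 5 and applies the same rule, forwarding a packet only when its ingress port, VLAN, source MAC and source IP together match a binding-table entry. The Binding and Packet types, the source_check function and the sample packets are all constructed for the example; the binding-table text is copied from the post's output above.

```python
"""IP source check modelled on the behaviour of 'ip source check user-bind enable'.

Added example, not code from the original post or from Huawei. The output text
below is the 'display user-bind all' output shown in the post; the packets are
constructed to show which sources the check lets through.
"""
import re
from dataclasses import dataclass

# Binding table after the terminal obtained 10.1.1.1 via DHCP (step 5 of the post).
BIND_TABLE_OUTPUT = """\
bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
ifname vsi O/I/P-vlan mac-address ip-address tp lease
-------------------------------------------------------------------------------
Ethernet0/0/2 -- 5 /--/-- 0001-0002-0003 10.1.1.1 S 0
-------------------------------------------------------------------------------
Static binditem count: 1 Static binditem total count: 1
"""

# Empty table before any terminal obtained a lease (step 4 of the post).
EMPTY_BIND_TABLE_OUTPUT = """\
bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - map vlan
ifname vsi O/I/P-vlan mac-address ip-address tp lease
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Static binditem count: 0 Static binditem total count: 0
"""


@dataclass(frozen=True)
class Binding:
    ifname: str
    vlan: int
    mac: str   # Huawei xxxx-xxxx-xxxx notation, lower-cased
    ip: str


# One entry line: interface, vsi, outer VLAN, '/inner/map', MAC, IPv4, type, lease.
ENTRY_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<vsi>\S+)\s+(?P<vlan>\d+)\s*/\S+\s+"
    r"(?P<mac>[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+\S+$"
)


def parse_bind_table(output: str) -> set[Binding]:
    """Extract bindings from 'display user-bind all' output. Header, flag and
    separator lines do not match the entry pattern and are skipped."""
    bindings: set[Binding] = set()
    for line in output.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            bindings.add(Binding(m["ifname"], int(m["vlan"]), m["mac"].lower(), m["ip"]))
    return bindings


@dataclass(frozen=True)
class Packet:
    ifname: str    # ingress interface
    vlan: int
    src_mac: str
    src_ip: str


def source_check(pkt: Packet, bindings: set[Binding]) -> str:
    """Return 'forward' if the packet's source matches a binding on its ingress
    port, otherwise 'drop'. Matching all four fields is what stops a host that
    keeps its already-learned MAC but switches to a static IP address."""
    candidate = Binding(pkt.ifname, pkt.vlan, pkt.src_mac.lower(), pkt.src_ip)
    return "forward" if candidate in bindings else "drop"


def demo() -> dict[str, str]:
    """Run constructed packets against the post's binding table."""
    bindings = parse_bind_table(BIND_TABLE_OUTPUT)
    cases = {
        # Host that received 10.1.1.1 via DHCP: matches its binding, forwarded.
        "dhcp_host": Packet("Ethernet0/0/2", 5, "0001-0002-0003", "10.1.1.1"),
        # Same host after setting a static address in the same subnet: MAC is
        # known to the switch, but no binding holds that IP, so it is dropped.
        "static_ip_same_mac": Packet("Ethernet0/0/2", 5, "0001-0002-0003", "10.1.1.50"),
        # Different MAC presenting the bound IP: no binding for that pair, dropped.
        "bound_ip_other_mac": Packet("Ethernet0/0/2", 5, "0001-0002-00ff", "10.1.1.1"),
        # Correct MAC/IP pair arriving on another port: binding is per port, dropped.
        "moved_port": Packet("Ethernet0/0/3", 5, "0001-0002-0003", "10.1.1.1"),
    }
    return {name: source_check(pkt, bindings) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} -> {verdict}")
```

The empty table from step 4 parses to no bindings, which is why every packet is dropped at that point; once the lease is recorded, only the exact (port, VLAN, MAC, IP) tuple the DHCP exchange produced is forwarded.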

IV. Summary

This case combines automatic DHCP snooping binding with the ip source check user-bind function so that automatically obtained IP addresses become legal addresses, while manually configured IP addresses are never added to the DHCP snooping binding table and therefore remain illegal. The result is that a terminal can only access the network by obtaining its address automatically.

V. Configuration file

The full configuration used in this case is as follows:

!Software Version V100R005C01SPC100
sysname Quidway
#
vlan batch 4 to 5 200
#
stp enable
#
cluster enable
ntdp enable
ntdp hop 16
ndp enable
#
dhcp enable
dhcp snooping enable
#
undo http server enable
#
drop illegal-mac alarm
#
dhcp server group 1
#
dhcp server group 1
 dhcp-server 10.228.0.14 0
 dhcp-server 10.228.0.3 1
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password cipher ^`0_][]`B4UQC-&C&"^8CQ!!
 local-user admin privilege level 3
 local-user admin service-type telnet terminal
#
interface Vlanif1
 ip address dhcp-alloc
#
interface Vlanif4
 ip address 10.228.254.202 255.255.255.252
#
interface Vlanif5
 ip address 10.229.95.254 255.255.255.0
 dhcp select relay
 dhcp relay server-select 1
#
interface Vlanif200
 ip address 2.2.2.1 255.255.255.0
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 4 to 5 200
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping trusted
#
interface Ethernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 4 to 5 200
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping trusted
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/4
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/5
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/6
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/7
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/8
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/9
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/10
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/11
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/12
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/13
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/14
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/15
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/16
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/17
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/18
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/19
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/20
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/21
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/22
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/23
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface Ethernet0/0/24
 port link-type access
 port default vlan 5
 ntdp enable
 ndp enable
 bpdu enable
 dhcp snooping enable
 dhcp snooping alarm dhcp-reply enable threshold 120
 port-isolate enable group 1
 ip source check user-bind enable
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 4
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/2
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/3
 ntdp enable
 ndp enable
 bpdu enable
#
interface GigabitEthernet0/0/4
 ntdp enable
 ndp enable
 bpdu enable
#
interface NULL0
#
ip route-static 10.0.0.0 255.0.0.0 10.228.254.201
#
snmp-agent
snmp-agent local-engineid 000007DB7FC8C
snmp-agent sys-info version v3
#
user-interface con 0
 authentication-mode aaa
 idle-timeout 0 0
user-interface vty 0 4
 authentication-mode aaa
#
return
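A configuration audit for the pattern the file above embodies, added here as an example; it is not code from the post or from Huawei. It splits a VRP-style configuration into its '#'-delimited blocks and checks three rules derived from the final configuration: DHCP snooping is enabled globally, every access port in the user VLAN carries both dhcp snooping enable and ip source check user-bind enable, and every trunk port is marked dhcp snooping trusted. A port in the user VLAN that lacks the source check is exactly the gap described in the scenario section, where a learned MAC with a static IP gets through. The sample configuration is constructed for the example (a shortened copy of the one above) and deliberately leaves Ethernet0/0/5 without the source check so the audit has something to report; the user_vlan parameter is an assumption of the example.

```python
"""Audit a Huawei VRP-style running configuration for the DHCP snooping plus
IP source check pattern. Added example, not code from the post or from Huawei.

Rules (derived from the post's final configuration):
  - 'dhcp enable' and 'dhcp snooping enable' present globally;
  - every access port in the user VLAN has 'dhcp snooping enable' and
    'ip source check user-bind enable';
  - every trunk (uplink) port has 'dhcp snooping trusted'.
SAMPLE_CONFIG is constructed for this example: Ethernet0/0/5 is missing the
source check on purpose.
"""

SAMPLE_CONFIG = """\
#
dhcp enable
dhcp snooping enable
#
interface Vlanif5
 ip address 10.229.95.254 255.255.255.0
 dhcp select relay
 dhcp relay server-select 1
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 4 to 5 200
 dhcp snooping trusted
#
interface Ethernet0/0/3
 port link-type access
 port default vlan 5
 dhcp snooping enable
 ip source check user-bind enable
#
interface Ethernet0/0/4
 port link-type access
 port default vlan 5
 dhcp snooping enable
 ip source check user-bind enable
#
interface Ethernet0/0/5
 port link-type access
 port default vlan 5
 dhcp snooping enable
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 4
#
return
"""


def split_sections(config: str) -> tuple[list[str], dict[str, list[str]]]:
    """Return (global_lines, {interface_name: [commands]}).

    VRP separates blocks with a bare '#'; an interface block starts with
    'interface <name>' and its commands are indented by one space."""
    global_lines: list[str] = []
    interfaces: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("#", "return", ""):
            current = None          # block terminator: back to global scope
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit(config: str, user_vlan: int = 5) -> list[str]:
    """Return one finding per violated rule; an empty list means compliant."""
    findings: list[str] = []
    global_lines, interfaces = split_sections(config)
    for required in ("dhcp enable", "dhcp snooping enable"):
        if required not in global_lines:
            findings.append(f"global: missing '{required}'")
    for name, cmds in interfaces.items():
        if "port link-type trunk" in cmds:
            if "dhcp snooping trusted" not in cmds:
                findings.append(f"{name}: trunk port not marked 'dhcp snooping trusted'")
        elif "port link-type access" in cmds and f"port default vlan {user_vlan}" in cmds:
            for required in ("dhcp snooping enable", "ip source check user-bind enable"):
                if required not in cmds:
                    findings.append(f"{name}: user port missing '{required}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Ports outside the user VLAN (GigabitEthernet0/0/1 in VLAN 4 here) are left alone, since the enforcement in this case applies only to the terminal-facing VLAN 5 ports.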
