IPSG技术和IP组播

1，IPSG技术概述

 

 

 

实验：  DHCP snooping +  IPSG

拓扑：

 

需求：

1，实现PC1  和PC2  动态获取IP地址

2, 在SW2 配置DHCP snooping  实现DHCP 服务器的安全

3, 在 连接PC 1  和 PC2 的 接口上 做IPSG ，防止终端自己更改地址，实施欺骗

4，配置端口安全  ，实现限制终端的连接数量，来保证网络的安全可靠性

5，配置端口隔离 ，实现同一VLAN内二层隔离 ，在SW1 上 实现三层通信

配置思路：

1，配置终端地址

2，配置交换机

-创建VLAN

-配置access 、trunk  

3，配置三层接口地址vlanif

4，配置DHCP 服务器

-开启服务

-配置地址池

-接口下开启DHCP功能

5，实现PC1 /PC2 自动获取到IP地址

6，SW2 上配置DHCO  SNOOPING  防护DHCP服务器

7，连接PC1/PC2 的SW2上的接口配置 IPSG  

动态绑定表

静态绑定表

8，配置端口安全

9，配置端口隔离 ，实现二层隔离 三层通信

配置命令：

[DHCP]vlan  batch 10 20
[DHCP]int g0/0/2
[DHCP-GigabitEthernet0/0/2]port link-type access 
[DHCP-GigabitEthernet0/0/2]port default vlan 20
[DHCP-GigabitEthernet0/0/2]q
[DHCP]int g0/0/1
[DHCP-GigabitEthernet0/0/1]port link-type trunk   
[DHCP-GigabitEthernet0/0/1]port trunk allow-pass vlan all
[DHCP-GigabitEthernet0/0/1]
[SW2]vlan  batch  10 20
[SW2]int g0/0/3
[SW2-GigabitEthernet0/0/3]port link-type trunk   
[SW2-GigabitEthernet0/0/3]port trunk  allow-pass vlan all 
[SW2-GigabitEthernet0/0/3]q
[SW2]int g0/0/1  
[SW2-GigabitEthernet0/0/1]port link-type access 
[SW2-GigabitEthernet0/0/1]port default vlan 10
[SW2-GigabitEthernet0/0/1]q
[SW2]int g0/0/2
[SW2-GigabitEthernet0/0/2]port link-type access 
[SW2-GigabitEthernet0/0/2]port default vlan 10
[SW2-GigabitEthernet0/0/2]q
[DHCP]int Vlanif 10
[DHCP-Vlanif10]ip add 192.168.10.254 24
[DHCP-Vlanif10]q
[DHCP]int Vlanif 20
[DHCP-Vlanif20]ip add 192.168.20.254 24
[DHCP-Vlanif20]q
[DHCP]dhcp enable 
[DHCP]ip pool vlan10   //配置地址池
[DHCP-ip-pool-vlan10]network 192.168.10.0 mask 24
[DHCP-ip-pool-vlan10]gateway-list 192.168.10.254
[DHCP-ip-pool-vlan10]dns-list 8.8.8.8  
[DHCP-ip-pool-vlan10]lease day 2
[DHCP-ip-pool-vlan10]static-bind ip-address 192.168.10.1 mac-address 00e0-fc86-2d62   //动态绑定指定的地址分配给主机
[DHCP-ip-pool-vlan10]static-bind ip-address 192.168.10.2 mac-address 00e0-fcb2-1996
[DHCP-ip-pool-vlan10]q
[DHCP]int Vlanif 10
[DHCP-Vlanif10]dhcp select global 
[PC1]dhcp enable 
[PC1]int g0/0/0
[PC1-GigabitEthernet0/0/0]ip address dhcp-alloc   //实现路由器接口自动从DHCP获取IP地址
[PC1-GigabitEthernet0/0/0]q
[PC1]dis ip int brief 
Interface                         IP Address/Mask      Physical   Protocol  
GigabitEthernet0/0/0              192.168.10.1/24      up         up   
PC2同上。
配置dhcp  snooping  防止DHCP服务器仿冒
[SW2]dhcp enable   
[SW2]dhcp snooping enable 
[SW2]int  g0/0/3  
[SW2-GigabitEthernet0/0/3]dhcp snooping trusted   //连接合法DHCP服务器接口
[SW2-GigabitEthernet0/0/3]q
[SW2]int g0/0/1  
[SW2-GigabitEthernet0/0/1]dhcp snooping enable 
[SW2-GigabitEthernet0/0/1]q
[SW2]int g0/0/2  
[SW2-GigabitEthernet0/0/2]dhcp snooping enable 
[SW2-GigabitEthernet0/0/2]q
[SW2]dis dhcp snooping user-bind all 
[SW2]int  g0/0/1     //配置IPSG  ，防止主机篡改IP 地址
[SW2-GigabitEthernet0/0/1]ip source check  user-bind enable 
[SW2-GigabitEthernet0/0/1]ip source check  user-bind alarm enable 
[SW2-GigabitEthernet0/0/1]ip source check user-bind alarm threshold 3
[SW2-GigabitEthernet0/0/1]q
[PC1]int  g0/0/0
[PC1-GigabitEthernet0/0/0]ip add 192.168.10.100 24  //手动更改了IP地址
[PC1-GigabitEthernet0/0/0]q
[PC1]ip route-static 0.0.0.0 0 192.168.10.254
[SW2]user-bind static ip-address 192.168.10.100 mac-address 00e0-fc86-2d62 interface g0/0/1 vlan 10   //静态绑定IP地址和MAC 地址相关信息
[SW2]dis dhcp static user-bind all 
[SW2]int  g0/0/2   //配置端口安全，限制连接数量
[SW2-GigabitEthernet0/0/2]port-security enable   
[SW2-GigabitEthernet0/0/2]port-security max-mac-num 2
[SW2-GigabitEthernet0/0/2]port-security mac-address sticky 
[SW2]int g0/0/1
[SW2-GigabitEthernet0/0/1]port-isolate enable group 1
[SW2-GigabitEthernet0/0/1]q
[SW2]int g0/0/2  
[SW2-GigabitEthernet0/0/2]port-isolate enable  group 1  //实现二层隔离
[SW2-GigabitEthernet0/0/2]
interface Vlanif10
ip address 192.168.10.254 255.255.255.0
arp-proxy enable
arp-proxy inner-sub-vlan-proxy enable   //在一个VLAN内 实现三层通信
dhcp select global

2,IP组播基础