Wednesday, November 25, 2009

CISCO WS-C3560 IP Source Guard Configuration Summary

1. Create the macro for the access ports that use IP Source Guard
The command to create a macro is switch(config)#macro name macro-name
Contents:
# macro:oa-clinet
# connects PCs on the OA network
switchport mode access

# Enable port security, limiting the port to at most 5
# MAC addresses (the desktop PCs behind it)
switchport port-security
switchport port-security maximum 5

# Ensure port-security age is greater than one minute
# and use inactivity timer
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity

# ip source guard
# Verify that the IP address bound to each MAC on this interface was assigned by DHCP (via the DHCP snooping binding table); a host that changes its IP address by hand is dropped
ip verify source port-security

2. Create the macro for the uplink port towards the DHCP server
The command to create a macro is switch(config)#macro name macro-name
Contents:
# macro:oa-switch
# connects to the backbone switch
ip arp inspection trust
ip arp inspection limit rate 500 burst interval 3
# Mitigate DHCP DoS attacks by limiting the rate at which the switch forwards DHCP requests
ip dhcp snooping limit rate 500
ip dhcp snooping trust

3. Global configuration:
switch(config)#ip dhcp snooping vlan 1
switch(config)#ip dhcp snooping
switch(config)#ip arp inspection validate src-mac dst-mac
switch(config)#errdisable recovery cause arp-inspection
switch(config)#errdisable recovery interval 3600

4. Apply the macros created in steps 1 and 2 to the respective switch ports
switch(config-if)#macro apply macro-name

Other
Macro that reverses the oa-clinet macro
Contents:
# macro:no-oa-clinet
# remove macro oa-client
# Remove the port-security MAC address limit
no switchport port-security maximum 5

# Remove the port-security violation and aging settings
no switchport port-security violation restrict
no switchport port-security aging time 2
no switchport port-security aging type inactivity
no switchport port-security
no switchport mode access
# ip source guard
no ip verify source port-security
no macro description

Macro that reverses the oa-switch macro
Contents:
# macro:no-oa-switch
# disable oa-switch macro
no ip arp inspection trust
no ip arp inspection limit rate 500 burst interval 3
no ip dhcp snooping limit rate 500
no ip dhcp snooping trust

Related show commands:
show ip dhcp snooping
show ip dhcp snooping binding
show cdp neighbors
show arp-list
show ip arp inspection interfaces
show port-security
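As an added example, not part of the original post: a small Python audit that parses the output of show ip dhcp snooping binding, lists the (MAC, IP) pairs that ip verify source port-security will let through on each access port, and flags ports that have no binding (a host there will be dropped unless it obtains its address via DHCP) or that have reached the port-security maximum of 5 used above. The binding-table text is constructed sample output, not captured from the switch in the post.

```python
import re
from collections import defaultdict

# Constructed sample output of "show ip dhcp snooping binding" (not from the original post).
SAMPLE_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:01   192.168.1.11     86000       dhcp-snooping  1     FastEthernet0/1
00:11:22:33:44:02   192.168.1.12     85000       dhcp-snooping  1     FastEthernet0/1
00:11:22:33:44:03   192.168.1.13     84000       dhcp-snooping  1     FastEthernet0/2
Total number of bindings: 3
"""

# One binding row: MAC, IP, lease seconds, type, VLAN, interface. Header/footer lines do not match.
BINDING_RE = re.compile(
    r"^([0-9A-Fa-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$"
)

def parse_bindings(text):
    """Return one dict per binding row in the snooping table output."""
    rows = []
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if m:
            mac, ip, lease, btype, vlan, iface = m.groups()
            rows.append({"mac": mac.lower(), "ip": ip, "lease": int(lease),
                         "type": btype, "vlan": int(vlan), "interface": iface})
    return rows

def allowed_sources(bindings, interface):
    """(mac, ip) pairs that 'ip verify source port-security' permits on an interface.
    Traffic with any other source IP/MAC on that port is dropped by IP Source Guard."""
    return {(b["mac"], b["ip"]) for b in bindings if b["interface"] == interface}

def check_ports(bindings, access_ports, max_hosts=5):
    """Audit access ports: 'no-binding' means a host there cannot pass IP Source Guard
    until it gets a DHCP lease; 'at-port-security-max' means the MAC limit is reached."""
    per_port = defaultdict(set)
    for b in bindings:
        per_port[b["interface"]].add(b["mac"])
    report = {}
    for port in access_ports:
        n = len(per_port.get(port, ()))
        if n == 0:
            report[port] = "no-binding"
        elif n >= max_hosts:
            report[port] = "at-port-security-max"
        else:
            report[port] = "ok"
    return report
```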
