
[Copied] Cisco switch DAI (Dynamic ARP Inspection) configuration test

I. Overview

1. What DAI does

① With DAI, the administrator designates switch ports as trusted or untrusted:

Trusted ports forward any ARP message
ARP messages on untrusted ports must pass ARP inspection

② The switch performs the following ARP validation:

Static ARP inspection: a static ARP access control list is configured for a static IP address
Dynamic ARP inspection: the DHCP snooping binding database is consulted for DHCP-assigned IP addresses

2. DAI configuration steps

① Confirm that DHCP snooping is enabled and that its binding database is fully populated.

    - Even without a DHCP server, DHCP snooping still has to be configured

② Designate a port as trusted, which means accepting the risk of ARP spoofing on that interface.

    - Trunk interfaces that cascade switches must be configured as trusted

③ All other interfaces are untrusted by default

④ Set an ARP rate limit on each port (optional)

    - Prevents ARP scanning

⑤ Configure an ARP access control list mapping static IPs to MACs (optional)

⑥ Adjust the error-disable behavior.

⑦ Enable ARP inspection in the specific VLANs.

3. Test topology

[Topology diagram]

II. Basic configuration

1. DHCPserver

hostname DHCPserver
interface Ethernet0/0
 ip address 192.168.10.8 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.254
ip dhcp relay information trust-all
ip dhcp excluded-address 192.168.10.8
ip dhcp excluded-address 192.168.10.254
ip dhcp excluded-address 192.168.20.254
ip dhcp excluded-address 192.168.10.253
ip dhcp excluded-address 192.168.20.253
ip dhcp pool vlan10Pool
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.254
ip dhcp pool vlan20Pool
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.254

2. SW1

hostname SW1
vlan 10
vlan 20
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast
interface range Ethernet0/1-2
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
interface Ethernet0/3
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
interface Vlan10
 ip address 192.168.10.253 255.255.255.0
 no shutdown
interface Vlan20
 ip address 192.168.20.253 255.255.255.0
 ip helper-address 192.168.10.8
 no shutdown
! Configure DHCP snooping
ip dhcp snooping
clock timezone GMT +8
do clock set 21:05:00 18 Apr 2020
ip dhcp snooping database unix:/dhcp.db
interface range e0/0, e0/2
 ip dhcp snooping trust
interface range e0/1, e0/3
 ip dhcp snooping limit rate 3
exit
ip dhcp snooping vlan 10,20

3. SW2

hostname SW2
vlan 10
vlan 20
interface Ethernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface Ethernet0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
interface Ethernet0/2
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
interface Vlan10
 ip address 192.168.10.254 255.255.255.0
 no shutdown
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
 ip helper-address 192.168.10.8
 no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.253
! Configure DHCP snooping
ip dhcp snooping
clock timezone GMT +8
do clock set 21:05:00 18 Apr 2020
ip dhcp snooping database unix:/dhcp.db
interface e0/0
 ip dhcp snooping trust
interface range e0/1-2
 ip dhcp snooping limit rate 3
exit
ip dhcp snooping vlan 10,20

4. Verification

① Client1 obtains an IP address normally

Client1#show ip int br | in Ethernet0/0
Ethernet0/0 192.168.10.1 YES DHCP up up
Client1#

② Client2 obtains an IP address normally

Client2#show ip int br | in Ethernet0/0
Ethernet0/0 192.168.20.1 YES DHCP up up
Client2#

③ Client3 obtains an IP address normally

Client3#show ip int br | in Ethernet0/0
Ethernet0/0 192.168.10.2 YES DHCP up up
Client3#

④ Client4 obtains an IP address normally

Client4#show ip int br | in Ethernet0/0
Ethernet0/0 192.168.20.2 YES DHCP up up
Client4#

III. Configure ARP inspection on the switches

1. Configure the interconnect link between the DAI-enabled switches as a trusted port

On SW1 and SW2:
interface e0/0
 ip arp inspection trust

2. Rate-limit ARP on the untrusted ports

On SW1 and SW2:
interface range E0/1-3
 ip arp inspection limit rate 10

3. Configure an ARP ACL that exempts the static hosts on untrusted ports from ARP inspection

On SW1:
arp access-list xll-ARP-Filter
 permit ip host 192.168.10.8 mac host aabb.cc00.4000
ip arp inspection filter xll-ARP-Filter vlan 10

Note: with "ip arp inspection filter xll-ARP-Filter vlan 10 static", only the static bindings are checked; the entries generated dynamically by DHCP snooping are not consulted.

4. Set the error-disable automatic recovery time for violating ports to 180 seconds

On SW1 and SW2:
errdisable recovery cause arp-inspection
errdisable recovery interval 180

5. Enable ARP inspection in the specific VLANs

On SW1 and SW2:
ip arp inspection vlan 10,20
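As an added illustration that is not part of the original post, the Python model below reproduces the order in which DAI decides the fate of an ARP packet in this lab: a trusted port passes it, then the ARP ACL is consulted (including the meaning of the `static` keyword noted above), and only then the DHCP snooping binding table. The binding entries, the client MAC address and the port names are constructed values; the ACL entry mirrors xll-ARP-Filter.

```python
# Added example (not from the original post): a model of the DAI decision
# order for an ARP packet, using this lab's addresses. Bindings and the
# client MAC are constructed; the ACL mirrors xll-ARP-Filter above.
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpPacket:
    interface: str   # ingress port on SW1, e.g. "Et0/2"
    vlan: int
    sender_mac: str  # sender hardware address in the ARP body
    sender_ip: str   # sender protocol address in the ARP body

# Ports configured with "ip arp inspection trust" (the SW1 trunk).
TRUSTED_PORTS = {"Et0/0"}

# Constructed DHCP snooping bindings: (vlan, ip) -> mac.
# Client1 received 192.168.10.1 in the lab; its MAC is a placeholder.
DHCP_BINDINGS = {(10, "192.168.10.1"): "aabb.cc00.1000"}

# ARP ACL from the post: the static DHCP server host 192.168.10.8.
ARP_ACLS = {"xll-ARP-Filter": [("permit", "192.168.10.8", "aabb.cc00.4000")]}

# "ip arp inspection filter <acl> vlan <n> [static]" -> vlan: (acl, static)
VLAN_FILTER = {10: ("xll-ARP-Filter", False)}

def dai_check(pkt: ArpPacket, vlan_filter=VLAN_FILTER) -> str:
    """Return 'forward' or 'deny' for an ARP packet, in DAI's check order."""
    if pkt.interface in TRUSTED_PORTS:
        return "forward"                      # trusted ports skip inspection
    acl = vlan_filter.get(pkt.vlan)
    if acl is not None:
        name, static = acl
        for action, ip, mac in ARP_ACLS[name]:
            if (ip, mac) == (pkt.sender_ip, pkt.sender_mac):
                return "forward" if action == "permit" else "deny"
        if static:
            return "deny"   # 'static': the ACL's implicit deny is final,
                            # the DHCP snooping database is not consulted
    # No ACL decision: fall back to the DHCP snooping binding table.
    bound = DHCP_BINDINGS.get((pkt.vlan, pkt.sender_ip))
    return "forward" if bound == pkt.sender_mac else "deny"

if __name__ == "__main__":
    # DHCPserver on Et0/2 with its real MAC passes via the ACL ...
    print(dai_check(ArpPacket("Et0/2", 10, "aabb.cc00.4000", "192.168.10.8")))
    # ... and after "mac-address 1.1.1" it is denied, as in the SW1 log.
    print(dai_check(ArpPacket("Et0/2", 10, "0001.0001.0001", "192.168.10.8")))
```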

IV. Verification

1. Client1 through Client4 can all ping DHCPserver

Client1#ping 192.168.10.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.8, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 5/5/5 ms
Client1#
Client2#ping 192.168.10.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Client2#
Client3#ping 192.168.10.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.8, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
Client3#
Client4#ping 192.168.10.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Client4#
2. If the MAC address of DHCPserver's E0/0 interface is changed manually, SW1 reports errors

DHCPserver(config)#int e0/0
DHCPserver(config-if)#mac-address 1.1.1
DHCPserver(config-if)#
SW1(config)#
*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/aabb.cc80.2000/192.168.10.254/22:25:04 GMT Sat Apr 18 2020])
*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/aabb.cc80.1000/192.168.10.253/22:25:04 GMT Sat Apr 18 2020])
*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/aabb.cc00.7000/192.168.10.3/22:25:04 GMT Sat Apr 18 2020])
SW1(config)#do sho
*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/aabb.cc00.5000/192.168.10.4/22:25:04 GMT Sat Apr 18 2020])
*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/ffff.ffff.ffff/192.168.10.8/22:25:04 GMT Sat Apr 18 2020])
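As an added example that is not from the original post, the Python below parses the %SW_DAI-4-DHCP_SNOOPING_DENY lines SW1 logged above into their fields (the bracketed tuple is sender MAC, sender IP, target MAC, target IP, time) and sums denials per port and sender, which is how a log rule would surface the MAC change as repeated rejected ARPs from one host. The sample lines are copied from SW1's output above plus one unrelated console line; the threshold is an assumed value.

```python
# Added example (not from the original post): parse SW1's DAI deny syslog
# lines and aggregate denials per port/VLAN/sender so repeated rejections
# from one host stand out. Threshold and sample list are constructed.
import re
from collections import Counter

DAI_DENY = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs "
    r"\((?P<kind>Req|Res)\) on (?P<port>[^,]+), vlan (?P<vlan>\d+)\."
    r"\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-f.]+)/"
    r"(?P<tip>[\d.]+)/(?P<ts>[^\]]+)\]\)"
)

def parse_dai_deny(line: str):
    """Return the denied ARP's fields as a dict, or None for any other line.
    Bracket fields are sender MAC / sender IP / target MAC / target IP / time."""
    m = DAI_DENY.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["count"], d["vlan"] = int(d["count"]), int(d["vlan"])
    return d

def spoof_candidates(lines, threshold=3):
    """Sum denied ARPs per (port, vlan, sender MAC, sender IP) and return the
    keys at or above the threshold: one host sourcing many rejected ARPs is
    the pattern a MAC/IP mismatch (or an ARP scan) leaves in the log."""
    totals = Counter()
    for line in lines:
        d = parse_dai_deny(line)
        if d:
            totals[(d["port"], d["vlan"], d["smac"], d["sip"])] += d["count"]
    return {k: v for k, v in totals.items() if v >= threshold}

# Sample input: three lines from SW1's output above plus one console line.
SAMPLE = [
    "*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/aabb.cc80.2000/192.168.10.254/22:25:04 GMT Sat Apr 18 2020])",
    "*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/aabb.cc80.1000/192.168.10.253/22:25:04 GMT Sat Apr 18 2020])",
    "SW1(config)#do sho",
    "*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/ffff.ffff.ffff/192.168.10.8/22:25:04 GMT Sat Apr 18 2020])",
]

if __name__ == "__main__":
    for key, n in spoof_candidates(SAMPLE).items():
        print(f"{n} denied ARPs from {key[2]}/{key[3]} on {key[0]} vlan {key[1]}")
```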