企業網cisco交換機dhcp snooping和IP source guard禁止手動配置IP

網絡拓撲結構：

場景介紹:

核心層： 各個vlan接口網關均在覈心層
匯聚層： 兩臺堆疊，port-channel 上聯到核心層，port-channel 下聯到接入層，不運行動態路由
接入層： 兩端口port-channel，分別鏈接至兩臺匯聚交換機

目的：
通過dhcp snooping 防止內部企業網私自接入dhcp server；
通過啓用IP source guard防止內部用戶私自手動配置ip地址。

接入層dhcp snooping 配置：

2F-NEW-ACC-SW-1(config)#ip dhcp snooping
2F-NEW-ACC-SW-1(config)# ip dhcp snooping vlan 24
2F-NEW-ACC-SW-1(config)# ip dhcp snooping vlan 25
2F-NEW-ACC-SW-1(config)#interface GigabitEthernet1/0/47
2F-NEW-ACC-SW-1(config-if)#ip dhcp snooping trust
2F-NEW-ACC-SW-1(config)#interface GigabitEthernet1/0/48
2F-NEW-ACC-SW-1(config-if)#ip dhcp snooping trust
2F-NEW-ACC-SW-1(config)#interface Po1
2F-NEW-ACC-SW-1(config-if)#ip dhcp snooping trust

核心層需要如下配置：(否則客戶端獲取不到IP地址)

6S-CORE-SW-1(config)#interface vlan 24
6S-CORE-SW-1(config)# ip dhcp relay information trusted
6S-CORE-SW-1(config)#interface vlan 25
6S-CORE-SW-1(config)# ip dhcp relay information trusted

看一下效果：

2F-NEW-ACC-SW-1#sh ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
24-25
DHCP snooping is operational on following VLANs:
24-25
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 50f7.22c7.8d00 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
GigabitEthernet1/0/47      yes        yes             unlimited
  Custom circuit-ids:
GigabitEthernet1/0/48      yes        yes             unlimited
  Custom circuit-ids:
Port-channel1              yes        yes             unlimited
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
  Custom circuit-ids:

2F-NEW-ACC-SW-1#sh ip dhcp snooping  binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  ----------                                                                                        ----------
2C:60:0C:73:EA:FC   172.16.24.17     688869      dhcp-snooping   24    GigabitEt                                                                                        hernet1/0/17
00:0B:82:86:10:35   172.16.24.136    609318      dhcp-snooping   24    GigabitEt                                                                                        hernet1/0/20
A8:1E:84:A6:74:7E   172.16.25.12     690293      dhcp-snooping   25    GigabitEt                                                                                        hernet1/0/30
1C:39:47:E4:7D:1D   172.16.25.11     688206      dhcp-snooping   25    GigabitEt                                                                                        hernet1/0/28
A4:4C:C8:10:63:EE   172.16.24.150    688220      dhcp-snooping   24    GigabitEt                                                                                        hernet1/0/7
1C:39:47:E3:5C:C3   172.16.25.14     690459      dhcp-snooping   25    GigabitEt                                                                                        hernet1/0/29
D4:81:D7:FF:04:08   172.16.24.33     684055      dhcp-snooping   24    GigabitEt                                                                                        hernet1/0/15
A8:60:B6:2E:C7:A9   172.16.25.127    690215      dhcp-snooping   25    GigabitEt                                                                                        hernet1/0/44
A8:60:B6:38:2F:A9   172.16.25.132    689510      dhcp-snooping   25    GigabitEt                                                                                        hernet1/0/43
F0:76:1C:E2:64:4C   172.16.25.10     689447      dhcp-snooping   25    GigabitEt                                                                                        hernet1/0/34
 --More--

IP Source Guard 配置：
Ip Souce Guard 需要藉助於dhcp snooping,因此配置ip source guard 之前，必須先啓用 dhcp snooping.
Ip Source Guard配置很簡單，只需在對應的接口下啓用即可：

2F-NEW-ACC-SW-1(config)#interface gigabitEthernet 1/0/1
2F-NEW-ACC-SW-1(config-if)#switchport port-security
2F-NEW-ACC-SW-1(config-if)#ip verify source port-security

看一下效果：

2F-NEW-ACC-SW-1#sh ip ver source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Gi1/0/1    ip-mac       inactive-no-snooping-vlan
Gi1/0/2    ip-mac       active       deny-all         deny-all           24
Gi1/0/3    ip-mac       inactive-no-snooping-vlan
Gi1/0/4    ip-mac       active       deny-all         deny-all           24
Gi1/0/5    ip-mac       active       deny-all         deny-all           24
Gi1/0/6    ip-mac       active       deny-all         deny-all           24
Gi1/0/7    ip-mac       active       172.16.24.150    A4:4C:C8:10:63:EE  24
Gi1/0/8    ip-mac       inactive-no-snooping-vlan
Gi1/0/9    ip-mac       active       deny-all         deny-all           24
Gi1/0/10   ip-mac       inactive-no-snooping-vlan
Gi1/0/11   ip-mac       active       deny-all         deny-all           24
Gi1/0/12   ip-mac       active       deny-all         deny-all           24
Gi1/0/13   ip-mac       active       deny-all         deny-all           24
Gi1/0/14   ip-mac       inactive-no-snooping-vlan
Gi1/0/15   ip-mac       active       172.16.24.33     D4:81:D7:FF:04:08  24
Gi1/0/16   ip-mac       inactive-no-snooping-vlan
Gi1/0/17   ip-mac       active       172.16.24.17     2C:60:0C:73:EA:FC  24
Gi1/0/18   ip-mac       inactive-no-snooping-vlan
Gi1/0/19   ip-mac       inactive-no-snooping-vlan
Gi1/0/20   ip-mac       active       172.16.24.136    00:0B:82:86:10:35  24

Filter mode: 全部爲Active 狀態
IP 地址一欄中， 顯示正常IP的既可以正常上網,deny-all 的可能是手動配置的IP地址 .