Deploying DHCP Snooping + DAI in a 3560/3750 + 2950T-24 environment
2009-01-08 07:39
Over the past few years we sold a lot of campus networks, nearly all built as 3560G/3750G core plus 2950T-24 access. When ARP attacks broke out, customers were on the phone constantly. DHCP Snooping + DAI is a good fix, but on closer reading the 2950T-24 does not support DAI. Faint. Someone's suggestion: could we enable PVLAN-style port isolation on the 2950T-24 and enable DAI on the 3560G/3750G? Then the ARP attacks would be taken care of. Tested it; it does work, but hosts on Layer 2 ports of the same access switch can no longer reach each other. A search of the manual turned up the command ip local-proxy-arp, enabled under the interface vlan, and that was it. The configuration follows:
hostname SW3750
!
clock timezone GMT 8
switch 1 provision ws-c3750g-24ts
ip subnet-zero
ip routing
no ip dhcp conflict logging
!
ip dhcp pool client
   network
   default-router
!
ip dhcp snooping vlan 3
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
ip arp inspection vlan 3
ip arp inspection validate ip
!
!
!
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 30
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip arp inspection limit none
!
interface GigabitEthernet1/0/2
............
!
interface GigabitEthernet1/0/28
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan3
 ip address
 no ip redirects
 ip local-proxy-arp
 ip route-cache same-interface
!
interface Vlan108
 ip address
!
end
2950T configuration
Current configuration : 4418 bytes
!
hostname C2950
!
enable password cisco
!
errdisable recovery cause dhcp-rate-limit
ip subnet-zero
!
ip dhcp snooping vlan 3
ip dhcp snooping
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
no spanning-tree vlan 361
no spanning-tree vlan 368
no spanning-tree vlan 369
no spanning-tree vlan 500
!
!
interface FastEthernet0/1
 switchport access vlan 3
 switchport protected
 no ip address
 spanning-tree portfast
 ip dhcp snooping limit rate 10
!
interface FastEthernet0/2
 switchport access vlan 3
 switchport protected
 no ip address
 spanning-tree portfast
 ip dhcp snooping limit rate 10
!
interface
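The design above works because every ARP packet from a host behind the 2950 is forced (by the protected ports) up the trunk to the 3560/3750, where DAI checks it against the DHCP snooping binding table before it is forwarded or answered by local proxy ARP. The following Python model, added here as an illustration and not code from the original post or from Cisco, shows the decisions DAI makes for a packet arriving on an untrusted port: the per-port rate limit (with 'limit none' on the trunk, as in the config), the 'validate ip' sanity checks, and the binding lookup. The binding rows, MAC addresses and 192.0.2.0/24 addresses are constructed sample data; the model simplifies real DAI (it does not track the binding's learning interface, ARP ACLs, or DHCP snooping itself).

```python
"""Model of the Dynamic ARP Inspection (DAI) decision for one ARP packet.

Added example, not from the original post.  Bindings, MACs and IPs below are
constructed; port names follow the configs above (Gi1/0/1 is the trunk to the
2950).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, Iterable, List, Optional, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class Binding:
    """One row of 'show ip dhcp snooping binding' (constructed sample)."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    port: str          # ingress interface on the L3 switch
    opcode: int        # ARP_REQUEST or ARP_REPLY
    sender_mac: str
    sender_ip: str
    target_ip: str


@dataclass
class DaiPort:
    """Per-port DAI state.  limit=None models 'ip arp inspection limit none';
    15 packets/second is the Catalyst default for untrusted ports."""
    trusted: bool = False
    limit: Optional[int] = 15
    errdisabled: bool = False
    seen: Dict[int, int] = field(default_factory=dict)  # second -> packet count


def _invalid_ip(ip: str) -> bool:
    """'ip arp inspection validate ip': 0.0.0.0, 255.255.255.255 and multicast
    addresses are never legitimate ARP sender/target addresses."""
    return ip in ("0.0.0.0", "255.255.255.255") or ip_address(ip).is_multicast


class Dai:
    def __init__(self, bindings: Iterable[Binding], ports: Dict[str, DaiPort],
                 inspected_vlans: Iterable[int], validate_ip: bool = True):
        # The binding table keyed the way DAI looks it up: (vlan, mac, ip).
        self.table = {(b.vlan, b.mac.lower(), b.ip) for b in bindings}
        self.ports = ports
        self.vlans = set(inspected_vlans)
        self.validate_ip = validate_ip

    def inspect(self, pkt: ArpPacket, now: int) -> Tuple[str, str]:
        """Return ('permit' | 'drop', reason) for one ARP packet seen at second `now`."""
        port = self.ports.setdefault(pkt.port, DaiPort())
        if port.errdisabled:
            return "drop", "port err-disabled"
        # DAI only acts on inspected VLANs and untrusted ports.
        if pkt.vlan not in self.vlans or port.trusted:
            return "permit", "not inspected"
        # Rate limiting: exceeding the per-second limit err-disables the port
        # until 'errdisable recovery cause arp-inspection' brings it back.
        if port.limit is not None:
            n = port.seen.get(now, 0) + 1
            port.seen[now] = n
            if n > port.limit:
                port.errdisabled = True
                return "drop", "rate limit exceeded, port err-disabled"
        # 'validate ip': sender IP is checked on requests and replies,
        # target IP only on replies.
        if self.validate_ip:
            if _invalid_ip(pkt.sender_ip):
                return "drop", "invalid sender IP"
            if pkt.opcode == ARP_REPLY and _invalid_ip(pkt.target_ip):
                return "drop", "invalid target IP"
        # The core check: sender MAC/IP must match a DHCP snooping binding.
        if (pkt.vlan, pkt.sender_mac.lower(), pkt.sender_ip) not in self.table:
            return "drop", "no DHCP snooping binding for sender MAC/IP"
        return "permit", "binding matched"

    def recover(self, port_name: str) -> None:
        """errdisable recovery: re-enable the port and reset its counters."""
        p = self.ports[port_name]
        p.errdisabled, p.seen = False, {}


def demo() -> List[Tuple[str, str]]:
    """Run four constructed packets through DAI on the trunk from the 2950."""
    # As the 3750 learns them, all hosts behind the 2950 appear via Gi1/0/1.
    bindings = [
        Binding("00:11:22:33:44:01", "192.0.2.11", 3, "Gi1/0/1"),
        Binding("00:11:22:33:44:02", "192.0.2.12", 3, "Gi1/0/1"),
    ]
    ports = {"Gi1/0/1": DaiPort(trusted=False, limit=None)}  # 'limit none'
    dai = Dai(bindings, ports, inspected_vlans=[3])
    gw = "192.0.2.1"  # constructed gateway address (the Vlan3 SVI)
    packets = [
        ArpPacket(3, "Gi1/0/1", ARP_REQUEST, "00:11:22:33:44:01", "192.0.2.11", gw),   # legitimate
        ArpPacket(3, "Gi1/0/1", ARP_REPLY, "00:11:22:33:44:02", gw, "192.0.2.11"),     # host claims gateway IP
        ArpPacket(3, "Gi1/0/1", ARP_REQUEST, "00:11:22:33:44:01", "0.0.0.0", "192.0.2.11"),  # invalid sender
        ArpPacket(108, "Gi1/0/1", ARP_REPLY, "aa:bb:cc:dd:ee:ff", "198.51.100.5", "198.51.100.1"),  # VLAN not inspected
    ]
    return [dai.inspect(p, now=0) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The second packet is the case the post is about: a host on VLAN 3 answering for the gateway's address with its own MAC has no binding for that pair and is dropped at the 3750, even though the 2950 itself cannot inspect ARP. The fourth packet shows why 'ip arp inspection vlan 3' must list every user VLAN that needs protection: VLAN 108 is not inspected in the config above, so DAI passes it untouched.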