anti-arpscan recovery enable        Enable the ANTI-ARP recovery function
anti-arpscan recovery time 60       Set the ANTI-ARP port recovery time to 60 seconds
sed threshold 10                    Set the ANTI-ARP per-port limit to 10 received ARP packets per second; packets beyond that are dropped
6. Enter interface configuration mode (config-if)
st supertrust-port                  Set the uplink port as a super-trust port; ARP and IP packets on it are not restricted
DHCP packets on the port are snooped, to prevent rogue DHCP servers; or RP can prevent ARP spoofing as well as ARP scanning.
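The three ANTI-ARP settings above (per-port threshold, recovery enable, recovery time) and the super-trust exemption interact in ways the one-line descriptions do not make obvious. The following Python model is an added example, not part of the original document or the switch firmware: it simulates only what those lines state, and the one-second counting window, the "blocked until recovery time elapses" behaviour and the port names are assumptions made for the simulation.

```python
"""Model of the ANTI-ARP (anti-arpscan) port policy described above.

Added example; not part of the original document or the switch firmware.
It simulates only what the configuration lines state: a per-port limit of
`threshold` ARP packets per second, a blocked state once that limit is
exceeded, automatic release after `recovery_time` seconds when recovery is
enabled, and a super-trust uplink port that is never limited.  The one-second
counting window and the "blocked until recovery" behaviour are assumptions;
the real hardware counters are not modelled.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AntiArpScan:
    threshold: int = 10                  # "threshold 10": ARP packets per second per port
    recovery_enabled: bool = True        # "anti-arpscan recovery enable"
    recovery_time: float = 60.0          # "anti-arpscan recovery time 60" (seconds)
    supertrust: Set[str] = field(default_factory=set)   # ports configured as supertrust-port
    # per-port (second, packets seen in that second); assumed 1 s counting window
    _window: Dict[str, Tuple[int, int]] = field(default_factory=dict)
    # port -> release time, or None when recovery is disabled (blocked until cleared by hand)
    blocked_until: Dict[str, Optional[float]] = field(default_factory=dict)
    log: List[Tuple[float, str, str]] = field(default_factory=list)

    def is_blocked(self, port: str, now: float) -> bool:
        """True while the port is blocked; releases it once its recovery time has passed."""
        if port not in self.blocked_until:
            return False
        until = self.blocked_until[port]
        if until is not None and now >= until:
            del self.blocked_until[port]
            self.log.append((now, port, "recovered"))
            return False
        return True

    def arp_packet(self, port: str, t: float) -> bool:
        """Return True if an ARP packet arriving on `port` at time `t` (seconds) is forwarded."""
        if port in self.supertrust:          # super-trust port: no ARP/IP restriction
            return True
        if self.is_blocked(port, t):
            return False
        sec = int(t)
        last_sec, count = self._window.get(port, (sec, 0))
        if last_sec != sec:                  # new one-second window
            count = 0
        count += 1
        self._window[port] = (sec, count)
        if count > self.threshold:           # the 11th packet in a window trips the limit
            self.blocked_until[port] = t + self.recovery_time if self.recovery_enabled else None
            self.log.append((t, port, "blocked"))
            return False
        return True


def run_scan(policy: AntiArpScan, port: str, pps: int, seconds: float = 1.0, start: float = 0.0) -> int:
    """Offer `pps` ARP packets per second on `port` for `seconds`; return how many were forwarded."""
    forwarded = 0
    for i in range(int(pps * seconds)):
        if policy.arp_packet(port, start + i / pps):
            forwarded += 1
    return forwarded


if __name__ == "__main__":
    policy = AntiArpScan(supertrust={"Ethernet0/0/26"})   # hypothetical uplink port
    print("scanner at 50 pps on E0/0/1 got", run_scan(policy, "Ethernet0/0/1", pps=50), "packets through")
    print("E0/0/1 still blocked at t=30s:", policy.is_blocked("Ethernet0/0/1", 30.0))
    print("E0/0/1 forwards again at t=61s:", policy.arp_packet("Ethernet0/0/1", 61.0))
    print("uplink E0/0/26 at 500 pps passes", run_scan(policy, "Ethernet0/0/26", pps=500), "packets")
    print(policy.log)
```

Running the model shows the trade-off behind the two numbers: with recovery enabled, a scanner on an access port still gets `threshold` packets through at the start of every recovery window (10 packets per 60 seconds here), so a lower threshold or a longer recovery time is the lever if that leakage matters; with recovery disabled the port stays blocked until an operator clears it.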
SS3-4F-3F-3950-26-13#show ip dhcp snooping
DHCP Snooping is enabled
DHCP Snooping binding arp: disabled
DHCP Snooping maxnum of action info:10
DHCP Snooping limit rate: 100(pps), switch ID: 0003.0F0B.FB95
DHCP Snooping droped packets: 0, discarded packets: 0
DHCP Snooping alarm count: 5, binding count: 0, expired binding: 0, request binding: 0
interface        trust      action     recovery   alarm num  bind num
---------------  ---------- ---------- ---------- ---------- ----------
Ethernet0/0/1    untrust    blackhole  300        0          0
Ethernet0/0/2    untrust    blackhole  300        0          0
Ethernet0/0/3    untrust    blackhole  300        0          0
Ethernet0/0/4    untrust    blackhole  300        0          0
Ethernet0/0/5    untrust    blackhole  300        0          0
Ethernet0/0/6    untrust    blackhole  300        0          0
Ethernet0/0/7    untrust    blackhole  300        0          0
Ethernet0/0/8    untrust    blackhole  300        0          0
Ethernet0/0/9    untrust    blackhole  300        0          0
Ethernet0/0/10   untrust    blackhole  300        0          0
Ethernet0/0/11   untrust    blackhole  300        0          0
Ethernet0/0/12   untrust    blackhole  300        1          0
Ethernet0/0/13   untrust    blackhole  300        4          0
Ethernet0/0/14   untrust    blackhole  300        0          0
Ethernet0/0/15   untrust    blackhole  300        0          0
Ethernet0/0/16   untrust    blackhole  300        0          0
Ethernet0/0/17   untrust    blackhole  300        0          0
Ethernet0/0/18   untrust    blackhole  300        0          0
Ethernet0/0/19   untrust    blackhole  300        0          0
Ethernet0/0/20   untrust    blackhole  300        0          0
Ethernet0/0/21   untrust    blackhole  300        0          0
Ethernet0/0/22   untrust    blackhole  300        0          0
Ethernet0/0/23   untrust    blackhole  300        0          0
Ethernet0/0/24   untrust    blackhole  300        0          0
Ethernet0/0/25   trust      none       0          0          0
Ethernet0/0/26   trust      none       0          0          0
SS3-4F-3F-3950-26-13# show ip dhcp snooping inter eth 0/0/13
interface Ethernet0/0/13 user config:
 trust attribute: untrust
 action: blackhole
 binding dot1x: disabled
 binding user: enabled
 recovery interval:300(s)
 Alarm info: 4
 --------------------------------------------------------
 DHCP Snooping:Ethernet0/0/13 (02:12:03:45: )action: blackhole, (02:12:08:45: )recovery action: 'del blackhole' Done
 blachhole VID:565 MAC: 00E0.4CB3.9DDA
 --------------------------------------------------------
 DHCP Snooping:Ethernet0/0/13 (02:12:08:58: )action: blackhole, (02:12:13:58: )recovery action: 'del blackhole' Done
 blachhole VID:565 MAC: 00E0.4CB3.9DDA
 --------------------------------------------------------
 DHCP Snooping:Ethernet0/0/13 (02:12:14:03: )action: blackhole, (02:12:19:03: )recovery action: 'del blackhole' Done
 blachhole VID:565 MAC: 00E0.4CB3.9DDA
 --------------------------------------------------------
 DHCP Snooping:Ethernet0/0/13 (02:12:19:09: )action: blackhole, (02:12:24:09: )recovery action: 'del blackhole' Done
 blachhole VID:565 MAC: 00E0.4CB3.9DDA
 Binding info: 0
 Expired Binding: 0
 Request Binding: 0
SS3-4F-3F-3950-26-13# show ip dhcp snooping inter eth 0/0/12
interface Ethernet0/0/12 user config:
 trust attribute: untrust
 action: blackhole
 binding dot1x: disabled
 binding user: enabled
 recovery interval:300(s)
 Alarm info: 1
 --------------------------------------------------------
 DHCP Snooping:Ethernet0/0/12 (02:01:35:37: )action: blackhole, (02:01:40:37: )recovery action: 'del blackhole' Done
 blachhole VID:565 MAC: 0000.E28C.2A0C
 Binding info: 0
 Expired Binding: 0
 Request Binding: 0
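The summary table and the per-port alarm history above are what an operator polls to find ports that have been blackholed and which MAC was behind it (on Ethernet0/0/13 the same MAC is blackholed four times in a row, i.e. it comes back as soon as the 300 s recovery releases it). The Python script below is an added example, not part of the original document or the vendor's software: it parses both output formats, with constructed samples that follow the layout shown above, reports ports with a non-zero alarm counter, and flags MACs that were blackholed repeatedly on the same port. The exact column layout and the alarm line format are assumed to be as in that output.

```python
"""Parse DCS-3950 `show ip dhcp snooping` output and flag blackholed ports.

Added example, not part of the original document or the vendor's software.
The two sample texts are constructed copies of the output format shown above
(abbreviated); whitespace-separated columns are assumed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the layout of the summary table above (abbreviated).
SUMMARY = """\
DHCP Snooping is enabled
DHCP Snooping alarm count: 5, binding count: 0, expired binding: 0, request binding: 0
interface        trust      action     recovery   alarm num  bind num
---------------  ---------- ---------- ---------- ---------- ----------
Ethernet0/0/1    untrust    blackhole  300        0          0
Ethernet0/0/12   untrust    blackhole  300        1          0
Ethernet0/0/13   untrust    blackhole  300        4          0
Ethernet0/0/25   trust      none       0          0          0
Ethernet0/0/26   trust      none       0          0          0
"""

# Constructed sample in the layout of the per-interface output above (two alarms).
DETAIL = """\
interface Ethernet0/0/13 user config:
 trust attribute: untrust
 action: blackhole
 recovery interval:300(s)
 Alarm info: 2
 --------------------------------------------------------
 DHCP Snooping:Ethernet0/0/13 (02:12:03:45: )action: blackhole, (02:12:08:45: )recovery action: 'del blackhole' Done
 blachhole VID:565 MAC: 00E0.4CB3.9DDA
 --------------------------------------------------------
 DHCP Snooping:Ethernet0/0/13 (02:12:08:58: )action: blackhole, (02:12:13:58: )recovery action: 'del blackhole' Done
 blachhole VID:565 MAC: 00E0.4CB3.9DDA
"""

# One row of the summary table: interface, trust, action, recovery, alarm num, bind num.
ROW_RE = re.compile(
    r"^(?P<iface>Ethernet\S+)\s+(?P<trust>trust|untrust)\s+(?P<action>\S+)"
    r"\s+(?P<recovery>\d+)\s+(?P<alarms>\d+)\s+(?P<binds>\d+)$"
)
# The action line of one alarm record; the switch prints two timestamps: action and recovery.
EVENT_RE = re.compile(
    r"DHCP Snooping:(?P<iface>\S+) \((?P<start>[\d:]+): \)action: (?P<action>\w+), "
    r"\((?P<end>[\d:]+): \)recovery action: '(?P<recovery>[^']+)'"
)
# The line that follows it, naming the VLAN and MAC that were blackholed
# (the switch itself spells it "blachhole", so only the VID/MAC part is matched).
MAC_RE = re.compile(r"VID:(?P<vid>\d+) MAC: (?P<mac>[0-9A-Fa-f.]+)")


def parse_summary(text: str) -> Dict[str, dict]:
    """Return {interface: {trust, action, recovery, alarms, binds}} from the summary table."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            rows[d["iface"]] = {
                "trust": d["trust"],
                "action": d["action"],
                "recovery": int(d["recovery"]),
                "alarms": int(d["alarms"]),
                "binds": int(d["binds"]),
            }
    return rows


def alarmed_ports(text: str) -> List[Tuple[str, int]]:
    """Ports whose alarm counter is non-zero, most alarms first."""
    rows = parse_summary(text)
    hits = [(iface, r["alarms"]) for iface, r in rows.items() if r["alarms"] > 0]
    return sorted(hits, key=lambda x: (-x[1], x[0]))


def parse_events(text: str) -> List[dict]:
    """Pair each alarm action line with the 'VID ... MAC ...' line that follows it."""
    events, pending = [], None
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            pending = m.groupdict()
            continue
        m = MAC_RE.search(line)
        if m and pending is not None:
            pending["vid"] = int(m.group("vid"))
            pending["mac"] = m.group("mac").upper()
            events.append(pending)
            pending = None
    return events


def repeat_offenders(events: List[dict], min_hits: int = 2) -> Dict[Tuple[str, int, str], int]:
    """(port, VLAN, MAC) tuples blackholed min_hits or more times: a host that keeps coming back."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["iface"], e["vid"], e["mac"])] += 1
    return {k: v for k, v in counts.items() if v >= min_hits}


if __name__ == "__main__":
    print("ports with alarms:", alarmed_ports(SUMMARY))
    events = parse_events(DETAIL)
    for e in events:
        print(e["iface"], e["start"], "->", e["end"], e["action"], e["vid"], e["mac"])
    print("repeat offenders:", repeat_offenders(events))
```

In practice the two texts would come from the switch over SSH or a console log; the repeat-offender list is the useful signal, because a MAC that is blackholed again as soon as the recovery interval expires is a device that should be located and unplugged rather than left to cycle through the 300 s blackhole.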
3.4 Test Report (DCS-3950)
Document description:
This document tests how the Digital China (神州数码) DCS-3950 switch prevents ARP attacks, so that users can understand in more depth how the function is implemented.
Test item:      How the DCS-3950 switch prevents ARP attacks
Test location:  a campus network building
Test equipment: one DELL D630 laptop, one IBM R51 laptop and one DCS-3950 switch (firmware version DCS-3950-26C_1.3.16.3)
Test software:  CAIN (version 4.9)
Test 1: Both laptops obtain IP addresses via DHCP, and no ARP protection commands are enabled on the switch
Description: Connect the DELL D630 to port E0/0/1 and the IBM R51 to port E0/0/2; switch port E0/0/26 uplinks to the campus network. Both laptops obtain IP addresses automatically from the DHCP server; then run the CAIN ARP attack tool on the DELL D630 to carry out the test.
Step 1: DCS-3950 switch configuration:
switch#show run
Current configuration:
!
hostname switch
!
vlan 1
!
Interface Ethernet0/0/1
!
Interface Ethernet0/0/2
!
Interface Ethernet0/0/3
!
……
Interface Ethernet0/0/26
!
interface Vlan1
Step 2: Connect both laptops to the specified switch ports and check the obtained IP addresses and ARP information
The DELL D630 laptop's information is shown in the figure below: