ip dhcp excluded-address 192.168.23.1 192.168.23.20
(不由dhcp   server分配的地址)
!
ip dhcp pool vlan23
(定义地址池)
network 192.168.23.0 255.255.255.0
(定义地址池做用的网段及地址范围)
default-router 192.168.23.1
(定义客户端的默认网关)
domain-name sina.com.cn
(定义客户端所在域)
dns-server 192.168.23.2
(定义客户端的dns)
lease 5
(定义地址租约时间, 5天是为了在安全上考虑,客户端在可控的时间内相对固定)
ip dhcp snooping
(打开dhcp snooping功能,不能省略, 否则在sh ip dhcp snooping binding时将看到一个空的绑定表, 客户端会时断时续)
ip dhcp snooping vlan 23
(定义snooping作用的vlan)
ip dhcp snooping database flash:dhcp
(将绑定表保存在flash中,可以避免重启设备后,从新绑定)
ip arp inspection vlan 23
(定义arp inspection 作用的vlan,它是根据dhcp snooping binding表做判断的)
ip arp inspection validate src-mac dst-mac ip
(侦测有效客户端须满足src-mac dst-mac ip 均无错)
ip arp inspection log-buffer entries 1024
(inspection 日志大小)
ip arp inspection log-buffer logs 1024 interval 300
(inspection 日志刷新时间,interval太小会占用大量cpu时间)
!
!
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause arp-inspection
errdisable recovery interval 30
(上面所有的是在端口因为被errdidable 后能在一段时间内自动恢复, 其中包括dhcp snooping与arp inspection在端口中设限制造成的端口自动关闭)
no file verify auto
logging on
(有的设备是默认打开的,在这写是因为当logging关闭时3550,3560,3750等均会占用大量cpu资源,一定勿忘打开,经测试,打开后一台3550-48下连10台48口设备,2个lan,480台计算机,正常使用.不打开,2台设备90 台计算机就能让其死机)
no spanning-tree loopguard default
({zh0}不要打开,因为当spanning-tree结构稍有改变,它都会blocking,然后unblocking一些端口,造成时断时续的现象)
ip source binding 0060.B322.2C2A vlan 23 192.168.23.8 interface Gi1/0/2
(设备或计算机需用静态地址的,在这儿定义)
!
interface GigabitEthernet1/0/2
switchport trunk encapsulation dot1q
switchport mode trunk
(下连设备,所以定义为trunk口)
ip arp inspection limit none
(由于下连设备,为了避免inspection让端口errdisable,所以对arp的侦测不做限制,若直接为接入设备, 可使用ip arp inspection limit rate)
相关命令:
sh logging 查看Dymatic Arp Inspection (DAI) 是否生效.
sh ip dhcp snooping binding 查看snooping是否生效
sh ip dhcp binding 看dhcp server 是否生效.
sh arp 看arp信息是否与 dhcp snooping binding表一致.
下级设备若支持dhcp snooping 可这样配置
ip dhcp snooping
int g0/1
(上连端口)
switchport trunk encapsulation dot1q
switchport mode trunk
ip dhcp snooping trust
(定义此端口为信任端口,从此口来的dhcp server数据有效,避免有人乱设dhcp server
不支持,根据设备用acl或其它禁止非信任端口发送dhcp server数据.