Cisco Configuring IP Source Guard User Guide

Configuring IP Source Guard

Specifications

  • Product: IP Source Guard on Cisco NX-OS devices
  • Functionality: Per-interface traffic filter for IP traffic
  • Prerequisites: DHCP feature and DHCP snooping enabled

Product Information

About IP Source Guard

IP Source Guard is a per-interface traffic filter that permits IP traffic
based on the IP address and MAC address.

Prerequisites for IP Source Guard

Ensure that the ipsg region size is allocated for storing and
enforcing SMAC-IP bindings.

Guidelines and Limitations

IP Source Guard has specific guidelines and
limitations.

Default Settings

By default, IP Source Guard is disabled on all interfaces and
there are no static or default IP source entries.

Usage Instructions

Enabling or Disabling IP Source Guard on a Layer 2
Interface

  1. Enter global configuration mode:
    configure terminal
  2. Enter interface configuration mode for the specified
    interface:
    interface ethernet slot/port
  3. Enable or disable IP Source Guard on the interface:
    [no] ip verify source dhcp-snooping-vlan

Adding or Removing a Static IP Source Entry

  1. Enable IP Source Guard on the interface:
    ip verify source dhcp-snooping-vlan
  2. Display the running configuration for DHCP snooping:
    show running-config dhcp

FAQ

Q: What are the prerequisites for IP Source Guard?

A: Ensure that the ipsg region size is allocated for storing and
enforcing SMAC-IP bindings.

Q: What are the default settings for IP Source Guard?

A: By default, IP Source Guard is disabled on each interface
and there are no static or default IP source entries.


Configuring IP Source Guard
This chapter describes how to configure IP Source Guard on Cisco NX-OS devices. This chapter includes the following sections:
· About IP Source Guard
· Prerequisites for IP Source Guard
· Guidelines and Limitations for IP Source Guard
· Default Settings for IP Source Guard
· Configuring IP Source Guard
· Displaying IP Source Guard Bindings
· Clearing IP Source Guard Statistics
· Configuration Example for IP Source Guard
· Additional References
About IP Source Guard
IP Source Guard is a per-interface traffic filter that permits IP traffic only when the IP address and MAC address of each packet matches one of two sources of IP and MAC address bindings:
· Entries in the Dynamic Host Configuration Protocol (DHCP) snooping binding table
· Static IP source entries that you configure
Filtering on trusted IP and MAC address bindings helps prevent spoofing attacks, in which an attacker uses the IP address of a valid host to gain unauthorized network access. To circumvent IP Source Guard, an attacker would have to spoof both the IP address and the MAC address of a valid host.
You can enable IP Source Guard on Layer 2 interfaces that are not trusted by DHCP snooping. IP Source Guard supports interfaces that are configured to operate in access mode and trunk mode. When you initially enable IP Source Guard, all inbound IP traffic on the interface is blocked except for the following:
· DHCP packets, which DHCP snooping inspects and then forwards or drops, depending upon the results of inspecting the packet.
· IP traffic from static IP source entries that you have configured on the Cisco NX-OS device.
The device permits the IP traffic when DHCP snooping adds a binding table entry for the IP address and MAC address of an IP packet or when you have configured a static IP source entry.

The device drops IP packets when the IP address and MAC address of the packet do not have a binding table entry or a static IP source entry. For example, assume that the show ip dhcp snooping binding command displays the following binding table entry:

    MacAddress         IpAddress   LeaseSec  Type           VLAN  Interface
    -----------------  ----------  --------  -------------  ----  -----------
    00:02:B3:3F:3B:99  10.5.5.2    6943      dhcp-snooping  10    Ethernet2/3

If the device receives an IP packet with an IP address of 10.5.5.2, IP Source Guard forwards the packet only if the MAC address of the packet is 00:02:B3:3F:3B:99.

Prerequisites for IP Source Guard
IP Source Guard has the following prerequisites:
· You must enable the DHCP feature and DHCP snooping before you can configure IP Source Guard. See Configuring DHCP.
· You must configure the ACL TCAM region size for IP Source Guard using the hardware access-list tcam region ipsg command. See Configuring ACL TCAM Region Sizes.

Note: By default, the ipsg region size is zero. You need to allocate enough entries to this region for storing and enforcing the SMAC-IP bindings.

Guidelines and Limitations for IP Source Guard
IP Source Guard has the following configuration guidelines and limitations:
· IP Source Guard limits IP traffic on an interface to only those sources that have an IP-MAC address binding table entry or static IP source entry. When you first enable IP Source Guard on an interface, you may experience disruption in IP traffic until the hosts on the interface receive a new IP address from a DHCP server.
· IP Source Guard is dependent upon DHCP snooping to build and maintain the IP-MAC address binding table or upon manual maintenance of static IP source entries.
· IP Source Guard is not supported on fabric extender (FEX) ports or generic expansion module (GEM) ports.
· IP Source Guard is not supported on EoR.
· The following guidelines and limitations apply to the Cisco Nexus 9200 Series switches:
    · IPv6 adjacency is not formed with IPSG enabled on the incoming interface.
    · IPSG drops ARP packets at HSRP standby.
    · With DHCP snooping and IPSG enabled, if a binding entry exists for the host, traffic is forwarded to the host even without ARP.


· Beginning with Cisco NX-OS Release 9.3(5), IP Source Guard is supported on Cisco Nexus 9364C-GX, Cisco Nexus 9316D-GX, and Cisco Nexus 93600CD-GX switches.
· IP Source Guard does not require TCAM carving on the Cisco Nexus 9300-X Cloud Scale Switches.
· When IPSG is enabled, port security cannot be used on the interface.

Default Settings for IP Source Guard
This table lists the default settings for IP Source Guard parameters.
Table 1: Default IP Source Guard Parameters

    Parameters          Default
    IP Source Guard     Disabled on each interface.
    IP source entries   None. No static or default IP source entries exist by default.

Configuring IP Source Guard

Enabling or Disabling IP Source Guard on a Layer 2 Interface
You can enable or disable IP Source Guard on a Layer 2 interface. By default, IP Source Guard is disabled on all interfaces.
Before you begin
Ensure that the DHCP feature and DHCP snooping are enabled. Ensure that the ACL TCAM region size for IPSG (ipsg) is configured.

Procedure

  1. Enter global configuration mode:
    configure terminal
    Example:
    switch# configure terminal
    switch(config)#
  2. Enter interface configuration mode for the specified interface:
    interface ethernet slot/port
    Example:
    switch(config)# interface ethernet 2/3
    switch(config-if)#
  3. Enable IP Source Guard on the interface. The no form of this command disables IP Source Guard on the interface:
    [no] ip verify source dhcp-snooping-vlan
    Example:
    switch(config-if)# ip verify source dhcp-snooping-vlan
  4. (Optional) Display the running configuration for DHCP snooping, including the IP Source Guard configuration:
    show running-config dhcp
    Example:
    switch(config-if)# show running-config dhcp
  5. (Optional) Copy the running configuration to the startup configuration:
    copy running-config startup-config
    Example:
    switch(config-if)# copy running-config startup-config

Adding or Removing a Static IP Source Entry
You can add or remove a static IP source entry on the device. By default, there are no static IP source entries.

Procedure

  1. Enter global configuration mode:
    configure terminal
    Example:
    switch# configure terminal
    switch(config)#
  2. Create a static IP source entry for the current interface. The no form of this command removes the static IP source entry:
    [no] ip source binding ip-address mac-address vlan vlan-id interface interface-type slot/port
    Example:
    switch(config)# ip source binding 10.5.22.17 001f.28bd.0013 vlan 100 interface ethernet 2/3
  3. (Optional) Display the IP-MAC address bindings for the specified interface, including static IP source entries. Static entries appear with the term static in the Type column:
    show ip dhcp snooping binding [interface interface-type slot/port]
    Example:
    switch(config)# show ip dhcp snooping binding interface ethernet 2/3
  4. (Optional) Copy the running configuration to the startup configuration:
    copy running-config startup-config
    Example:
    switch(config)# copy running-config startup-config

Configuring IP Source Guard for Trunk Ports
When IP Source Guard is configured on a port, traffic arriving on that port is dropped unless a DHCP snooping entry in the TCAM permits it. However, when IP Source Guard is configured on trunk ports and you do not want traffic on certain VLANs to undergo this check (even if DHCP snooping is not enabled on them), you can specify a list of VLANs to exclude.
Before you begin
Ensure that the DHCP feature and DHCP snooping are enabled.

Procedure

  1. Enter global configuration mode:
    configure terminal
    Example:
    switch# configure terminal
    switch(config)#
  2. Specify the list of VLANs to exclude from the DHCP snooping check for IP Source Guard on trunk ports:
    [no] ip dhcp snooping ipsg-excluded vlan vlan-list
    Example:
    switch(config)# ip dhcp snooping ipsg-excluded vlan 1001-1256,3097
  3. (Optional) Display which VLANs are excluded:
    show ip ver source [ethernet slot/port | port-channel channel-number]
    Example:
    switch(config)# show ip ver source
  4. (Optional) Copy the running configuration to the startup configuration:
    copy running-config startup-config
    Example:
    switch(config)# copy running-config startup-config

Displaying IP Source Guard Bindings
Use the show ip ver source [ethernet slot/port | port-channel channel-number] command to display the IP-MAC address bindings.


Clearing IP Source Guard Statistics
To clear IP Source Guard statistics, use the commands in this table.

    Command: clear access-list ipsg stats [instance number | module number]
    Purpose: Clears IP Source Guard statistics.

Configuration Example for IP Source Guard
This example shows how to create a static IP source entry and enable IP Source Guard on an interface:
    ip source binding 10.5.22.17 001f.28bd.0013 vlan 100 interface ethernet 2/3
    interface ethernet 2/3
      no shutdown
      ip verify source dhcp-snooping-vlan
    show ip ver source
    IP source guard excluded vlans:
    ------------------------------------------------------
    None
    -----------------------------------
    IP source guard is enabled on the following interfaces:
    ------------------------------------------------------
    ethernet2/3
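
The filtering decision this chapter describes, modeled in Python as an added example (not Cisco code and not output from a device). It assumes a binding is scoped to its VLAN and interface as well as its IP and MAC address; the function names and the packet dictionary layout are hypothetical, and the sample inputs are constructed in the formats shown on this page.

```python
import re

# Constructed sample inputs, in the formats shown on this page.
BINDING_OUTPUT = """\
MacAddress         IpAddress   LeaseSec  Type           VLAN  Interface
-----------------  ----------  --------  -------------  ----  -----------
00:02:B3:3F:3B:99  10.5.5.2    6943      dhcp-snooping  10    Ethernet2/3
"""
STATIC_CONFIG = """\
ip source binding 10.5.22.17 001f.28bd.0013 vlan 100 interface ethernet 2/3
"""

def norm_mac(mac):
    """Reduce 00:02:B3:3F:3B:99 and 001f.28bd.0013 styles to 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def norm_if(name):
    """'Ethernet2/3' and 'ethernet 2/3' both become 'ethernet2/3'."""
    return name.replace(" ", "").lower()

def load_bindings(show_output, config):
    """Collect (ip, mac, vlan, interface) tuples from both binding sources."""
    table = set()
    for line in show_output.splitlines():
        f = line.split()
        if len(f) == 6 and f[4].isdigit():  # skips the header and rule lines
            table.add((f[1], norm_mac(f[0]), int(f[4]), norm_if(f[5])))
    pat = r"ip source binding (\S+) (\S+) vlan (\d+) interface (.+)"
    for m in re.finditer(pat, config):
        ip, mac, vlan, intf = m.groups()
        table.add((ip, norm_mac(mac), int(vlan), norm_if(intf)))
    return table

def verdict(table, pkt, excluded_vlans=frozenset()):
    """Action an IPSG-enabled interface takes for one inbound packet."""
    if pkt["vlan"] in excluded_vlans:  # trunk-port exclusion list
        return "permit (VLAN excluded from IPSG check)"
    if pkt.get("dhcp"):  # DHCP is inspected by snooping, not by IPSG
        return "hand to DHCP snooping"
    # Assumption: the binding must match on VLAN and interface too.
    key = (pkt["src_ip"], norm_mac(pkt["src_mac"]), pkt["vlan"],
           norm_if(pkt["intf"]))
    return "permit" if key in table else "drop"
```

A packet that reuses 10.5.5.2 with any other source MAC gets "drop", while one that carries both values of a bound host is permitted, which is the limit the chapter states for this filter.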

Additional References
Related Documents

    Related Topic             Document Title
    ACL TCAM regions          Configuring IP ACLs
    DHCP and DHCP snooping    Configuring DHCP
