eNSP lab: restricting rogue DHCPv6 servers with an IPv6 ACL (ACLv6), implementing a function similar to IPv4 DHCP snooping
(DHCPv6 clients listen on UDP port 546; servers and relay agents listen on UDP port 547)
R1_dhcp_Sever2023.01.19.00时17分02秒.txt
(1) Topology diagram
(2) Configuration
R2:
ipv6
dhcp enable
interface GigabitEthernet0/0/0
ipv6 enable
ipv6 address 192:168:1::1/96
dhcpv6 relay destination 172::200
#
interface GigabitEthernet0/0/1
ipv6 enable
ipv6 address 201::2/96
ipv6 route-static :: 0 201::1
R1 (DHCP server):
ipv6
dhcp enable
#
dhcpv6 pool pool192
address prefix 192:168:1::/96
excluded-address 192:168:1::1 to 192:168:1::99
dns-server 1:1::1
dns-server 1:1::2
interface GigabitEthernet0/0/0
ipv6 enable
ipv6 address 172::200/16
dhcpv6 server pool192 # Note: in the simulator, if this command is not configured on R1's G0/0/0 interface, PC1 cannot obtain an IPv6 address.
ipv6 route-static :: 0 172::1
sw1:
ipv6
interface Vlanif200
ipv6 enable
ipv6 address 200::1/96
#
interface Vlanif201
ipv6 enable
ipv6 address 201::1/96
interface GigabitEthernet0/0/1
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 201
ipv6 route-static :: 0 200::2
ipv6 route-static 192:168:1:: 96 201::2
sw2:
ipv6
interface Vlanif172
ipv6 enable
ipv6 address 172::1/96
#
interface Vlanif200
ipv6 enable
ipv6 address 200::2/96
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 200
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 172
ipv6 route-static 192:168:1:: 96 200::1
ipv6 route-static 201:: 96 200::1
sw3:
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 2
(3) With no rogue DHCPv6 server on the network, the PC obtains an IPv6 address from the legitimate DHCPv6 server
[sw3]int GigabitEthernet 0/0/3
[sw3-GigabitEthernet0/0/3]shutdown
[R1_dhcp_Sever]display dhcpv6 pool pool192 allocated address
(4) With a rogue DHCPv6 server on the network, the PC obtained its IPv6 address from the rogue DHCPv6 server
[sw3]int GigabitEthernet 0/0/3
[sw3-GigabitEthernet0/0/3]undo shutdown
R3 (simulating the rogue DHCPv6 server):
ipv6
#
dhcp enable
#
dhcpv6 pool pool192
address prefix 191:192:168:1::/126
dns-server 11::1
dns-server 11::2
interface GigabitEthernet0/0/0
ipv6 enable
ipv6 address 191:192:168:1::1/126
dhcpv6 server pool192
Packet capture of the DHCPv6 exchange:
(5) Configure an ACL to stop the PC from obtaining an IPv6 address from the rogue DHCPv6 server
sw3:
acl ipv6 number 3001
rule 0 permit ipv6 source 172::200/128
rule 20 deny udp source-port eq 547 destination-port eq 546
rule 200 permit ipv6
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2
traffic-filter outbound acl ipv6 3001
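The ACL above is a port-based approximation of DHCPv6 snooping. The Python model below is added here and is not part of the original lab: it evaluates ACL 3001 in VRP order (first match wins) against constructed packets, and beside it a snooping-style decision that accepts server-originated DHCPv6 message types (Advertise, Reply, Reconfigure, Relay-Reply) only on a trusted port. Assumptions: sw3's GE0/0/1 is the port towards the relay R2 and the only trusted port, and R2 forwards R1's reply to PC1 from its own G0/0/0 address 192:168:1::1 (a real relay may use its link-local address instead); either way the reply's source is the relay, not 172::200, so rule 0 does not match it.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

DHCPV6_SERVER_PORT, DHCPV6_CLIENT_PORT = 547, 546
# DHCPv6 message types that only a server or relay should originate (RFC 8415).
SERVER_MSG_TYPES = {2: "ADVERTISE", 7: "REPLY", 10: "RECONFIGURE", 13: "RELAY-REPLY"}
# Assumption: sw3 GE0/0/1 faces the relay R2; GE0/0/2 (PC1) and GE0/0/3 (R3) are untrusted.
TRUSTED_PORTS = {"GE0/0/1"}

@dataclass
class Packet:
    in_port: str          # sw3 port the packet arrived on
    src: str              # IPv6 source address
    proto: str            # "udp" or another protocol name
    sport: int = 0
    dport: int = 0
    payload: bytes = b""  # UDP payload; byte 0 of a DHCPv6 message is msg-type

# ACL 3001 from the lab. VRP evaluates rules in ascending rule-id order, first match wins.
ACL_3001 = [
    (0, "permit", lambda p: IPv6Address(p.src) in IPv6Network("172::200/128")),
    (20, "deny", lambda p: p.proto == "udp" and p.sport == DHCPV6_SERVER_PORT
                           and p.dport == DHCPV6_CLIENT_PORT),
    (200, "permit", lambda p: True),
]

def acl_decision(pkt, acl=ACL_3001):
    """Return (rule id, action) of the first ACL rule the packet matches."""
    for rule_id, action, match in acl:
        if match(pkt):
            return rule_id, action
    return None, "permit"  # traffic-filter forwards unmatched traffic; rule 200 makes that explicit

def snooping_decision(pkt):
    """Snooping-style check: server-originated DHCPv6 messages are accepted only on trusted ports."""
    to_client = pkt.proto == "udp" and pkt.dport == DHCPV6_CLIENT_PORT and len(pkt.payload) >= 4
    if to_client and pkt.payload[0] in SERVER_MSG_TYPES:
        return "permit" if pkt.in_port in TRUSTED_PORTS else "deny"
    return "permit"

# Constructed sample packets (not captures from the lab); transaction-id bytes are arbitrary.
ROGUE_ADVERTISE = Packet("GE0/0/3", "191:192:168:1::1", "udp", 547, 546, bytes([2, 0xAA, 0xBB, 0xCC]))
RELAYED_REPLY = Packet("GE0/0/1", "192:168:1::1", "udp", 547, 546, bytes([7, 0xAA, 0xBB, 0xCC]))
CLIENT_SOLICIT = Packet("GE0/0/2", "fe80::1", "udp", 546, 547, bytes([1, 0xAA, 0xBB, 0xCC]))

if __name__ == "__main__":
    for name, pkt in [("rogue advertise", ROGUE_ADVERTISE), ("relayed reply", RELAYED_REPLY),
                      ("client solicit", CLIENT_SOLICIT)]:
        print(f"{name:16} acl3001={acl_decision(pkt)}  snooping={snooping_decision(pkt)}")
```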
Test: an IPv6 address was obtained from the legitimate DHCPv6 server
Cut the link to the legitimate DHCPv6 server and see whether PC1 can still obtain an IPv6 address from another DHCPv6 server:
[R1_dhcp_Sever]int GigabitEthernet 0/0/0
[R1_dhcp_Sever-GigabitEthernet0/0/0]shutdown
PC1 still obtained an IPv6 address.
Attempt:
[sw3]ipv6
PC1 still obtained an IPv6 address.
Experiment failed; the reason is not yet known.
Chen: Testing this lab on real physical devices rather than in the simulator works. The simulator's IPv6 support may not be very good.
Please retain the source when reposting: www.zh-cjh.com (Zhuhai Chen Jianhao's blog) » eNSP lab: restricting rogue DHCPv6 servers with an IPv6 ACL (ACLv6), implementing a function similar to IPv4 DHCP snooping
Author: cjh