Anti-ARP-spoofing configuration for static IP addresses:
1. Enable arp-check: turn on the ARP-CHECK feature in global configuration mode
S2126G-2(config)#port-security arp-check
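2. Enable the anti-arp-spoofing feature
S2126G-2(config-if)#anti-ARP-Spoofing ip <gateway address>
3. Enable port security and manually bind IP to MAC
S2126G-2(config)#int f 0/3 //enter interface 3
S2126G-2(config-if)#switchport port-security //enable port security
S2126G-2(config-if)#switchport port-security mac-address 4444.4444.4444 ip-address 192.168.44.55 //bind the PC's IP and MAC on the interface
S2126G-2(config-if)#switchport port-security maximum 1 //allow this port to learn at most 1 MAC address, so the interface will not learn any other MAC address
Note: if another PC is added on this interface, its IP and MAC must also be bound on the corresponding switch interface. For example, for a PC with IP 192.168.44.57 and MAC 2222.2222.2222: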
S2126G-2(config)#int f 0/3
S2126G-2(config-if)#switchport port-security maximum 2 //raise the maximum number of learned MAC addresses to 2; otherwise the new machine cannot be bound
S2126G-2(config-if)#switchport port-security mac-address 2222.2222.2222 ip-address 192.168.44.57
The resulting configuration file:
Building configuration...
Current configuration : 451 bytes
!
version 1.0
!
hostname S2126G-2
vlan 1
!
port-security arp-check
interface fastEthernet 0/3
Anti-ARP-Spoofing ip 192.168.44.1
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address 4444.4444.4444 ip-address 192.168.44.55
switchport port-security mac-address 2222.2222.2222 ip-address 192.168.44.57
!
end
Switch#
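An added example, not part of the original page or of the switch vendor's tooling: a Python audit of saved running-config text for the static-IP setup above. It flags a missing global arp-check, a port-security interface with no IP/MAC binding or no Anti-ARP-Spoofing gateway, and the case the note above warns about, where a port carries more bindings than its configured maximum. The sample config is constructed, and the function name audit is an assumption.

```python
import re

# Constructed sample in this page's running-config syntax (two deliberate faults).
SAMPLE = """\
port-security arp-check
interface fastEthernet 0/3
 Anti-ARP-Spoofing ip 192.168.44.1
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 4444.4444.4444 ip-address 192.168.44.55
 switchport port-security mac-address 2222.2222.2222 ip-address 192.168.44.57
interface fastEthernet 0/4
 switchport port-security
"""

BIND = re.compile(r"switchport port-security mac-address (\S+) ip-address (\S+)$")
MAXIMUM = re.compile(r"switchport port-security maximum (\d+)$")

def audit(config):
    """Return findings for a static-IP anti-ARP-spoofing running-config."""
    arp_check, ports, cur = False, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        low = line.lower()
        if low == "port-security arp-check":
            arp_check = True
        elif low.startswith("interface "):
            cur = ports.setdefault(line.split(None, 1)[1],
                                   {"secure": False, "max": None, "gw": False, "binds": []})
        elif cur is None:
            continue  # other global lines are not part of this check
        elif low == "switchport port-security":
            cur["secure"] = True
        elif low.startswith("anti-arp-spoofing ip "):
            cur["gw"] = True
        elif m := MAXIMUM.match(low):
            cur["max"] = int(m.group(1))
        elif m := BIND.match(low):
            cur["binds"].append(m.groups())
    findings = [] if arp_check else ["global: port-security arp-check is not enabled"]
    for name, p in ports.items():
        if not p["secure"]:
            continue  # ports without port security (e.g. uplinks) are skipped
        if not p["binds"]:
            findings.append(f"{name}: port security on, but no IP/MAC binding")
        if p["max"] is not None and len(p["binds"]) > p["max"]:  # unset maximum: not judged
            findings.append(f"{name}: {len(p['binds'])} bindings, maximum {p['max']}")
        if not p["gw"]:
            findings.append(f"{name}: no Anti-ARP-Spoofing gateway address")
    return findings
```

Calling audit(SAMPLE) reports the maximum mismatch on port 0/3 and the two gaps on port 0/4; an empty list means the checks passed.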
Anti-ARP-spoofing configuration for dynamic IP addresses:
1. Enable arp-check: turn on the ARP-CHECK feature in global configuration mode
S2126G-2(config)#port-security arp-check
2. Enable DHCP relay
S2126G-2(config)#service dhcp
S2126G-2(config)#ip helper-address 192.168.44.5
3. Enable port security
S2126G-2(config)#int f 0/3
S2126G-2(config-if)#switchport port-security
4. Enable automatic port binding
S2126G-2(config-if)#service dhcp address-bind port
The resulting configuration file:
S2126G-2#sh ru
System software version : 1.68 Build Apr 25 2007 Release
Building configuration...
Current configuration : 195 bytes
!
version 1.0
!
hostname S2126G-2
vlan 1
!
port-security arp-check
service dhcp
service dhcp address-bind port
ip helper-address 192.168.44.5
interface fastEthernet 0/5
switchport port-security