05 - MSR Series Routers: Typical Configuration Examples for ARP Support of Authorized Entries
Typical Configuration Examples for the Authorized ARP Feature on MSR Series Routers

Copyright © 2014 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this document may be excerpted, reproduced or distributed in any form by any organization or individual without the written permission of the company. The information in this document is subject to change without notice.
This document describes typical cases for using the authorized ARP feature.
This document does not strictly correspond to specific software or hardware versions. If you find differences from the actual product during use, refer to the relevant product manuals or follow the actual behavior of the device.
The configurations in this document were performed and verified in a lab environment, and all parameters of the devices were at their factory defaults before configuration. If you have already configured the device, make sure that the existing configuration does not conflict with the configuration in the following examples, so that the configuration takes effect as intended.
As shown in Figure 1, Router A is the DHCP server and Router B is the DHCP client; the DHCP server dynamically assigns IP addresses to clients on the same network segment. Requirements: configure the authorized ARP feature on the DHCP server to ensure that clients are legitimate, and perform aging detection on the clients.
Figure 1 Network diagram: authorized ARP feature on the DHCP server of an MSR router

Configuring the authorized ARP feature on the DHCP server ensures that a legitimate user who obtained an address from the DHCP server has a corresponding ARP entry on the server and can therefore communicate with the outside, while an illegitimate user who did not obtain its address from the DHCP server cannot communicate with the outside.
This example was configured and verified on Release 2311.
Authorized ARP is currently supported only on Layer 3 Ethernet interfaces, including Layer 2 Ethernet interfaces switched to Layer 3 mode; it is not supported on VLAN interfaces.
# Configure the IP address of the interface.
<RouterA> system-view
[RouterA] interface ethernet 0/1
[RouterA-Ethernet0/1] ip address 10.1.1.1 255.255.255.0
[RouterA-Ethernet0/1] quit
# Enable DHCP and configure the address pool.
[RouterA] dhcp enable
[RouterA] dhcp server ip-pool 1
[RouterA-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.0
[RouterA-dhcp-pool-1] quit
# Enter Ethernet interface view.
[RouterA] interface ethernet 0/1
# Enable DHCP server support for authorized ARP.
[RouterA-Ethernet0/1] dhcp update arp
# Enable authorized ARP on the interface.
[RouterA-Ethernet0/1] arp authorized enable
# Enable client offline detection on the DHCP server.
[RouterA-Ethernet0/1] dhcp server client-detect enable
# Configure the interface to obtain an IP address automatically.
<RouterB> system-view
[RouterB] interface ethernet 0/1
[RouterB-Ethernet0/1] ip address dhcp-alloc
[RouterB-Ethernet0/1] quit
With the above configuration, Router B obtains an IP address through DHCP and Router A records an authorized ARP entry.
# The Ethernet interface information on Router B shows that its IP address was obtained dynamically through DHCP.
<RouterB> display interface ethernet 0/1
Ethernet0/1 current state: UP
Line protocol current state: UP
Description: Ethernet0/1 Interface
The Maximum Transmit Unit is 1500
Internet Address is 10.1.1.2/24, acquired via DHCP
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-e23a-ff64
IPv6 Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-e23a-ff64
Media type is twisted pair, loopback not set, promiscuous mode not set
100Mb/s, Full-duplex, link type is autonegotiation
Output flow-control is disabled, input flow-control is disabled
Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last clearing of counters: Never
Last 300 seconds input rate 64.78 bytes/sec, 518 bits/sec, 1.01 packets/sec
Last 300 seconds output rate 3.31 bytes/sec, 26 bits/sec, 0.02 packets/sec
Input: 2159 packets, 133585 bytes, 2159 buffers
1415 broadcasts, 743 multicasts, 0 pauses
0 errors, 0 runts, 0 giants
0 crc, 0 align errors, 0 overruns
0 dribbles, 0 drops, 0 no buffers
Output:6 packets, 994 bytes, 6 buffers
6 broadcasts, 0 multicasts, 0 pauses
0 errors, 0 underruns, 0 collisions
0 deferred, 0 lost carriers
# After Router B obtains the IP address assigned by Router A, view the authorized ARP information on Router A.
<RouterA> display arp all
Type: S-Static D-Dynamic A-Authorized
IP Address MAC Address VLAN ID Interface Aging Type
10.1.1.2 000f-e23a-ff64 N/A Eth0/1 N/A A
# Disconnect Router B from the switch, change Router B's IP address to a static address on the same network segment as Router A, and reconnect Router B to the switch. Router B and Router A can no longer communicate. This is because authorized ARP enabled on the Router A interface disables dynamic ARP learning on that interface, and because Router B's IP address is static, Router A does not generate an authorized ARP entry for it either. Without an ARP entry, Router A and Router B cannot communicate.
[RouterB] interface ethernet0/1
[RouterB-Ethernet0/1] ip address 10.1.1.10 255.255.255.0
[RouterB-Ethernet0/1] quit
[RouterB] ping 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
<RouterA> display arp all
Type: S-Static D-Dynamic A-Authorized
IP Address MAC Address VLAN ID Interface Aging Type
· Router A:
#
sysname RouterA
#
dhcp server ip-pool 1
network 10.1.1.0 mask 255.255.255.0
#
interface Ethernet0/1
port link-mode route
ip address 10.1.1.1 255.255.255.0
arp authorized enable
dhcp update arp
dhcp relay client-detect enable
#
dhcp enable
#
· Router B:
#
sysname RouterB
#
interface Ethernet0/1
port link-mode route
ip address dhcp-alloc
#
As shown in Figure 2, Router A is the DHCP server, Router C is the DHCP client, and Router C obtains its IP address from Router A through the DHCP relay. Requirements: enable the authorized ARP feature on the DHCP relay, Router B, to ensure that clients are legitimate, and perform aging detection on the clients.
Figure 2 Network diagram: configuring authorized ARP on the DHCP relay of an MSR router

Configuring the authorized ARP feature on the DHCP relay ensures that a legitimate user who obtained an address from the DHCP server has a corresponding ARP entry on the relay and can therefore communicate with the outside, while an illegitimate user who did not obtain its address from the DHCP server cannot communicate with the outside.
# Configure the IP address of the interface.
<RouterA> system-view
[RouterA] interface ethernet 0/0
[RouterA-Ethernet0/0] ip address 10.1.1.1 255.255.255.0
[RouterA-Ethernet0/0] quit
# Enable DHCP and configure the address pool.
[RouterA] dhcp enable
[RouterA] dhcp server ip-pool 1
[RouterA-dhcp-pool-1] network 10.10.1.0 mask 255.255.255.0
[RouterA-dhcp-pool-1] gateway-list 10.10.1.1
[RouterA-dhcp-pool-1] quit
# Configure a static route to the DHCP relay and the DHCP client network segment.
[RouterA] ip route-static 10.10.1.0 24 10.1.1.2
# Enable DHCP.
<RouterB> system-view
[RouterB] dhcp enable
# Configure the IP addresses of the interfaces.
[RouterB] interface ethernet 0/0
[RouterB-Ethernet0/0] ip address 10.1.1.2 24
[RouterB-Ethernet0/0] quit
[RouterB] interface ethernet 0/1
[RouterB-Ethernet0/1] ip address 10.10.1.1 24
# Configure interface Ethernet0/1 to work in DHCP relay mode.
[RouterB-Ethernet0/1] dhcp select relay
[RouterB-Ethernet0/1] quit
# Configure the DHCP server address.
[RouterB] dhcp relay server-group 1 ip 10.1.1.1
[RouterB] interface Ethernet 0/1
[RouterB-Ethernet0/1] dhcp relay server-select 1
# Enable synchronization of ARP entries from DHCP.
[RouterB-Ethernet0/1] dhcp update arp
# Enable authorized ARP on the interface.
[RouterB-Ethernet0/1] arp authorized enable
# Enable DHCP client offline detection.
[RouterB-Ethernet0/1] dhcp relay client-detect enable
# Configure the interface to obtain an IP address automatically.
<RouterC> system-view
[RouterC] interface ethernet 0/1
[RouterC-Ethernet0/1] ip address dhcp-alloc
[RouterC-Ethernet0/1] quit
With the above configuration, Router C obtains an IP address through DHCP and Router B records an authorized ARP entry.
# The Ethernet interface information on Router C shows that its IP address was obtained dynamically through DHCP.
<RouterC> display interface Ethernet 0/1
Ethernet0/1 current state: UP
Line protocol current state: UP
Description: Ethernet0/1 Interface
The Maximum Transmit Unit is 1500
Internet Address is 10.10.1.2/24, acquired via DHCP
IP Packet Frame Type: PKTFMT_ETHNT_2,Hardware Address: 000f-e200-0003
IPv6 Packet Frame Type: PKTFMT_ETHNT_2,Hardware Address: 000f-e200-0003
Media type is twisted pair, loopback not set, promiscuous mode not set
100Mb/s, Full-duplex, link type is autonegotiation
Output flow-control is disabled, input flow-control is disabled
Output queue : (Urgent queuing : Size/Length/Discards)0/100/0
Output queue : (Protocol queuing : Size/Length/Discards)0/500/0
Output queue : (FIFO queuing : Size/Length/Discards)0/75/0
Last clearing of counters: Never
Last 300 seconds input rate 50.31 bytes/sec, 402 bits/sec, 0.81 packets/sec
Last 300 seconds output rate 0.00 bytes/sec, 0 bits/sec, 0.00 packets/sec
Input: 414 packets, 26097 bytes, 414 buffers
271 broadcasts, 142 multicasts, 0 pauses
0 errors, 0 runts, 0 giants
0 crc, 0 align errors, 0 overruns
0 dribbles, 0 drops, 0 no buffers
Output:6 packets, 994 bytes, 6 buffers
6 broadcasts, 0 multicasts, 0 pauses
0 errors, 0 underruns, 0 collisions
0 deferred, 0 lost carriers
# After Router C obtains the IP address assigned by Router A, view the authorized ARP information on Router B.
<RouterB> display arp all
Type: S-Static D-Dynamic A-Authorized
IP Address MAC Address VLAN ID Interface Aging Type
10.10.1.2 000f-e200-0003 N/A Eth0/1 N/A A
10.1.1.1 000f-e23a-ff83 N/A Eth0/0 18 D
# Disconnect Router C from the switch, change Router C's IP address to a static address on the same network segment as Router B, and reconnect Router C to the switch. Router C and Router B can no longer communicate. This is because authorized ARP enabled on the Router B interface disables dynamic ARP learning on that interface, and because Router C's IP address is static, Router B does not generate an authorized ARP entry for Router C's address either. Without an ARP entry, Router C and Router B cannot communicate.
[RouterC] interface ethernet0/1
[RouterC-Ethernet0/1] ip address 10.10.1.10 255.255.255.0
[RouterC-Ethernet0/1] quit
[RouterC] ping 10.10.1.1
PING 10.10.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.10.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
<RouterB> display arp all
Type: S-Static D-Dynamic A-Authorized
IP Address MAC Address VLAN ID Interface Aging Type
10.10.1.2 000f-e200-0003 N/A Eth0/1 N/A A
10.1.1.1 000f-e23a-ff83 N/A Eth0/0 18 D
· Router A:
#
sysname RouterA
#
dhcp server ip-pool 1
network 10.10.1.0 mask 255.255.255.0
gateway-list 10.10.1.1
#
interface Ethernet0/0
port link-mode route
ip address 10.1.1.1 255.255.255.0
#
ip route-static 10.10.1.0 255.255.255.0 10.1.1.2
#
dhcp enable
#
· Router B:
#
sysname RouterB
#
dhcp relay server-group 1 ip 10.1.1.1
#
interface Ethernet0/0
port link-mode route
ip address 10.1.1.2 255.255.255.0
#
interface Ethernet0/1
port link-mode route
ip address 10.10.1.1 255.255.255.0
dhcp select relay
dhcp relay server-select 1
arp authorized enable
dhcp relay client-detect enable
dhcp update arp
#
dhcp enable
#
· Router C:
#
sysname RouterC
#
interface Ethernet0/1
port link-mode route
ip address dhcp-alloc
#
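As an added check (not part of the H3C document or the device's own software), the following Python script parses a configuration listing like the ones above together with `display arp all` output and flags the two conditions the examples depend on: an interface with `arp authorized enable` but no `dhcp update arp` (nothing would ever be synchronized from DHCP, so every client would be cut off), and any entry on an authorized interface whose type is not A (which should not exist once dynamic learning is disabled). The sample text is constructed from the Router B relay example; the `Ethernet`/`Eth` name normalization is an assumption about the output format.

```python
import re

# Constructed sample (not captured device output): Router B's Ethernet0/1 config
# and ARP table from the relay example, with H3C-style indentation restored.
SAMPLE_CONFIG = """#
interface Ethernet0/1
 ip address 10.10.1.1 255.255.255.0
 arp authorized enable
 dhcp relay client-detect enable
 dhcp update arp
#
"""
SAMPLE_ARP = """Type: S-Static D-Dynamic A-Authorized
IP Address      MAC Address    VLAN ID Interface Aging Type
10.10.1.2       000f-e200-0003 N/A     Eth0/1    N/A   A
10.1.1.1        000f-e23a-ff83 N/A     Eth0/0    18    D
"""

def parse_interfaces(config):
    """Map each interface (short form, e.g. Eth0/1) to its set of commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1).replace("Ethernet", "Eth")  # assumed mapping
            blocks[current] = set()
        elif line.startswith("#"):  # '#' closes the interface block
            current = None
        elif current is not None and line.strip():
            blocks[current].add(line.strip())
    return blocks

def parse_arp(table):
    """Return (ip, mac, interface, type) tuples from 'display arp all' output."""
    entries = []
    for line in table.splitlines():
        f = line.split()
        if len(f) == 6 and re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", f[0]):
            entries.append((f[0], f[1], f[3], f[5]))
    return entries

def audit(config, table):
    """List authorized-ARP misconfigurations and unexpected ARP entries."""
    findings, ifaces = [], parse_interfaces(config)
    for name, cmds in ifaces.items():
        if "arp authorized enable" in cmds and "dhcp update arp" not in cmds:
            findings.append(f"{name}: authorized ARP without 'dhcp update arp'")
    for ip, mac, iface, typ in parse_arp(table):
        if "arp authorized enable" in ifaces.get(iface, set()) and typ != "A":
            findings.append(f"{iface}: non-authorized entry {ip} {mac} type {typ}")
    return findings
```

The dynamic entry for 10.1.1.1 on Eth0/0 is not reported because that interface has no `arp authorized enable`.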
· H3C MSR Series Routers Command Reference (V5)-R2311
· H3C MSR Series Routers Configuration Guide (V5)-R2311