开启Cisco交换机IP Source Guard功能

开启Cisco交换机IP Source Guard功能-------------------------------------------------------------------------------- 日期：2009-4-3 浏览次数：8469出处：一、IP地址盗用IP地址的盗用方法多种多样，其常用方法主要有以下几种：1、静态修改IP地址对于任何一个TCP/IP实现来说，IP地址都是其用户配置的必选项。

如果用户在配置TCP/IP或修改TCP/IP配置时，使用的不是授权分配的IP地址，就形成了IP地址盗用。

由于IP地址是一个逻辑地址，因此无法限制用户对于其主机IP地址的静态修改。

2、成对修改IP-MAC地址对于静态修改IP地址的问题，现在很多单位都采用IP与MAC绑定技术加以解决。

针对绑定技术，IP盗用技术又有了新的发展，即成对修改IP-MAC地址。

现在的一些兼容网卡，其MAC地址可以使用网卡配置程序进行修改。

如果将一台计算机的IP地址和MAC 地址都改为另外一台合法主机的IP地址和MAC地址，其同样可以接入网络。

另外，对于那些MAC地址不能直接修改的网卡来说，用户还可以采用软件的办法来修改MAC地址，即通过修改底层网络软件达到欺骗上层网络软件的目的。

3、动态修改IP地址某些攻击程序在网络上收发数据包，可以绕过上层网络软件，动态修改自己的IP地址（或IP-MAC地址对），以达到IP欺骗。

二、IP Source Guard技术介绍IP源防护（IP Source Guard，简称IPSG）是一种基于IP/MAC的端口流量过滤技术，它可以防止局域网内的IP地址欺骗攻击。

IPSG能够确保第2层网络中终端设备的IP地址不会被劫持，而且还能确保非授权设备不能通过自己指定IP地址的方式来访问网络或攻击网络导致网络崩溃及瘫痪。

交换机内部有一个IP源绑定表（IP Source Binding Table）作为每个端口接受到的数据包的检测标准，只有在两种情况下，交换机会转发数据：所接收到的IP包满足IP源绑定表中Port/IP/MAC的对应关系所接收到的是DHCP数据包其余数据包将被交换机做丢弃处理。

cisco交换机安全配置设定命令详解cisco交换机安全配置设定命令详解一、交换机访问控制安全配置1、对交换机特权模式设置密码尽量采用加密和md5hash方式switch(config)#enablesecret5pass_string其中0SpecifiesanUNENCRYPTEDpasswordwillfollow5SpecifiesanENCRYPTEDsecretwillfollow建议不要采用enablepasswordpass_sting密码，破解及其容易!2、设置对交换机明文密码自动进行加密隐藏switch(config)#servicepassword-encryption3、为提高交换机管理的灵活性，建议权限分级管理并建立多用户switch(config)#enablesecretlevel75pass_string7/7级用户进入特权模式的密码switch(config)#enablesecret5pass_string15/15级用户进入特权模式的密码switch(config)#usernameuserAprivilege7secret5pass_userA switch(config)#usernameuserBprivilege15secret5pass_userB /为7级，15级用户设置用户名和密码，Ciscoprivilegelevel 分为0-15级，级别越高权限越大switch(config)#privilegeexeclevel7commands/为7级用户设置可执行的命令,其中commands可以根据分配给用户的权限自行定义4、本地console口访问安全配置switch(config)#lineconsole0switch(config-line)#exec-timeout50/设置不执行命令操作的超时时间，单位为分钟和秒switch(config-line)#loggingsynchronous/强制对弹出的干扰日志信息进行回车换行，使用户输入的命令连续可见设置登录console口进行密码验证方式(1):本地认证switch(config-line)#password7pass_sting/设置加密密码switch(config-line)#login/启用登录验证方式(2):本地AAA认证switch(config)#aaanew-model/启用AAA认证switch(config)#aaaauthenticationloginconsole-ingroupacsserverlocalenable/设置认证列表console-in优先依次为ACSServer，local用户名和密码，enable特权密码switch(config)#lineconsole0switch(config-line)#loginauthenticationconsole-in/调用authentication设置的console-in列表5、远程vty访问控制安全配置switch(config)#access-list18permithostx.x.x.x/设置标准访问控制列表定义可远程访问的PC主机switch(config)#aaaauthenticationloginvty-ingroupacsserverlocalenable/设置认证列表vty-in,优先依次为ACSServer，local用户名和密码，enable特权密码switch(config)#aaaauthorizationcommands7vty-ingroupacsserverlocalif-authenticated/为7级用户定义vty-in授权列表，优先依次为ACSServer,local授权switch(config)#aaaauthorizationcommands15vty-ingroupacsserverlocalif-authenticated/为15级用户定义vty-in授权列表，优先依次为ACSServer,local 授权switch(config)#linevty015switch(config-line)#access-class18in/在线路模式下调用前面定义的标准ACL18switch(config-line)#exec-timeout50/设置不执行命令操作的超时时间，单位为分钟和秒switch(config-line)#authorizationcommands7vty-in/调用设置的授权列表vty-inswitch(config-line)#authorizationcommands15vty-inswitch(config-line)#loggingsynchronous/强制对弹出的干扰日志信息进行回车换行，使用户输入的命令连续可见switch(config-line)#loginauthenticationvty-in/调用authentication设置的vty-in列表switch(config-line)#transportinputssh/有Telnet协议不安全，仅允许通过ssh协议进行远程登录管理6、AAA安全配置switch(config)#aaagroupservertacacs+acsserver/设置AAA服务器组名switch(config-sg-tacacs+)#serverx.x.x.x/设置AAA服务器组成员服务器ipswitch(config-sg-tacacs+)#serverx.x.x.xswitch(config-sg-tacacs+)#exitswitch(config)#tacacs-serverkeypaa_string/设置同tacacs-server服务器通信的密钥二、交换机网络服务安全配置禁用不需要的各种服务协议switch(config)#noservicepadswitch(config)#noservicefingerswitch(config)#noservicetcp-small-serversswitch(config)#noserviceudp-small-serversswitch(config)#noserviceconfigswitch(config)#noserviceftpswitch(config)#noiphttpserverswitch(config)#noiphttpsecure-server/关闭http,https远程web管理服务，默认cisco交换机是启用的三、交换机防攻击安全加固配置MACFlooding(泛洪)和Spoofing(欺骗)攻击预防方法：有效配置交换机port-securitySTP攻击预防方法：有效配置rootguard,bpduguard,bpdufilterVLAN，DTP攻击预防方法：设置专用的nativevlan;不要的接口shut或将端口模式改为accessDHCP攻击预防方法：设置dhcpsnoopingARP攻击预防方法：在启用dhcpsnooping功能下配置DAI和port-security在级联上层交换机的trunk下switch(config)#intgix/x/xswitch(config-if)#swmodetrunkswitch(config-if)#swtrunkencapsdot1qswitch(config-if)#swtrunkallowedvlanx-xswitch(config-if)#spanning-treeguardloop/启用环路保护功能，启用loopguard时自动关闭rootguard接终端用户的端口上设定switch(config)#intgix/x/xswitch(config-if)#spanning-treeportfast/在STP中交换机端口有5个状态：disable、blocking、listening、learning、forwarding，只有处于forwarding状态的端口才可以发送数据。

1.1 IP Source Guard简介1.1.1 概述IP Source Guard功能用于对接口收到的报文进行过滤控制，通常配置在接入用户侧的接口上，以防止非法用户报文通过，从而限制了对网络资源的非法使用（比如非法主机仿冒合法用户IP接入网络），提高了接口的安全性。

IP Source Guard绑定表项可以通过手工配置和动态获取两种方式生成。

图1-1 IP Source Guard功能示意图1.6 IP Source Guard典型配置举例1.6.1 IPv4静态绑定表项配置举例1. 组网需求如图1-2所示，Host A、Host B分别与Device B的接口GigabitEthernet2/0/2、GigabitEthernet2/0/1相连；Host C与Device A的接口GigabitEthernet2/0/2相连。

Device B接到Device A的接口GigabitEthernet2/0/1上。

各主机均使用静态配置的IP地址。

要求通过在Device A和Device B上配置IPv4静态绑定表项，满足以下各项应用需求：∙ Device A的接口GigabitEthernet2/0/2上只允许Host C发送的IP报文通过。

∙ Device A的接口GigabitEthernet2/0/1上只允许Host A发送的IP报文通过。

∙ Device B的接口GigabitEthernet1/0/1上允许Host B发送的IP报文通过。

2. 组网图图1-2 配置静态绑定表项组网图3. 配置步骤(1) 配置Device A# 配置各接口的IP地址（略）。

# 在接口GigabitEthernet2/0/2上配置IPv4接口绑定功能，绑定源IP地址和MAC 地址。

<DeviceA> system-view[DeviceA] interface gigabitethernet 2/0/2[DeviceA-GigabitEthernet2/0/2] ip verify source ip-address mac-address# 配置IPv4静态绑定表项，在Device A的GigabitEthernet1/0/2上只允许MAC地址为0001-0203-0405、IP地址为192.168.0.3的数据终端Host C发送的IP报文通过。

默认情况下，交换机在二层接口上转发数据时，只查看数据包的MAC地址，并不会查看数据包的IP地址，如果要让交换机根据数据包的IP或者同时根据IP与MAC做出转发决定，有多种方法可以实现。

如根据IP 转发，可以通过在接口上应用Port ACL来实现，如果要根据MAC转发，可以通过应用port-security来实现，但无论是Port ACL还是port-security，都存在一些局限性，下面介绍一种扩展性较高的安全防护特性- IP Source Guard，IP Source Guard可以根据数据包的IP地址或IP与MAC地址做出转发决定，如果数据包的IP或MAC是不被允许的，那么数据包将做丢弃处理。

因为IP Source Guard需要根据数据包的IP或者同时根据IP与MAC做出转发决定，所以IP Source Guard 在工作时，需要有一张IP和MAC的转发表，在这张表中，明确记录着哪些IP是可以转发的，哪些MAC可以被转发，其它不能被转发的统统丢弃。

这表转发表称为IP source binding table，并且只能被IP source guard使用。

而IP source binding table表，只有在交换机上开启DHCP snooping功能后，才会生成。

IP Source Guard的这张转发表的条目可以自动学习，也可以手工静态添加，如果是自动学习，是靠DHCP snooping功能学习的，所以只有客户端是通过DHCP请求获得地址，并且DHCP服务器的回复是经过交换机时，才能被DHCP snooping学习到。

当在交换机上同时开启了IP Source Guard与DHCP snooping后，交换机将在开启了的接口上拒绝所有流量通过，只放行DHCP流量，并且会自动应用一条ACL到接口上，也只有ACL允许的IP才能通过，这条ACL无法在正常配置中查看，只能通过表的方式查看。

在网络中，防火墙、交换机和路由器通常是网络安全的重要组成部分。

以下是一个简单的示例，演示如何配置一个具有防火墙功能的路由器和交换机。

请注意，实际配置可能会根据您的网络架构和设备型号而有所不同。

设备列表：路由器：使用Cisco设备作为示例，实际上可以是其他厂商的路由器。

路由器IP地址：192.168.1.1交换机：同样，使用Cisco设备作为示例。

交换机IP地址：192.168.1.2防火墙规则：允许内部网络向外部网络发出的通信。

阻止外部网络对内部网络的未经请求的通信。

配置示例：1. 配置路由器：Router(config)# interface GigabitEthernet0/0Router(config-if)# ip address 192.168.1.1 255.255.255.0Router(config-if)# no shutdownRouter(config)# interface GigabitEthernet0/1Router(config-if)# ip address [外部IP地址] [外部子网掩码]Router(config-if)# no shutdownRouter(config)# ip route 0.0.0.0 0.0.0.0 [外部网关]2. 配置防火墙规则：Router(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 anyRouter(config)# access-list 101 deny ip any 192.168.1.0 0.0.0.255Router(config)# access-list 101 permit ip any anyRouter(config)# interface GigabitEthernet0/1Router(config-if)# ip access-group 101 in3. 配置交换机：Switch(config)# interface Vlan1Switch(config-if)# ip address 192.168.1.2 255.255.255.0Switch(config-if)# no shutdown配置说明：路由器通过两个接口连接内部网络（192.168.1.0/24）和外部网络。

转－－guard配置Guard 配置Step by Step1. Guard的连接和初始配置对Guard的起始配置是需要通过串行线连接的，使用admin用户名，缺省口令为rhadmin。

Console8 ,N , 1 , Flow control: None ) Properties SettingsInsert the following values and click OK:Emulation: VT100Telnet terminal ID: VT100Backscroll buffer lines: 500login prompt: admin/rhadmin2. Guard命令行配置网络部分连接物理端口：Interfaces: Eth0(百兆带外)－常用, Eth1 (千兆带外)Giga0 与 Giga1 ( 首选带内 copper / fiber )配置管理端口，带内GE端口的相关地址。

user@GUARD # Config terminaluser@GUARD-conf#interface giga1 ( 网络端口,可配置子接口)user@GUARD-conf-if-giga1# ip address 61.55.134.243 255.255.255.248user@GUARD-conf-if-giga1# no shutdownuser@GUARD-conf-if-giga1# exituser@GUARD-conf#interface eth0 ( 管理端口 ,注意接对端口)user@GUARD-conf-if-eth0# ip address 221.192.133.111 255.255.254.0user@GUARD-conf-if-eth0# no shutdownuser@GUARD-conf-if-eth0# exit启动SSH和WBM服务，并标明允许SSH, WEB访问的源地址。

第29章IP Source Guard配置本章主要介绍IP Source Guard功能的使用和配置方法。

本章主要内容：●IP Source Guard功能简介●IP Source Guard基本指令描述●IP Source Guard配置示例●IP Source Guard监控和调试29.1IP Source Guard功能简介通过IP Source Guard绑定功能，可以对端口转发的报文进行过滤控制，防止非法IP地址和MAC地址的报文通过端口，提高了端口的安全性。

端口接收到报文后，通过查找IP Source Guard绑定表项，根据端口上所指定的过滤方式，对报文进行如下处理：⏹当端口的过滤方式为IP过滤时：如果报文中的源IP地址与绑定表项中记录的IP地址相同，端口将转发该报文；若不相同，则丢弃；⏹当端口的过滤方式为IP+MAC过滤时：如果报文中的源MAC地址和源IP地址与绑定表项中记录的MAC地址和IP地址相同，端口将转发该报文；若不相同，则丢弃。

IP Source Guard绑定表项有两个来源，一是IP Source Guard自己手工配置的静态绑定表项，二是直接引用DHCP Snooping所维护的表项。

29.2IP Source Guard基本指令描述注：命令描述前带“*”符号的表示该命令有配置实例详细说明。

注意：一．RM1800-21-AC，RM1800-22-AC和RM1800-23-AC三款设备不支持ip source guard所有配置。

二．以上关于端口的配置只能在LAN上配置生效不能在W AN上配置。

⏹ip source binding在端口开启IP Source Guard功能的情况下，会将配置的绑定表写入交换芯片硬件中，从而实现IP 报文的过滤，具体写入交换芯片硬件的条数由交换芯片硬件分配给IP Source Guard的资源数决定。

如果分配给IP Source Guard功能的交换芯片硬件资源已使用完，还需要添加绑定条目或开启其它端口上的IP Source Guard绑定功能，则需要添加交换芯片硬件资源或删除一些绑定条目，重启设备后才可以继续分配。

您好：感谢您使用H3C的系列产品和长期以来对我们工作的支持！！推荐您使用ip源防护来防止ARP攻击比较好：如果您网络内使用DHCP分配，则使用动态ip源防护；如果您网络内的PC都是使用手工分配IP地址，这推荐您使用静态源防护，具体操作请参考以下内容:1.1 IP Source Guard简介通过IP Source Guard绑定功能，可以对端口转发的报文进行过滤控制，防止非法IP地址和MAC地址的报文通过端口，提高了端口的安全性。

端口接收到报文后查找IP Source Guard绑定表项，如果报文中的特征项与绑定表项中记录的特征项匹配，则端口转发该报文，否则做丢弃处理。

IP Source Guard支持的报文特征项包括：源IP地址、源MAC地址，可支持端口与如下特征项的组合（下文简称绑定表项）：●源IP●源MAC●源IP＋源MAC该特性提供两种绑定机制：一种是通过手工配置方式提供绑定表项，称为静态绑定；另外一种由DHCP Snooping提供绑定表项，称为动态绑定。

而且，绑定是针对端口的，一个端口被绑定后，仅该端口被限制，其他端口不受该绑定影响。

注意：IP Source Guard功能与端口加入聚合组互斥。

1.2 配置静态绑定表项表1-1 配置静态绑定表项说明：●绑定策略：不支持一个端口上相同表项的重复绑定；相同的表项可以在多个端口上绑定。

●合法绑定表项的MAC地址不能为全0、全F（广播MAC）和组播MAC，IP地址必须为A、B、C三类地址之一，不能为127.x.x.x和0.0.0.0。

1.3 配置动态绑定功能端口上使能动态绑定功能后，根据设备对各动态绑定类型的支持情况，IP Source Guard会选择接收并处理相应的DHCP Snooping表项。

表项内容包括MAC地址、IP地址、VLAN信息、端口信息及表项类型。

IP Source Guard把这些动态获取的表项添加到动态绑定表项中，实现过滤端口转发报文的功能。

配置局域网的安全特性，防止地址乱配，ARP攻击等弊病！1、启用DHCP SNOOPING全局命令：ip dhcp snooping vlan 10,20,30no ip dhcp snooping information optionip dhcp snooping database flash:dhcpsnooping.text //将snooping表保存到单独文档中，防止掉电后消失。

ip dhcp snooping接口命令:ip dhcp snooping trust //将连接DHCP服务器的端口设置为Trust，其余unTrust（默认）2、启用DAI，防止ARP欺骗和中间人攻击！通过手工配置或者DHCP监听snooping，交换机将能够确定正确的端口。

如果ARP应答和snooping不匹配，那么它将被丢弃，并且记录违规行为。

违规端口将进入err-disabled状态，攻击者也就不能继续对网络进行进一步的破坏了！全局命令ip arp inspection vlan 30接口命令（交换机之间链路配置DAI信任端口，用户端口则在默认的非信任端口）：ip arp inspection trustip arp inspection limit rate 1003、启用IPSG前提是启用IP DHCP SNOOPING，能够获得有效的源端口信息。

IPSG是一种类似于uRPF （单播反向路径检测）的二层接口特性，uRPF可以检测第三层或路由接口。

接口命令：switchport mode accswitchport port-securityip verify source vlan dhcp-snooping port-security4、关于几个静态IP的解决办法可通过ip dhcp snooping binding 1.1.1 vlan 1 1.1.1.1 interface gi0/8通过arp access-list添加静态主机:arp access-list static-arppermit ip host 192.168.1.1 mac host 0000.0000.0003ip arp inspection filter static-arp vlan 30DHCP 中绑定固定IP：ip dhcp pool testhost 192.168.1.18 255.255.255.0 （分给用户的IP）client-identifier 0101.0bf5.395e.55（用户端mac）client-name test思科交换机在全局配置模式下开启IP DHCP SNOOPING后，所有端口默认处于DHCP SNOOPING UNTRUSTED模式下，但DHCP SNOOPINGINFORMATION OPTION功能默认是开启的，此时DHCP报文在到达一个SNOOPING UNTRUSTED 端口时将被丢弃。

RG-NBS5750-E系列交换机NBS5750_RGOS11.4(1)B70文档版本 ：V1.0copyright © 2018锐捷网络版权声明copyright © 2018锐捷网络保留对本文档及本声明的一切权利。

未得到锐捷网络的书面许可，任何单位和个人不得以任何方式或形式对本文档的部分内容或全部进行复制、摘录、备份、修改、传播、翻译成其他语言、将其全部或部分用于商业用途。

以上均为锐捷网络的商标。

本文档提及的其他所有商标或注册商标，由各自的所有人拥有。

免责声明您所购买的产品、服务或特性等应受商业合同和条款的约束，本文档中描述的全部或部分产品、服务或特性可能不在您的购买或使用范围之内。

除非合同另有约定，锐捷网络对本文档内容不做任何明示或默示的声明或保证。

由于产品版本升级或其他原因，本文档内容会不定期进行更新。

锐捷网络保留在没有任何通知或者提示的情况下对文档内容进行修改的权利。

本手册仅作为使用指导。

锐捷网络在编写本手册时已尽力保证其内容准确可靠，但并不确保手册内容完全没有错误或遗漏，本手册中的所有信息也不构成任何明示或暗示的担保。

前 言读者对象本书适合下列人员阅读●网络工程师●技术推广人员●网络管理员技术支持●锐捷睿易官方网站：/●锐捷睿易在线客服：●锐捷网络官方网站服务与支持版块：/service.aspx●7×24小时技术服务热线：400-100-0078●睿易网络技术论坛：/●常见问题搜索：/service/know.aspx●锐捷网络技术支持与反馈信箱：*********************.cn本书约定1. 命令行格式约定命令行格式意义如下：粗体：命令行关键字（命令中保持不变必须照输的部分）采用加粗字体表示。

斜体：命令行参数（命令中必须由实际值进行替代的部分）采用斜体表示[ ] ：表示用[ ] 括起来的部分，在命令配置时是可选的。

{ x | y | ... }：表示从两个或多个选项中选取一个。

IP Source Guard配置说明IP Source Guard原文说明：IP Source Guard解释----IP Source Guard是一种二层网络安全技术，应用在一个非路由端口下，可以通过dhcp状态表或手工绑定的ip binding进行流量的严格限制。

应用后，在端口下会被产生一个隐藏的port acl，该acl将限制只有ip source binding的数据流可以流过该端口----IP Source Guard可以应用在accesss端口，也可以应用在trunk端口下----使用IP Source Guard时，必须配合ip dhcp snooping使用，当应用在access端口下时，打开该端口所属VLAN的ip dhcp snooping，应用在trunk口下时，打开终端连接端口所属VLAN的ip dhcp snooping----IP Source Guard可以基于ip地址进行流量过滤（只要ip地址符合即可通过）；也可以基于ip 和mac 进行过滤（必须ip和mac同时匹配才可以通过），页脚内容1IP Source Guard配置及步骤说明以下所有的说明基于以下拓扑：拓扑说明：一台核心交换机，提供vlan 30，vlan 40的网关，通过trunk与接入层交换机连接，所有的配置在核心交换机上完成，接入层交换机上使用了两个vlan(30,40)，user1 和user2分别位于vlan 30和vlan 401.打开dhcp snooping功能命令：(config)#ip dhcp snooping2.在需要进行IP Source Guard的vlan下打开dhcp snooping功能，针对某个vlan进行实施，如果有多个vlan，则需要打开多个vlan的dhcp snooping功能（这里举例vlan 40）命令：(config)# ip dhcp snooping vlan 403.进行IP和MAC地址绑定，例如：命令：ip source binding 00C0.9F40.148E vlan 40 10.30.3.2 interface Gi3/24/*在vlan 40内，将00C0.9F40.148E 与10.30.3.2进行绑定，并应用到端口gi3/24*/页脚内容24.在端口启用ip source guard （参数port-security表示同时基于ip和mac地址过滤）命令：ip verify source vlan dhcp-snooping port-security/*IOS版本的不同，这命令行可能不一致，有些版本命令行为ip verify source port-security */5.检查命令：show ip source bindingShow ip verify source6.检查终端ping的情况页脚内容3。

Cisco 300 Series SwitchesCisco Small BusinessEasy-to-Use Managed Switches that Provide the Ideal Combination of Features and AffordabilityTo stay ahead in a competitive marketplace, small businesses need to make every dollar count. That means getting the most value from your technology investments, but it also means making sure that employees have fast, reliable access to the business tools and information they need. Every minute an employee waits for an unresponsive application – and every minute your network is down – has an impact on your bottom line. The importance of maintaining a strong and dependable business network only grows as your business adds more employees, applications, and network complexity.When your business needs advanced security and features but value is still a top consideration, you’re ready for the new generation of Cisco® Small Business managed switches: the Cisco 300 Series.Cisco 300 Series SwitchesThe Cisco 300 Series, part of the Cisco Small Business line of network solutions, is a portfolio of affordable managed switches that provides a reliable foundation for your business network. These switches deliver the features you need to improve the availability of your critical business applications, protect your sensitive information, and optimize your network bandwidth to deliver information and applications more effectively. Easy to set up and use, the Cisco 300 Series provides the ideal combination of affordability and capabilities for small businesses, and helps you create a more efficient, better-connected workforce.The Cisco 300 Series is broad portfolio of fixed-configuration managed Ethernet switches. Models are available with 8 to 48 ports of Fast Ethernet and 10 to 52 ports of Gigabit Ethernet connectivity, providing optimal flexibility to create exactly the right network foundation for your business. However, unlike other small business switching solutions that provide managed network capabilities only in the costliest models, all Cisco 300 Series Switches support the advanced security management capabilities and network features you need to support business-class data, voice, security, and wireless technologies. At the same time, these switches are simple to deploy and configure, allowing you to take advantage of the managed network services your business needs.Business ApplicationsWhether you need a basic high-performance network to connect employee computers or a solution to deliver data, voice, and video services, the Cisco 300 Series offers a solution to meet your needs. Possible deployment scenarios include:●Secure desktop connectivity: Cisco 300 Series Switches can simply and securely connectemployees working in small offices with each other and with all of the servers, printers, and other devices they use. High performance and reliable connectivity helps speed file transfers and data processing, improves network uptime, and keeps your employees connected and productive.●Secure Wireless connectivity: With its advanced Security features, Power over Ethernet, AutoSmartports, QoS, VLAN and Access Control features, the Cisco 300 Series Switches are the perfect foundation to add Business Grade wireless to an SMB network.●Unified communications: As a managed network solution, the Cisco 300 Series provides theperformance and advanced traffic-handling intelligence you need to deliver all communications and data over a single network. Cisco offers a complete portfolio of IP telephony and other unifiedcommunications products designed for small businesses. Cisco 300 Series Switches have been rigorously tested to help ensure easy integration and full compatibility with these and other products, providing a complete small business solution.●Highly secure guest connectivity. Cisco 300 Series Switches let you extend highly secure networkconnectivity to guests in a variety of settings, such as a hotel, an office waiting room, or any other area open to nonemployee users. Using powerful but easy-to-configure security and traffic segmentation capabilities, you can isolate your vital business traffic from guest services and keep guests’ network sessions private from each other.Features and BenefitsCisco 300 Series Switches provide security, performance, traffic management, and other capabilities –optimized and customized, and at the right price for small businesses. The Cisco 300 Series provides:●High performance and reliability: Cisco 300 Series Switches have been rigorously tested to deliverthe high availability and performance you expect from a Cisco switch. The solutions speed up file transfer times and improve slow, sluggish networks, while keeping your vital business applications available and preventing costly downtime. As a managed switching solution, the Cisco 300 Series also gives you the flexibility to manage and prioritize high-bandwidth traffic such as voice. That means you can empower your employees with state-of-the-art communication and productivity solutions, without draining the performance of your other business applications.●Fast, easy setup and configuration: Cisco 300 Series Switches are designed to be easy to use andmanage by small businesses and the partners who serve them. The included device manager software provides an intuitive, web-based interface to simplify setup, security, and quality of service (QoS) traffic prioritization, allowing even users without IT expertise to configure the switch in minutes. Cisco also provides a Cisco FindIT Network Discovery Utility. This utility that works through a simple toolbar on the user’s web browser to discover Cisco devices in the network and display basic information, such as serial numbers and IP addresses, to aid in the configuration and deployment of Cisco Small Business products. For more information, and to download the utility, please visit /go/findit.These switches use Cisco Discovery Protocol as well as Link Layer Discovery Protocol (LLDP-MED) to automatically detect all the devices connected to your network, and then automatically configure themselves for the appropriate connectivity and instructs the devices to use appropriate voice VLAN orQoS parameters. For more advanced capabilities and hands-on control, the switches supportSmartport roles which configure the ports with specific levels of Security, QoS, and availabilityaccording to the type of connected device, based on Cisco best practices and pretested configurations.The Auto Smartports feature applies the intelligence delivered through the Smartport roles and applies it automatically to the port based on the devices discovered over CDP or LLDP-MED. This facilitates zero touch deployments. Although the Cisco 300 Series is designed to be deployed without using a command-line interface (CLI), Cisco Textview is available for those who prefer to use text-based configuration. Together, these features reduce the time your staff must devote to network deployment, management, and troubleshooting.●Strong security: The Cisco 300 Series Switches provide a high level of security and give you fine-grained control to safeguard your network from unauthorized users. Advanced security featuresinclude:◦Embedded security to protect management data traveling to and from the switch and encrypt network communications.◦Extensive access control lists (ACLs) to restrict sensitive portions of the network from unauthorized users and guard against network attacks.◦Guest virtual LANs (VLANs) to let you provide Internet connectivity to nonemployee users while isolating critical business services from guest traffic.◦Support for advanced network security applications such as IEEE 802.1X port security to tightly limit access to specific segments of your network. Web based authentication provides a consistentinterface to authenticate all types of host devices and operating systems, without the complexity of deploying IEEE 802.1X clients on each endpoint.◦Time based ACLs and Port Operation restrict access to the network during predesignated times, such as business hours.◦Security mechanisms such as, Bridge Protocol Data Unit (BPDU) Guard andbroadcast/multicast/unknown unicast storm control, protect the network from invalid configurations or malicious intent.◦Secure Core Technology (SCT) helps ensure that the switch will receive and process management and protocol traffic no matter how much traffic is received.◦Advanced defense mechanisms, including Dynamic ARP Inspection (DAI), IP Source Guard, and Dynamic Host Configuration Protocol (DHCP) snooping, detect and block deliberate network attacks.Combinations of these protocols are also referred to as IPMB (IP-MAC-port binding).◦IPv6 First Hop Security extends the advanced threat protection to IPv6. This comprehensive security suite includes ND inspection, RA guard, DHCPv6 guard and neighbor binding integrity check,providing unparalleled protection against a vast range of address spoofing and man in the middle attack on IPv6 networks.◦DOS (denial-of-service) attack prevention maximizes network uptime in the presence of an attack. ◦Protection of management sessions using Radius, TACACS+ and local database authentication as well as secure management sessions over SSL, SSH, and SNMPv3.●Power over Ethernet: Cisco 300 Series Switches are available with up to 48 PoE ports of FastEthernet or Gigabit Ethernet connectivity. This capability simplifies advanced technology deployments such as IP telephony, wireless, and IP surveillance by allowing you to connect and power network endpoints over a single Ethernet cable. With no need to install separate power supplies for IP phones or wireless access points, you can take advantage of advanced communications technologies more quickly, and at a lower cost. Some models support both IEEE 802.3af PoE and IEEE 802.3at PoE+ while others support IEEE 802.3af PoE only.●IP telephony support: Cisco 300 Series Switches include embedded QoS intelligence to prioritizedelay-sensitive services such as voice and video, simplify unified communications deployments, and help ensure consistent network performance for all services. For example, automated voice VLAN capabilities let you plug any IP phone (including third-party phones) into your IP telephony network and receive an immediate dial tone. The switch automatically configures the device with the right VLAN and QoS parameters to prioritize voice traffic.●Networkwide Automatic Voice Deployment: Using a combination of CDP, LLDP-MED, AutoSmartports, and VSDP (Voice Services Discovery Protocol – a unique patent-pending Cisco protocol), customers can deploy an end-to-end voice network dynamically. The switches in the networkautomatically converge around a single voice VLAN and QoS parameters and then propagate them out to the phones on the ports where they are discovered. For example, automated voice VLAN capabilities let you plug any IP phone (including third-party phones) into your IP telephony network and receive an immediate dial tone. The switch automatically configures the device with the right VLAN and QoS parameters to prioritize voice traffic.●Advanced network management capabilities: As managed switches, the Cisco 300 Series lets youuse a variety of advanced features to control traffic over your network. Features include:◦Static routing/Layer 3 switching between VLANs: This capability allows you to segment your network into separate workgroups and communicate across VLANs without degrading applicationperformance. As a result, you can manage internal routing with your switches and dedicate your router to external traffic and security, helping your network run more efficiently.◦IPv6 support: As the IP network addressing scheme evolves to accommodate more devices, you can make sure that your network is ready. The Cisco 300 Series provides native support for IPv6, the newest version of the Internet Protocol, as well as the previous IPv4 standard. As a result, you will be able to move up to the next generation of networking applications and operating systems without an extensive equipment upgrade.◦Dual image support: With the ability to maintain dual images of your switches, you can perform software upgrades without having to take the network offline and without worrying about an outage during an upgrade.◦Dual Configuration files support: Allows configuring the device, validating that it is configured correctly and then saving this configuration to become effective after reboot. Additionally, a mirror configuration file, providing automatic back-up of the latest stable configuration file maximizesnetwork uptime.◦Remote management: Using Simple Network Management Protocol (SNMP), you can set up and manage all switches and other Cisco devices in your network remotely, instead of having to directly connect to them.◦Additional management options: The switches can be fully managed using the Web GUI or using a full command-line interface (CLI).●Optimal energy efficiency: Cisco 300 Series Switches are designed with a variety of power-savingfeatures across all models, providing the industry’s broadest portfolio of “green” s witches. These switches optimize power use to protect the environment and reduce energy costs, withoutcompromising performance. Power-saving features include:◦The latest application-specific integrated circuits (ASICs), using low-power 65-nanometer technology (these chipsets allow for lower power consumption and thinner, more efficient designs).◦Support for the Energy Efficient Ethernet (IEEE 802.3az) standard, which reduces energy consumption by monitoring the amount of traffic on an active link and putting the link into a sleep state during quiet periods.◦Automatic power shutoff on ports when a link is down.◦Embedded intelligence to adjust signal strength based on cable length.◦Fanless design in most models, which reduces power consumption, increases reliability, and provides quieter operation.◦LEDs can be turned off to conserve power.●Expansion ports: The Cisco 300 Series provides more ports per Gigabit Ethernet switch thantraditional switch models, giving you more flexibility to connect and empower your business. Gigabit Ethernet models feature 28- and 52-port switches, versus traditional devices that offer 20 or 44 ports with four shared ports giving you more value. The Cisco 300 Series also offers mini gigabit interface converter (mini-GBIC) expansion slots that give you the option to add fiber-optic or Gigabit Ethernet uplink connectivity to the switch. With the ability to increase the connectivity range of the switches, you have more flexibility to design your network around your unique business environment, and to easily connect switches on different floors or across the business.●Multiple languages: The Cisco 300 Series is available in seven languages: English, French, German,Italian, Spanish, Japanese, and simplified Chinese. All product user interfaces and documentation are translated, giving you the ability to select your preferred language.●Peace of mind and investment protection: Cisco 300 Series Switches offer the reliable performance,investment protection, and peace of mind you expect from a Cisco switch. When you invest in the Cisco 300 Series, you gain the benefit of:◦Cisco limited lifetime warranty with next business day advance replacement (where available).◦Rigorous testing to help ensure easy integration and compatibility with other Cisco networking and communications products, including the complete Cisco Small Business portfolio.●Service and Support: Cisco 300 Series Switches are backed by the Cisco Small Business SupportService, which provides affordable peace-of-mind coverage. This subscription-based service helps you protect your investment and derive maximum value from Cisco Small Business products. Delivered by Cisco and backed by your trusted partner, this comprehensive service includes software updates, access to the Cisco Small Business Support Center, and extends technical service to three years.Cisco Small Business products are supported by professionals in Cisco Small Business Support Center locations worldwide who are specifically trained to understand your needs. The Cisco Small Business Support Community, an online forum, enables you to collaborate with your peers and reach Cisco technical experts for support information.●Cisco Limited Lifetime Hardware Warranty: Cisco 300 Series Switches offer a limited lifetimehardware warranty with next business day advance replacement (where available, otherwise same day ship) and a limited lifetime warranty for fans and power supplies. In addition, Cisco offers software application updates for bug fixes for the warranty term, and telephone technical support at no charge for the first 12 months following the date of purchase. To download software updates, go to:/cisco/web/download/index.html.Product warranty terms and other information applicable to Cisco products are available at/go/warranty.Product SpecificationsTable 1 gives the product specifications for the Cisco 300 Series Switches.Table 1. Product SpecificationsStandard MIBs (continued) SNMPv2-MIBSNMPv2-SMISNMPv2-TMRMON-MIB.mydcb-raj-DCBX-MIB-1108-MIBrfc1724-MIBRFC-1212.my_for_MG-Softrfc1213-MIBrfc1757-MIBRFC-1215.mySNMPv2-CONF.mySNMPv2-TC.myrfc2674-MIBrfc2575-MIBrfc2573-MIBrfc2233-MIBrfc2013-MIB rfc1907-MIB rfc2571-MIB rfc2572-MIB rfc2574-MIB rfc2576-MIB rfc2613-MIB rfc2665-MIB rfc2668-MIB rfc2737-MIB rfc2925-MIB rfc3621-MIB rfc4668-MIB rfc4670-MIB trunk-MIB tunnel-MIB udp-MIBPrivate MIBs CISCOSB-lldp-MIBCISCOSB-brgmulticast-MIBCISCOSB-bridgemibobjects-MIBCISCOSB-bonjour-MIBCISCOSB-dhcpcl-MIBCISCOSB-MIBCISCOSB-wrandomtaildrop-MIBCISCOSB-traceroute-MIBCISCOSB-telnet-MIBCISCOSB-stormctrl-MIBCISCOSB-ssh-MIBCISCOSB-socket-MIBCISCOSB-sntp-MIBCISCOSB-smon-MIBCISCOSB-phy-MIBCISCOSB-multisessionterminal-MIBCISCOSB-mri-MIBCISCOSB-jumboframes-MIBCISCOSB-gvrp-MIBCISCOSB-endofmib-MIBCISCOSB-dot1x-MIBCISCOSB-deviceparams-MIBCISCOSB-cli-MIBCISCOSB-cdb-MIBCISCOSB-brgmacswitch-MIBCISCOSB-3sw2swtables-MIBCISCOSB-smartPorts-MIBCISCOSB-tbi-MIBCISCOSB-macbaseprio-MIBCISCOSB-policy-MIBCISCOSB-env_mibCISCOSB-sensor-MIBCISCOSB-aaa-MIBCISCOSB-application-MIBCISCOSB-bridgesecurity-MIBCISCOSB-copy-MIBCISCOSB-CpuCounters-MIBCISCOSB-Custom1BonjourService-MIB CISCOSB-ip-MIBCISCOSB-iprouter-MIB CISCOSB-ipv6-MIBCISCOSB-mnginf-MIB CISCOSB-lcli-MIBCISCOSB-localization-MIB CISCOSB-mcmngr-MIB CISCOSB-mng-MIBCISCOSB-physdescription-MIB CISCOSB-Poe-MIBCISCOSB-protectedport-MIB CISCOSB-rmon-MIBCISCOSB-rs232-MIBCISCOSB-SecuritySuite-MIB CISCOSB-snmp-MIBCISCOSB-specialbpdu-MIB CISCOSB-banner-MIB CISCOSB-syslog-MIB CISCOSB-TcpSession-MIB CISCOSB-traps-MIBCISCOSB-trunk-MIBCISCOSB-tuning-MIB CISCOSB-tunnel-MIB CISCOSB-udp-MIBCISCOSB-vlan-MIBCISCOSB-ipstdacl-MIBCISCO-SMI-MIBCISCOSB-DebugCapabilities-MIB CISCOSB-CDP-MIBCISCOSB-vlanVoice-MIB CISCOSB-EVENTS-MIB CISCOSB-sysmng-MIB CISCOSB-sct-MIBCISCO-TC-MIBCISCO-VTP-MIBCISCO-CDP-MIBCISCOSB-eee-MIBCISCOSB-ssl-MIBOrdering InformationTable 2 provides ordering information for the Cisco 300 Series Switches. Table 2. Cisco 300 Series Switches Ordering InformationEach combo mini-GBIC port has one 10/100/1000 Ethernet port and one mini-GBIC/SFP Gigabit Ethernet slot, with one port active at a time.Table 3. MFE and MGE Transceiver Ordering InformationA Powerful, Affordable Foundation for Your Small Business NetworkAs you strive to make your employees as productive and effective as possible, your business applications and information – and the network that delivers them – become an ever more vital part of your business. You need a technology foundati on that can meet your business’s needs today and in the future, and that delivers the right feature set at the right price. The Cisco 300 Series portfolio of managed switches provides the reliability, performance, security, and capabilities you need to power your business.For More InformationTo find out more about the Cisco 300 Series, visit /go/300switches.。

目录1 IP Source Guard配置························································································································· 1-11.1 IP Source Guard简介 ························································································································ 1-11.1.1 概述 ········································································································································ 1-11.1.2 绑定功能介绍 ·························································································································· 1-21.2 配置IPv4绑定功能····························································································································· 1-31.2.1 配置IPv4静态绑定功能··········································································································· 1-31.2.2 配置IPv4动态绑定功能··········································································································· 1-31.3 配置IPv6绑定功能····························································································································· 1-41.3.1 配置IPv6静态绑定功能··········································································································· 1-41.3.2 配置IPv6动态绑定功能··········································································································· 1-51.4 IP Source Guard显示和维护 ············································································································· 1-51.5 IP Source Guard典型配置举例·········································································································· 1-61.5.1 IPv4静态绑定表项配置举例 ··································································································· 1-61.5.2 与DHCP Snooping配合的IPv4动态绑定功能配置举例 ·························································· 1-71.5.3 与DHCP Relay配合的IPv4动态绑定功能配置举例 ································································ 1-91.5.4 IPv6静态绑定表项配置举例 ································································································· 1-101.5.5 与DHCPv6 Snooping配合的IPv6动态绑定表项配置举例····················································· 1-101.5.6 与ND Snooping配合的IPv6动态绑定表项配置举例 ····························································· 1-121.6 常见配置错误举例 ··························································································································· 1-131.6.1 静态绑定表项配置和动态绑定功能配置失败········································································· 1-131 IP Source Guard配置•本文所指的交换机（switch）或设备（device）可以代表WX3000E系列有线无线一体化交换机的交换引擎。