Data center anti-ARP-spoofing and anti-IP-theft configuration.

By hack520 on

Requirements: every machine gets its own VLAN, and no public IP may be wasted.

Data center allocation: 1.1.1.0/28

Log in to the router and create the VLANs. ether3 is the port linked to the switch; create as many VLANs as there are IPs.

# Note not in the original post: the servers below use 1.1.1.1 as their gateway, an
# address this router does not own, so the router must answer ARP for it on every
# VLAN; on RouterOS that is arp=proxy-arp on each VLAN interface.
/interface vlan
add interface=ether3 name=vlan100 vlan-id=100
add interface=ether3 name=vlan101 vlan-id=101
add interface=ether3 name=vlan102 vlan-id=102
add interface=ether3 name=vlan103 vlan-id=103
add interface=ether3 name=vlan104 vlan-id=104
add interface=ether3 name=vlan105 vlan-id=105
add interface=ether3 name=vlan106 vlan-id=106
add interface=ether3 name=vlan107 vlan-id=107
add interface=ether3 name=vlan108 vlan-id=108
add interface=ether3 name=vlan109 vlan-id=109
add interface=ether3 name=vlan110 vlan-id=110
add interface=ether3 name=vlan111 vlan-id=111
add interface=ether3 name=vlan112 vlan-id=112
add interface=ether3 name=vlan113 vlan-id=113
add interface=ether3 name=vlan114 vlan-id=114
add interface=ether3 name=vlan115 vlan-id=115

Add the gateway IP. Just use .254 of the allocated range; it is a fake gateway anyway. Then apply it to every VLAN.

# An address given without a prefix length is a /32 on RouterOS, so the same
# host address can sit on every VLAN without overlapping subnets.
/ip address
add address=1.1.1.254 interface=vlan100 network=1.1.1.254
add address=1.1.1.254 interface=vlan101 network=1.1.1.254
add address=1.1.1.254 interface=vlan102 network=1.1.1.254
add address=1.1.1.254 interface=vlan103 network=1.1.1.254
add address=1.1.1.254 interface=vlan104 network=1.1.1.254
add address=1.1.1.254 interface=vlan105 network=1.1.1.254
add address=1.1.1.254 interface=vlan106 network=1.1.1.254
add address=1.1.1.254 interface=vlan107 network=1.1.1.254
add address=1.1.1.254 interface=vlan108 network=1.1.1.254
add address=1.1.1.254 interface=vlan109 network=1.1.1.254
add address=1.1.1.254 interface=vlan110 network=1.1.1.254
add address=1.1.1.254 interface=vlan111 network=1.1.1.254
add address=1.1.1.254 interface=vlan112 network=1.1.1.254
add address=1.1.1.254 interface=vlan113 network=1.1.1.254
add address=1.1.1.254 interface=vlan114 network=1.1.1.254
add address=1.1.1.254 interface=vlan115 network=1.1.1.254

Log in to the switch and configure the port facing the router as a trunk.

interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ vlan100 vlan101 vlan102 vlan103 vlan104 vlan105 vlan106 vlan107 vlan108 vlan109 vlan110 vlan111 vlan112 vlan113 vlan114 vlan115 ];
                }
            }
        }
    }
}
top
edit vlans
set vlan100 vlan-id 100
set vlan101 vlan-id 101
set vlan102 vlan-id 102
set vlan103 vlan-id 103
set vlan104 vlan-id 104
set vlan105 vlan-id 105
set vlan106 vlan-id 106
set vlan107 vlan-id 107
set vlan108 vlan-id 108
set vlan109 vlan-id 109
set vlan110 vlan-id 110
set vlan111 vlan-id 111
set vlan112 vlan-id 112
set vlan113 vlan-id 113
set vlan114 vlan-id 114
set vlan115 vlan-id 115

Assign a VLAN to each server-facing switch port.

A server is connected to ge-0/0/2.

top
set vlans vlan100 interface ge-0/0/2.0
commit

Then go back to the router and assign addresses to the server on switch port 2, e.g. 1.1.1.2 to 1.1.1.5 for the machine in VLAN100.

# One /32 route per assigned address: the router only sends traffic for an address
# into the VLAN it was assigned to, so a host in another VLAN cannot claim it.
/ip route
add distance=1 dst-address=1.1.1.2/32 gateway=vlan100
add distance=1 dst-address=1.1.1.3/32 gateway=vlan100
add distance=1 dst-address=1.1.1.4/32 gateway=vlan100
add distance=1 dst-address=1.1.1.5/32 gateway=vlan100

Then configure the server's network settings:

IP address: 1.1.1.2

Netmask: 255.255.255.0

Gateway: 1.1.1.1

That is all it needs. ARP spoofing is not possible, nor is stealing other unassigned IPs.
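The whole procedure above, as an added example that is not part of the original post: a small Python generator that emits the RouterOS VLAN, address and /32 route lines and the Junos VLAN lines for a given allocation, and rejects the three mistakes that would defeat the scheme (an address outside the allocation, a VLAN that was never created, or one address pinned to two VLANs). The constants, the Junos `vlans` hierarchy and the `.0` logical unit are assumptions.

```python
import ipaddress

# Constructed example values mirroring the post: the /28 allocation, the .254
# fake gateway, the router uplink ether3 and VLAN ids starting at 100.
ALLOCATION, FAKE_GATEWAY, UPLINK, FIRST_VLAN = "1.1.1.0/28", "1.1.1.254", "ether3", 100

def vlan_ids(allocation=ALLOCATION, first_vlan=FIRST_VLAN):
    """One VLAN id per address in the allocation ("as many VLANs as there are IPs")."""
    return list(range(first_vlan, first_vlan + ipaddress.ip_network(allocation).num_addresses))

def router_vlan_lines(allocation=ALLOCATION, uplink=UPLINK, fake_gw=FAKE_GATEWAY):
    """RouterOS: create each VLAN on the uplink and put the /32 fake gateway on it."""
    vids = vlan_ids(allocation)
    lines = ["/interface vlan"]
    lines += [f"add interface={uplink} name=vlan{v} vlan-id={v}" for v in vids]
    lines.append("/ip address")
    lines += [f"add address={fake_gw}/32 interface=vlan{v} network={fake_gw}" for v in vids]
    return lines

def host_route_lines(assignments, allocation=ALLOCATION):
    """RouterOS /32 routes pinning each assigned address to exactly one VLAN.

    assignments maps vlan_id -> list of addresses.  An address outside the allocation,
    a VLAN that was never created, or an address pinned to two VLANs is rejected: any
    of them would make the address reachable from a VLAN it was not assigned to.
    """
    net, vids, owner = ipaddress.ip_network(allocation), vlan_ids(allocation), {}
    lines = ["/ip route"]
    for vid, ips in sorted(assignments.items()):
        if vid not in vids:
            raise ValueError(f"vlan{vid} was not created for {net}")
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if addr not in net:
                raise ValueError(f"{addr} is outside the allocation {net}")
            if addr in owner:
                raise ValueError(f"{addr} is already pinned to vlan{owner[addr]}")
            owner[addr] = vid
            lines.append(f"add distance=1 dst-address={addr}/32 gateway=vlan{vid}")
    return lines

def switch_vlan_lines(ports, allocation=ALLOCATION):
    """Junos set commands (under the 'vlans' hierarchy) defining every VLAN and
    placing each server port (port -> vlan_id) into its own VLAN."""
    lines = ["top", "edit vlans"]
    lines += [f"set vlan{v} vlan-id {v}" for v in vlan_ids(allocation)]
    lines += [f"set vlan{v} interface {port}.0" for port, v in sorted(ports.items())]
    return lines + ["top", "commit"]
```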


Short link: https://zhu.vn/?p=1755
