Huawei DHCP Snooping Configuration Example

Source: 动视网  Editor: 小OO  Date: 2025-09-24 05:16:56
DHCP Snooping Configuration

This section describes how DHCP Snooping works and how to configure it, and gives a configuration example.

Example: Configuring the DHCP Snooping Attack Defence Functions

Networking Requirements

As shown in Figure 9-13, SwitchA and SwitchB are access devices and SwitchC is the DHCP relay. Client1 and Client2 connect to SwitchA through GE0/0/1 and GE0/0/2 respectively, and Client3 connects to SwitchB through GE0/0/1. Client1 and Client3 obtain their IPv4 addresses through DHCP, while Client2 uses a statically configured IPv4 address. Attacks by unauthorized users on the network prevent legitimate users from obtaining IP addresses normally. The administrator wants to defend against the DHCP attacks on the network so that DHCP users receive better service.

Figure 9-13 Networking diagram for configuring the DHCP Snooping attack defence functions

Configuration Roadmap

The configuration roadmap on SwitchC is as follows.

1. Enable DHCP Snooping and configure the device to process only DHCPv4 packets.

2. Configure the trusted state of interfaces so that clients obtain IP addresses only from legitimate DHCP servers.

3. Enable linkage between ARP and DHCP Snooping so that the binding table is updated in real time when a DHCP user goes offline abnormally.

4. Enable the generation of static MAC entries for interfaces from the DHCP Snooping binding table, to defend against attacks from non-DHCP users.

5. Enable the check that matches DHCP packets against the binding table, to defend against forged DHCP packet attacks.

6. Configure the maximum rate at which DHCP packets are sent to the DHCP packet processing unit, to defend against DHCP packet flood attacks.

7. Configure the maximum number of access users and enable the check that the source MAC address in the frame header of a DHCP Request matches the CHADDR field in the DHCP payload, to defend against denial-of-service attacks on the DHCP server.
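To make the roadmap concrete, the following is a small Python model of the checks it lists. It is an added example written for this page, not Huawei code, and it does not reproduce the switch's implementation. The interface names follow the example; the MAC addresses, the 192.0.2.0/24 addresses and the one-second rate bucket are assumptions. It shows what each check buys the defender: server replies are dropped on untrusted ports, a Request whose CHADDR disagrees with the frame's source MAC is dropped, a renewal or release that does not match the binding table is dropped, a port stops admitting new users at its max-user-number, and all DHCP traffic is dropped once the per-second rate limit is exceeded.

```python
"""Toy model of the DHCP Snooping checks in the roadmap above (constructed example, not Huawei code).
Port names follow the example; MAC addresses and 192.0.2.0/24 addresses are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

BOOTREQUEST, BOOTREPLY = 1, 2
NO_IP = "0.0.0.0"


@dataclass
class DhcpFrame:
    """The fields of a DHCP message that the snooping checks inspect."""
    port: str            # ingress interface on the switch
    src_mac: str         # Ethernet source MAC of the frame
    op: int              # BOOTREQUEST (client -> server) or BOOTREPLY (server -> client)
    chaddr: str          # client hardware address carried in the DHCP payload
    giaddr: str = NO_IP  # relay agent address; a client-originated Request carries 0.0.0.0
    ciaddr: str = NO_IP  # address the client claims to already hold (renew/release)
    yiaddr: str = NO_IP  # address the server assigns (replies only)


@dataclass
class PortPolicy:
    """Per-interface knobs, mirroring the per-interface commands of the example."""
    trusted: bool = False
    max_users: int = 1024
    check_chaddr: bool = False
    check_giaddr: bool = False
    check_request: bool = False


class DhcpSnooping:
    def __init__(self, ports, rate_limit_pps):
        self.ports = ports                  # interface name -> PortPolicy
        self.rate_limit_pps = rate_limit_pps
        self.per_second = defaultdict(int)  # one-second bucket -> DHCP packets seen
        self.pending = {}                   # chaddr -> client port, awaiting the server's ACK
        self.bindings = {}                  # chaddr -> (ip, port): the snooping binding table
        self.dropped = defaultdict(int)     # drop reason -> count (what the alarms watch)

    def _drop(self, reason):
        self.dropped[reason] += 1
        return False, reason

    def users_on(self, port):
        return sum(1 for _ip, p in self.bindings.values() if p == port)

    def inspect(self, f, now):
        """Decide whether frame f (arriving at time now, in seconds) is forwarded."""
        policy = self.ports[f.port]
        # Roadmap step 6: cap the rate of DHCP packets handed to the processing unit.
        self.per_second[int(now)] += 1
        if self.per_second[int(now)] > self.rate_limit_pps:
            return self._drop("rate-limit")
        if f.op == BOOTREPLY:
            # Roadmap step 2: server replies are only accepted from trusted interfaces.
            if not policy.trusted:
                return self._drop("reply-on-untrusted-port")
            client_port = self.pending.pop(f.chaddr, None)
            if client_port is not None and f.yiaddr != NO_IP:
                self.bindings[f.chaddr] = (f.yiaddr, client_port)  # learn the binding
            return True, "ok"
        # BOOTREQUEST arriving on a client-facing interface.
        if policy.check_giaddr and f.giaddr != NO_IP:
            return self._drop("giaddr-nonzero")   # only a relay may set GIADDR
        if policy.check_chaddr and f.chaddr.lower() != f.src_mac.lower():
            return self._drop("chaddr-mismatch")  # roadmap step 7: forged CHADDR
        if policy.check_request and f.ciaddr != NO_IP:
            # Roadmap step 5: a renew/release must match an existing binding on this port.
            if self.bindings.get(f.chaddr) != (f.ciaddr, f.port):
                return self._drop("binding-mismatch")
        if f.chaddr not in self.bindings and self.users_on(f.port) >= policy.max_users:
            return self._drop("max-user-number")  # roadmap step 7: cap users per interface
        self.pending[f.chaddr] = f.port
        return True, "ok"


def build_switchc():
    """SwitchC as configured in the example: two client ports, one trusted uplink, 90 pps."""
    client = dict(max_users=20, check_chaddr=True, check_giaddr=True, check_request=True)
    return DhcpSnooping(
        {"GE0/0/1": PortPolicy(**client), "GE0/0/2": PortPolicy(**client),
         "GE0/0/3": PortPolicy(trusted=True)},
        rate_limit_pps=90,
    )


if __name__ == "__main__":
    sw, c1 = build_switchc(), "aa:aa:aa:aa:aa:01"
    print(sw.inspect(DhcpFrame("GE0/0/1", c1, BOOTREQUEST, c1), 0.0))
    print(sw.inspect(DhcpFrame("GE0/0/2", "bb:bb:bb:bb:bb:02", BOOTREPLY, c1, yiaddr="192.0.2.99"), 0.1))
    print(dict(sw.dropped))
```

The `dropped` counters are the quantity the alarm commands later in the example watch: an alarm fires when the number of packets discarded by one check crosses its threshold, which is the defender's signal that a client port is under attack rather than merely misconfigured.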

Procedure

1. Enable DHCP Snooping.

# Enable DHCP Snooping globally and configure the device to process only DHCPv4 packets.

<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] dhcp enable
[SwitchC] dhcp snooping enable ipv4

# Enable DHCP Snooping on the user-side interfaces. GE0/0/1 is shown; the configuration of GE0/0/2 is the same and is omitted here.

[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping enable
[SwitchC-GigabitEthernet0/0/1] quit

2. Configure the trusted state of the interface: set the interface connected to the DHCP server to "Trusted".

[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] dhcp snooping trusted
[SwitchC-GigabitEthernet0/0/3] quit

3. Enable linkage between ARP and DHCP Snooping.

[SwitchC] arp dhcp-snooping-detect enable

4. Enable the generation of static MAC entries for the interface from the DHCP Snooping binding table.

# Configure this on the user-side interfaces. GE0/0/1 is shown; the configuration of GE0/0/2 is the same and is omitted here.

[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping sticky-mac
[SwitchC-GigabitEthernet0/0/1] quit

5. Enable the check that matches DHCP packets against the binding table.

# Configure this on the user-side interfaces. GE0/0/1 is shown; the configuration of GE0/0/2 is the same and is omitted here.

[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping check dhcp-request enable
[SwitchC-GigabitEthernet0/0/1] quit

6. Set the maximum rate at which DHCP packets are sent to the DHCP packet processing unit to 90 pps.

[SwitchC] dhcp snooping check dhcp-rate enable
[SwitchC] dhcp snooping check dhcp-rate 90

7. Enable the check that the GIADDR field of a DHCP Request is non-zero.

# Configure this on the user-side interfaces. GE0/0/1 is shown; the configuration of GE0/0/2 is the same and is omitted here.

[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping check dhcp-giaddr enable
[SwitchC-GigabitEthernet0/0/1] quit

8. Configure the maximum number of access users allowed on the interface and enable the CHADDR field check.

# Configure this on the user-side interfaces. GE0/0/1 is shown; the configuration of GE0/0/2 is the same and is omitted here.

[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping max-user-number 20
[SwitchC-GigabitEthernet0/0/1] dhcp snooping check dhcp-chaddr enable
[SwitchC-GigabitEthernet0/0/1] quit

9. Configure the discarded-packet alarm and the packet rate-limit alarm.

# Enable the discarded-packet alarm functions and configure their alarm thresholds. GE0/0/1 is shown; the configuration of GE0/0/2 is the same and is omitted here.

[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr enable
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request enable
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply enable
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr threshold 120
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request threshold 120
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply threshold 120
[SwitchC-GigabitEthernet0/0/1] quit

# Enable the packet rate-limit alarm function and configure its alarm threshold.

[SwitchC] dhcp snooping alarm dhcp-rate enable
[SwitchC] dhcp snooping alarm dhcp-rate threshold 500

10. Verify the configuration.

# Run the display dhcp snooping configuration command to view the DHCP Snooping configuration.

[SwitchC] display dhcp snooping configuration

#
dhcp snooping enable ipv4
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
dhcp snooping alarm dhcp-rate enable
dhcp snooping alarm dhcp-rate threshold 500
arp dhcp-snooping-detect enable
#
interface GigabitEthernet0/0/1
 dhcp snooping enable
 dhcp snooping check dhcp-giaddr enable
 dhcp snooping check dhcp-request enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 120
 dhcp snooping check dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 120
 dhcp snooping alarm dhcp-reply enable
 dhcp snooping alarm dhcp-reply threshold 120
 dhcp snooping max-user-number 20
#
interface GigabitEthernet0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-giaddr enable
 dhcp snooping check dhcp-request enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 120
 dhcp snooping check dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 120
 dhcp snooping alarm dhcp-reply enable
 dhcp snooping alarm dhcp-reply threshold 120
 dhcp snooping max-user-number 20
#
interface GigabitEthernet0/0/3
 dhcp snooping trusted
#

# Run the display dhcp snooping interface command to view the DHCP Snooping running information on an interface.

[SwitchC] display dhcp snooping interface gigabitethernet 0/0/1
 DHCP snooping running information for interface GigabitEthernet0/0/1 :
 DHCP snooping                            : Enable
 Trusted interface                        : No
 Dhcp user max number                     : 20
 Current dhcp and nd user number          : 0
 Check dhcp-giaddr                        : Enable
 Check dhcp-chaddr                        : Enable
 Alarm dhcp-chaddr                        : Enable
 Alarm dhcp-chaddr threshold              : 120
 Discarded dhcp packets for check chaddr  : 0
 Check dhcp-request                       : Enable
 Alarm dhcp-request                       : Enable
 Alarm dhcp-request threshold             : 120
 Discarded dhcp packets for check request : 0
 Check dhcp-rate                          : Disable  (default)
 Alarm dhcp-rate                          : Disable  (default)
 Alarm dhcp-rate threshold                : 500
 Discarded dhcp packets for rate limit    : 0
 Alarm dhcp-reply                         : Enable
 Alarm dhcp-reply threshold               : 120
 Discarded dhcp packets for check reply   : 0

[SwitchC] display dhcp snooping interface gigabitethernet 0/0/3
 DHCP snooping running information for interface GigabitEthernet0/0/3 :
 DHCP snooping                            : Disable  (default)
 Trusted interface                        : Yes
 Dhcp user max number                     : 1024    (default)
 Current dhcp and nd user number          : 0
 Check dhcp-giaddr                        : Disable  (default)
 Check dhcp-chaddr                        : Disable  (default)
 Alarm dhcp-chaddr                        : Disable  (default)
 Check dhcp-request                       : Disable  (default)
 Alarm dhcp-request                       : Disable  (default)
 Check dhcp-rate                          : Disable  (default)
 Alarm dhcp-rate                          : Disable  (default)
 Alarm dhcp-rate threshold                : 500
 Discarded dhcp packets for rate limit    : 0
 Alarm dhcp-reply                         : Disable  (default)
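The display output above is what an operator would check after rollout, and it is easy to misread: the per-interface Check dhcp-rate line on GE0/0/1 reads Disable (default) even though rate limiting is active, because this example configures it globally in step 6 and it therefore appears in display dhcp snooping configuration rather than under the interface. The following Python script is an added example for this page, not Huawei tooling: it parses the display dhcp snooping interface format exactly as printed above (an abridged copy of that output is embedded as SWITCHC_OUTPUT) and flags untrusted, client-facing interfaces that are missing one of the protections the example enables. The GigabitEthernet0/0/2 sample with weak settings (WEAK_OUTPUT) is constructed for illustration.

```python
"""Parse and audit 'display dhcp snooping interface' output (added example, not Huawei tooling).
SWITCHC_OUTPUT is an abridged copy of the output shown on this page; WEAK_OUTPUT is constructed."""
import re

HEADER = re.compile(r"\s*DHCP snooping running information for interface (\S+)\s*:")

SWITCHC_OUTPUT = """\
[SwitchC] display dhcp snooping interface gigabitethernet 0/0/1
 DHCP snooping running information for interface GigabitEthernet0/0/1 :
 DHCP snooping                            : Enable
 Trusted interface                        : No
 Dhcp user max number                     : 20
 Current dhcp and nd user number          : 0
 Check dhcp-giaddr                        : Enable
 Check dhcp-chaddr                        : Enable
 Alarm dhcp-chaddr                        : Enable
 Alarm dhcp-chaddr threshold              : 120
 Discarded dhcp packets for check chaddr  : 0
 Check dhcp-request                       : Enable
 Alarm dhcp-request                       : Enable
 Alarm dhcp-request threshold             : 120
 Discarded dhcp packets for check request : 0
 Check dhcp-rate                          : Disable  (default)
 Alarm dhcp-rate                          : Disable  (default)
 Alarm dhcp-rate threshold                : 500
 Discarded dhcp packets for rate limit    : 0
 Alarm dhcp-reply                         : Enable
 Alarm dhcp-reply threshold               : 120
 Discarded dhcp packets for check reply   : 0
[SwitchC] display dhcp snooping interface gigabitethernet 0/0/3
 DHCP snooping running information for interface GigabitEthernet0/0/3 :
 DHCP snooping                            : Disable  (default)
 Trusted interface                        : Yes
 Dhcp user max number                     : 1024    (default)
 Check dhcp-giaddr                        : Disable  (default)
 Check dhcp-chaddr                        : Disable  (default)
 Check dhcp-request                       : Disable  (default)
"""

# Constructed sample: an untrusted client port on which most checks were never enabled.
WEAK_OUTPUT = """\
 DHCP snooping running information for interface GigabitEthernet0/0/2 :
 DHCP snooping                            : Enable
 Trusted interface                        : No
 Dhcp user max number                     : 1024    (default)
 Check dhcp-giaddr                        : Disable  (default)
 Check dhcp-chaddr                        : Disable  (default)
 Check dhcp-request                       : Enable
 Discarded dhcp packets for check request : 37
"""


def parse_display(text):
    """Return {interface: {field: (value, is_default)}} from the display output."""
    result, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            result[current] = {}
            continue
        if current is None or ":" not in line:
            continue  # CLI prompt lines and anything before the first interface header
        key, _, value = line.partition(":")
        tokens = value.split()
        if tokens:
            result[current][key.strip()] = (tokens[0], "(default)" in tokens)
    return result


# Per-interface checks the example turns on for every client-facing (untrusted) port.
REQUIRED_ON_UNTRUSTED = ("DHCP snooping", "Check dhcp-giaddr", "Check dhcp-chaddr", "Check dhcp-request")


def audit(parsed):
    """List (interface, finding) pairs for untrusted ports that lack a protection or are dropping packets."""
    findings = []
    for iface, fields in parsed.items():
        if fields.get("Trusted interface", ("No", False))[0] == "Yes":
            continue  # the uplink towards the DHCP relay/server is expected to be trusted
        for name in REQUIRED_ON_UNTRUSTED:
            value, _ = fields.get(name, ("missing", False))
            if value != "Enable":
                findings.append((iface, f"{name} is {value}"))
        value, is_default = fields.get("Dhcp user max number", ("missing", False))
        if is_default:
            findings.append((iface, f"Dhcp user max number left at default ({value})"))
        for name, (value, _) in fields.items():
            if name.startswith("Discarded dhcp packets") and value != "0":
                findings.append((iface, f"{name}: {value} (check is dropping traffic)"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit(parse_display(SWITCHC_OUTPUT)) + audit(parse_display(WEAK_OUTPUT)):
        print(f"{iface}: {finding}")
```

Run against the page's own output the audit is empty, which is the expected result for SwitchC; the constructed GE0/0/2 sample shows the two readings that matter in practice: a check left at its default is a configuration gap, while a non-zero discarded-packet counter on a check that is enabled is evidence that the check is doing its job and that the port deserves a closer look.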

Configuration Files

# Configuration file of SwitchC

#
sysname SwitchC
#
dhcp enable
#
dhcp snooping enable ipv4
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
dhcp snooping alarm dhcp-rate enable
dhcp snooping alarm dhcp-rate threshold 500
arp dhcp-snooping-detect enable
#
interface GigabitEthernet0/0/1
 dhcp snooping sticky-mac
 dhcp snooping enable
 dhcp snooping check dhcp-giaddr enable
 dhcp snooping check dhcp-request enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 120
 dhcp snooping check dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 120
 dhcp snooping alarm dhcp-reply enable
 dhcp snooping alarm dhcp-reply threshold 120
 dhcp snooping max-user-number 20
#
interface GigabitEthernet0/0/2
 dhcp snooping sticky-mac
 dhcp snooping enable
 dhcp snooping check dhcp-giaddr enable
 dhcp snooping check dhcp-request enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 120
 dhcp snooping check dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 120
 dhcp snooping alarm dhcp-reply enable
 dhcp snooping alarm dhcp-reply threshold 120
 dhcp snooping max-user-number 20
#
interface GigabitEthernet0/0/3
 dhcp snooping trusted
#
return
