DHCP Snooping
DHCP is used for dynamic address assignment and makes connecting endpoints to the network trivial, but the protocol has no security mechanism of its own and is easy to attack. Once a rogue DHCP server appears in a broadcast domain, endpoints are very likely to take the addresses the rogue server pushes, leaving a large share of the endpoints in that domain unable to reach the network.
DHCP Snooping feature overview
- filters DHCP (and related) packets received on untrusted interfaces
- rate-limits DHCP traffic
- maintains the DHCP snooping binding database
- DAI (Dynamic ARP Inspection) relies on the DHCP snooping binding database
DHCP Snooping packet filtering
Once DHCP snooping is enabled on a VLAN, packets received on an untrusted interface are dropped in the following cases:
- a DHCP server message (for example DHCPOFFER, DHCPACK, DHCPNAK or DHCPLEASEQUERY) arrives on the untrusted interface
- the source MAC address does not match the DHCP client hardware address (chaddr)
- a DHCPRELEASE or DHCPDECLINE message does not match a binding entry in the DHCP snooping database
- a DHCP packet already contains option 82
DHCP Snooping option 82 insertion
A switch with DHCP snooping enabled inserts option 82 into the DHCP messages it receives
- option 82 carries the switch MAC address and the port identity in vlan-mod-port form (see figure)
- if 802.1X is enabled, option 82 also carries the RADIUS authentication information
- it also carries the relay agent address
DHCP Snooping database
All binding entries are stored in the DHCP snooping binding database (see figure)
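The three mechanisms just described, the untrusted-port drop rules, option 82 insertion and the binding database, modeled in Python as an added example; this is not code from the post or from any switch vendor. It constructs its own DHCP messages with the standard RFC 2131 layout, applies the drop rules to packets arriving on untrusted ports, tags forwarded client messages with option 82 in the vlan-mod-port / switch-MAC layout the post's `show` output names, and learns a (VLAN, MAC) binding when the ACK comes back over the trusted uplink. The port names `e0/0`, `e0/1`, `e0/2`, the client, server and rogue MACs, the lease address and the mapping of `e<module>/<port>` to the circuit-id fields are all made-up inputs and assumptions of the model.

```python
"""DHCP snooping data path in miniature: untrusted-port drop rules, option 82
insertion and a (vlan, MAC) binding table. Added example, not from the post."""
import struct
from dataclasses import dataclass, field

MAGIC = bytes.fromhex("63825363")
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE", 5: "ACK",
             6: "NAK", 7: "RELEASE", 8: "INFORM", 10: "LEASEQUERY"}
SERVER_ONLY = {"OFFER", "ACK", "NAK", "LEASEQUERY"}  # only legitimate from a trusted port
ZERO_IP = b"\0" * 4


def build_dhcp(msg_type, chaddr, yiaddr=ZERO_IP, giaddr=ZERO_IP, extra_opts=b""):
    """Build a minimal DHCP message (constructed test input; xid fixed)."""
    op = 2 if msg_type in (2, 5, 6) else 1  # BOOTREPLY for OFFER/ACK/NAK
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0,
                      ZERO_IP, yiaddr, ZERO_IP, giaddr, chaddr.ljust(16, b"\0"),
                      b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, msg_type]) + extra_opts + b"\xff"


def parse_dhcp(pkt):
    """Extract the fields the snooping checks need; options as {code: value}."""
    f = struct.unpack_from("!BBBBIHH4s4s4s4s16s", pkt, 0)
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:       # 255 = end option
        if pkt[i] == 0:                          # 0 = pad
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    mtype = MSG_TYPES.get(opts.get(53, b"\0")[0], "UNKNOWN")
    return {"op": f[0], "chaddr": f[11][:f[2]], "yiaddr": f[8], "giaddr": f[10],
            "opts": opts, "type": mtype}


def option82(vlan, module, port, switch_mac):
    """Relay agent information option in the default layout named by the post's
    show output: circuit-id = vlan-mod-port, remote-id = switch MAC (sub-option
    framing as documented by Cisco for its switches)."""
    circuit = bytes([1, 6, 0, 4]) + struct.pack("!HBB", vlan, module, port)
    remote = bytes([2, 8, 0, 6]) + switch_mac
    return bytes([82, len(circuit) + len(remote)]) + circuit + remote


@dataclass
class SnoopingSwitch:
    switch_mac: bytes
    trusted: set = field(default_factory=set)     # trusted port names
    bindings: dict = field(default_factory=dict)  # (vlan, mac) -> (ip bytes, port)
    pending: dict = field(default_factory=dict)   # (vlan, mac) -> port awaiting an ACK

    def inspect(self, port, vlan, src_mac, pkt):
        """Return ("forward", packet_to_send) or ("drop", reason)."""
        msg = parse_dhcp(pkt)
        key = (vlan, msg["chaddr"])
        if port in self.trusted:                  # server side: learn bindings from ACKs
            if msg["type"] == "ACK" and key in self.pending:
                self.bindings[key] = (msg["yiaddr"], self.pending.pop(key))
            return "forward", pkt
        # Untrusted port: the drop rules listed in the post, plus giaddr verification
        if msg["type"] in SERVER_ONLY:
            return "drop", "server message on untrusted port"
        if msg["chaddr"] != src_mac:
            return "drop", "chaddr does not match source MAC"
        if 82 in msg["opts"]:
            return "drop", "option 82 on untrusted port"
        if msg["giaddr"] != ZERO_IP:
            return "drop", "non-zero giaddr on untrusted port"
        if msg["type"] in ("RELEASE", "DECLINE"):
            bound = self.bindings.get(key)
            if bound is None or bound[1] != port:
                return "drop", "release/decline does not match binding"
            del self.bindings[key]
        elif msg["type"] in ("DISCOVER", "REQUEST"):
            self.pending[key] = port
        # Port names like "e0/1" are mapped to module/port (assumption of this model)
        module, number = (int(x) for x in port.lstrip("e").split("/"))
        opt = option82(vlan, module, number, self.switch_mac)
        return "forward", pkt[:-1] + opt + b"\xff"


def demo():
    """Walk one lease through the switch; all MACs and addresses are constructed."""
    sw = SnoopingSwitch(bytes.fromhex("aabbcc005000"), trusted={"e0/1"})
    client, server, rogue = (bytes.fromhex(h) for h in
                             ("0011223344aa", "001122334455", "deadbeef0001"))
    r = {}
    verdict, out = sw.inspect("e0/0", 10, client, build_dhcp(1, client))
    r["discover"] = (verdict, 82 in parse_dhcp(out)["opts"])          # forwarded + tagged
    r["rogue_offer"] = sw.inspect("e0/0", 10, rogue, build_dhcp(2, client))[0]
    ack = build_dhcp(5, client, yiaddr=bytes([192, 168, 2, 10]))
    r["ack"] = sw.inspect("e0/1", 10, server, ack)[0]                  # trusted uplink
    r["binding"] = sw.bindings.get((10, client))
    r["spoofed_release"] = sw.inspect("e0/2", 10, client, build_dhcp(7, client))[0]
    r["release"] = sw.inspect("e0/0", 10, client, build_dhcp(7, client))[0]
    r["binding_after_release"] = sw.bindings.get((10, client))
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order of the checks in `inspect` matters: a rogue OFFER is rejected on message type before any MAC comparison is attempted, and a RELEASE is only honoured when the binding was learned on the very port it now arrives from, which is what stops one host from releasing another host's lease.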
DHCP Snooping default settings

| Option | Default value/state |
|---|---|
| DHCP snooping | Disabled |
| DHCP snooping host tracking feature | Disabled |
| DHCP snooping information option | Enabled |
| DHCP option-82 on untrusted port feature | Disabled |
| DHCP snooping limit rate | None |
| DHCP snooping trust | Untrusted |
| DHCP snooping vlan | Disabled |
| DHCP snooping spurious server detection | Disabled |
| DHCP snooping detect spurious interval | 30 minutes |
DHCP Snooping configuration
Topology
(The topology figure is not reproduced here; from the configuration below, the chain is Client, SW1, SW2, DHCP server.)
Configuration
Client
Client#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Client(config)#inter e0/0
Client(config-if)#ip address dhcp #obtain the interface address via DHCP
SW1:
SW1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#vlan 10
SW1(config-vlan)#exit
SW1(config)#inter e0/0
SW1(config-if)#sw mo acc
SW1(config-if)#sw acc vlan 10
SW1(config-if)#inter e0/1
SW1(config-if)#sw mo acc
SW1(config-if)#sw acc vlan 10
SW1(config-if)#exit
SW1(config)#ip dhcp snooping #enable DHCP snooping globally
SW1(config)#do show ip dhcp snooping | include Switch #verify that DHCP snooping is enabled
Switch DHCP snooping is enabled
SW1(config)#ip dhcp snooping information option #enable option 82 insertion (on by default)
SW1(config)#do show ip dhcp snooping | include 82 #verify that option 82 is enabled
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
SW1(config)#ip dhcp snooping verify mac-address #verify that the source MAC matches the client hardware address (hwaddr)
SW1(config)#do show ip dhcp snooping | include hwaddr #verify that the check above is enabled
Verification of hwaddr field is enabled
SW1(config)#ip dhcp snooping database disk0:/dhcp.db #where the DHCP snooping binding database is stored
SW1(config)#ip dhcp snooping vlan 10 #enable DHCP snooping on the chosen VLAN
SW1(config)#do show ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: aabb.cc00.5000 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
SW1(config-if)#ip dhcp snooping trust #on the interface facing the upstream switch: mark it trusted
SW1(config-if)#ip dhcp snooping limit rate 60 #rate-limit DHCP packets (pps) as required
SW2:
SW2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#vlan 10
SW2(config-vlan)#exit
SW2(config)#inter e0/0
SW2(config-if)#sw mo acc
SW2(config-if)#sw acc vlan 10
SW2(config-if)#inter e0/1
SW2(config-if)#sw mo acc
SW2(config-if)#sw acc vlan 10
SW2(config-if)#exit
SW2(config)#ip dhcp snooping #enable DHCP snooping globally
SW2(config)#do show ip dhcp snooping | include Switch #verify that DHCP snooping is enabled
Switch DHCP snooping is enabled
SW2(config)#ip dhcp snooping information option #enable option 82 insertion (on by default)
SW2(config)#do show ip dhcp snooping | include 82 #verify that option 82 is enabled
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
SW2(config)#ip dhcp snooping verify mac-address #verify that the source MAC matches the client hardware address (hwaddr)
SW2(config)#do show ip dhcp snooping | include hwaddr #verify that the check above is enabled
Verification of hwaddr field is enabled
SW2(config)#ip dhcp snooping database disk0:/dhcp.db #where the DHCP snooping binding database is stored
SW2(config)#ip dhcp snooping vlan 10 #enable DHCP snooping on the chosen VLAN
SW2(config)#do show ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: aabb.cc00.5000 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
SW2(config-if)#ip dhcp snooping trust #on the interface facing the upstream DHCP server: mark it trusted
SW2(config-if)#ip dhcp snooping limit rate 60 #rate-limit DHCP packets (pps) as required
SW2(config-if)#inter e0/0
SW2(config-if)#ip dhcp snooping information option allow-untrusted #on the interface facing the downstream switch: accept packets that already carry option 82 (untrusted ports drop them by default)
Server:
DHCP#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
DHCP(config)#inter e0/0
DHCP(config-if)#ip address 192.168.2.1 255.255.255.0
DHCP(config-if)#no shut
DHCP(config-if)#exit
DHCP(config)#ip dhcp pool test #configure the DHCP server pool
DHCP(dhcp-config)#network 192.168.2.0 255.255.255.0
DHCP(dhcp-config)#default-router 192.168.2.1
DHCP(dhcp-config)#dns-server 114.114.114.114
DHCP(dhcp-config)#exit
DHCP(config)#ip dhcp relay information trust-all #an IOS DHCP server checks the relay address (giaddr) of packets carrying option 82 and drops them when giaddr is 0.0.0.0; trust-all makes it accept them. (The alternative is to disable option 82 insertion on the switch; an expert on the Cisco forum says that disabling it affects performance, see: https://supportforums.cisco.com/t5/lan-switching-and-routing/dhcp-snooping/td-p/1622877)
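A defender's check on the `show ip dhcp snooping` output printed during the configuration above, as an added Python example; this is not code from the post or from Cisco. It parses the output and flags the states worth catching, including the one visible above right after `ip dhcp snooping vlan 10`, where VLAN 10 is operational but no interface has been trusted yet, so every server reply would be dropped. The sample outputs are constructed: the first copies the post's own output, the second adds table rows for the trusted uplink and the rate-limited access port using assumed interface names (`Ethernet0/1`, `Ethernet0/0`) and IOS's usual row layout, which is itself an assumption.

```python
"""Audit helper for `show ip dhcp snooping` output. Added example, not from the post."""
import re


def expand_vlans(spec):
    """'10,20-22' -> {10, 20, 21, 22}; 'none' -> empty set."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part or part.lower() == "none":
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_snooping(text):
    """Pull the global flags, VLAN sets and per-interface trust/rate rows out of the output."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    state = {"enabled": False, "configured": set(), "operational": set(),
             "option82": False, "verify_hwaddr": False, "interfaces": {}}
    for i, ln in enumerate(lines):
        if ln.startswith("Switch DHCP snooping is"):
            state["enabled"] = ln.endswith("enabled")
        elif "configured on following VLANs" in ln:
            state["configured"] = expand_vlans(lines[i + 1])
        elif "operational on following VLANs" in ln:
            state["operational"] = expand_vlans(lines[i + 1])
        elif ln.startswith("Insertion of option 82 is"):
            state["option82"] = ln.endswith("enabled")
        elif ln.startswith("Verification of hwaddr field is"):
            state["verify_hwaddr"] = ln.endswith("enabled")
        else:  # trust/rate table row: "<interface> <yes|no> <yes|no> <rate>"
            m = re.match(r"^(\S+)\s+(yes|no)\s+(yes|no)\s+(\S+)\s*$", ln)
            if m:
                state["interfaces"][m.group(1)] = {
                    "trusted": m.group(2) == "yes",
                    "allow_option": m.group(3) == "yes",
                    "rate": m.group(4)}
    return state


def audit(text):
    """Return a list of findings; an empty list means nothing to flag."""
    s = parse_show_snooping(text)
    findings = []
    if not s["enabled"]:
        findings.append("DHCP snooping is globally disabled")
    if not s["configured"]:
        findings.append("no VLAN has DHCP snooping configured")
    for v in sorted(s["configured"] - s["operational"]):
        findings.append(f"VLAN {v} configured for snooping but not operational")
    if not s["verify_hwaddr"]:
        findings.append("MAC address verification (chaddr vs source MAC) is disabled")
    trusted = [n for n, d in s["interfaces"].items() if d["trusted"]]
    if s["enabled"] and not trusted:
        findings.append("no trusted interface: server replies will be dropped on every port")
    for name, d in s["interfaces"].items():
        if not d["trusted"] and d["rate"] == "unlimited":
            findings.append(f"{name}: untrusted port without a DHCP rate limit")
    return findings


# Constructed sample 1: the post's output right after `ip dhcp snooping vlan 10`,
# before any port has been trusted (the table has no rows yet).
SAMPLE_BEFORE_TRUST = """\
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: aabb.cc00.5000 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
"""

# Constructed sample 2: trusted uplink plus rate-limited access port (assumed row layout).
SAMPLE_AFTER = SAMPLE_BEFORE_TRUST + """\
Ethernet0/1                yes        yes             unlimited
  Custom circuit-ids:
Ethernet0/0                no         no              60
  Custom circuit-ids:
"""

# Constructed sample 3: hwaddr check switched off and the access port left unlimited.
SAMPLE_WEAK = (SAMPLE_AFTER
               .replace("Verification of hwaddr field is enabled", "Verification of hwaddr field is disabled")
               .replace("no              60", "no              unlimited"))

if __name__ == "__main__":
    for label, sample in (("before trust", SAMPLE_BEFORE_TRUST), ("after", SAMPLE_AFTER), ("weak", SAMPLE_WEAK)):
        print(label, "->", audit(sample) or "OK")
```

Run it against the output of `show ip dhcp snooping` captured from each access switch; the "no trusted interface" finding is the one to look for immediately after enabling snooping on a VLAN, because until the uplink is trusted the switch silently discards every DHCPOFFER and DHCPACK.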
DHCP Snooping: closing notes
Beyond the features above, DHCP snooping also offers:
- DHCP Snooping Host Tracking #supported from Release 12.2(33)SXJ2; keeps a cache of vlan-mac-port bindings used to forward the corresponding DHCP packets
- DHCP Snooping remote database #reads the binding information from a remote TFTP server
Full details are in the official documentation (https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html#wp1140196)