
DHCP Snooping

Network, Switch, DHCP


DHCP is used for dynamic address assignment and greatly simplifies attaching endpoints to the network, but the protocol itself has no security mechanism at all and is very easy to attack. Once a rogue DHCP server appears in a broadcast domain, the addresses endpoints obtain are very likely the ones pushed by that rogue server, leaving a large part of the endpoints in the broadcast domain without network access.

DHCP Snooping feature overview
  • Filters DHCP packets received on untrusted interfaces
  • Rate-limits DHCP traffic
  • Maintains the DHCP snooping binding database
  • DAI (Dynamic ARP Inspection) relies on the information in the DHCP snooping binding database

DHCP Snooping packet filtering

Once DHCP Snooping is enabled on a VLAN, the following packets are dropped when they arrive on an untrusted interface:

  • Server-originated messages (for example DHCPOFFER, DHCPACK, DHCPNAK and DHCPLEASEQUERY)
  • Packets whose source MAC address does not match the DHCP client hardware address (chaddr)
  • DHCPRELEASE or DHCPDECLINE packets that do not match a binding entry in the DHCP snooping database
  • DHCP packets that contain option 82
DHCP Snooping option 82 insertion

A switch with DHCP Snooping enabled inserts option 82 into the DHCP packets it receives.

  • Option 82 carries the switch MAC, the port identity and vlan-mod-port (figure below)
    [figure]
  • If 802.1x is enabled, option 82 also carries the RADIUS authentication information
  • It carries the relay address

DHCP Snooping database

All binding information is stored in the database (figure below)

[figure]
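The untrusted-port drop rules, the option 82 insertion and the binding database described above, as an added simulation in Python. This is example code written for this page, not Cisco's implementation: the packet layout follows RFC 2131/2132, the option 82 sub-option layout is the Cisco vlan-mod-port / MAC default shown later in the `show ip dhcp snooping` output, the IOS server check is the one noted in the Server section below, and every MAC address, binding entry and module/port number is constructed for the demo.

```python
"""Added example (not part of the original post): DHCP snooping decisions for
one untrusted access port, option 82 insertion on forward, and the IOS DHCP
server check for option 82 with giaddr 0.0.0.0. All packets, MACs and binding
entries below are constructed."""
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie after the BOOTP header
# DHCP message type values (option 53)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, LEASEQUERY = 1, 2, 3, 4, 5, 6, 7, 10
SERVER_TYPES = {OFFER, ACK, NAK, LEASEQUERY}   # only legitimate when sent by a server


def build_dhcp(msg_type, chaddr, giaddr=b"\0" * 4, extra_options=b""):
    """Build a minimal DHCP packet: 236-byte BOOTP header, cookie, options, end."""
    op = 2 if msg_type in SERVER_TYPES else 1           # BOOTREPLY / BOOTREQUEST
    header = struct.pack("!BBBB4sHH4s4s4s4s16s64s128s", op, 1, 6, 0, b"\0" * 4, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, giaddr,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC + bytes([53, 1, msg_type]) + extra_options + b"\xff"


def parse_dhcp(raw):
    """Return the fields the snooping rules need: op, giaddr, chaddr, type, options."""
    if len(raw) < 240 or raw[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = raw[2]
    options, i = {}, 240
    while i < len(raw) and raw[i] != 255:            # 255 = end option
        if raw[i] == 0:                               # 0 = pad
            i += 1
            continue
        tag, length = raw[i], raw[i + 1]
        options[tag] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": raw[0], "giaddr": raw[24:28], "chaddr": raw[28:28 + hlen],
            "msg_type": options.get(53, b"\0")[0], "options": options}


def option82(vlan, module, port, switch_mac):
    """Cisco default relay-agent option: circuit-id (sub-option 1) = type 0, len 4,
    vlan(2) module(1) port(1); remote-id (sub-option 2) = type 0, len 6, switch MAC."""
    circuit_id = bytes([1, 6, 0, 4]) + struct.pack("!HBB", vlan, module, port)
    remote_id = bytes([2, 8, 0, 6]) + switch_mac
    body = circuit_id + remote_id
    return bytes([82, len(body)]) + body


def insert_option82(raw, vlan, module, port, switch_mac):
    """What the snooping switch does before forwarding a client packet upstream."""
    return raw[:-1] + option82(vlan, module, port, switch_mac) + b"\xff"


def snoop_untrusted(raw, src_mac, bindings, allow_untrusted_82=False):
    """Decide forward/drop for a packet received on an UNTRUSTED port.
    bindings: the snooping binding database, keyed by client MAC."""
    pkt = parse_dhcp(raw)
    if pkt["msg_type"] in SERVER_TYPES:
        return "drop", "server message on untrusted port"
    if pkt["chaddr"] != src_mac:
        return "drop", "chaddr does not match source MAC"
    if pkt["msg_type"] in (RELEASE, DECLINE) and pkt["chaddr"] not in bindings:
        return "drop", "RELEASE/DECLINE with no matching binding"
    if 82 in pkt["options"] and not allow_untrusted_82:
        return "drop", "option 82 on untrusted port (allow-untrusted not set)"
    return "forward", "ok"


def ios_server_accepts(raw, trust_all=False):
    """IOS DHCP server behaviour noted in the Server section: option 82 with
    giaddr 0.0.0.0 is dropped unless 'ip dhcp relay information trust-all'."""
    pkt = parse_dhcp(raw)
    return not (82 in pkt["options"] and pkt["giaddr"] == b"\0" * 4 and not trust_all)


def demo():
    """Walk a client DISCOVER through SW1 and SW2 to the server, plus three drops."""
    client = bytes.fromhex("0200aabbccdd")              # constructed client MAC
    sw1 = bytes.fromhex("aabbcc005000")                 # remote-id MAC from the show output
    bindings = {client: ("192.168.2.10", 10, "e0/0")}   # constructed binding entry
    discover = build_dhcp(DISCOVER, client)
    results = {}
    results["sw1_discover"] = snoop_untrusted(discover, client, bindings)[0]
    forwarded = insert_option82(discover, 10, 0, 0, sw1)  # SW1 adds vlan 10, mod 0, port 0
    results["sw2_no_allow"] = snoop_untrusted(forwarded, client, bindings)[0]
    results["sw2_allow"] = snoop_untrusted(forwarded, client, bindings, True)[0]
    results["server_default"] = ios_server_accepts(forwarded)
    results["server_trust_all"] = ios_server_accepts(forwarded, trust_all=True)
    results["rogue_offer"] = snoop_untrusted(build_dhcp(OFFER, client), client, bindings)[0]
    results["spoofed_chaddr"] = snoop_untrusted(discover, bytes.fromhex("020011223344"), bindings)[0]
    other = bytes.fromhex("020099999999")               # MAC with no lease in the database
    results["stray_release"] = snoop_untrusted(build_dhcp(RELEASE, other), other, bindings)[0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```

The `demo()` walk is the reason the configuration below needs both `allow-untrusted` on SW2's downstream port and `trust-all` on the IOS server: SW1 inserts option 82 with giaddr still 0.0.0.0, so the same packet is dropped by SW2's default untrusted-port rule and then by the server's giaddr check unless each is told to accept it.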

DHCP Snooping defaults

Option                                          Default Value/State
----------------------------------------------  -------------------
DHCP snooping                                   Disabled
DHCP snooping host tracking feature             Disabled
DHCP snooping information option                Enabled
DHCP option-82 on untrusted port feature        Disabled
DHCP snooping limit rate                        None
DHCP snooping trust                             Untrusted
DHCP snooping vlan                              Disabled
DHCP snooping spurious server detection         Disabled
DHCP snooping detect spurious interval          30 minutes
DHCP Snooping configuration
Topology

[figure]

Configuration
Client:
Client#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Client(config)#inter e0/0
Client(config-if)#ip add dhcp    # obtain the interface address via DHCP
SW1:
SW1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#vlan 10
SW1(config-vlan)#exit
SW1(config)#inter e0/0
SW1(config-if)#sw mo acc
SW1(config-if)#sw acc vlan 10
SW1(config-if)#inter e0/1
SW1(config-if)#sw mo acc
SW1(config-if)#sw acc vlan 10
SW1(config)#ip dhcp snooping  # enable DHCP snooping globally
SW1(config)#do show ip dhcp snooping | include Switch    # check that DHCP snooping is enabled
Switch DHCP snooping is enabled
SW1(config)#ip dhcp snooping information option
SW1(config)#do show ip dhcp snooping | include 82  # check that option 82 insertion is on
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
SW1(config)#ip dhcp snooping verify mac-address  # enable MAC verification (source MAC vs DHCP chaddr)
SW1(config)#do show ip dhcp snooping | include hwaddr  # check that the verification above is on
Verification of hwaddr field is enabled
SW1(config)#ip dhcp snooping database disk0:/dhcp.db # where to store the DHCP snooping database
SW1(config)#ip dhcp snooping vlan 10    # enable DHCP snooping on the specific VLAN
SW1(config)#do show ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: aabb.cc00.5000 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------   

SW1(config-if)#ip dhcp snooping trust   # configure the interface facing the upstream switch as trusted
SW1(config-if)#ip dhcp snooping limit rate 60   # rate-limit DHCP as required
SW2:
SW2#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)#vlan 10
SW2(config-vlan)#exit
SW2(config)#inter e0/0
SW2(config-if)#sw mo acc
SW2(config-if)#sw acc vlan 10
SW2(config-if)#inter e0/1
SW2(config-if)#sw mo acc
SW2(config-if)#sw acc vlan 10
SW2(config)#ip dhcp snooping  # enable DHCP snooping globally
SW2(config)#do show ip dhcp snooping | include Switch    # check that DHCP snooping is enabled
Switch DHCP snooping is enabled
SW2(config)#ip dhcp snooping information option
SW2(config)#do show ip dhcp snooping | include 82  # check that option 82 insertion is on
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
SW2(config)#ip dhcp snooping verify mac-address  # enable MAC verification (source MAC vs DHCP chaddr)
SW2(config)#do show ip dhcp snooping | include hwaddr  # check that the verification above is on
Verification of hwaddr field is enabled
SW2(config)#ip dhcp snooping database disk0:/dhcp.db # where to store the DHCP snooping database
SW2(config)#ip dhcp snooping vlan 10    # enable DHCP snooping on the specific VLAN
SW2(config)#do show ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: aabb.cc00.5000 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------   

SW2(config-if)#ip dhcp snooping trust   # configure the interface facing the upstream DHCP server side as trusted
SW2(config-if)#ip dhcp snooping limit rate 60   # rate-limit DHCP as required
SW2(config-if)#inter e0/0
SW2(config-if)#ip dhcp snooping information option allow-untrusted  # let packets carrying option 82 in on the interface facing the downstream switch (untrusted ports drop them by default)
Server:
DHCP#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
DHCP(config)#inter e0/0
DHCP(config-if)#ip address 192.168.2.1 255.255.255.0
DHCP(config-if)#no shut
DHCP(config)#ip dhcp pool test  # configure the DHCP server
DHCP(dhcp-config)#network 192.168.2.0 255.255.255.0
DHCP(dhcp-config)#default-router 192.168.2.1 
DHCP(dhcp-config)#dns-server 114.114.114.114
DHCP(dhcp-config)#exit
DHCP(config)#ip dhcp relay information trust-all # an IOS DHCP server checks the relay address (giaddr) of packets that carry option 82 and drops the packet if it is 0.0.0.0; this command makes it accept them. (The other fix is to turn off option 82 insertion on the switch, but an expert on the Cisco forum says disabling it affects performance, see: https://supportforums.cisco.com/t5/lan-switching-and-routing/dhcp-snooping/td-p/1622877)
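A check on the result of the procedure above, as added example code (not from the original post or from Cisco): it parses `show ip dhcp snooping` output and reports anything that differs from the intended design (snooping on for the VLAN, chaddr verification on, uplink trusted, access port untrusted and rate limited). The sample text is the SW1 output reproduced from this page; the two interface rows at the end are constructed, since the page's table is empty, and the port names and VLAN number passed to `audit()` are assumptions about the topology.

```python
"""Added example (not part of the original post): audit 'show ip dhcp snooping'
output against the intended snooping design. SAMPLE is the SW1 output from the
page with two constructed interface rows appended."""

SAMPLE = """\
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: aabb.cc00.5000 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
Ethernet0/1                yes        yes             unlimited
Ethernet0/0                no         no              60
"""


def expand_vlans(spec):
    """'10,20-22' -> {10, 20, 21, 22}; IOS prints VLAN lists in this form."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_snooping(text):
    """Pull the flags, VLAN sets and per-interface table out of the show output."""
    lines = text.splitlines()
    state = {"global": "Switch DHCP snooping is enabled" in text,
             "option82": "Insertion of option 82 is enabled" in text,
             "verify_hwaddr": "Verification of hwaddr field is enabled" in text,
             "verify_giaddr": "Verification of giaddr field is enabled" in text,
             "configured_vlans": set(), "operational_vlans": set(), "interfaces": {}}
    in_table = False
    for i, line in enumerate(lines):
        if "configured on following VLANs" in line:
            state["configured_vlans"] = expand_vlans(lines[i + 1])
        elif "operational on following VLANs" in line:
            state["operational_vlans"] = expand_vlans(lines[i + 1])
        elif line.startswith("----"):
            in_table = True              # interface rows follow the rule line
        elif in_table and line.strip():
            name, trusted, allow, rate = line.split()
            state["interfaces"][name] = {
                "trusted": trusted == "yes",
                "allow_option82": allow == "yes",
                "rate_pps": None if rate == "unlimited" else int(rate)}
    return state


def audit(text, vlan, uplinks, access_ports):
    """Return a list of findings; an empty list means the switch matches the design."""
    s = parse_snooping(text)
    findings = []
    if not s["global"]:
        findings.append("DHCP snooping is globally disabled")
    if vlan not in s["operational_vlans"]:
        findings.append(f"DHCP snooping not operational on VLAN {vlan}")
    if not s["verify_hwaddr"]:
        findings.append("MAC/chaddr verification is disabled")
    for port in uplinks:
        if not s["interfaces"].get(port, {}).get("trusted"):
            findings.append(f"{port}: uplink toward the DHCP server is not trusted")
    for port in access_ports:
        row = s["interfaces"].get(port, {})
        if row.get("trusted"):
            findings.append(f"{port}: access port is trusted")
        if row.get("rate_pps") is None:
            findings.append(f"{port}: no DHCP rate limit")
    return findings


if __name__ == "__main__":
    # Assumed topology: e0/1 is the uplink, e0/0 the client-facing access port.
    print(audit(SAMPLE, 10, ["Ethernet0/1"], ["Ethernet0/0"]) or "OK")
    # Same output judged against the opposite assumption, to show the findings.
    print(audit(SAMPLE, 10, ["Ethernet0/0"], ["Ethernet0/1"]))
```

Running it against output captured from each switch after the configuration steps above (for example via a scripted `show ip dhcp snooping`) turns the manual `do show ... | include` checks in the transcript into one repeatable test per device.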
DHCP Snooping: closing notes

Besides the features above, DHCP snooping also provides the following:

  • DHCP Snooping Host Tracking: supported from Release 12.2(33)SXJ2; keeps a cache of vlan-mac-port bindings used to forward the corresponding DHCP packets
  • DHCP Snooping remote database: reads the stored information from a remote TFTP server
    Details are in the official documentation (https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html#wp1140196)
