DHCP Snooping
阿新 • Published: 2018-05-21
Tags: network, switch, DHCP
DHCP is used for dynamic address assignment and makes attaching end hosts to a network far simpler, but the protocol itself has no security mechanism at all and is easy to attack. Once a rogue DHCP server appears in a broadcast domain, hosts will very likely take the addresses it pushes, and a large share of the hosts in that domain lose network access; because the rogue server also dictates the default gateway and DNS server, it can just as easily put itself in the path of their traffic instead of cutting it off.
DHCP Snooping feature overview
- Filters DHCP messages received on untrusted interfaces
- Rate-limits DHCP traffic per interface
- Maintains the DHCP snooping binding database (client MAC, IP, lease, VLAN, interface)
- DAI (Dynamic ARP Inspection), and likewise IP Source Guard, depend on the DHCP snooping binding database
DHCP Snooping message filtering
Once DHCP snooping is enabled on a VLAN, the switch drops the following messages when they arrive on an untrusted interface:
- Server-side messages (DHCPOFFER, DHCPACK, DHCPNAK, DHCPLEASEQUERY), so a rogue server on an access port can never answer a client
- Messages whose Ethernet source MAC address does not match the DHCP client hardware address (chaddr); this check is only performed when `ip dhcp snooping verify mac-address` is enabled
- DHCPRELEASE or DHCPDECLINE messages whose MAC address is in the snooping binding database but whose VLAN/interface does not match that binding, so one host cannot release or poison another host's lease
- DHCP messages that already carry option 82 (or a non-zero giaddr, i.e. that claim to come from a relay agent), unless the port is configured with `ip dhcp snooping information option allow-untrusted`
DHCP Snooping option 82 insertion
A switch with DHCP snooping enabled inserts option 82 (relay agent information) into the DHCP messages it receives from clients (enabled by default; see the defaults table below)
- Option 82 carries the switch MAC address as the remote-id and the ingress port identity as the circuit-id, in vlan-mod-port format (figure in the original post)
- If 802.1X is enabled, option 82 includes the RADIUS authentication information
- The relay agent address (giaddr) is left at 0.0.0.0, because the snooping switch is not a relay; this is why the DHCP server configuration below needs `ip dhcp relay information trust-all`
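The drop rules above and the option 82 layout are easier to reason about in code. The following is an added Python model written for this page (not Cisco's implementation and not the author's code): it builds DHCP messages with a constructed client MAC and switch MAC, encodes option 82 in Cisco's default vlan-mod-port/MAC suboption format, and applies the untrusted-port rules, including the `verify mac-address` and `allow-untrusted` knobs configured later on this page, against a constructed binding table. The port names, MAC addresses, IP address and VLAN number are assumptions.

```python
"""Added model of the DHCP snooping untrusted-port filter and of Cisco's default
option 82 encoding (illustration for this page, not Cisco's code)."""
import struct
from dataclasses import dataclass, field

# DHCP message types carried in option 53
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, LEASEQUERY = 1, 2, 3, 4, 5, 6, 7, 10
SERVER_MSGS = {OFFER, ACK, NAK, LEASEQUERY}   # only a DHCP server sends these
MAGIC = b"\x63\x82\x53\x63"                     # DHCP option magic cookie
ZERO_IP = b"\0\0\0\0"

def build_option82(vlan, module, port, switch_mac):
    """Cisco default layout: circuit-id suboption 1 = type 0, len 4, VLAN(2) mod(1) port(1);
    remote-id suboption 2 = type 0, len 6, switch MAC."""
    circuit = struct.pack("!BBHBB", 0, 4, vlan, module, port)
    remote = struct.pack("!BB6s", 0, 6, switch_mac)
    body = bytes([1, len(circuit)]) + circuit + bytes([2, len(remote)]) + remote
    return bytes([82, len(body)]) + body

def build_dhcp(msg_type, chaddr, giaddr=ZERO_IP, extra=b""):
    """Minimal DHCP message: 236-byte BOOTP header, cookie, option 53, extras, end."""
    op = 2 if msg_type in SERVER_MSGS else 1    # BOOTREPLY vs BOOTREQUEST
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0x8000,
                         ZERO_IP, ZERO_IP, ZERO_IP, giaddr, chaddr, b"", b"")
    return header + MAGIC + bytes([53, 1, msg_type]) + extra + b"\xff"

def parse_dhcp(pkt):
    """Return the fields the snooping filter inspects: op, chaddr, giaddr, type, options."""
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:      # 0xFF ends the option list
        if pkt[i] == 0:                         # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": pkt[0], "chaddr": pkt[28:28 + pkt[2]], "giaddr": pkt[24:28],
            "type": opts[53][0], "options": opts}

@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False          # "ip dhcp snooping trust"
    allow_option82: bool = False   # "ip dhcp snooping information option allow-untrusted"

@dataclass
class Snooper:
    verify_mac: bool = True        # "ip dhcp snooping verify mac-address"
    bindings: dict = field(default_factory=dict)   # chaddr -> (ip, vlan, port name)

    def decide(self, port, src_mac, pkt):
        """'forward' or a 'drop: ...' reason for a DHCP frame arriving on port."""
        if port.trusted:                        # trusted ports are not inspected
            return "forward"
        d = parse_dhcp(pkt)
        if d["op"] == 2 or d["type"] in SERVER_MSGS:
            return "drop: server message on untrusted port"
        if self.verify_mac and src_mac != d["chaddr"]:
            return "drop: source MAC does not match chaddr"
        if d["giaddr"] != ZERO_IP:
            return "drop: nonzero giaddr on untrusted port"
        if 82 in d["options"] and not port.allow_option82:
            return "drop: option 82 on untrusted port"
        if d["type"] in (RELEASE, DECLINE):
            bound = self.bindings.get(d["chaddr"])
            if bound and (bound[1], bound[2]) != (port.vlan, port.name):
                return "drop: RELEASE/DECLINE from a port that does not own the binding"
        return "forward"

# Constructed sample: made-up MACs, client on access port e0/0, trusted uplink e0/1
CLIENT_MAC = bytes.fromhex("0000aa000001")
SWITCH_MAC = bytes.fromhex("aabbcc005000")
ACCESS = Port("Ethernet0/0", 10)
UPLINK = Port("Ethernet0/1", 10, trusted=True)
SNOOP = Snooper(bindings={CLIENT_MAC: ("192.168.2.10", 10, "Ethernet0/0")})

def demo():
    """Run the rules against representative frames; returns the verdict per case."""
    discover = build_dhcp(DISCOVER, CLIENT_MAC)
    offer = build_dhcp(OFFER, CLIENT_MAC)
    tagged = build_dhcp(DISCOVER, CLIENT_MAC, extra=build_option82(10, 0, 1, SWITCH_MAC))
    release = build_dhcp(RELEASE, CLIENT_MAC)
    return {
        "client discover": SNOOP.decide(ACCESS, CLIENT_MAC, discover),
        "rogue offer on access port": SNOOP.decide(ACCESS, bytes.fromhex("0000bb000099"), offer),
        "offer from uplink": SNOOP.decide(UPLINK, SWITCH_MAC, offer),
        "spoofed chaddr": SNOOP.decide(ACCESS, bytes.fromhex("0000aa000002"), discover),
        "option 82 on access port": SNOOP.decide(ACCESS, CLIENT_MAC, tagged),
        "option 82 with allow-untrusted": SNOOP.decide(Port("Ethernet0/0", 10, allow_option82=True), CLIENT_MAC, tagged),
        "release from wrong port": SNOOP.decide(Port("Ethernet0/2", 10), CLIENT_MAC, release),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:32} {verdict}")
```

The order of the checks matters: a rogue OFFER is rejected on message type before any MAC comparison, so an attacker gains nothing by matching the chaddr, and the `allow-untrusted` port in the last cases still drops server messages, because that knob only lifts the option 82 check and never makes the port trusted.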
DHCP Snooping database
Every binding learned from a completed DHCP exchange on an untrusted port is stored in the binding database: client MAC address, assigned IP address, remaining lease time, binding type, VLAN and interface (`show ip dhcp snooping binding`; figure in the original post). Hosts on trusted ports are not recorded.
DHCP Snooping default settings
Option | Default value/state |
---|---|
DHCP snooping | Disabled |
DHCP snooping host tracking feature | Disabled |
DHCP snooping information option (option 82 insertion) | Enabled |
DHCP option 82 on untrusted port feature (allow-untrusted) | Disabled |
DHCP snooping limit rate | None |
DHCP snooping trust | Untrusted (every interface) |
DHCP snooping VLAN | Disabled |
DHCP snooping spurious server detection | Disabled |
DHCP snooping detect spurious interval | 30 minutes |
DHCP Snooping configuration
Topology
(figure in the original post; as far as the configurations below show: Client - SW1 - SW2 - DHCP server 192.168.2.1, everything in VLAN 10, the switches using Ethernet0/0 and Ethernet0/1)
Configuration
Client
Client#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Client(config)#interface e0/0
Client(config-if)#ip address dhcp   # obtain the interface address via DHCP
Client(config-if)#no shutdown   # bring the interface up
SW1:
SW1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#vlan 10
SW1(config-vlan)#exit
SW1(config)#interface e0/0
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config-if)#interface e0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW1(config-if)#exit
SW1(config)#ip dhcp snooping   # enable DHCP snooping globally
SW1(config)#do show ip dhcp snooping | include Switch   # confirm DHCP snooping is on
Switch DHCP snooping is enabled
SW1(config)#ip dhcp snooping information option   # option 82 insertion (already on by default, see the defaults table)
SW1(config)#do show ip dhcp snooping | include 82   # confirm option 82 insertion is on
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
SW1(config)#ip dhcp snooping verify mac-address   # drop DHCP packets whose frame source MAC differs from the chaddr field (this is not an IP binding check)
SW1(config)#do show ip dhcp snooping | include hwaddr   # confirm the check is on
Verification of hwaddr field is enabled
SW1(config)#ip dhcp snooping database disk0:/dhcp.db   # persist the binding database; without a database agent the bindings are lost on reload
SW1(config)#ip dhcp snooping vlan 10   # enable DHCP snooping on the VLAN (nothing is filtered until both the global and the per-VLAN command are present)
SW1(config)#do show ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: aabb.cc00.5000 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
SW1(config-if)#ip dhcp snooping trust   # on the uplink toward SW2 and the DHCP server (the transcript omits the `interface` command that selects it); the empty table above shows that until this is done no port is trusted and every server reply is dropped
SW1(config-if)#ip dhcp snooping limit rate 60   # DHCP rate limit in pps, as required; a port that exceeds it is err-disabled unless `errdisable recovery cause dhcp-rate-limit` is configured, so keep limits on trusted uplinks generous and put the tight ones on untrusted access ports
SW2:
SW2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)#vlan 10
SW2(config-vlan)#exit
SW2(config)#interface e0/0
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 10
SW2(config-if)#interface e0/1
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 10
SW2(config-if)#exit
SW2(config)#ip dhcp snooping   # enable DHCP snooping globally
SW2(config)#do show ip dhcp snooping | include Switch   # confirm DHCP snooping is on
Switch DHCP snooping is enabled
SW2(config)#ip dhcp snooping information option   # option 82 insertion (already on by default)
SW2(config)#do show ip dhcp snooping | include 82   # confirm option 82 insertion is on
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
SW2(config)#ip dhcp snooping verify mac-address   # drop DHCP packets whose frame source MAC differs from the chaddr field
SW2(config)#do show ip dhcp snooping | include hwaddr   # confirm the check is on
Verification of hwaddr field is enabled
SW2(config)#ip dhcp snooping database disk0:/dhcp.db   # persist the binding database across reloads
SW2(config)#ip dhcp snooping vlan 10   # enable DHCP snooping on the VLAN
SW2(config)#do show ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: aabb.cc00.5000 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
SW2(config-if)#ip dhcp snooping trust   # on the port toward the DHCP server (the transcript omits the `interface` command that selects it); never trust the port facing SW1, or a rogue server behind SW1 would be believed
SW2(config-if)#ip dhcp snooping limit rate 60   # DHCP rate limit in pps, as required (see the err-disable note under SW1)
SW2(config-if)#interface e0/0
SW2(config-if)#ip dhcp snooping information option allow-untrusted   # port toward the downstream switch SW1: accept DHCP packets that already carry option 82 inserted by SW1 (an untrusted port drops them by default); the port stays untrusted, so server messages arriving on it are still dropped
Server:
DHCP#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
DHCP(config)#interface e0/0
DHCP(config-if)#ip address 192.168.2.1 255.255.255.0
DHCP(config-if)#no shutdown
DHCP(config-if)#exit
DHCP(config)#ip dhcp pool test   # configure the DHCP server
DHCP(dhcp-config)#network 192.168.2.0 255.255.255.0
DHCP(dhcp-config)#default-router 192.168.2.1
DHCP(dhcp-config)#dns-server 114.114.114.114
DHCP(dhcp-config)#exit
DHCP(config)#ip dhcp relay information trust-all   # an IOS DHCP server checks the giaddr of every packet that carries option 82 and drops the packet when giaddr is 0.0.0.0, which is exactly what a snooping switch (not a relay) produces; trust-all accepts such packets on all interfaces (`ip dhcp relay information trusted` does the same for one interface). The other solution is to turn off option 82 insertion on the switches with `no ip dhcp snooping information option`; a poster in the Cisco support forum says turning it off affects performance, see https://supportforums.cisco.com/t5/lan-switching-and-routing/dhcp-snooping/td-p/1622877
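After enabling snooping, the `show ip dhcp snooping` output above is where misconfiguration shows first: the interface table at the bottom is empty, meaning no port is trusted yet, so at that moment every DHCPOFFER/DHCPACK coming back from the server would be dropped. The following is an added Python audit script written for this page (not Cisco's tooling and not the author's code) that parses that output format and flags the mistakes a practitioner checks for: snooping off, a VLAN configured but not operational, no trusted port, a rate limit on the trusted uplink, and untrusted ports without a rate limit. The first sample is the page's own output; the interface rows, names and rate values added in the other samples are assumptions.

```python
"""Added audit of `show ip dhcp snooping` output (illustration for this page, not Cisco's
or the author's code)."""
import re

# Constructed sample 1: the state this page shows right after enabling snooping,
# before any port is trusted (empty interface table).
SHOW_NO_TRUST = """\
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: aabb.cc00.5000 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
"""
# Constructed sample 2: trusted uplink, rate-limited access port (assumed rows).
SHOW_OK = SHOW_NO_TRUST + """\
Ethernet0/1                yes        yes             unlimited
Ethernet0/0                no         no              60
"""
# Constructed sample 3: the page's own step of rate-limiting the trusted uplink.
SHOW_RATE_ON_TRUSTED = SHOW_NO_TRUST + "Ethernet0/1                yes        yes             60\n"

ROW = re.compile(r"^(\S+)\s+(yes|no)\s+(yes|no)\s+(\S+)$")

def expand_vlans(spec):
    """'10,20-22' -> {10, 20, 21, 22}; IOS prints VLAN lists in this form."""
    out = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        out.update(range(int(low), int(high or low) + 1))
    return out

def parse_show_snooping(text):
    """Reduce the show output to the facts the audit needs."""
    info = {"enabled": "Switch DHCP snooping is enabled" in text,
            "option82": "Insertion of option 82 is enabled" in text,
            "configured_vlans": set(), "operational_vlans": set(), "interfaces": []}
    section = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("DHCP snooping is configured on following VLANs"):
            section = "configured_vlans"
        elif s.startswith("DHCP snooping is operational on following VLANs"):
            section = "operational_vlans"
        elif s.startswith("DHCP snooping is configured on the following L3"):
            section = None
        elif section and re.fullmatch(r"[\d,\-]+", s):
            info[section] |= expand_vlans(s)
        else:
            m = ROW.match(s)
            if m:
                name, trusted, allow, rate = m.groups()
                info["interfaces"].append({"name": name, "trusted": trusted == "yes",
                                           "allow_option82": allow == "yes",
                                           "rate": None if rate == "unlimited" else int(rate)})
    return info

def audit(info):
    """Findings a practitioner checks for after turning snooping on."""
    findings = []
    if not info["enabled"]:
        findings.append("DHCP snooping is globally disabled")
    not_oper = info["configured_vlans"] - info["operational_vlans"]
    if not_oper:
        findings.append(f"VLANs configured but not operational: {sorted(not_oper)}")
    if info["enabled"] and info["configured_vlans"] and not any(i["trusted"] for i in info["interfaces"]):
        findings.append("no trusted interface: every DHCPOFFER/DHCPACK from the server "
                        "is dropped and clients cannot obtain a lease")
    for i in info["interfaces"]:
        if i["trusted"] and i["rate"] is not None:
            findings.append(f"{i['name']}: rate limit {i['rate']} pps on a trusted uplink; "
                            "a burst from many clients can err-disable it")
        if not i["trusted"] and i["rate"] is None:
            findings.append(f"{i['name']}: untrusted port without a DHCP rate limit")
    return findings

if __name__ == "__main__":
    for label, text in (("no trust", SHOW_NO_TRUST), ("ok", SHOW_OK),
                        ("rate on trusted", SHOW_RATE_ON_TRUSTED)):
        print(label, audit(parse_show_snooping(text)) or ["clean"])
```

Feed it the real output captured from a switch (for example via `show ip dhcp snooping` over SSH) and treat any finding as a blocker before trusting the VLAN to snooping; the "no trusted interface" case is the one that silently breaks address assignment for every client on the VLAN.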
DHCP Snooping wrap-up
Beyond the features covered above, DHCP snooping also has the following:
- DHCP snooping host tracking   # supported from Release 12.2(33)SXJ2; keeps a cache of VLAN/MAC/port bindings that is used to forward DHCP reply messages to the right port
- Remote DHCP snooping database   # the database agent can write the bindings to, and restore them from, a remote TFTP server (`ip dhcp snooping database tftp://host/path`) instead of local storage such as disk0: above
Full documentation on Cisco's site: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html#wp1140196