一.基本配置
top图:
DHCP server:
- #
- sysname dhcp-server
- #
- interface GigabitEthernet0/0/0
- ip address 20.1.1.1 255.255.255.0
- dhcp select global
- #
- dhcp enable
- #
- ip pool forvlan10
- gateway-list 192.168.10.254
- network 192.168.10.0 mask 255.255.255.0
- dns-list 8.8.8.8
- #
- ip pool forvlan20
- gateway-list 192.168.20.254
- network 192.168.20.0 mask 255.255.255.0
- excluded-ip-address 192.168.20.1
- dns-list 8.8.8.8
- #
核心路由器
- #
- sysname hexin-SW
- #
- interface GigabitEthernet0/0/0
- ip address 20.1.1.2 255.255.255.0
- #
- interface GigabitEthernet0/0/1
- ip address 10.1.1.1 255.255.255.0
- #
- ospf 1 router-id 5.5.5.5
- area 0.0.0.0
- network 10.1.1.0 0.0.0.255
- network 20.1.1.0 0.0.0.255
- #
汇聚层交换机:
- #
- sysname huiju-SW
- #
- undo info-center enable
- #
- vlan batch 5 10 20
- #
- dhcp enable
- #
- interface Vlanif10
- ip address 192.168.10.254 255.255.255.0
- dhcp select relay
- dhcp relay server-ip 20.1.1.1
- #
- interface Vlanif20
- ip address 192.168.20.254 255.255.255.0
- dhcp select relay
- dhcp relay server-ip 20.1.1.1
- #
- interface GigabitEthernet0/0/1
- port link-type access
- port default vlan 5
- #
- interface GigabitEthernet0/0/2
- port link-type trunk
- port trunk allow-pass vlan 2 to 4094
- #
- #
- ospf 1 router-id 2.2.2.2
- import-route direct
- area 0.0.0.0
- network 10.1.1.0 0.0.0.255
- #
-
接入层交换机:
- #
- sysname jieru-SW
- #
- undo info-center enable
- #
- vlan batch 10 20
- #
- interface Ethernet0/0/1
- port link-type access
- port default vlan 10
- #
- interface Ethernet0/0/2
- port link-type access
- port default vlan 20
- #
- #
- interface GigabitEthernet0/0/1
- port link-type trunk
- port trunk allow-pass vlan 2 to 4094
- #
二.DHCP安全问题及配置 DHCP Snooping
1.DHCP安全问题
DHCP应用服务在校园网运营过程中可能存在的问题?
非法的DHCP服务器
用户架设非法DHCP服务器 如果存在恶意用户私自架设了一台DHCP服务器,那么将会使用户获取到错误的IP地址,导致无法接入进校园网
用户私自配置IP
用户使用静态IP地址接入 部分用户手动配置IP地址,但DHCP服务器是不知道的,因此在为DHCP用户分配IP地址的时候,用户通过DHCP获取到的IP地址,在网络中是已经使用的,导致了IP地址冲突。
饿死攻击
属于Dos攻击的一种,攻击者通常构造DHCP client报文,冒充大量用户去请求IP地址,从而耗尽服务器IP资源。
2.安全配置,Snooping功能:
top图:
模拟非法的DHCP
- #
- sysname IlegalServer
- #
- dhcp enable
- #
- ip pool ilegal
- gateway-list 172.1.1.1
- network 172.1.1.0 mask 255.255.255.0
- dns-list 1.1.1.1
- #
- interface GigabitEthernet0/0/0
- ip address 170.1.1.1 255.255.255.0
- dhcp select interface
- #
此时vlan10 的用户就有可能获得错误的IP:
防止非法的DHCP服务器接入
接入层交换机:
- #
- sysname jieru-SW
- #
- undo info-center enable
- #
- vlan batch 10 20
- #
- dhcp enable
- #
- dhcp snooping enable 开启Snooping功能
- #
- vlan 10
- dhcp snooping enable
- vlan 20
- dhcp snooping enable
- #
- interface GigabitEthernet0/0/1
- port link-type trunk
- port trunk allow-pass vlan 2 to 4094
- dhcp snooping enable 启用Snooping功能
- dhcp snooping trusted 设置为信任端口,默认为untrust
- #
- interface GigabitEthernet0/0/2
- port link-type access
- port default vlan 10
- #
- interface GigabitEthernet0/0/3
- port link-type access
- port default vlan 10
- #
- interface GigabitEthernet0/0/4
- port link-type access
- port default vlan 10
- #
- interface GigabitEthernet0/0/5
- port link-type access
- port default vlan 20
- #
- interface GigabitEthernet0/0/6
- port link-type access
- port default vlan 20
- #
再次测试PC,获取IP
即使将DHCPserver关了,PC也不会获取到非法的服务器提供的IP。
抓包分析,可以发现交换机不转发discover报文给untrust端口
查看配Snooping置信息
防止用户私自配置IP
开启Snooping功能后,交换机会生成Snooping绑定表
私自配置的IP地址将不可用:
防饿死攻击
在接入层交换机下行端口设置该端口 获得 dhcp地址的最大数为1,防止饿死攻击
[jieru-SW-GigabitEthernet0/0/3]dhcp snooping max-user-number 1
评论记录:
回复评论: