DHCP Snooping is a DHCP security feature. Through MAC address limiting, DHCP Snooping binding, IP/MAC binding and the Option 82 feature it filters untrusted DHCP messages, protecting a network that relies on DHCP against DHCP DoS attacks, bogus DHCP server attacks, ARP man-in-the-middle attacks and IP/MAC spoofing.

Networking requirements

As shown in Figure 1, the USG acts as the DHCP Relay between the DHCP clients and the DHCP server and is expected to protect the network from the following DHCP attacks:
- bogus DHCP server attacks
- man-in-the-middle and IP/MAC spoofing attacks
- DoS attacks that forge the CHADDR value
- spoofed DHCP lease-renewal messages
- floods of DHCP Request messages

Figure 1 Networking for configuring DHCP Snooping on the device


Network planning

Based on the network and the requirements above, the plan is as follows:
- To defend against the DHCP attacks listed, enable DHCP Snooping both globally and on the interfaces.
- To defend against bogus DHCP servers, configure the user-side interface as Untrusted and the server-side interface as Trusted. DHCP Reply messages (Offer/ACK/NAK) received on an Untrusted interface are discarded.
- To defend against man-in-the-middle and IP/MAC spoofing attacks, use DHCP Snooping binding: a packet is forwarded only if its information matches an entry in the binding table, otherwise it is discarded.
- To defend against attackers who forge the CHADDR value, check the CHADDR field of DHCP Request messages. If it matches the source MAC address in the frame header the message is forwarded, otherwise it is discarded.
- To defend against spoofed lease-renewal messages, check DHCP Request messages against the binding table: only a message whose information matches a binding entry is treated as a legitimate request and forwarded, otherwise it is discarded.
- To defend against DHCP Request floods, configure a rate check on DHCP messages sent to the CPU.
- When DHCP messages are being discarded in volume, configure the device to send alarms to the NMS so that the administrator can notice and react in time.

Procedure

Step 1 Configure DHCP Relay so that DHCP works across the USG.
# Configure the IP address of interface GigabitEthernet 0/0/2.
<USG> system-view
[USG] sysname DHCP-Relay
[DHCP-Relay] interface GigabitEthernet 0/0/2
[DHCP-Relay-GigabitEthernet0/0/2] ip address 100.1.1.1 24
[DHCP-Relay-GigabitEthernet0/0/2] quit
# Enable DHCP Relay on interface GigabitEthernet 0/0/1, which sits on the same subnet as the DHCP clients.
[DHCP-Relay] interface GigabitEthernet 0/0/1
[DHCP-Relay-GigabitEthernet0/0/1] ip address 10.1.1.1 24
[DHCP-Relay-GigabitEthernet0/0/1] dhcp select relay
[DHCP-Relay-GigabitEthernet0/0/1] ip relay address 100.1.1.2
[DHCP-Relay-GigabitEthernet0/0/1] quit

Step 2 Enable DHCP Snooping.
# Enable DHCP Snooping globally and on both interfaces.
[DHCP-Relay] dhcp snooping enable
[DHCP-Relay] interface GigabitEthernet 0/0/1
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping enable
[DHCP-Relay-GigabitEthernet0/0/1] quit
[DHCP-Relay] interface GigabitEthernet 0/0/2
[DHCP-Relay-GigabitEthernet0/0/2] dhcp snooping enable
[DHCP-Relay-GigabitEthernet0/0/2] quit

Step 3 Configure the Trusted interface to defend against bogus DHCP servers.
# Set the interface facing the DHCP server to Trusted and leave the interface facing the DHCP clients as Untrusted (once DHCP Snooping is enabled on an interface, its mode defaults to Untrusted).
[DHCP-Relay] interface GigabitEthernet 0/0/2
[DHCP-Relay-GigabitEthernet0/0/2] dhcp snooping trusted
[DHCP-Relay-GigabitEthernet0/0/2] quit

Step 4 Configure packet checks and the DHCP Snooping binding table.
# Check ARP and IP packets on the client-side interface against the binding table to defend against man-in-the-middle and IP/MAC spoofing attacks.
[DHCP-Relay] interface GigabitEthernet 0/0/1
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping check arp enable
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping check ip enable
[DHCP-Relay-GigabitEthernet0/0/1] quit
# Check DHCP Request messages on the client-side interface to defend against spoofed lease-renewal messages.
[DHCP-Relay] interface GigabitEthernet 0/0/1
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping check dhcp-request enable
[DHCP-Relay-GigabitEthernet0/0/1] quit
# Check the CHADDR field on the client-side interface to defend against DoS attacks that forge the CHADDR value.
[DHCP-Relay] interface GigabitEthernet 0/0/1
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping check dhcp-chaddr enable
[DHCP-Relay-GigabitEthernet0/0/1] quit

Step 5 Configure the rate limit on DHCP messages sent to the CPU to defend against DHCP Request floods.
# Allow at most 90 DHCP messages per second to be sent to the CPU and enable the check.
[DHCP-Relay] dhcp snooping check dhcp-rate 90
[DHCP-Relay] dhcp snooping check dhcp-rate enable

Step 6 Configure Option 82.
# Insert interface information into DHCP messages so that accurate binding entries can be built.
[DHCP-Relay] interface GigabitEthernet 0/0/1
[DHCP-Relay-GigabitEthernet0/0/1] dhcp option82 insert enable
[DHCP-Relay-GigabitEthernet0/0/1] quit

Step 7 Discard packets that have no binding entry.
# Configure the global forwarding action for ARP and IP packets without a matching entry.
[DHCP-Relay] dhcp snooping nomatch-packet arp action discard
[DHCP-Relay] dhcp snooping nomatch-packet ip action discard
# Configure the same action on the client-side interface.
[DHCP-Relay] interface GigabitEthernet 0/0/1
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping nomatch-packet arp action discard
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping nomatch-packet ip action discard
[DHCP-Relay-GigabitEthernet0/0/1] quit

Step 8 Configure alarms to the NMS.
# Enable the alarms.
[DHCP-Relay] interface GigabitEthernet 0/0/1
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply enable
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping alarm arp enable
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr enable
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request enable
[DHCP-Relay-GigabitEthernet0/0/1] quit
[DHCP-Relay] dhcp snooping check dhcp-rate alarm enable
# Configure the alarm thresholds (number of discarded packets that triggers an alarm).
[DHCP-Relay] interface GigabitEthernet 0/0/1
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply threshold 10
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping alarm arp threshold 10
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr threshold 10
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request threshold 10
[DHCP-Relay-GigabitEthernet0/0/1] quit
[DHCP-Relay] dhcp snooping check dhcp-rate alarm threshold 40

Verification

Run display dhcp snooping global on DHCP-Relay to confirm that DHCP Snooping is enabled in the global and interface views and to view the alarm-related settings.
[DHCP-Relay] display dhcp snooping global
 dhcp snooping enable
 dhcp snooping nomatch-packet ip action discard
 dhcp snooping nomatch-packet arp action discard
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate alarm enable
 dhcp snooping check dhcp-rate 90
 dhcp snooping check dhcp-rate alarm threshold 40

View the entries of the DHCP Snooping binding table.
[DHCP-Relay] display dhcp snooping bind-table static
bind-table:
ifname   vrf   vsi   p/cvlan    mac-address      ip-address        tp  lease
-------------------------------------------------------------------------------
GE0/0/1  0000  -     0000/0000  00e0-fc5e-008a   010.001.001.001   S   0
-------------------------------------------------------------------------------
binditem count: 1   binditem total count: 1

Display the DHCP Snooping information on the interfaces. The "total" lines at the end of each output are the counters of packets discarded by the corresponding check; they are zero here because no attack traffic has been seen yet, and a counter that keeps climbing on an interface is the first thing to look at when an alarm fires.
[DHCP-Relay] display dhcp snooping interface GigabitEthernet 0/0/1
 dhcp snooping enable
 dhcp snooping check arp enable
 dhcp snooping alarm arp enable
 dhcp snooping alarm arp threshold 10
 dhcp snooping nomatch-packet arp action discard
 dhcp snooping check ip enable
 dhcp snooping nomatch-packet ip action discard
 dhcp snooping alarm dhcp-reply enable
 dhcp snooping alarm dhcp-reply threshold 10
 dhcp snooping check dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 10
 dhcp snooping check dhcp-request enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 10
 arp total 0
 ip total 0
 dhcp-request total 0
 chaddr&src mac total 0
 dhcp-reply total 0
[DHCP-Relay] display dhcp option82 interface GigabitEthernet 0/0/1
 dhcp option82 insert enable interface GigabitEthernet0/0/1
[DHCP-Relay] display dhcp snooping interface GigabitEthernet 0/0/2
 dhcp snooping enable
 dhcp snooping trusted
 arp total 0
 ip total 0
 dhcp-request total 0
 chaddr&src mac total 0
 dhcp-reply total 0
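To make the decision logic behind Steps 3 to 8 concrete, the following Python model, added here as an illustration and not code from Huawei or from the USG, replays the attacks from the networking requirements against a software version of the same checks: reply messages are accepted only from a trusted port, CHADDR must equal the frame's source MAC, renewals and releases must match an existing binding, ARP/IP packets without a binding are discarded, client DHCP messages are rate-limited per second, and each check keeps a discard counter that is compared with an alarm threshold. Port names, MAC addresses and the DHCP messages are constructed for the demo; the binding is keyed only by (port, MAC) and ignores VLAN and lease time, which a real device tracks as the bind-table output above shows.

```python
"""Model of the DHCP Snooping checks configured above (added example, not USG code)."""
import struct
from collections import defaultdict
from dataclasses import dataclass, field

BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, RELEASE = 1, 2, 3, 5, 7
MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie that precedes the options
ZERO_IP = b"\0" * 4


def build_dhcp(op, msg_type, chaddr, ciaddr=ZERO_IP, yiaddr=ZERO_IP, xid=0x1234):
    """Build a minimal RFC 2131 message; constructed sample input for the demo."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)      # op htype hlen hops xid secs flags
    hdr += ciaddr + yiaddr + ZERO_IP * 2                          # ciaddr yiaddr siaddr giaddr
    hdr += chaddr.ljust(16, b"\0") + b"\0" * 192                  # chaddr(16) sname(64) file(128)
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])            # option 53 = message type, end


def parse_dhcp(payload):
    """Return (op, chaddr, ciaddr, yiaddr, message type) from a raw DHCP message."""
    op, _htype, hlen = struct.unpack_from("!BBB", payload, 0)
    chaddr = payload[28:28 + hlen]
    opts, i, mtype = payload[240:], 0, 0
    while i < len(opts) and opts[i] != 255:
        if opts[i] == 0:                    # pad option has no length byte
            i += 1
            continue
        tag, length = opts[i], opts[i + 1]
        if tag == 53:
            mtype = opts[i + 2]
        i += 2 + length
    return op, chaddr, payload[12:16], payload[16:20], mtype


@dataclass
class Snooper:
    trusted: set                              # ports facing the DHCP server (Step 3)
    rate_limit: int = 90                      # client DHCP messages per second (Step 5)
    bindings: dict = field(default_factory=dict)              # (port, mac) -> ip
    pending: dict = field(default_factory=dict)               # client mac -> port, awaiting ACK
    drops: dict = field(default_factory=lambda: defaultdict(int))  # per-check discard counters
    window: tuple = (-1, 0)                   # (second, messages seen in that second)

    def _drop(self, reason):
        self.drops[reason] += 1
        return "drop:" + reason

    def dhcp(self, port, src_mac, payload, now=0.0):
        """Apply the snooping checks to one DHCP message; returns 'forward' or 'drop:<check>'."""
        op, chaddr, ciaddr, yiaddr, mtype = parse_dhcp(payload)
        if op == BOOTREPLY:
            if port not in self.trusted:            # bogus server on an untrusted port
                return self._drop("dhcp-reply")
            if mtype == ACK and chaddr in self.pending:   # lease granted: learn the binding
                self.bindings[(self.pending.pop(chaddr), chaddr)] = yiaddr
            return "forward"
        sec = int(now)                              # global rate check on client messages
        self.window = (sec, self.window[1] + 1) if self.window[0] == sec else (sec, 1)
        if self.window[1] > self.rate_limit:
            return self._drop("dhcp-rate")
        if chaddr != src_mac:                       # CHADDR must match the frame source MAC
            return self._drop("dhcp-chaddr")
        if mtype == RELEASE or (mtype == REQUEST and ciaddr != ZERO_IP):
            # renewal/release: the client must already hold this lease on this port
            if self.bindings.get((port, src_mac)) != ciaddr:
                return self._drop("dhcp-request")
        elif mtype in (DISCOVER, REQUEST):
            self.pending[src_mac] = port
        return "forward"

    def data(self, kind, port, src_mac, src_ip):
        """ARP/IP check on client ports: no matching binding -> discard (Step 7)."""
        if port in self.trusted or self.bindings.get((port, src_mac)) == src_ip:
            return "forward"
        return self._drop(kind)

    def alarms(self, threshold=10):
        """Checks whose discard counter reached the alarm threshold (Step 8)."""
        return sorted(k for k, v in self.drops.items() if v >= threshold)


def demo():
    """Replay the attacks from the networking requirements; returns the snooper and verdicts."""
    s = Snooper(trusted={"GE0/0/2"})
    client, rogue = bytes.fromhex("00e0fc5e008a"), bytes.fromhex("00e0fc000001")
    ip = bytes([10, 1, 1, 1])
    return s, [
        s.dhcp("GE0/0/1", client, build_dhcp(BOOTREQUEST, DISCOVER, client)),
        s.dhcp("GE0/0/1", rogue, build_dhcp(BOOTREPLY, OFFER, client, yiaddr=ip)),     # bogus server
        s.dhcp("GE0/0/2", b"\0" * 6, build_dhcp(BOOTREPLY, ACK, client, yiaddr=ip)),   # real server
        s.data("ip", "GE0/0/1", client, ip),                                            # bound client
        s.data("arp", "GE0/0/1", rogue, ip),                                            # IP/MAC spoof
        s.dhcp("GE0/0/1", rogue, build_dhcp(BOOTREQUEST, REQUEST, client, ciaddr=ip)),  # forged CHADDR
        s.dhcp("GE0/0/1", rogue, build_dhcp(BOOTREQUEST, RELEASE, rogue, ciaddr=ip)),   # forged release
    ]


if __name__ == "__main__":
    for verdict in demo()[1]:
        print(verdict)
```

The order of checks in dhcp() mirrors the way the page layers them: the trust decision is made before anything else on reply messages, the rate check runs before the per-message checks so that a flood cannot be used to exhaust the CPU on CHADDR or binding lookups, and the binding table is only ever populated from an ACK that arrived on the trusted port, which is what makes the later ARP/IP and renewal checks trustworthy.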
