组网需求
如图所示,LSW1与LSW2是二层交换机,LSW3是用户网关,作为DHCP Relay向DHCP服务器转发DHCP报文,使得DHCP客户端可以从DHCP服务器上申请到IP地址等相关配置信息。
然而网络中可能会存在针对DHCP的攻击,例如:
- DHCP Server仿冒者攻击:在网络上随意添加一台DHCP服务器,它可以为客户端分配IP地址以及其他网络参数。如果该DHCP服务器为用户分配错误的IP地址和其他网络参数,将会对网络造成非常大的危害。
- DHCP报文泛洪攻击:若攻击者短时间内向设备发送大量的DHCP报文,将会对设备的性能造成巨大的冲击以致可能会导致设备无法正常工作。
- 仿冒DHCP报文攻击:如果攻击者冒充合法用户不断向DHCP Server发送DHCP Request报文来续租IP地址,会导致这些到期的IP地址无法正常回收,以致一些合法用户不能获得IP地址;而若攻击者仿冒合法用户的DHCP Release报文发往DHCP Server,将会导致用户异常下线。公众号同名
- DHCP Server服务拒绝攻击:当存在大量攻击者恶意申请IP地址或者某一攻击者通过不断改变CHADDR字段向DHCP Server申请IP地址,会导致DHCP Server中IP地址快速耗尽而不能为其他合法用户提供IP地址分配服务。
为了为DHCP用户提供更优质的服务,网络管理员可以通过配置DHCP Snooping功能,实现DHCP攻击防范。
配置思路
通过在DHCP Relay配置DHCP Snooping进行攻击防范:
- 配置DHCP功能,实现SwitchC转发不同网段的DHCP报文给DHCP服务器。
- 配置DHCP Snooping的基本功能,防止DHCP Server仿冒者攻击。同时可以使能ARP与DHCP Snooping的联动功能,保证DHCP用户在异常下线时实时更新绑定表。还可以配置丢弃GIADDR字段非零的DHCP报文,防止非法用户攻击。
- 配置DHCP报文上送DHCP报文处理单元的最大允许速率,防止DHCP报文泛洪攻击。同时可以使能丢弃报文告警功能,当丢弃的DHCP报文数达到告警阈值时产生告警信息。
- 使能对DHCP报文进行绑定表匹配检查的功能,防止仿冒DHCP报文攻击。同时可以使能与绑定表不匹配而被丢弃的DHCP报文数达到阈值时产生告警信息功能。
- 配置允许接入的最大用户数以及使能检测DHCP Request报文帧头MAC与DHCP数据区中CHADDR字段是否一致功能,防止DHCP Server服务拒绝攻击。同时可以使能数据帧头MAC地址与DHCP报文中的CHADDR字段不一致被丢弃的报文达到阈值时产生告警信息功能。
操作步骤
配置基本配置和DHCP
DHCP Server
<Huawei>sys <Huawei>sys DHCP Server [DHCP Server]vlan batch 10 100 [DHCP Server]dhcp enable [DHCP Server]interface GigabitEthernet 0/0/1 [DHCP Server-GigabitEthernet0/0/1]port link-type trunk [DHCP Server-GigabitEthernet0/0/1]port trunk allow-pass vlan 100 [DHCP Server-GigabitEthernet0/0/1]quit [DHCP Server]ip pool 20wl [DHCP Server-ip-pool-20wl]network 192.168.1.0 mask 255.255.255.0 [DHCP Server-ip-pool-20wl]gateway-list 192.168.1.1 [DHCP Server-ip-pool-20wl]quit [DHCP Server]interface Vlanif100 [DHCP Server-Vlanif100]ip address 10.1.1.2 255.255.255.0 [DHCP Server-Vlanif100]dhcp select global [DHCP Server-Vlanif100]quit [DHCP Server]ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
LSW3
<Huawei>sys <Huawei>sys LWS3 [LWS3]vlan batch 10 100 [LWS3]dhcp enable [LWS3]interface GigabitEthernet0/0/1 [LWS3-GigabitEthernet0/0/1]port link-type trunk [LWS3-GigabitEthernet0/0/1]port trunk allow-pass vlan 100 [LWS3-GigabitEthernet0/0/1]quit [LWS3]interface GigabitEthernet0/0/2 [LWS3-GigabitEthernet0/0/2]port link-type access [LWS3-GigabitEthernet0/0/2]port default vlan 10 [LWS3-GigabitEthernet0/0/2]quit [LWS3-GigabitEthernet0/0/3]interface GigabitEthernet0/0/3 [LWS3-GigabitEthernet0/0/3]port link-type access [LWS3-GigabitEthernet0/0/3]port default vlan 10 [LWS3-GigabitEthernet0/0/3]quit [LWS3]dhcp server group 20wl [LWS3-dhcp-server-group-20wl]dhcp-server 10.1.1.2 [LWS3-dhcp-server-group-20wl]quit [LWS3]interface Vlanif10 [LWS3-Vlanif10]ip address 192.168.1.1 255.255.255.0 [LWS3-Vlanif10]dhcp select relay [LWS3-Vlanif10]dhcp relay server-select 20wl [LWS3-Vlanif10]quit [LWS3-Vlanif100]interface Vlanif100 [LWS3-Vlanif100]ip address 10.1.1.1 255.255.255.0 [LWS3-Vlanif100]quit [LWS3]ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
PC DHCP获取IP地址
使能DHCP Snooping基本功能
使能全局DHCP Snooping功能。
[LWS3]dhcp snooping enable
使能用户侧接口的DHCP Snooping功能
[LWS3]interface gigabitethernet 0/0/2 [LWS3-GigabitEthernet1/0/2]dhcp snooping enable [LWS3-GigabitEthernet1/0/2]quit [LWS3]interface gigabitethernet 0/0/3 [LWS3-GigabitEthernet1/0/3]dhcp snooping enable [LWS3-GigabitEthernet1/0/3]quit
使能ARP与DHCP Snooping的联动功能。
[LWS3]arp dhcp-snooping-detect enable
使能检测DHCP Request报文中GIADDR字段是否非零的功能
[LWS3]interface gigabitethernet 0/0/2 [LWS3-GigabitEthernet0/0/2]dhcp snooping check dhcp-giaddr enable [LWS3-GigabitEthernet0/0/2]quit [LWS3]interface gigabitethernet 0/0/3 [LWS3-GigabitEthernet0/0/3]dhcp snooping check dhcp-giaddr enable [LWS3-GigabitEthernet0/0/3]quit
配置DHCP报文上送DHCP报文处理单元的最大允许速率并使能丢弃报文告警功能
配置DHCP报文上送DHCP报文处理单元的最大允许速率为90pps
[LWS3]dhcp snooping check dhcp-rate enable [LWS3]dhcp snooping check dhcp-rate 90
使能丢弃报文告警功能,并配置报文限速告警阈值
[LWS3]dhcp snooping alarm dhcp-rate enable [LWS3]dhcp snooping alarm dhcp-rate threshold 500
使能对DHCP报文进行绑定表匹配检查的功能并使能与绑定表不匹配而被丢弃的DHCP报文数达到阈值时产生告警信息功能
在用户侧接口进行配置
[LWS3]interface gigabitethernet 0/0/2 [LWS3-GigabitEthernet0/0/2]dhcp snooping check dhcp-request enable [LWS3-GigabitEthernet0/0/2]dhcp snooping alarm dhcp-request enable [LWS3-GigabitEthernet0/0/2]dhcp snooping alarm dhcp-request threshold 120 [LWS3-GigabitEthernet0/0/2]quit [LWS3]interface gigabitethernet 0/0/3 [LWS3-GigabitEthernet0/0/3]dhcp snooping check dhcp-request enable [LWS3-GigabitEthernet0/0/3]dhcp snooping alarm dhcp-request enable [LWS3-GigabitEthernet0/0/3]dhcp snooping alarm dhcp-request threshold 120 [LWS3-GigabitEthernet0/0/3quit
配置接口允许接入的最大用户数并使能对CHADDR字段检查功能,同时使能数据帧头MAC地址与DHCP报文中的CHADDR字段不一致被丢弃的报文达到阈值时产生告警信息功能。
在用户侧接口进行配置
[LWS3]interface gigabitethernet 0/0/2 [LWS3-GigabitEthernet0/0/2]dhcp snooping max-user-number 1 [LWS3-GigabitEthernet0/0/2]dhcp snooping check dhcp-chaddr enable [LWS3-GigabitEthernet0/0/2]dhcp snooping alarm dhcp-chaddr enable [LWS3-GigabitEthernet0/0/2]dhcp snooping alarm dhcp-chaddr threshold 120 [LWS3-GigabitEthernet0/0/2]quit [LWS3]interface gigabitethernet 0/0/3 [LWS3-GigabitEthernet0/0/3]dhcp snooping max-user-number 1 [LWS3-GigabitEthernet0/0/3]dhcp snooping check dhcp-chaddr enable [LWS3-GigabitEthernet0/0/3]dhcp snooping alarm dhcp-chaddr enable [LWS3-GigabitEthernet0/0/3]dhcp snooping alarm dhcp-chaddr threshold 120 [LWS3-GigabitEthernet0/0/3]quit
验证配置结果
执行命令display dhcp snooping configuration,查看DHCP Snooping的配置信息
[LWS3]display dhcp snooping configuration # dhcp snooping enable ipv4 dhcp snooping check dhcp-rate enable dhcp snooping check dhcp-rate 90 dhcp snooping alarm dhcp-rate enable dhcp snooping alarm dhcp-rate threshold 500 arp dhcp-snooping-detect enable # interface gigabitethernet 0/0/2 dhcp snooping enable dhcp snooping check dhcp-giaddr enable dhcp snooping check dhcp-request enable dhcp snooping alarm dhcp-request enable dhcp snooping alarm dhcp-request threshold 120 dhcp snooping check dhcp-chaddr enable dhcp snooping alarm dhcp-chaddr enable dhcp snooping alarm dhcp-chaddr threshold 120 dhcp snooping max-user-number 1 # interface gigabitethernet 0/0/3 dhcp snooping enable dhcp snooping check dhcp-giaddr enable dhcp snooping check dhcp-request enable dhcp snooping alarm dhcp-request enable dhcp snooping alarm dhcp-request threshold 120 dhcp snooping check dhcp-chaddr enable dhcp snooping alarm dhcp-chaddr enable dhcp snooping alarm dhcp-chaddr threshold 120 dhcp snooping max-user-number 1
执行命令display dhcp snooping interface,查看接口下的DHCP Snooping运行信息
可以看到Check dhcp-giaddr、Check dhcp-chaddr和Check dhcp-request字段都为Enable
[LWS3] display dhcp snooping interface gigabitethernet 0/0/1 DHCP snooping running information for interface GigabitEthernet0/0/1 : DHCP snooping : Enable Trusted interface : No Dhcp user max number : 1 Current dhcp and nd user number : 0 Check dhcp-giaddr : Enable Check dhcp-chaddr : Enable Alarm dhcp-chaddr : Enable Alarm dhcp-chaddr threshold : 120 Discarded dhcp packets for check chaddr : 0 Check dhcp-request : Enable Alarm dhcp-request : Enable Alarm dhcp-request threshold : 120 Discarded dhcp packets for check request : 0 Check dhcp-rate : Disable (default) Alarm dhcp-rate : Disable (default) Alarm dhcp-rate threshold : 500 Discarded dhcp packets for rate limit : 0 Alarm dhcp-reply : Disable (default)
