标签:DHCP
DHCP攻击方式:1、饿死攻击:MAC地址限制,不断获取IP地址,这种结合交换机端口安全技术防范
2、DHCP Server仿冒者攻击:信任(Trusted)/不信任(Untrusted)
3、中间人攻击/IP/MAC Spoofing攻击:DHCP Snooping绑定表
4、改变CHADDR值的DoS攻击:检查DHCP报文的CHADDR字段(不断申请IP地址)
DHCP Server仿冒者攻击:
由于DHCP使用discovery广播包、offer报文提供IP/mask GW,requset先来先得地址,ACK确认包
ARP欺骗,MAC地址绑定
[SwitchA] dhcp enable
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] dhcp select interface
[SwitchA-Vlanif100] dhcp server excluded-ip-address 10.1.1.100 10.1.1.200 排除地址
[SwitchA-Vlanif100] dhcp server lease day 10 修改租期
[SwitchA-Vlanif100] dhcp server static-bind ip-address 10.1.1.100 mac-address dcd2-fc96-e4c0 为客户端分配固定的IP地址
reset ip pool interface vlanif100 conflict 清除冲突地址
[SwitchA] dhcp snooping enable ipv4 配置设备仅处理IPv4报文,节约设备的CPU利用率
[SwitchA] interface gigabitethernet 2/0/1 配置接口GE2/0/1为DHCP Snooping信任接口
[SwitchA-GigabitEthernet2/0/1] dhcp snooping trusted
[SwitchA-GigabitEthernet2/0/1] quit
[SwitchA] user-bind static ip-address 10.0.0.2 mac-address 0001-0001-0001 interface gigabitethernet 1/0/3 vlan 10 静态绑定
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] arp anti-attack check user-bind enable 即对ARP报文进行绑定表匹配检查功能
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] dhcp snooping enable 用户侧接口的DHCP Snooping功能
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] dhcp snooping enable
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] vlan 10
[SwitchA-vlan10] ip source check user-bind enable IPSG功能
[SwitchA-vlan10] dhcp snooping enable VLAN 10下的DHCP Snooping功能
[SwitchA-vlan10] dhcp snooping trusted interface gigabitethernet 0/0/4 配置信任接口
display arp anti-attack statistics check user-bind interface gigabitethernet 1/0/1 查看接口下ARP报文丢弃计数
display ip pool interface vlanif10 used 查看地址池中已经使用的IP地址信息
display dhcp static user-bind all 查看静态绑定表信息
配置DHCP中继
[access] dhcp enable
[access] interface vlan 20
[access-Vlanif20] dhcp select relay //配置DHCP中继
[access-Vlanif20] dhcp relay server-ip 10.20.1.1 //配置DHCP服务器IP地址
[access-Vlanif20] quit
[Switch] port-group portgroup1 创建永久端口组portgroup1。
[Switch-port-group-portgroup1] group-member GE1/0/1 to GE1/0/3 物理端口加入portgroup1中
[Switch-port-group-portgroup1] undo negotiation auto 批量配置接口工作在非自协商模式
[Switch-port-group-portgroup1] duplex full 批量配置接口为全双工模式
[Switch-port-group-portgroup1] speed 100 批量配置接口速率为100Mbit/s
[Switch-port-group-portgroup1] undo portswitch 配置单个接口切换到三层模式
[Switch-port-group-portgroup1]combo-port copper 修改为电口模式
[Switch] mac-address static 4-4-4 gigabitethernet 1/0/2 vlan 2 在Switch上添加服务器对应的静态MAC地址表项
[Switch] mac-address blackhole 非法PC的MAC地址 其对应vlan 防止非法MAC地址攻击
[Switch] vlan 2 最多可以学习100个MAC地址,超过最大MAC地址学习数量的报文丢弃并进行告警提示
[Switch-vlan2] mac-limit maximum 100 action discard
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] mac-limit maximum 100 action discard
display mac-address static vlan 2 查看静态MAC表是否添加成功
display mac-address blackhole命令,查看黑洞MAC表是否添加成功
端口安全
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port-security enable 开启端口安全
[Switch-GigabitEthernet1/0/1] port-security mac-address sticky 使sticky MAC功能
[Switch-GigabitEthernet1/0/1] port-security max-mac-num 1 默认限制数为1
标签:DHCP
原文地址:http://blog.51cto.com/maguangjie/2082693
