Tags: network, switch, DHCP
DHCP Snooping

DHCP is used for dynamic address assignment and greatly simplifies attaching endpoints to the network, but the protocol itself has no security protection mechanism and is very easy to attack. Once a rogue DHCP server appears in a broadcast domain, the addresses endpoints obtain will very likely be those pushed by the rogue server, leaving a large share of the endpoints in that broadcast domain unable to reach the network.
After DHCP Snooping is enabled on the relevant VLAN, the following packets are dropped when received on an untrusted interface:
When a switch with DHCP Snooping enabled receives a DHCP packet, it inserts Option 82 into the packet.
All binding information is stored in the database (see the figure below).
| Option | Default Value/State |
|---|---|
| DHCP snooping | Disabled |
| DHCP snooping host tracking feature | Disabled |
| DHCP snooping information option | Enabled |
| DHCP option-82 on untrusted port feature | Disabled |
| DHCP snooping limit rate | None |
| DHCP snooping trust | Untrusted |
| DHCP snooping vlan | Disabled |
| DHCP snooping spurious server detection | Disabled |
| DHCP snooping detect spurious interval | 30 minutes |
Client:
Client#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Client(config)#inter e0/0
Client(config-if)#ip add dhcp #obtain the interface address via DHCP
SW1:
SW1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#vlan 10
SW1(config-vlan)#exit
SW1(config)#inter e0/0
SW1(config-if)#sw mo acc
SW1(config-if)#sw acc vlan 10
SW1(config-if)#inter e0/1
SW1(config-if)#sw mo acc
SW1(config-if)#sw acc vlan 10
SW1(config)#ip dhcp snooping #enable DHCP snooping globally
SW1(config)#do show ip dhcp snooping | include Switch #check whether DHCP snooping is enabled
Switch DHCP snooping is enabled
SW1(config)#ip dhcp snooping information option
SW1(config)#do show ip dhcp snooping | include 82 #check whether Option 82 insertion is on
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
SW1(config)#ip dhcp snooping verify mac-address #enable source-MAC / chaddr verification
SW1(config)#do show ip dhcp snooping | include hwaddr #check whether the verification above is on
Verification of hwaddr field is enabled
SW1(config)#ip dhcp snooping database disk0:/dhcp.db #set where the DHCP snooping binding database is stored
SW1(config)#ip dhcp snooping vlan 10 #enable DHCP snooping on the specific VLAN
SW1(config)#do show ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: aabb.cc00.5000 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
SW1(config-if)#ip dhcp snooping trust #configure the interface facing the upstream switch as trusted
SW1(config-if)#ip dhcp snooping limit rate 60 #rate-limit DHCP packets as required
SW2:
SW2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#vlan 10
SW2(config-vlan)#exit
SW2(config)#inter e0/0
SW2(config-if)#sw mo acc
SW2(config-if)#sw acc vlan 10
SW2(config-if)#inter e0/1
SW2(config-if)#sw mo acc
SW2(config-if)#sw acc vlan 10
SW2(config)#ip dhcp snooping #enable DHCP snooping globally
SW2(config)#do show ip dhcp snooping | include Switch #check whether DHCP snooping is enabled
Switch DHCP snooping is enabled
SW2(config)#ip dhcp snooping information option
SW2(config)#do show ip dhcp snooping | include 82 #check whether Option 82 insertion is on
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
SW2(config)#ip dhcp snooping verify mac-address #enable source-MAC / chaddr verification
SW2(config)#do show ip dhcp snooping | include hwaddr #check whether the verification above is on
Verification of hwaddr field is enabled
SW2(config)#ip dhcp snooping database disk0:/dhcp.db #set where the DHCP snooping binding database is stored
SW2(config)#ip dhcp snooping vlan 10 #enable DHCP snooping on the specific VLAN
SW2(config)#do show ip dhcp snooping
Switch DHCP snooping is enabled
Switch DHCP gleaning is disabled
DHCP snooping is configured on following VLANs:
10
DHCP snooping is operational on following VLANs:
10
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id default format: vlan-mod-port
remote-id: aabb.cc00.5000 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface Trusted Allow option Rate limit (pps)
----------------------- ------- ------------ ----------------
SW2(config-if)#ip dhcp snooping trust #configure the interface facing the upstream switch as trusted
SW2(config-if)#ip dhcp snooping limit rate 60 #rate-limit DHCP packets as required
SW2(config-if)#inter e0/0
SW2(config-if)#ip dhcp snooping information option allow-untrusted #allow packets carrying Option 82 in on the interface facing the downstream switch (an untrusted port drops them by default)
Server:
DHCP#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
DHCP(config)#inter e0/0
DHCP(config-if)#ip address 192.168.2.1 255.255.255.0
DHCP(config-if)#no shut
DHCP(config)#ip dhcp pool test #configure the DHCP server
DHCP(dhcp-config)#network 192.168.2.0 255.255.255.0
DHCP(dhcp-config)#default-router 192.168.2.1
DHCP(dhcp-config)#dns-server 114.114.114.114
DHCP(dhcp-config)#exit
DHCP(config)#ip dhcp relay information trust-all #every IOS DHCP server checks the relay agent field of packets that carry Option 82 and drops the packet if that field (giaddr) is 0.0.0.0; this command makes the server trust such packets. (The other solution is to turn off Option 82 insertion on the switch; an expert says turning it off affects performance, see: https://supportforums.cisco.com/t5/lan-switching-and-routing/dhcp-snooping/td-p/1622877)
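To make the checks in this post concrete, the following Python model (added here; it is not code from the post, from Cisco, or from any IOS image) builds constructed DHCP messages, encodes and decodes Option 82 in the vlan-mod-port circuit-id / MAC remote-id form shown in the `show ip dhcp snooping` output above, and applies the decisions a snooping switch makes on an untrusted port (`trust`, `verify mac-address`, `allow-untrusted`) together with the server-side giaddr check that `ip dhcp relay information trust-all` relaxes. The sub-option byte layout follows Cisco's documented default Option 82 encoding; the MAC addresses and VLAN/module/port numbers are constructed sample values, not captured traffic.

```python
"""Model of the DHCP snooping checks discussed above. Added example, not code from the
post: message layout follows RFC 2131/2132, Option 82 encoding follows Cisco's documented
default (circuit-id vlan-mod-port, remote-id = switch MAC); all packets are constructed."""
import struct

# RFC 2132 option 53 message types
DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE = 1, 2, 3, 5, 6, 7
SERVER_MESSAGES = {OFFER, ACK, NAK}
MAGIC = b"\x63\x82\x53\x63"


def build_dhcp(msg_type, chaddr, giaddr="0.0.0.0", option82=b""):
    """Build a minimal BOOTP/DHCP message (constructed test input)."""
    op = 2 if msg_type in SERVER_MESSAGES else 1          # BOOTREPLY / BOOTREQUEST
    header = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, 0x1234, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         bytes(int(x) for x in giaddr.split(".")))
    header += bytes.fromhex(chaddr.replace(":", "")) + b"\0" * 10   # chaddr (16 bytes)
    header += b"\0" * 192                                           # sname + file
    options = bytes([53, 1, msg_type])
    if option82:
        options += bytes([82, len(option82)]) + option82
    return header + MAGIC + options + b"\xff"


def parse_dhcp(data):
    """Extract the fields the snooping checks need: chaddr, giaddr, message type, option 82."""
    if data[236:240] != MAGIC:
        raise ValueError("not a DHCP message (magic cookie missing)")
    hlen = data[2]
    giaddr = ".".join(str(b) for b in data[24:28])
    chaddr = ":".join(f"{b:02x}" for b in data[28:28 + hlen])
    opts, i = {}, 240
    while i < len(data) and data[i] != 255:      # 255 = end option
        if data[i] == 0:                         # 0 = pad
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"chaddr": chaddr, "giaddr": giaddr,
            "msg_type": opts[53][0] if 53 in opts else None,
            "option82": opts.get(82)}


def cisco_option82(vlan, module, port, switch_mac):
    """Encode Option 82 as the `show ip dhcp snooping` output above describes it:
    sub-option 1 = type 0, len 4, VLAN(2) module(1) port(1); sub-option 2 = type 0, len 6, MAC."""
    circuit_id = bytes([1, 6, 0, 4]) + struct.pack("!HBB", vlan, module, port)
    remote_id = bytes([2, 8, 0, 6]) + bytes.fromhex(switch_mac.replace(".", ""))
    return circuit_id + remote_id


def parse_option82(value):
    """Decode the circuit-id (vlan, module, port) and remote-id MAC sub-options."""
    out, i = {}, 0
    while i + 2 <= len(value):
        sub, length = value[i], value[i + 1]
        body = value[i + 2:i + 2 + length]
        if sub == 1 and body[:2] == b"\x00\x04":
            out["vlan"], out["module"], out["port"] = struct.unpack("!HBB", body[2:6])
        elif sub == 2 and body[:2] == b"\x00\x06":
            out["remote_id"] = body[2:8].hex(".", 2)    # aabb.cc00.5000 style
        i += 2 + length
    return out


def snooping_verdict(data, src_mac, trusted, verify_mac=True, allow_untrusted=False):
    """Return (accept, reason) for a DHCP packet received on a snooping-enabled VLAN.
    trusted -> `ip dhcp snooping trust`; verify_mac -> `ip dhcp snooping verify mac-address`;
    allow_untrusted -> `ip dhcp snooping information option allow-untrusted`."""
    pkt = parse_dhcp(data)
    if trusted:
        return True, "trusted port: forwarded without checks"
    if pkt["msg_type"] in SERVER_MESSAGES:
        return False, "server message on untrusted port (rogue DHCP server)"
    if verify_mac and src_mac.lower() != pkt["chaddr"]:
        return False, "frame source MAC does not match chaddr"
    if pkt["option82"] is not None and not allow_untrusted:
        return False, "option 82 on untrusted port not allowed"
    if pkt["giaddr"] != "0.0.0.0":
        return False, "non-zero giaddr on untrusted port"
    return True, "ok"


def server_accepts(data, trust_all=False):
    """IOS DHCP server rule from the post: an Option 82 packet whose giaddr is 0.0.0.0
    is dropped unless `ip dhcp relay information trust-all` is configured."""
    pkt = parse_dhcp(data)
    return not (pkt["option82"] is not None and pkt["giaddr"] == "0.0.0.0" and not trust_all)


if __name__ == "__main__":
    o82 = cisco_option82(10, 0, 1, "aabb.cc00.5000")                    # constructed values
    relayed = build_dhcp(DISCOVER, "aa:bb:cc:00:10:00", option82=o82)   # as SW1 forwards to SW2
    print(parse_option82(o82))
    print(snooping_verdict(relayed, "aa:bb:cc:00:10:00", trusted=False),
          snooping_verdict(relayed, "aa:bb:cc:00:10:00", trusted=False, allow_untrusted=True))
    print(server_accepts(relayed), server_accepts(relayed, trust_all=True))
```

Running the file shows the same relayed DISCOVER being dropped on SW2's untrusted downstream port until `allow-untrusted` is set, and then refused by the server until `trust-all` is set, which are exactly the two extra commands the SW2 and Server sections add on top of the SW1 configuration.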
Besides the functions above, DHCP snooping also has the following characteristics:
Original article: http://blog.51cto.com/7270589/2118629