Principles of DHCP Service (Snooping \ Relay)

1. DHCP Basics
    1.1 Discovery stage, the stage in which the DHCP client discovers the DHCP server.
    1.2 Providing stage, the stage in which the DHCP server provides an IP address.
    1.3 Selection stage, the stage in which the DHCP client selects an IP address.
    1.4 Confirmation stage, the stage in which the DHCP server confirms the assigned IP address.
2. DHCP Snooping
3. DHCP Relay
4. A little thought about DHCP Snooping and DHCP Relay



1. DHCP basics

       DHCP stands for Dynamic Host Configuration Protocol. It automatically assigns IP addresses to terminal devices such as PCs, iPads and mobile phones.
       Its working process is simple, efficient and easy to master. First, the basic working principle of DHCP is introduced with a picture:

[Figure: Introduction and practice of the working principles of DHCP, DHCP Snooping and DHCP relay]

       It can be seen clearly from the figure that the process by which the client obtains an IP address and other information through DHCP can be divided into four steps:

1.1 Discovery phase, that is, the phase in which the DHCP client discovers the DHCP server.

       The DHCP client sends a DHCP DISCOVER message to discover the DHCP server. Because the DHCP client does not know the IP address of the DHCP server, it broadcasts the DHCP DISCOVER message (the destination IP address is 255.255.255.255 and the source IP address is 0.0.0.0). All DHCP servers in the same network segment can receive this message.

1.2 Providing stage, that is, the stage where the DHCP server provides the IP address.

       After receiving the DHCP DISCOVER message, the server selects an address pool on the same network segment as the IP address of the interface that received the DHCP DISCOVER message, picks an available IP address from that pool, and sends it to the DHCP client in a DHCP OFFER message. The DHCP OFFER message carries configuration parameters such as the IP address the server intends to assign to the client with the specified MAC address (the yiaddr field of the DHCP message) and the lease period.

1.3 Selection stage, that is, the stage in which the DHCP client selects the IP address.

       Because the DHCP DISCOVER message is broadcast, if there are multiple DHCP servers in the same network segment, every server that receives the DHCP DISCOVER message will respond with a DHCP OFFER message. If multiple DHCP servers respond to the DHCP client with DHCP OFFER messages, the DHCP client generally accepts only the first DHCP OFFER message it receives.

       The client then broadcasts a DHCP REQUEST message to inform all DHCP servers which server's offered IP address it has selected, so that the other DHCP servers can reassign the IP addresses they had offered to this client to other clients.

1.4 Confirmation stage, which is the stage where the DHCP server confirms the assigned IP address.

       When the DHCP server receives the DHCP REQUEST message sent by the DHCP client, it responds with a DHCP ACK message, indicating that the IP address requested in the DHCP REQUEST message has been allocated to the client.

Summary: The four steps of the DHCP work process involve four types of data packets, namely DISCOVER, OFFER, REQUEST, and ACK.
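The four steps above, as an added example that is not part of the original article: a small Python model of the DISCOVER / OFFER / REQUEST / ACK exchange on one broadcast segment with two servers. The message encoder and decoder follow the real DHCP layout (236-byte fixed header, magic cookie, TLV options; RFC 2131 / RFC 2132), but the servers, pools, MAC address and transaction id are constructed for the example, and the "first OFFER wins" selection rule is the one the text describes.

```python
import struct
import ipaddress

# DHCP message types and the option codes used here (RFC 2131 / RFC 2132).
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_PAD, OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 50, 51, 53, 54, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # the 236-byte fixed header

def pack_ip(ip):
    return ipaddress.IPv4Address(ip).packed

def build_dhcp(op, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Encode one DHCP message: fixed header, magic cookie, TLV options, END."""
    hdr = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0x8000,          # Ethernet, hlen 6, hops 0, secs 0, broadcast flag
                      b"\0" * 4, pack_ip(yiaddr), b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    opts = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])

def parse_dhcp(data):
    """Decode the fields this example needs: op, xid, yiaddr, chaddr and the option TLVs."""
    f = struct.unpack(HEADER_FMT, data[:236])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    msg = {"op": f[0], "xid": f[4], "yiaddr": str(ipaddress.IPv4Address(f[8])),
           "chaddr": f[11][:f[2]], "options": {}}
    i = 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:            # the pad option has no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        msg["options"][code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return msg

class DhcpServer:
    """One server on the segment with its own pool; it reserves an address tentatively on DISCOVER."""
    def __init__(self, server_ip, pool, lease_seconds=3600):
        self.ip, self.free, self.lease_seconds = server_ip, list(pool), lease_seconds
        self.offered = {}                 # chaddr -> address offered or assigned

    def handle(self, frame):
        msg = parse_dhcp(frame)
        mtype, mac = msg["options"][OPT_MSG_TYPE][0], msg["chaddr"]
        if mtype == DISCOVER:             # step 2: OFFER an address from the pool
            if mac not in self.offered:
                if not self.free:
                    return None
                self.offered[mac] = self.free.pop(0)
            return self._reply(OFFER, msg, self.offered[mac])
        if mtype == REQUEST:              # step 4: ACK only if the client chose this server
            if msg["options"].get(OPT_SERVER_ID) != pack_ip(self.ip):
                if mac in self.offered:   # another server was chosen: release the tentative offer
                    self.free.append(self.offered.pop(mac))
                return None
            return self._reply(ACK, msg, self.offered[mac])
        return None

    def _reply(self, mtype, req, yiaddr):
        opts = [(OPT_MSG_TYPE, bytes([mtype])), (OPT_SERVER_ID, pack_ip(self.ip)),
                (OPT_LEASE_TIME, struct.pack("!I", self.lease_seconds))]
        return build_dhcp(BOOTREPLY, req["xid"], req["chaddr"], yiaddr, opts)

def run_dora(client_mac, servers, xid=0x3903F326):
    """Simulate the four steps on one broadcast segment; returns the address the client is ACKed."""
    discover = build_dhcp(BOOTREQUEST, xid, client_mac, options=[(OPT_MSG_TYPE, bytes([DISCOVER]))])
    offers = [parse_dhcp(o) for s in servers if (o := s.handle(discover))]   # step 1: broadcast reaches every server
    chosen = offers[0]                                                       # step 3: the first OFFER wins
    request = build_dhcp(BOOTREQUEST, xid, client_mac, options=[
        (OPT_MSG_TYPE, bytes([REQUEST])),
        (OPT_REQUESTED_IP, pack_ip(chosen["yiaddr"])),
        (OPT_SERVER_ID, chosen["options"][OPT_SERVER_ID])])
    acks = [parse_dhcp(a) for s in servers if (a := s.handle(request))]      # REQUEST is broadcast as well
    if len(acks) != 1 or acks[0]["options"][OPT_MSG_TYPE][0] != ACK:
        raise RuntimeError("expected exactly one ACK")
    return acks[0]["yiaddr"]

if __name__ == "__main__":
    # Constructed sample: two servers on the same segment, one client.
    s1 = DhcpServer("192.168.1.1", ["192.168.1.100", "192.168.1.101"])
    s2 = DhcpServer("192.168.1.2", ["192.168.1.200"])
    print(run_dora(b"\xaa\xbb\xcc\xdd\xee\x01", [s1, s2]))   # 192.168.1.100
    print(s2.free)   # ['192.168.1.200']: s2 released its tentative offer when the client chose s1
```

The point worth noticing is in the REQUEST handling: because the REQUEST is broadcast and names the chosen server (option 54), the server that lost returns its offered address to the pool, which is exactly why the selection step is a broadcast rather than a unicast to the winner.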


2. DHCP Snooping

      In a real enterprise network it often happens that a computer obtains a wrong IP address and can no longer access the Internet normally. The cause is a DHCP server that has been connected to the network illegally (the most common illegal DHCP server is a TP-Link home router).
At this point the DHCP Snooping function must be configured on the network switch to prevent the illegal DHCP server from assigning IP addresses to clients.

      DHCP Snooping is also simple in terms of configuration and working principle, continue to use a picture to explain:
[Figure: Introduction and practice of the working principles of DHCP, DHCP Snooping and DHCP relay]

      When DHCP Snooping is enabled on the Layer 2 access device (that is, the switch), the interface directly connected to the legitimate DHCP server is generally set as a trusted interface (such as interface if1 in the figure above), and all other interfaces are set as untrusted interfaces (such as interface if2 in the figure above). The switch with DHCP Snooping enabled checks every DHCP packet received on each interface and discards packets that arrive from a DHCP server on an untrusted interface, so that the four types of DHCP packets can only be forwarded or accepted through the trusted interface. This ensures that DHCP clients can obtain IP addresses only from the legitimate DHCP server; an imposter who privately sets up a DHCP server cannot assign IP addresses to the DHCP clients.

Summary: DHCP Snooping is enabled on the switch, and the interface connected to the legitimate server is set as a trusted interface. Other interfaces are all untrusted interfaces by default.
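The trusted/untrusted decision described above, as an added example that is not part of the original article: a Python model of a switch with DHCP Snooping that drops server-originated messages (OFFER, ACK, NAK) on untrusted ports and records a binding from each ACK it forwards on a trusted port. The interface names if1/if2 follow the figure; if3, the MAC addresses, the addresses and the packet sequence are constructed, and the `DhcpEvent` and `SnoopingSwitch` names are mine.

```python
from dataclasses import dataclass

# DHCP message types (option 53). Only a server legitimately originates OFFER, ACK and NAK.
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_ONLY = {OFFER, ACK, NAK}

@dataclass
class DhcpEvent:
    """One DHCP packet as the switch sees it (a constructed model, not a real frame)."""
    in_port: str        # interface the packet arrived on
    src_mac: str        # Ethernet source address
    chaddr: str         # client hardware address inside the DHCP payload
    msg_type: int
    yiaddr: str = "0.0.0.0"
    lease: int = 0

class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # every port not listed here is untrusted by default
        self.client_ports = {}              # chaddr -> port the client's own messages came from
        self.bindings = {}                  # chaddr -> (ip, port, lease), learned from forwarded ACKs
        self.log = []

    def process(self, ev):
        """Return 'forward' or 'drop' for one packet and keep an audit line for each decision."""
        if ev.msg_type in SERVER_ONLY:
            if ev.in_port not in self.trusted:
                self.log.append(f"DROP type={ev.msg_type} port={ev.in_port} src={ev.src_mac}: "
                                "server message on untrusted port")
                return "drop"
            if ev.msg_type == ACK:          # genuine lease confirmation: record the binding
                self.bindings[ev.chaddr] = (ev.yiaddr, self.client_ports.get(ev.chaddr), ev.lease)
        else:
            self.client_ports[ev.chaddr] = ev.in_port   # remember on which port the client lives
        self.log.append(f"FWD  type={ev.msg_type} port={ev.in_port} src={ev.src_mac}")
        return "forward"

def sample_run():
    """Constructed traffic: one client, the legitimate server on if1, a home router on if3."""
    sw = SnoopingSwitch(trusted_ports=["if1"])
    client, legit, rogue = "00:11:22:33:44:55", "00:aa:aa:aa:aa:01", "00:bb:bb:bb:bb:02"
    events = [
        DhcpEvent("if2", client, client, DISCOVER),
        DhcpEvent("if3", rogue, client, OFFER, "192.168.0.50"),        # rogue OFFER on an untrusted port
        DhcpEvent("if1", legit, client, OFFER, "10.1.1.20"),           # legitimate OFFER on the trusted port
        DhcpEvent("if2", client, client, REQUEST),
        DhcpEvent("if3", rogue, client, ACK, "192.168.0.50", 86400),   # rogue ACK, also dropped
        DhcpEvent("if1", legit, client, ACK, "10.1.1.20", 3600),
    ]
    decisions = [sw.process(e) for e in events]
    return sw, decisions

if __name__ == "__main__":
    sw, decisions = sample_run()
    print(decisions)        # ['forward', 'drop', 'forward', 'forward', 'drop', 'forward']
    print(sw.bindings)      # {'00:11:22:33:44:55': ('10.1.1.20', 'if2', 3600)}
    print(*sw.log, sep="\n")
```

Two things the model makes visible: client messages (DISCOVER, REQUEST) are never dropped by this rule, so a legitimate client on an untrusted port still works, and the binding table only ever contains leases confirmed through the trusted port, which is the basis on which switches build further checks on top of DHCP Snooping.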


3. DHCP Relay

      The DHCP client and server discussed above are on the same network segment, which suits home networks and small business networks. In medium and large enterprise networks, however, there are many network segments, and deploying a DHCP server on each of them is not recommended: it is neither economical nor easy to manage.
       In practice, a large network usually uses one high-performance server as the DHCP server, and it exists on only one network segment. Since DHCP depends heavily on broadcasting, and broadcast packets cannot be transmitted across network segments, clients on other network segments would normally be unable to obtain IP addresses.

      The emergence of DHCP Relay is to solve this problem, using a picture to illustrate:

[Figure: Introduction and practice of the working principles of DHCP, DHCP Snooping and DHCP relay]
      It is still the familiar four steps, but this time there is an additional DHCP relay device between the client and the server. Usually the DHCP relay is the gateway device of each network segment (that is, the Layer 3 switch with the DHCP Relay function enabled).

      The DHCP relay converts the broadcast message received from the client into a unicast message so that it can be forwarded across network segments. A unicast packet needs a clear and unique destination IP address, so the IP address of the DHCP server must be configured manually on the device that enables DHCP relay.
       With DHCP relay, no matter how many IP network segments there are in the corporate network, only one DHCP server needs to be deployed on one network segment; the gateway devices of the other network segments enable the relay function, and the entire network can obtain IP addresses from that DHCP server.

      Summary: Enable the DHCP Relay function on the Layer 3 switch that serves as the gateway of each network segment, and manually specify the IP address of the DHCP server, so that the entire network can share one DHCP server.


4. A little thought about DHCP Snooping and DHCP Relay

      In a network where DHCP Relay is deployed, on which devices should DHCP Snooping be enabled?
As shown in the figure:
[Figure: Introduction and practice of the working principles of DHCP, DHCP Snooping and DHCP relay]
      There are three departments, that is, three network segments, and the DHCP server is a router that does not belong to any of these network segments.
In this network, DHCP Snooping should be enabled on every Layer 2 network that contains DHCP clients; it need not be enabled on a Layer 2 network that contains only the DHCP server.

      Remarks: It is easy to understand why DHCP Snooping is enabled on the clients' Layer 2 network, but the reason the DHCP server's Layer 2 network does not need DHCP Snooping is a little more complicated.
The specific reason is that after DHCP Relay is deployed, every DHCP message the DHCP server receives is a unicast message converted by the relay device. A unicast message has a clear and unique destination IP, so at this point there is no rogue DHCP server problem on the server's segment.
      In fact, even if DHCP Snooping is enabled on the switch in the DHCP server's Layer 2 network, it will not affect the normal operation of DHCP, because the UDP source port of the unicast DHCP message sent by the relay device has been rewritten by the relay to UDP 67 (it is UDP 68 in the client's original message). Once the switch detects this change, it automatically ignores the packet and forwards all types of DHCP messages normally, without additional DHCP Snooping processing.
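The relay behaviour of section 3 and its consequence in section 4 (the server only ever sees unicast datagrams from UDP port 67, addressed to its own IP), as one added example that is not part of the original article: a Python model of a relay agent on each segment's gateway and a single server that picks the address pool from the giaddr the relay inserted. The names `DhcpDatagram`, `RelayAgent`, `MultiSegmentServer` and all addresses are constructed; the giaddr handling (the first relay fills it in, the server uses it to select the pool and to address its reply) follows RFC 2131, and only one request/reply pass is modelled rather than the full four steps.

```python
from dataclasses import dataclass, replace

BOOTREQUEST, BOOTREPLY = 1, 2
SERVER_PORT, CLIENT_PORT = 67, 68
BROADCAST = "255.255.255.255"

@dataclass(frozen=True)
class DhcpDatagram:
    """IP/UDP fields plus the DHCP header fields the relay cares about (a constructed model)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    op: int
    chaddr: str
    giaddr: str = "0.0.0.0"
    yiaddr: str = "0.0.0.0"
    hops: int = 0

class RelayAgent:
    """The gateway of one client segment; the DHCP server address is configured manually."""
    def __init__(self, gateway_ip, server_ip):
        self.gw, self.server = gateway_ip, server_ip

    def from_client(self, pkt):
        """Client broadcast -> unicast to the configured server; giaddr tells the server the segment."""
        if pkt.op != BOOTREQUEST or pkt.dst_ip != BROADCAST:
            return None
        giaddr = self.gw if pkt.giaddr == "0.0.0.0" else pkt.giaddr   # only the first relay sets giaddr
        return replace(pkt, src_ip=self.gw, dst_ip=self.server, src_port=SERVER_PORT,
                       dst_port=SERVER_PORT, giaddr=giaddr, hops=pkt.hops + 1)

    def from_server(self, pkt):
        """Server unicast addressed to this gateway -> delivered on the client's segment."""
        if pkt.op != BOOTREPLY or pkt.giaddr != self.gw:
            return None
        return replace(pkt, src_ip=self.gw, dst_ip=BROADCAST, src_port=SERVER_PORT, dst_port=CLIENT_PORT)

class MultiSegmentServer:
    """One server for the whole network; the pool is chosen by the giaddr the relay inserted."""
    def __init__(self, ip, pools):
        self.ip = ip
        self.pools = {gw: list(p) for gw, p in pools.items()}   # gateway ip -> free addresses
        self.seen = []                                           # (src_ip, src_port, dst_ip) of every request

    def handle(self, pkt):
        self.seen.append((pkt.src_ip, pkt.src_port, pkt.dst_ip))
        if pkt.dst_ip != self.ip or pkt.giaddr not in self.pools or not self.pools[pkt.giaddr]:
            return None
        yiaddr = self.pools[pkt.giaddr].pop(0)
        # The reply goes back to the relay (giaddr), not to the client, which has no address yet.
        return DhcpDatagram(self.ip, pkt.giaddr, SERVER_PORT, SERVER_PORT, BOOTREPLY,
                            pkt.chaddr, giaddr=pkt.giaddr, yiaddr=yiaddr)

def request_via_relay(client_mac, relay, server):
    """One client broadcast through its gateway relay to the server and back; returns the offered address."""
    client_pkt = DhcpDatagram("0.0.0.0", BROADCAST, CLIENT_PORT, SERVER_PORT, BOOTREQUEST, client_mac)
    to_server = relay.from_client(client_pkt)
    reply = server.handle(to_server)
    to_client = relay.from_server(reply) if reply else None
    return to_client.yiaddr if to_client else None

if __name__ == "__main__":
    # Constructed sample: three department segments, one server on its own segment.
    server = MultiSegmentServer("10.0.0.10", {"10.1.0.1": ["10.1.0.100"], "10.2.0.1": ["10.2.0.100"],
                                              "10.3.0.1": ["10.3.0.100"]})
    for gw in ("10.1.0.1", "10.2.0.1", "10.3.0.1"):
        print(gw, "->", request_via_relay("00:11:22:33:44:55", RelayAgent(gw, "10.0.0.10"), server))
    print(server.seen)   # every request arrived as unicast to 10.0.0.10 from UDP port 67
```

The `seen` list is the section 4 observation in code: on the server's segment the only DHCP traffic is unicast from the relays' own addresses with source port 67, which is why a rogue server there has nothing to answer and why DHCP Snooping on that segment has nothing to filter.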

Origin blog.csdn.net/tony_vip/article/details/104377389