DHCP + DHCP snooping study notes

Dynamic Host Configuration Protocol (DHCP) is a local area network protocol that allows a server to dynamically assign IP addresses and configuration information to clients.

DHCP sits at the application layer of the OSI model and works over UDP. It serves two main purposes: automatically assigning IP addresses to users on an internal network (or by a network service provider), and giving the administrator of an internal network a means of centrally managing all of its computers.

DHCP has the following functions:

  1. Ensure that any IP address is used by only one DHCP client at a time.
  2. DHCP can assign a fixed IP address to a user permanently.
  3. DHCP can coexist with hosts whose IP addresses are obtained by other means (e.g. a manually configured IP address).
  4. A DHCP server should provide service to existing BOOTP clients.

DHCP IP address allocation methods:
1) Automatic allocation: the DHCP server assigns a permanent IP address to the host. Once the DHCP client has successfully leased the IP address from the DHCP server for the first time, it can use this address permanently.

2) Dynamic allocation: the DHCP server assigns an IP address to the host with a time limit. When the time expires, or when the host explicitly gives up the address, the address can be used by other hosts.

3) Manual allocation: the client's IP address is assigned by the network administrator, and the DHCP server only conveys the assigned IP address to the client host.

Of the three allocation methods, only dynamic allocation can reuse an address that the client no longer needs.

The DHCP message format is based on the BOOTP (Bootstrap Protocol) message format, which requires a device with a BOOTP relay agent function that can interact with DHCP servers and BOOTP clients. Thanks to the BOOTP relay agent function, a DHCP server does not need to be deployed on every physical network.

DHCP Relay: a DHCP relay agent forwards DHCP packets between the DHCP server and the client. When the DHCP client and server are not on the same subnet, a DHCP relay agent is required to forward the DHCP request and response messages. Forwarding by a DHCP relay agent differs from normal routed forwarding: normal routed forwarding is relatively transparent and the device generally does not modify the contents of the IP packet, whereas a DHCP relay agent, after receiving a DHCP message, regenerates the DHCP message and then forwards it.

To the DHCP client, the DHCP relay agent appears to be a DHCP server; to the DHCP server, the DHCP relay agent appears to be a DHCP client.

Relay agent configuration commands:

//Allow DHCP packets to cross the router
SW(config-if)#ip helper-address <target IP>

Working principle

1. The DHCP client broadcasts a DHCP Discover packet.

2. Every DHCP server receives the DHCP Discover packet sent by the client, and each responds to the client with a DHCP Offer packet. A DHCP server puts its own IP address in the "option" field so that the client can distinguish between different DHCP servers, and after sending the Offer each DHCP server keeps a record of the IP address it offered.

3. By default, the DHCP client processes the first DHCP Offer packet it receives.

The DHCP client then broadcasts a DHCP Request packet, adding the IP address of the selected DHCP server and the IP address it wants to the options field.

4. After a DHCP server receives the DHCP Request packet, it checks whether the IP address in the options field matches its own address. If it does not match, the DHCP server does nothing except clear its record of the offered IP address; if it matches, the DHCP server responds to the client with a DHCP ACK packet and adds lease information for the IP address in the options field.

5. After the DHCP client receives the DHCP ACK message, it checks whether the IP address assigned by the DHCP server can be used. If it can, the client has successfully obtained an IP address and automatically starts the lease renewal process for it; if the client finds that the assigned IP address is already in use, it sends a DHCP Decline message to the DHCP server, telling the server to disable that IP address, and the client starts a new address request process.

6. After successfully obtaining an IP address, the DHCP client can release its own IP address at any time by sending a DHCP Release message. When the DHCP server receives the DHCP Release message, it reclaims the corresponding IP address and can reassign it.


DHCP lease

When a DHCP client leases an IP address from a DHCP server, the client's use of this address is only temporary. If the client does not renew its lease before it expires, the DHCP server reclaims the IP address and can offer it to other DHCP clients. If the original DHCP client still needs an IP address, it must lease one again from the DHCP server, possibly a different address.

By default, Windows Server 2008 creates leases of eight days for wired networks and 6 hours for Wi-Fi.

Counting from the moment the DHCP client's lease of the IP address formally starts, when 50% of the lease time has elapsed the DHCP client sends a DHCPRequest message by unicast to the DHCP server to renew the IP address. If the DHCP client receives the DHCP ACK packet sent by the DHCP server, the lease of the corresponding IP address is extended; if it does not receive the DHCP ACK packet, the DHCP client continues to use the IP address.

When 87.5% of the lease time has elapsed, the DHCP client sends a DHCPRequest packet by broadcast to renew the IP address. If the DHCP client receives the DHCP ACK packet sent by the DHCP server, the lease of the corresponding IP address is extended; if it does not receive the DHCP ACK packet, the DHCP client continues to use the IP address until the lease expires, at which point the DHCP client sends a DHCP Release packet to the DHCP server to release the IP address and starts a new address request process.

Attachment: for a more complete lab configuration (including the DHCP-related configuration), see my CCNA comprehensive lab post.


DHCP snooping

DHCP Snooping is a DHCP security feature. It establishes and maintains a DHCP Snooping binding table and uses it to filter untrusted DHCP information, meaning DHCP information that comes from untrusted areas. The DHCP Snooping binding table contains the MAC address, IP address, lease time, VLAN ID and interface information for the trusted area.

When DHCP snooping is enabled on a switch, the switch listens to DHCP packets and extracts and records the IP address and MAC address information from the DHCP Request or DHCP ACK messages it receives. In addition, DHCP snooping allows a physical port to be set as a trusted port or an untrusted port. Trusted ports can receive and forward DHCP Offer packets normally, but DHCP Offer packets received on untrusted ports are discarded. In this way the switch can shield clients from fake DHCP servers and ensure that clients obtain IP addresses from the legitimate DHCP server.

An analogy:
your roommate: DHCP server
your roommate's girlfriend: DHCP client
you: untrusted DHCP information

Suppose your roommate's girlfriend is someone you find very attractive; you want to pursue her but have no way to contact her (in this example you are a bit of a jerk, haha).
By chance you get her WeChat ID and add her as a friend. Then you pose as her boyfriend and send her a message: "My phone is broken, I'm using my roommate's phone to talk to you. Let's meet at the south gate of the playground at seven tonight."

If she (the roommate's girlfriend) trusts this message and goes out to the date, there is a risk of her being poached, which is clearly something the roommate does not want. To prevent this, the roommate should warn his girlfriend: "Apart from my WeChat ID, do not believe messages anyone else sends you." In this way the risk of being undercut is avoided.

That is: a trusted port can receive and forward DHCP Offer packets normally, but DHCP Offer packets received on an untrusted port are discarded.

By default, after DHCP snooping is enabled on a device all of its ports are untrusted ports, so trusted ports must be set manually.


Simulation
[Figure: lab topology]
The topology is shown in the figure (TP router); only the DHCP snooping configuration is performed here.

SW-4

SW-4(config)#ip dhcp snooping
SW-4(config)#ip dhcp snooping vlan 10

SW-5

SW-5(config)#ip dhcp snooping
SW-5(config)#ip dhcp snooping vlan 10

View the DHCP snooping configuration
[Figure: output showing the DHCP snooping configuration on SW-4 and SW-5]
Note: when a DHCP relay agent receives a request packet from a client it adds option 82, which can mark the location of the terminal device. Only trusted ports forward packets carrying option 82; untrusted ports cannot forward them. If a device with DHCP snooping enabled receives a packet carrying option 82, it does not recognize the option; to accept such packets, trust of option 82 must be enabled.

Manually set port trust

SW-4(config)#interface range e0/0-1
SW-4(config-if-range)#ip dhcp snooping trust

On a device where DHCP snooping is not enabled, trust packets carrying DHCP option 82:

SW(config)#ip dhcp relay information trust-all

Preventing DHCP starvation attacks

When a DHCP user sends a request packet, the DHCP server allocates an IP to that user according to the client MAC address field in the request packet. An illegitimate user can request IP allocation with a forged client MAC address field, which quickly exhausts the DHCP server's address pool so that normal users cannot obtain an IP. To counter this starvation attack, the switch can use the following global command to prevent address pool exhaustion:

SW(config)#ip dhcp snooping verify mac-address

With this, when a DHCP request packet passes through the switch, the switch compares the source MAC address in the layer 2 frame header against the client MAC address field inside the packet; if they do not match, the packet is discarded, which effectively prevents the DHCP server's address pool from being consumed by the attack.


DHCP packet forwarding rate limiting

//Limit the forwarding rate of DHCP packets; once exceeded, the interface is shut down. No limit by default.
SW(config-if)#ip dhcp snooping limit rate 10
//Automatically recover ports shut down for exceeding the forwarding rate; the default recovery time is 300s
SW(config)#errdisable recovery cause dhcp-rate-limit
//Change the recovery time
SW(config)#errdisable recovery interval 30
//View the related configuration
SW(config)#do show errdisable recovery
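As an added example (not code from the original notes, and not any vendor's implementation), the following Python model applies the three snooping checks described above: DHCP Offer/ACK accepted only on trusted ports, the client MAC field compared to the frame source MAC as "ip dhcp snooping verify mac-address" does, and a per-port DHCP packet rate limit that err-disables the port. The port names, MAC addresses, VLAN and lease values in demo() are constructed.

```python
from collections import defaultdict

# DHCP message types (RFC 2132 option 53); only OFFER and ACK come from servers
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SERVER_MSGS = {OFFER, ACK}

class SnoopingSwitch:  # hypothetical model, not a vendor implementation
    def __init__(self, trusted_ports, rate_limit=None, verify_mac=True):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit      # max DHCP packets/second on an untrusted port
        self.verify_mac = verify_mac      # like 'ip dhcp snooping verify mac-address'
        self.bindings = {}                # (chaddr, vlan) -> (ip, client port, lease)
        self.client_port = {}             # (chaddr, vlan) -> port that sent DISCOVER/REQUEST
        self.errdisabled = set()          # ports shut down by the rate limit
        self.counts = defaultdict(int)    # (port, second) -> DHCP packets seen

    def process(self, port, vlan, src_mac, msg, second=0):
        """Return 'forward' or 'drop:<reason>' for one DHCP packet seen on port."""
        if port in self.errdisabled:
            return "drop:errdisabled"
        untrusted = port not in self.trusted
        # Rate limit: too many DHCP packets on an untrusted port err-disables it
        if untrusted and self.rate_limit is not None:
            self.counts[(port, second)] += 1
            if self.counts[(port, second)] > self.rate_limit:
                self.errdisabled.add(port)
                return "drop:rate-limit"
        # Server messages are only accepted on trusted ports (blocks rogue servers)
        if untrusted and msg["type"] in SERVER_MSGS:
            return "drop:server-msg-on-untrusted"
        # chaddr must match the frame source MAC on untrusted ports (blocks starvation)
        if untrusted and self.verify_mac and msg["chaddr"] != src_mac:
            return "drop:chaddr-mismatch"
        key = (msg["chaddr"], vlan)
        if msg["type"] in (DISCOVER, REQUEST):
            self.client_port[key] = port
        elif msg["type"] == ACK and key in self.client_port:  # ACK completes the binding
            self.bindings[key] = (msg["yiaddr"], self.client_port[key], msg["lease"])
        return "forward"

def demo():
    """Constructed traffic: e0/0 faces the real DHCP server, e0/1-3 face hosts."""
    sw = SnoopingSwitch(trusted_ports={"e0/0"}, rate_limit=3)
    c1, host3 = "aa:aa:aa:00:00:01", "cc:cc:cc:00:00:03"
    results = [sw.process("e0/1", 10, c1, {"type": REQUEST, "chaddr": c1})]
    results.append(sw.process("e0/0", 10, "00:11:22:33:44:55", {"type": ACK, "chaddr": c1, "yiaddr": "10.0.10.5", "lease": 691200}))
    results.append(sw.process("e0/2", 10, "bb:bb:bb:00:00:02", {"type": OFFER, "chaddr": c1, "yiaddr": "10.0.10.99", "lease": 60}))
    results.append(sw.process("e0/3", 10, host3, {"type": DISCOVER, "chaddr": "de:ad:be:ef:00:01"}))
    results += [sw.process("e0/3", 10, host3, {"type": DISCOVER, "chaddr": host3}, second=1) for _ in range(4)]
    return sw, results
```

In demo(), the rogue Offer on e0/2 and the Discover with a forged client MAC on e0/3 are dropped, the fourth Discover within one second on e0/3 trips the rate limit and err-disables that port, and only the legitimate client on e0/1 ends up in the binding table.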


Origin blog.51cto.com/14671287/2476251