
DHCP Snooping configuration
Date: 2021.03.12
Author: 歐陽文 (Ouyang Wen)

This document introduces the principles of DHCP Snooping and how to configure it, and gives a configuration example.

Example: configuring the attack defense functions of DHCP Snooping

Networking requirements

As shown in Figure 9-13, SwitchA and SwitchB are access devices and SwitchC is the DHCP relay. Client1 and Client2 connect to SwitchA through GE0/0/1 and GE0/0/2 respectively, and Client3 connects to SwitchB through GE0/0/1. Client1 and Client3 obtain IPv4 addresses through DHCP, while Client2 uses a statically configured IPv4 address. Unauthorized users on the network launch attacks that prevent legitimate users from obtaining IP addresses. The administrator wants to defend against DHCP attacks on the network and provide better service to DHCP users.

Figure 9-13 Network diagram for configuring the attack defense functions of DHCP Snooping

Configuration roadmap

Configure SwitchC as follows:

1. Enable DHCP Snooping and configure the device to process only DHCPv4 packets.
2. Configure the trusted state of interfaces so that clients obtain IP addresses only from the legitimate server.
3. Enable the association between ARP and DHCP Snooping so that the binding table is updated in real time when a DHCP user goes offline abnormally.
4. Enable generation of static MAC entries on interfaces from the DHCP Snooping binding table, to defend against attacks from non-DHCP users.
5. Enable the binding-table matching check of DHCP packets, to defend against bogus DHCP packet attacks.
6. Configure the maximum rate at which DHCP packets are sent to the DHCP packet processing unit, to defend against DHCP flood attacks.
7. Configure the maximum number of access users, and enable checking whether the source MAC address in the frame header of a DHCP Request matches the CHADDR field in the DHCP data area, to defend against denial-of-service attacks on the DHCP server.

Procedure

1. Enable DHCP Snooping.

# Enable DHCP Snooping globally and configure the device to process only DHCPv4 packets.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] dhcp enable
[SwitchC] dhcp snooping enable ipv4

# Enable DHCP Snooping on the user-side interfaces. GE0/0/1 is used as an example; the configuration of GE0/0/2 is the same and is omitted here.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping enable
[SwitchC-GigabitEthernet0/0/1] quit

2. Configure the trusted state of interfaces: set the interface connected to the DHCP server to "Trusted".

[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] dhcp snooping trusted
[SwitchC-GigabitEthernet0/0/3] quit

3. Enable the association between ARP and DHCP Snooping.

[SwitchC] arp dhcp-snooping-detect enable

4. Enable generation of static MAC entries on interfaces from the DHCP Snooping binding table.

# Configure this on the user-side interfaces. GE0/0/1 is used as an example; the configuration of GE0/0/2 is the same and is omitted here.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping sticky-mac
[SwitchC-GigabitEthernet0/0/1] quit

5. Enable the binding-table matching check of DHCP packets.

# Configure this on the user-side interfaces. GE0/0/1 is used as an example; the configuration of GE0/0/2 is the same and is omitted here.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping check dhcp-request enable
[SwitchC-GigabitEthernet0/0/1] quit

6. Set the maximum rate at which DHCP packets are sent to the DHCP packet processing unit to 90 pps.

[SwitchC] dhcp snooping check dhcp-rate enable
[SwitchC] dhcp snooping check dhcp-rate 90

7. Enable checking whether the GIADDR field in DHCP Request packets is non-zero.

# Configure this on the user-side interfaces. GE0/0/1 is used as an example; the configuration of GE0/0/2 is the same and is omitted here.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping check dhcp-giaddr enable
[SwitchC-GigabitEthernet0/0/1] quit

8. Configure the maximum number of access users allowed on the interface and enable the CHADDR field check.

# Configure this on the user-side interfaces. GE0/0/1 is used as an example; the configuration of GE0/0/2 is the same and is omitted here.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping max-user-number 20
[SwitchC-GigabitEthernet0/0/1] dhcp snooping check dhcp-chaddr enable
[SwitchC-GigabitEthernet0/0/1] quit

9. Configure the discarded-packet alarm and the packet rate-limit alarm.

# Enable the discarded-packet alarm and configure its threshold. GE0/0/1 is used as an example; the configuration of GE0/0/2 is the same and is omitted here.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr enable
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request enable
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply enable
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr threshold 120
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request threshold 120
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply threshold 120
[SwitchC-GigabitEthernet0/0/1] quit

# Enable the packet rate-limit alarm and configure its threshold.
[SwitchC] dhcp snooping alarm dhcp-rate enable
[SwitchC] dhcp snooping alarm dhcp-rate threshold 500

10. Verify the configuration.

# Run the display dhcp snooping configuration command to check the DHCP Snooping configuration.
[SwitchC] display dhcp snooping configuration
 dhcp snooping enable ipv4
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate 90
 dhcp snooping alarm dhcp-rate enable
 dhcp snooping alarm dhcp-rate threshold 500
 arp dhcp-snooping-detect enable
 interface GigabitEthernet0/0/1
  dhcp snooping enable
  dhcp snooping check dhcp-giaddr enable
  dhcp snooping check dhcp-request enable
  dhcp snooping alarm dhcp-request enable
  dhcp snooping alarm dhcp-request threshold 120
  dhcp snooping check dhcp-chaddr enable
  dhcp snooping alarm dhcp-chaddr enable
  dhcp snooping alarm dhcp-chaddr threshold 120
  dhcp snooping alarm dhcp-reply enable
  dhcp snooping alarm dhcp-reply threshold 120
  dhcp snooping max-user-number 20
 interface GigabitEthernet0/0/2
  dhcp snooping enable
  dhcp snooping check dhcp-giaddr enable
  dhcp snooping check dhcp-request enable
  dhcp snooping alarm dhcp-request enable
  dhcp snooping alarm dhcp-request threshold 120
  dhcp snooping check dhcp-chaddr enable
  dhcp snooping alarm dhcp-chaddr enable
  dhcp snooping alarm dhcp-chaddr threshold 120
  dhcp snooping alarm dhcp-reply enable
  dhcp snooping alarm dhcp-reply threshold 120
  dhcp snooping max-user-number 20
 interface GigabitEthernet0/0/3
  dhcp snooping trusted

# Run the display dhcp snooping interface command to check the DHCP Snooping running information on an interface.
[SwitchC] display dhcp snooping interface gigabitethernet 0/0/1
 DHCP snooping running information for interface GigabitEthernet0/0/1 :
  DHCP snooping                             : Enable
  Trusted interface                         : No
  Dhcp user max number                      : 20
  Current dhcp and nd user number           : 0
  Check dhcp-giaddr                         : Enable
  Check dhcp-chaddr                         : Enable
  Alarm dhcp-chaddr                         : Enable
  Alarm dhcp-chaddr threshold               : 120
  Discarded dhcp packets for check chaddr   : 0
  Check dhcp-request                        : Enable
  Alarm dhcp-request                        : Enable
  Alarm dhcp-request threshold              : 120
  Discarded dhcp packets for check request  : 0
  Check dhcp-rate                           : Disable (default)
  Alarm dhcp-rate                           : Disable (default)
  Alarm dhcp-rate threshold                 : 500
  Discarded dhcp packets for rate limit     : 0
  Alarm dhcp-reply                          : Enable
  Alarm dhcp-reply threshold                : 120
  Discarded dhcp packets for check reply    : 0

[SwitchC] display dhcp snooping interface gigabitethernet 0/0/3
 DHCP snooping running information for interface GigabitEthernet0/0/3 :
  DHCP snooping                             : Disable (default)
  Trusted interface                         : Yes
  Dhcp user max number                      : 1024 (default)
  Current dhcp and nd user number           : 0
  Check dhcp-giaddr                         : Disable (default)
  Check dhcp-chaddr                         : Disable (default)
  Alarm dhcp-chaddr                         : Disable (default)
  Check dhcp-request                        : Disable (default)
  Alarm dhcp-request                        : Disable (default)
  Check dhcp-rate                           : Disable (default)
  Alarm dhcp-rate                           : Disable (default)
  Alarm dhcp-rate threshold                 : 500
  Discarded dhcp packets for rate limit     : 0
  Alarm dhcp-reply                          : Disable (default)

Configuration file

# Configuration file of SwitchC
#
 sysname SwitchC
#
 dhcp enable
#
 dhcp snooping enable ipv4
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate 90
 dhcp snooping alarm dhcp-rate enable
 dhcp snooping alarm dhcp-rate threshold 500
 arp dhcp-snooping-detect enable
#
interface GigabitEthernet0/0/1
 dhcp snooping sticky-mac
 dhcp snooping enable
 dhcp snooping check dhcp-giaddr enable
 dhcp snooping check dhcp-request enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 120
 dhcp snooping
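The per-packet decisions behind the checks in the configuration roadmap (trusted port, CHADDR versus frame source MAC, non-zero GIADDR, binding-table match, discarded-packet alarm threshold), modelled in Python. This is an added example, not code from the original document or from Huawei's implementation; the Packet and IfaceConfig field names, the binding-table layout and the sample MAC/IP values are assumptions made for the illustration.

```python
from dataclasses import dataclass

ZERO_IP = "0.0.0.0"

@dataclass
class Packet:
    iface: str              # ingress interface, e.g. "GE0/0/1"
    src_mac: str            # source MAC in the Ethernet frame header
    is_reply: bool          # True for server messages (OFFER/ACK/NAK)
    chaddr: str             # CHADDR field in the DHCP data area
    giaddr: str = ZERO_IP   # relay agent address field
    ciaddr: str = ZERO_IP   # client address in Request/Release/Decline

@dataclass
class IfaceConfig:
    trusted: bool = False        # dhcp snooping trusted
    check_chaddr: bool = False   # dhcp snooping check dhcp-chaddr enable
    check_giaddr: bool = False   # dhcp snooping check dhcp-giaddr enable
    check_request: bool = False  # dhcp snooping check dhcp-request enable
    alarm_threshold: int = 120   # dhcp snooping alarm ... threshold

class DhcpSnooping:
    def __init__(self, ifaces, bindings):
        self.ifaces = ifaces
        # assumed binding-table layout: (client MAC, IP) -> interface learned on
        self.bindings = bindings
        self.discards = {name: 0 for name in ifaces}
        self.alarms = []

    def inspect(self, pkt):
        """Return ("forward", None) or ("discard", reason) for one packet."""
        cfg = self.ifaces[pkt.iface]
        if cfg.trusted:
            return ("forward", None)   # server-facing port: no client-side checks
        reason = None
        if pkt.is_reply:
            reason = "server reply on untrusted interface"   # bogus DHCP server
        elif cfg.check_chaddr and pkt.src_mac.lower() != pkt.chaddr.lower():
            reason = "frame source MAC does not match CHADDR"
        elif cfg.check_giaddr and pkt.giaddr != ZERO_IP:
            reason = "non-zero GIADDR from a client port"
        elif (cfg.check_request and pkt.ciaddr != ZERO_IP
              and self.bindings.get((pkt.chaddr.lower(), pkt.ciaddr)) != pkt.iface):
            reason = "no matching binding-table entry"
        if reason is None:
            return ("forward", None)
        self.discards[pkt.iface] += 1
        if self.discards[pkt.iface] == cfg.alarm_threshold:
            self.alarms.append(pkt.iface)   # raise the discarded-packet alarm once
        return ("discard", reason)
```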
