Boway --- Cloud architecture decides cloud computing

Thread starter: network

DAI deployment documents - protecting against ARP/MAC spoofing and similar attacks; the critical first step in building a secure network: infrastructure security

Thread starter | Posted 2008-10-26 20:09:24
ARP attack test report [DHCP snooping && DAI Implement Report]

Attachment: arp.pdf (1.44 MB), uploaded 2008-10-25 15:13, downloads: 0
Thread starter | Posted 2008-12-21 07:21:26
Deploying DHCP Snooping + DAI in a 3560/3750 + 2950T-24 environment

A few years ago we sold a lot of campus networks, generally in the 3560G/3750G + 2950T-24 pattern.

When ARP attacks broke out, the customers' phone calls came thick and fast. DHCP Snooping + DAI is a good solution, but on closer inspection the 2950T-24 turned out not to support DAI. Faint.

Someone suggested an idea: enable PVLAN on the 2950T-24 for port isolation and enable DAI on the 3560G/3750G, so ARP attacks would no longer be a problem. Tested it, and it does work, but local Layer 2 ports could not reach each other. A search of the manual turned up the command
ip local-proxy-arp, enabled under the interface vlan; OK. The configuration is as follows:


Current configuration : 2345 bytes
!
! Last configuration change at 14:30:26 GMT Wed Nov 5 2008
! NVRAM config last updated at 14:28:34 GMT Wed Nov 5 2008
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SW3750
!
enable secret 5 $1$sxfr$4l6Wm6DsHk3m6p/olRN260
!
no aaa new-model
clock timezone GMT 8
switch 1 provision ws-c3750g-24ts
ip subnet-zero
ip routing
no ip dhcp conflict logging
!
ip dhcp pool client
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
!
ip dhcp snooping vlan 3
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
ip arp inspection vlan 3
ip arp inspection validate ip

!
!
!
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 30
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
ip arp inspection limit none
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
no ip address
shutdown
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
no ip redirects
ip local-proxy-arp
ip route-cache same-interface
!
interface Vlan108
ip address 192.168.108.1 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
!
control-plane
!
!
line con 0
line vty 0 4
password cisco
no login
line vty 5 15
no login
!
!
end

Thread starter | Posted 2008-12-21 07:21:41
2950T configuration

Current configuration : 4418 bytes
!
version 12.1
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname C2950
!
enable password cisco
!
errdisable recovery cause dhcp-rate-limit
ip subnet-zero
!
ip dhcp snooping vlan 3
ip dhcp snooping
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
no spanning-tree vlan 361
no spanning-tree vlan 368
no spanning-tree vlan 369
no spanning-tree vlan 500
!
!
interface FastEthernet0/1
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/2
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/3
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/4
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/5
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/6
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/7
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/8
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/9
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/10
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/11
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/12
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/13
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/14
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/15
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/16
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/17
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/18
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/19
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/20
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/21
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/22
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/23
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface FastEthernet0/24
switchport access vlan 3
switchport protected
no ip address
spanning-tree portfast
ip dhcp snooping limit rate 10
!
interface GigabitEthernet0/1
switchport mode trunk
no ip address
ip dhcp snooping trust
!
interface GigabitEthernet0/2
no ip address
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan108
ip address 192.168.108.2 255.255.255.0
no ip route-cache
!
ip http server
!
!
line con 0
line vty 0 4
password cisco
login
line vty 5 15
login
!
end
Thread starter | Posted 2008-12-21 07:24:01
Thoughts on deploying DHCP SNOOPING / DAI / IP SOURCE checking


1. DHCP SNOOPING builds, from DHCP information, a table of the correspondence between port number / VLAN ID / MAC address / source address. This table is generated dynamically from DHCP packets and provides the base data for DAI.

2. DAI, Dynamic ARP Inspection, checks ARP packets on untrusted ports: every ARP packet received on an untrusted port is checked against the DHCP SNOOPING table; if it matches it is passed, if not the packet is dropped.

3. IP SOURCE GUARD, source IP address checking: all IP traffic has its source IP address, VLAN and port information checked against the table generated by DHCP SNOOPING; if it matches it is passed, if not it is dropped.

Note: the difference between DAI and IP SOURCE GUARD is that DAI checks only ARP traffic, while IP SOURCE GUARD checks IP traffic. The two need to be used together to properly prevent ARP spoofing attacks and source IP address spoofing attacks.

A typical configuration follows, for reference.

Switch#show run
Building configuration...

Current configuration : 5543 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$ii9B$JEMQimaQ3Sli/LlPdPr8R0
!
no aaa new-model
switch 1 provision ws-c3750g-48ts
system mtu routing 1500
ip subnet-zero
no ip domain-lookup
!
ip dhcp snooping vlan 201
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
ip arp inspection vlan 201
!
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
ip arp inspection trust
ip dhcp snooping trust
!
interface GigabitEthernet1/0/2
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/3
switchport access vlan 200
switchport mode access
ip dhcp snooping trust
!
interface GigabitEthernet1/0/4
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/5
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/6
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/7
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/8
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/9
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/10
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/11
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/14
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/15
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/16
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/17
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/18
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/19
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/20
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/21
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/22
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/23
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/24
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/25
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/26
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/27
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/28
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/29
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/30
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/31
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/32
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/33
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/34
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/35
switchport access vlan 201
switchport mode access
ip verify source port-security
!
interface GigabitEthernet1/0/36
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/37
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/38
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/39
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/40
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/41
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/42
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/43
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/44
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/45
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/46
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/47
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/48
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/49
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/50
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/51
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/52
switchport access vlan 201
switchport mode access
!
interface Vlan1
ip address 10.128.0.201 255.255.255.0
!
interface Vlan200
ip address 10.200.128.254 255.255.255.0
!
interface Vlan201
ip address 10.200.160.254 255.255.255.0
ip helper-address 10.200.128.1
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
password tcs54321
line vty 0 4
password tcs54321
no login
line vty 5 15
password tcs54321
no login
!
end
Switch#
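The three checks described in this post, modelled as an added Python example (not the forum author's code and not anything from Cisco IOS): a DHCP snooping binding table keyed by VLAN and MAC, the DAI decision for ARP packets including trusted ports and the `ip arp inspection validate ip` option, and the IP Source Guard check on IP traffic. The class and method names (Switch, dhcp_ack, arp_in, ip_in) and the sample MAC/IP values are constructed for this example.

```python
import ipaddress
from collections import namedtuple

Binding = namedtuple("Binding", "mac ip vlan port")  # one row of the DHCP snooping binding table

def invalid_arp_ip(ip):
    """'ip arp inspection validate ip': 0.0.0.0, 255.255.255.255 and multicast are invalid."""
    a = ipaddress.IPv4Address(ip)
    return a.is_multicast or str(a) in ("0.0.0.0", "255.255.255.255")

class Switch:
    def __init__(self, trusted_ports=(), validate_ip=False):
        self.trusted = set(trusted_ports)  # ports configured with 'ip arp inspection trust'
        self.validate_ip = validate_ip     # 'ip arp inspection validate ip'
        self.bindings = {}                 # (vlan, mac) -> Binding, filled by DHCP snooping

    def dhcp_ack(self, port, vlan, mac, ip):
        """DHCP snooping: a DHCP ACK to a client on an untrusted port creates a binding."""
        self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, port)

    def arp_in(self, port, vlan, sender_mac, sender_ip):
        """DAI: ARP on trusted ports passes; elsewhere sender MAC/IP must match a binding."""
        if port in self.trusted:
            return "forward"
        if self.validate_ip and invalid_arp_ip(sender_ip):
            return "drop"
        b = self.bindings.get((vlan, sender_mac))
        return "forward" if b and b.ip == sender_ip else "drop"

    def ip_in(self, port, vlan, src_mac, src_ip):
        """IP Source Guard (port-security mode): source IP and MAC must be bound to this port."""
        b = self.bindings.get((vlan, src_mac))
        return "forward" if b and b.ip == src_ip and b.port == port else "drop"

def demo():
    sw = Switch(trusted_ports={"Gi1/0/1"}, validate_ip=True)
    # Constructed sample: two clients obtain leases in VLAN 3 via DHCP.
    sw.dhcp_ack("Fa0/1", 3, "00:11:22:33:44:01", "192.168.3.11")
    sw.dhcp_ack("Fa0/2", 3, "00:11:22:33:44:02", "192.168.3.12")
    return {
        "own_binding": sw.arp_in("Fa0/1", 3, "00:11:22:33:44:01", "192.168.3.11"),
        "claims_gateway_ip": sw.arp_in("Fa0/2", 3, "00:11:22:33:44:02", "192.168.3.1"),
        "bogus_sender_ip": sw.arp_in("Fa0/2", 3, "00:11:22:33:44:02", "0.0.0.0"),
        "trusted_uplink": sw.arp_in("Gi1/0/1", 3, "00:aa:bb:cc:dd:ee", "192.168.3.1"),
        "ipsg_own_port": sw.ip_in("Fa0/1", 3, "00:11:22:33:44:01", "192.168.3.11"),
        "ipsg_moved_port": sw.ip_in("Fa0/2", 3, "00:11:22:33:44:01", "192.168.3.11"),
    }
```

Only ARP goes through arp_in and only IP traffic through ip_in, which is the point of the note above: an address that DAI never sees in an ARP packet can still be caught by IP Source Guard on the data path.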
Posted 2009-4-18 00:01:31
Good stuff!
Posted 2009-8-19 16:02:43
Good stuff, learned something!
Posted 2009-8-19 17:11:24
Good stuff, learning!
Posted 2009-8-19 17:13:08
Good stuff, learning!
Posted 2009-10-3 17:24:32
:) :)
Posted 2009-10-3 17:24:54
good......thanks for sharing