Thoughts on deploying DHCP Snooping / DAI / IP Source Guard checks

Posted 2007-6-28 05:56:35

To cut the hassle of static IPs we use DHCP to assign addresses to clients automatically, but if a rogue DHCP server is present there will be conflicts; DHCP snooping can ensure that the DHCP traffic is legitimate.
The approach is to assign users their IPs via DHCP and then restrict those users to dynamic addressing only: if they switch to a static IP they can no longer connect to the network. That is what the DHCP snooping feature is used for.
Example:
例子:
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service compress-config
!
hostname C4-2_4506
!
enable password xxxxxxx!
clock timezone GMT 8
ip subnet-zero


no ip domain-lookup
!
ip dhcp snooping vlan 180-181 // which VLANs the restriction applies to
ip dhcp snooping
ip arp inspection vlan 180-181
ip arp inspection validate src-mac dst-mac ip


errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause gbic-invalid
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause arp-inspection
errdisable recovery interval 30
spanning-tree extend system-id
!
!

interface GigabitEthernet2/1 // restricts the users attached to this port; a downstream switch may hang off it
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!


interface GigabitEthernet2/2
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/3
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
!
interface GigabitEthernet2/4
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
--More--

Editor's note: this is a good solution whenever nobody needs an explicit, fixed address. See also www.cisco.com
IP Source Guard
Similar to DHCP snooping, this feature is enabled on a DHCP snooping untrusted Layer 2 port. Initially, all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping process. When a client receives a valid IP address from the DHCP server, or when a static IP source binding is configured by the user, a per-port and VLAN Access Control List (PACL) is installed on the port. This process restricts the client IP traffic to those source IP addresses configured in the binding; any IP traffic with a source IP address other than that in the IP source binding will be filtered out. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address.
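The first post's show run stops at --More--, and even the complete 3750 config later in the thread runs to a few hundred lines; reading trust, DAI and IPSG state off such a dump by eye is where mistakes hide. The audit below is an added example, not code from this thread or from Cisco: it parses the plain-text show run layout used on this page (indentation stripped, `!` between blocks) and reports the gaps a reviewer would check. SAMPLE_CONFIG, its interface names and VLAN numbers are constructed for illustration, and the finding texts are the script's own wording.

```python
"""Audit a Cisco IOS running-config for DHCP snooping / DAI / IP Source Guard gaps.
Added example, not from the post or from Cisco; SAMPLE_CONFIG is constructed for illustration."""
import re
from dataclasses import dataclass

SAMPLE_CONFIG = """\
ip dhcp snooping vlan 200-201
ip dhcp snooping
ip arp inspection vlan 201
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 ip arp inspection trust
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/2
 switchport access vlan 201
 switchport mode access
 ip dhcp snooping limit rate 100
 ip verify source port-security
!
interface GigabitEthernet1/0/3
 switchport access vlan 201
 switchport mode access
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/49
 switchport mode trunk
!
"""

@dataclass
class Iface:
    name: str
    mode: str = "access"
    access_vlan: int = 1
    dhcp_trust: bool = False
    arp_trust: bool = False
    ipsg: bool = False        # any 'ip verify source ...' form
    dhcp_rate: int = 0        # 0 = no 'ip dhcp snooping limit rate' (IOS default: unlimited)

def parse_vlan_list(spec):
    """'180-181' / '100,200' / '10,20,30-32' -> set of VLAN ids."""
    out = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            out.update(range(int(lo), int(hi) + 1))
        elif part:
            out.add(int(part))
    return out

def parse_config(text):
    """Return (snooped vlans, DAI vlans, [Iface]). Indentation is ignored; '!' closes a block."""
    snoop, dai, ifaces, cur = set(), set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":
            cur = None
        elif line.startswith("interface "):
            cur = Iface(name=line.split(None, 1)[1])
            ifaces.append(cur)
        elif cur is None:                                   # global commands
            if m := re.match(r"ip dhcp snooping vlan (\S+)", line):
                snoop |= parse_vlan_list(m.group(1))
            elif m := re.match(r"ip arp inspection vlan (\S+)", line):
                dai |= parse_vlan_list(m.group(1))
        elif line == "switchport mode trunk":
            cur.mode = "trunk"
        elif m := re.match(r"switchport access vlan (\d+)", line):
            cur.access_vlan = int(m.group(1))
        elif line == "ip dhcp snooping trust":
            cur.dhcp_trust = True
        elif line == "ip arp inspection trust":
            cur.arp_trust = True
        elif line.startswith("ip verify source"):
            cur.ipsg = True
        elif m := re.match(r"ip dhcp snooping limit rate (\d+)", line):
            cur.dhcp_rate = int(m.group(1))
    return snoop, dai, ifaces

def audit(text):
    """One finding per gap. Ports in VLANs without snooping are skipped, as the features skip them."""
    snoop, dai, ifaces = parse_config(text)
    f = [f"vlan {v}: DHCP snooping on but DAI off; ARP in this VLAN is not checked" for v in sorted(snoop - dai)]
    for i in ifaces:
        if i.mode == "trunk":
            if not i.dhcp_trust:
                f.append(f"{i.name}: trunk not DHCP-snooping trusted; server OFFER/ACK arriving here is dropped "
                         "(fine for a downlink, wrong for the uplink toward the DHCP server)")
            if dai and not i.arp_trust:
                f.append(f"{i.name}: trunk not DAI trusted; ARP transiting it is checked against the local binding table")
            continue
        if i.access_vlan not in snoop:
            continue
        if i.dhcp_trust:
            f.append(f"{i.name}: access port in snooped vlan {i.access_vlan} is DHCP trusted; a rogue server here is accepted")
        if not i.ipsg:
            f.append(f"{i.name}: no 'ip verify source'; a host can still send from a static or spoofed IP")
        if not i.dhcp_rate:
            f.append(f"{i.name}: no 'ip dhcp snooping limit rate'; a DHCP flood from this port hits the CPU unthrottled")
    return f
```

Replace SAMPLE_CONFIG with a real show run (or read it from a file) and print `audit(...)`. Two caveats: an untrusted trunk is only a problem on the path toward the DHCP server, so that finding is a prompt to check rather than a verdict, since a downlink trunk to another access switch is legitimately left untrusted (the first post's Gi2/1 with its rate limits); and `ip verify source` alone filters on source IP, whereas the `port-security` keyword used on the 3750 also checks the source MAC and needs port security enabled on the port, so the script treats both forms as IPSG but does not verify that port security is configured.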
Original poster | 2007-9-4 06:49:45

DHCP Snooping (prevents DHCP server spoofing attacks)

How to implement:
IOS global commands:
ip dhcp snooping vlan 100,200   /* define which VLANs have DHCP snooping enabled */
ip dhcp snooping
Interface commands:
ip dhcp snooping trust
no ip dhcp snooping trust (default)
ip dhcp snooping limit rate 10 (pps)   /* limits DHCP denial-of-service attacks to some extent */


Dynamic ARP Inspection (DAI) (prevents ARP spoofing and address conflicts)
How to implement:
This method only applies when the internal core switch is a Cisco Layer 3 switch:
For a network with statically assigned IP addresses, the IP+MAC binding configuration is as follows:

ip dhcp snooping vlan 10,20
ip dhcp snooping
ip arp inspection vlan 10,20
ip arp inspection vlan 10,20 logging dhcp-bindings all
ip arp inspection validate src-mac dst-mac ip
ip arp inspection filter PERMIT_HOST vlan 10,20
!
arp access-list PERMIT_HOST
permit ip host 192.168.10.10 mac host 0015.c57b.faac
permit ip host 192.168.10.11 mac host 0015.c57b.abcd


For a setup with a DHCP pool you only need to add
ip dhcp snooping database flash:dhcp_snooping_data

Note: the IP/MAC binding method above is much simpler than the old way of binding all 255 addresses one by one with arp 0000.1111.1111 192.168.1.1

This is the solution our company uses; take it as a reference.
Original poster | 2007-10-5 03:07:40

Thoughts on deploying DHCP Snooping / DAI / IP Source Guard checks

Reposted from: bbs.thinkcore.net


1. DHCP snooping builds a table from DHCP traffic that maps port number / VLAN ID / MAC address / source IP address to each other. The table is generated dynamically from DHCP packets and provides the base data for DAI.

2. DAI (Dynamic ARP Inspection) inspects ARP packets on untrusted ports: every ARP packet received on an untrusted port is compared against the DHCP snooping table; if it matches it is passed, otherwise it is dropped.

3. IP Source Guard is a source IP address check: all IP traffic has its source IP address, VLAN and port compared against the table generated by DHCP snooping; if it matches it is passed, otherwise it is dropped.

Note: the difference between DAI and IP Source Guard is that DAI only inspects ARP traffic, while IP Source Guard inspects IP traffic; the two need to be used together to properly prevent ARP spoofing and source IP spoofing attacks.

A typical configuration follows, for reference.

Switch#show run
Building configuration...

Current configuration : 5543 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$ii9B$JEMQimaQ3Sli/LlPdPr8R0
!
no aaa new-model
switch 1 provision ws-c3750g-48ts
system mtu routing 1500
ip subnet-zero
no ip domain-lookup
!
ip dhcp snooping vlan 201
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
ip arp inspection vlan 201
!         
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
ip arp inspection trust
ip dhcp snooping trust
!
interface GigabitEthernet1/0/2
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/3
switchport access vlan 200
switchport mode access
ip dhcp snooping trust
!
interface GigabitEthernet1/0/4
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/5
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/6
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/7
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/8
switchport access vlan 201
switchport mode access
!         
interface GigabitEthernet1/0/9
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/10
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/11
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/14
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/15
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/16
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/17
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/18
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/19
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/20
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/21
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/22
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/23
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/24
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/25
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/26
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/27
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/28
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/29
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/30
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/31
switchport access vlan 201
switchport mode access
!         
interface GigabitEthernet1/0/32
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/33
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/34
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/35
switchport access vlan 201
switchport mode access
ip verify source port-security
!
interface GigabitEthernet1/0/36
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/37
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/38
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/39
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/40
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/41
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/42
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/43
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/44
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/45
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/46
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/47
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/48
switchport access vlan 201
switchport mode access
!         
interface GigabitEthernet1/0/49
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/50
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/51
switchport access vlan 201
switchport mode access
!
interface GigabitEthernet1/0/52
switchport access vlan 201
switchport mode access
!
interface Vlan1
ip address 10.128.0.201 255.255.255.0
!
interface Vlan200
ip address 10.200.128.254 255.255.255.0
!
interface Vlan201
ip address 10.200.160.254 255.255.255.0
ip helper-address 10.200.128.1
!
ip classless
ip http server
ip http secure-server
!
!
!
control-plane
!
!
line con 0
password tcs54321
line vty 0 4
password tcs54321
no login
line vty 5 15
password tcs54321
no login
!
end
         
Switch#
Original poster | 2007-10-5 04:11:22
DHCP snooping + DAI test problems

Configuring DHCP snooping
Configuration on the C6509:
enable
ip dhcp snooping vlan 100,200  /* define which VLANs have DHCP snooping enabled */
no ip dhcp snooping information option
ip dhcp snooping
conf t
int gi8/3
ip dhcp snooping trust
ip dhcp snooping limit rate 10 (pps) /* we later found that with this line, once the number of concurrent users grew, some people could not get online or obtain an IP address, so in the end we removed it; the default is unlimited */
int gi8/1
ip dhcp snooping trust

Configuration on the C2960:
int gi0/1
ip dhcp snooping trust

The network is currently running normally.


Configuring DHCP snooping + DAI
    Since the C2960 does not support DAI, we wanted to move DAI onto the C6509 and test it, with the following configuration:
Configuration on the C6509:
enable
ip dhcp snooping vlan 100,200  
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 100,200 /* define which VLANs have ARP packet inspection */
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10
conf t
int gi8/3
ip dhcp snooping trust
ip arp inspection trust
ip arp inspection limit rate 15 (pps) /* ARP packets per second allowed on the interface: this is the default */
int gi8/1
ip dhcp snooping trust

Configuration on the C2960:
int gi0/1
ip dhcp snooping trust
Test result:
We connected a test PC to the 2960, obtained an IP address, then changed the IP manually and found that the manually set address could not get onto the network. The DAI test result was achieved and we thought we were done. Unexpectedly, the next day when users came to work and the number of concurrent users rose, large numbers of them could not get online or obtain an IP address. show ip arp inspection showed a lot of DROP packets.
If we add the following on GI8/1 of the C6509, the port facing the C2960:
ip arp inspection trust
then show ip arp inspection shows no more drops, almost everything is forwarded, but once it is added a test PC that manually changes its IP can still get online, so the DAI effect is lost.

Current situation: we opened a case with Cisco and were told that the C2960 does not support DAI and this cannot be achieved. But why did DAI still work when the number of concurrent users was small (around ten)? Puzzling. Asking everyone here: is there a way to achieve the DAI effect in our current network? The customer has already rejected putting an ACL on every port.
Because several tests have impacted the customer, the customer asks that we only schedule further tests once we are confident.



Image attachment: [topology diagram] 结构图.jpg (2007-2-6 12:06 PM, 12.21 K)


Original poster | 2007-10-5 04:17:59
Static VLAN / port / MAC / IP address binding


Although this feature is a subset of DAI and the documentation says DHCP snooping must be used, I think it can be used on its own without a DHCP server, so it is still useful in certain small-scale situations; sharing it here

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 180
Switch(config)# ip dhcp snooping information option
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip dhcp snooping limit rate 100
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# ip verify source port-security
Switch(config-if)# exit
Switch(config)# ip source binding 0100.0022.0010 vlan 180 10.35.180.2 interface gigabitethernet0/2
Switch(config)# ip source binding 0100.0558.493e vlan 180 10.35.180.3 interface gigabitethernet0/3
Switch(config)# end
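The three checks described in the reposted "Thoughts" post, the drops seen in the DAI test post and the static `ip source binding` in the last post all come down to one lookup table keyed by VLAN and IP and carrying MAC and port. The Python model below is an added example, not code from the thread or from Cisco; the Switch class, its packet dictionaries, the port names Gi1/0/1 to Gi1/0/3 and the MAC and IP values (in the 10.200.160.0/24 range the 3750 config uses) are illustrative assumptions, and the ARP rate limit is modelled with a plain counter rather than a one-second clock. It walks the cases the thread describes: a lease built from a DISCOVER/REQUEST on an untrusted port and an ACK on the trusted uplink, an OFFER from a rogue server, the client changing to a static IP, a host the switch has no binding for, a static binding for a fixed-address device, and an ARP flood tripping the per-port limit.

```python
"""Model of the single binding table shared by DHCP snooping, DAI and IP Source Guard.
Added example, not from the thread or from Cisco; packets are dicts built inline with made-up MAC/IP values."""
import ipaddress
from collections import defaultdict, namedtuple

Binding = namedtuple("Binding", "mac ip vlan port")   # one row of 'show ip dhcp snooping binding'

class Switch:
    def __init__(self, trusted_ports, ipsg_ports, arp_rate_limit=15):
        self.trusted = set(trusted_ports)      # 'ip dhcp snooping trust' and 'ip arp inspection trust'
        self.ipsg_ports = set(ipsg_ports)      # 'ip verify source port-security'
        self.arp_rate_limit = arp_rate_limit   # 'ip arp inspection limit rate N' (IOS default 15 pps)
        self.bindings = {}                     # (vlan, ip) -> Binding
        self.pending = {}                      # (vlan, client mac) -> port its DISCOVER/REQUEST came in on
        self.arp_count = defaultdict(int)      # per-port ARPs in the current one-second window
        self.errdisabled = set()
        self.log = []

    def _drop(self, why):
        self.log.append("drop: " + why)
        return "drop"

    def add_static_binding(self, mac, ip, vlan, port):
        """'ip source binding <mac> vlan <v> <ip> interface <port>', or an arp access-list entry."""
        self.bindings[(vlan, ip)] = Binding(mac, ip, vlan, port)

    # DHCP snooping: server messages only from trusted ports; ACKs seen there fill the table.
    def dhcp(self, pkt):
        port, vlan, mac = pkt["port"], pkt["vlan"], pkt["chaddr"]
        if pkt["msg"] in ("OFFER", "ACK", "NAK"):
            if port not in self.trusted:
                return self._drop(f"DHCP {pkt['msg']} on untrusted {port} (rogue server)")
            if pkt["msg"] == "ACK" and (vlan, mac) in self.pending:
                self.bindings[(vlan, pkt["yiaddr"])] = Binding(mac, pkt["yiaddr"], vlan, self.pending[(vlan, mac)])
            return "forward"
        if port not in self.trusted and pkt["smac"] != mac:    # MAC address verification
            return self._drop(f"DHCP {pkt['msg']} on {port}: Ethernet src {pkt['smac']} != chaddr {mac}")
        self.pending[(vlan, mac)] = port                         # DISCOVER/REQUEST: remember the client's port
        return "forward"

    # DAI: rate limit, then 'validate src-mac dst-mac ip', then the binding lookup.
    def arp(self, pkt):
        port, vlan, spa = pkt["port"], pkt["vlan"], pkt["spa"]
        if port in self.trusted:
            return "forward"
        self.arp_count[port] += 1
        if self.arp_count[port] > self.arp_rate_limit:
            self.errdisabled.add(port)          # comes back only via errdisable recovery or shut/no shut
            return self._drop(f"{port}: over {self.arp_rate_limit} ARP/s, port err-disabled")
        if pkt["eth_src"] != pkt["sha"]:
            return self._drop(f"{port}: Ethernet src {pkt['eth_src']} != ARP sender MAC {pkt['sha']}")
        if pkt["op"] == "reply" and pkt["eth_dst"] != pkt["tha"]:
            return self._drop(f"{port}: Ethernet dst != ARP target MAC in a reply")
        addr = ipaddress.ip_address(spa)
        if addr.is_unspecified or addr.is_multicast or spa == "255.255.255.255":
            return self._drop(f"{port}: invalid ARP sender IP {spa}")
        b = self.bindings.get((vlan, spa))
        if b is None or b.mac != pkt["sha"] or b.port != port:
            return self._drop(f"{port}: no binding for {spa} / {pkt['sha']} on this port")
        return "forward"

    # IP Source Guard: non-DHCP IP traffic on an IPSG port must match a binding for that port.
    def ip(self, pkt):
        port, vlan = pkt["port"], pkt["vlan"]
        if port not in self.ipsg_ports:
            return "forward"
        b = self.bindings.get((vlan, pkt["src_ip"]))
        if b is None or b.port != port or b.mac != pkt["src_mac"]:
            return self._drop(f"{port}: IPSG has no binding for {pkt['src_ip']} / {pkt['src_mac']}")
        return "forward"

def scenario():
    """The thread's cases: a lease, a rogue server, a manual IP change, an unknown host, a static binding."""
    sw = Switch(trusted_ports={"Gi1/0/1"}, ipsg_ports={"Gi1/0/2", "Gi1/0/3"})
    a, lease = "0015.c57b.faac", "10.200.160.10"
    r = {}
    r["discover"] = sw.dhcp({"port": "Gi1/0/2", "vlan": 201, "msg": "DISCOVER", "smac": a, "chaddr": a})
    r["offer"] = sw.dhcp({"port": "Gi1/0/1", "vlan": 201, "msg": "OFFER", "chaddr": a, "yiaddr": lease})
    r["request"] = sw.dhcp({"port": "Gi1/0/2", "vlan": 201, "msg": "REQUEST", "smac": a, "chaddr": a})
    r["ack"] = sw.dhcp({"port": "Gi1/0/1", "vlan": 201, "msg": "ACK", "chaddr": a, "yiaddr": lease})
    r["rogue_offer"] = sw.dhcp({"port": "Gi1/0/3", "vlan": 201, "msg": "OFFER", "chaddr": a, "yiaddr": "10.200.160.66"})

    def arp(port, sha, spa):      # ARP request from (sha, spa) for the gateway 10.200.160.254
        return sw.arp({"port": port, "vlan": 201, "op": "request", "eth_src": sha, "eth_dst": "ffff.ffff.ffff",
                       "sha": sha, "spa": spa, "tha": "0000.0000.0000", "tpa": "10.200.160.254"})
    r["arp_ok"] = arp("Gi1/0/2", a, lease)
    r["arp_gateway_spoof"] = arp("Gi1/0/2", a, "10.200.160.254")
    r["arp_unknown_host"] = arp("Gi1/0/3", "00aa.bbcc.dd01", lease)   # no binding: what a DAI drop looks like
    r["ip_ok"] = sw.ip({"port": "Gi1/0/2", "vlan": 201, "src_ip": lease, "src_mac": a})
    r["ip_static_change"] = sw.ip({"port": "Gi1/0/2", "vlan": 201, "src_ip": "10.200.160.99", "src_mac": a})
    sw.add_static_binding("0100.0558.493e", "10.200.160.3", 201, "Gi1/0/3")   # printer with a fixed address
    r["static_arp"] = arp("Gi1/0/3", "0100.0558.493e", "10.200.160.3")
    for _ in range(20):                                                      # ARP flood trips the rate limit
        arp("Gi1/0/3", "0100.0558.493e", "10.200.160.3")
    r["errdisabled"] = "Gi1/0/3" in sw.errdisabled
    return r, sw.log
```

`scenario()` returns the verdict for each step together with the drop log. The arp_unknown_host case is the one to pause on: a host whose lease the switch never observed, because it leased before snooping was enabled or because its DHCP exchange arrived through a port that is trusted for DHCP snooping (no binding is created for hosts behind trusted interfaces), fails the lookup and has all of its ARP dropped, which is what the DROP counters in `show ip arp inspection` reflect. Writing the table to flash with `ip dhcp snooping database`, as the second post does, keeps the bindings across a reload for the same reason.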