DAI deployment document - defending against ARP/MAC attacks and more; the critical first step in building a secure network: infrastructure security


DHCP Deployment Test Report
1 Topology
3 Implementation document
  3560
  2960
4 Technical reference


This report is the DHCP deployment test report for *****. Its purpose is to test the combined use of Cisco DHCP Snooping, Dynamic ARP Inspection (DAI) and IP Source Guard on the switches in order to prevent man-in-the-middle attacks, DHCP attacks and address spoofing in the switched environment. More significantly, deploying these technologies simplifies address management: a user's IP address can be traced directly to the corresponding switch port, and IP address conflicts are prevented. At the same time, most viruses that do serious damage to the Layer 2 network through address scanning, spoofing and similar behaviour can be effectively alarmed on and isolated.
1 Topology




2 Problems that DHCP Snooping, DAI and IP Source Guard can solve
1. Using DHCP Snooping to defend against DHCP attacks
  A DHCP server can automatically configure a user's IP address, mask, gateway, DNS, WINS and other network parameters, which simplifies client network settings and improves management efficiency. But DHCP management and use also bring some problems that trouble network administrators; the common ones are:
  • Impersonation of the DHCP server.
  • DoS attacks against the DHCP server.
  • Users assigning addresses arbitrarily, causing network address conflicts.
  Because of the way DHCP works, there is normally no authentication between server and client, so several DHCP servers on one network will throw it into confusion. Network disruption caused by a user who accidentally configured a DHCP server is very common, which shows how easy deliberate sabotage would be. A typical attack first exhausts the pool of IP addresses the legitimate DHCP server can allocate and then impersonates the legitimate server. The most covert and dangerous method is for the attacker's rogue DHCP server to hand users a modified DNS server address, so that, without noticing anything, users are directed to a pre-built fake banking or e-commerce site that steals their account names and passwords; this kind of attack is extremely damaging.
   1.2 DHCP Snooping technology overview
  DHCP Snooping is a DHCP security feature that builds and maintains a DHCP Snooping binding table and uses it to filter untrusted DHCP messages, that is, DHCP messages that come from untrusted areas. The DHCP Snooping binding table holds the user MAC address, IP address, lease time, VLAN ID, interface and other information for the untrusted areas, as shown in the following table:
S3560#sh ip dhcp snooping binding
MacAddress       IpAddress    Lease(sec)  Type       VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
08:00:46:AC:70:B8   692092    dhcp-snooping  2     FastEthernet0/47
Total number of bindings: 1
This table not only solves the problem of tracking and locating a DHCP user's IP address and port, which is convenient for user management, but it is also used by Dynamic ARP Inspection (DAI) and IP Source Guard.

1.3 Defense methods
Define trusted and untrusted ports on the switch; DHCP messages on untrusted ports are intercepted and inspected, and abnormal DHCP messages from those ports are dropped. Port security on the switch requires each DHCP request on a given port to use a unique MAC address. A DHCP server normally identifies the client MAC address from the CHADDR field of the DHCP request, which usually matches the client's real MAC address; but if an attacker leaves the client MAC unchanged and modifies only the CHADDR field in the DHCP messages to carry out a DoS attack, Port Security no longer helps. DHCP Snooping can check the CHADDR field of DHCP requests against the DHCP snooping table and so prevents attackers from tampering with CHADDR.
2. Using Dynamic ARP Inspection (DAI) to defend against ARP spoofing / MITM (Man-In-The-Middle) attacks
  1.1 How the MITM (Man-In-The-Middle) attack works
  By design of the ARP protocol, to reduce ARP traffic on the network a host will insert any ARP reply it receives into its ARP cache even if it did not request it, and this is what makes ARP spoofing possible. An attacker who wants to eavesdrop on the communication between two hosts on the same network (even when they are connected through a switch) sends each of them an ARP reply that makes both hosts wrongly believe the other's MAC address is that of the attacker's host; what looks like a direct connection between the two is then actually relayed through the attacker's host. The attacker obtains the communication content and only has to alter some information in the packets and forward them correctly. In this form of sniffing the attacker's host does not even need to put its network card into promiscuous mode, because both parties' packets are physically sent to the attacker's relay host.
  Cisco Dynamic ARP Inspection (DAI) binds IP addresses to MAC addresses on the switch and builds the bindings dynamically. DAI is based on the DHCP Snooping binding table; individual machines such as servers that do not use DHCP can be covered by adding static entries in an ARP access-list. DAI is configured per VLAN, and it can be enabled or disabled on individual interfaces within the same VLAN. DAI can also limit the number of ARP request packets on a port. Together these features defend against man-in-the-middle attacks.
• On interfaces configured with DAI, a client cannot join the network using a manually assigned address.
• Because DAI checks the IP-to-MAC mapping in the DHCP snooping binding table, a man-in-the-middle attack cannot be carried out and the attack tools stop working.
• Because ARP request packets are rate-limited, a client cannot perform IP scanning or probing, whether done manually or by a virus; if such behaviour occurs, the switch immediately raises an alarm or simply cuts off the scanning machine.
• Once a user has obtained an IP address, they cannot change the IP or the MAC; if both IP and MAC are changed at once they must be a legitimate IP and MAC pair within the network, and this kind of change can be defended against with the IP Source Guard technology described below.

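The DAI decision process described above, as an added example in Python (not code from the original report): it parses the `show ip dhcp snooping binding` output format shown earlier and applies the trusted-port, binding-table, static ARP access-list, `validate src-mac` and `limit rate` rules. All MAC addresses, IP addresses and port names in it are constructed sample data.

```python
"""Model of the Dynamic ARP Inspection (DAI) decisions described above.
Added example, not code from the original report. It parses the output format
of `show ip dhcp snooping binding` shown earlier and applies the DAI rules the
text describes: trusted ports are not inspected, ARPs on untrusted ports must
match the DHCP snooping binding table or a static ARP access-list, `validate
src-mac` compares the Ethernet header with the ARP body, and `limit rate`
err-disables a port that exceeds it. All MACs, IPs and port names are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample output in the format of `show ip dhcp snooping binding`.
SHOW_BINDING = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1A:2B:3C:4D:5E   10.29.0.52       3600        dhcp-snooping  29    FastEthernet0/2
Total number of bindings: 1
"""

def norm_mac(mac: str) -> str:
    """'08:00:46:AC:70:B8' and '0009.6b88.d387' both become 12 lowercase hex digits."""
    return mac.replace(":", "").replace(".", "").replace("-", "").lower()

def parse_snooping_bindings(text: str) -> Dict[Tuple[str, str, int], str]:
    """Return {(mac, ip, vlan): interface} parsed from the show command output."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[2].isdigit():   # data rows only, not header/footer
            mac, ip, _lease, _type, vlan, intf = parts
            table[(norm_mac(mac), ip, int(vlan))] = intf
    return table

@dataclass
class ArpPacket:
    ingress: str       # interface the frame arrived on
    vlan: int
    eth_src: str       # Ethernet header source MAC
    sender_mac: str    # ARP body: sender hardware address
    sender_ip: str     # ARP body: sender protocol address

@dataclass
class DaiSwitch:
    bindings: Dict[Tuple[str, str, int], str]
    inspected_vlans: Set[int]                         # ip arp inspection vlan ...
    trusted: Set[str] = field(default_factory=set)    # ip arp inspection trust
    static_acl: Set[Tuple[str, str, int]] = field(default_factory=set)  # arp access-list
    validate_src_mac: bool = True                     # ip arp inspection validate src-mac
    rate_limit: int = 15                              # pps; IOS default on untrusted ports
    arp_count: Dict[str, int] = field(default_factory=dict)
    err_disabled: Set[str] = field(default_factory=set)

    def inspect(self, pkt: ArpPacket) -> str:
        """Return 'forward', 'drop:<reason>' or 'errdisable' for one ARP frame."""
        if pkt.ingress in self.err_disabled:
            return "drop:port-errdisabled"
        if pkt.vlan not in self.inspected_vlans or pkt.ingress in self.trusted:
            return "forward"                          # DAI does not apply here
        # Rate limit: count ARPs seen on the untrusted port within one interval.
        self.arp_count[pkt.ingress] = self.arp_count.get(pkt.ingress, 0) + 1
        if self.arp_count[pkt.ingress] > self.rate_limit:
            self.err_disabled.add(pkt.ingress)        # %PM-4-ERR_DISABLE arp-inspection
            return "errdisable"
        # validate src-mac: Ethernet source must equal the ARP sender hardware address.
        if self.validate_src_mac and norm_mac(pkt.eth_src) != norm_mac(pkt.sender_mac):
            return "drop:src-mac-mismatch"
        key = (norm_mac(pkt.sender_mac), pkt.sender_ip, pkt.vlan)
        if key in self.static_acl or key in self.bindings:  # valid IP-to-MAC mapping
            return "forward"
        return "drop:dhcp-snooping-deny"              # %SW_DAI-4-DHCP_SNOOPING_DENY

def demo() -> List[str]:
    """Run constructed ARP frames through the model and return the decisions."""
    sw = DaiSwitch(
        bindings=parse_snooping_bindings(SHOW_BINDING),
        inspected_vlans={29},
        trusted={"GigabitEthernet0/1"},               # uplink trunk to the 3560
        static_acl={(norm_mac("0009.6b88.d387"), "10.29.0.200", 29)},  # non-DHCP server
        rate_limit=3,                                  # small limit to show err-disable
    )
    host, srv, scan = "00:1A:2B:3C:4D:5E", "0009.6b88.d387", "00:AA:BB:CC:DD:EE"
    frames = [
        ArpPacket("FastEthernet0/2", 29, host, host, "10.29.0.52"),   # matches binding
        ArpPacket("FastEthernet0/2", 29, host, host, "10.29.0.1"),    # claims gateway IP
        ArpPacket("FastEthernet0/2", 29, host, "00:DE:AD:BE:EF:00", "10.29.0.52"),
        ArpPacket("GigabitEthernet0/10", 29, srv, srv, "10.29.0.200"),  # static ACL entry
        ArpPacket("GigabitEthernet0/1", 29, srv, srv, "10.29.0.1"),   # trusted uplink
    ]
    # An unbound host on Fa0/3 sending a burst of ARPs above the rate limit.
    frames += [ArpPacket("FastEthernet0/3", 29, scan, scan, "10.29.0.77")] * 5
    return [sw.inspect(f) for f in frames]
```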
3. Using IP Source Guard to defend against IP/MAC spoofing
   IP Source Guard is configured on the switch and is supported only on Layer 2 ports; it prevents IP/MAC spoofing through the following mechanism:
• IP Source Guard uses the DHCP snooping binding table.
• It is configured on a switch port and takes effect on that port.
• It works similarly to DAI, but IP Source Guard does not check only ARP packets: every packet passing through a port on which IP Source Guard checking is defined is inspected.
• IP Source Guard checks whether the IP address and MAC address of the traffic passing through the interface are in the DHCP snooping binding table and blocks the traffic if they are not. Note that checking the MAC address requires a DHCP server that supports Option 82, and the router must also pass Option 82 information.
Configuring IP Source Guard on the switch:
• Filters out illegitimate IP addresses, whether deliberately changed by users or caused by viruses, attacks and so on.
• Solves the IP address conflict problem.
• Provides a dynamically built IP+MAC+PORT mapping table and binding relationship; for servers that do not use DHCP and other special-case machines, the mapping can be added to the binding table manually with a global command.
• An interface configured with IP Source Guard initially blocks all non-DHCP traffic.
     In summary, configuring the above features on Cisco switches not only solves the defense against some typical attacks and viruses, but also offers a new approach to traditional IP address management, which suffers from:
• Deliberately not using DHCP and assigning a static IP manually, which conflicts with DHCP-allocated addresses
• Configuring the DHCP server
• Problems encountered when static IP addresses are assigned
• Not using the allocated IP address and conflicting with a server or another address
• Difficulty locating the mapping between an IP address and a specific switch port
Important servers and computers that use static addresses can be protected with static IP+MAC and IP+MAC+PORT bindings, configured manually as DAI and IP Source Guard binding entries, which both protects those devices and prevents attacks originating from them.
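The IP Source Guard port behaviour listed above, as an added Python example (not code from the original report): a port with `ip verify source` passes only DHCP until a binding exists, then permits only the bound source IP, and with the `port-security` keyword the source MAC as well; static `ip source binding` entries have the same effect. Interface names, MACs and IPs are constructed sample values.

```python
"""Model of the IP Source Guard (ISG) port filter described above.
Added example, not code from the original report. It shows the behaviour the
text lists: an untrusted port with `ip verify source` passes only DHCP until a
DHCP snooping binding (or an `ip source binding` static entry) exists, then
permits only the bound source IP; with the `port-security` keyword the source
MAC is checked as well. IP/MAC/port values are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Frame:
    ingress: str
    vlan: int
    src_mac: str
    src_ip: Optional[str]   # None for non-IP frames such as ARP
    proto: str              # "dhcp", "arp", "tcp", ...

@dataclass
class IsgSwitch:
    # {(interface, vlan): {(mac, ip)}}, filled by DHCP snooping or static bindings.
    bindings: Dict[Tuple[str, int], Set[Tuple[str, str]]] = field(default_factory=dict)
    verify_ip: Set[str] = field(default_factory=set)       # ip verify source
    verify_ip_mac: Set[str] = field(default_factory=set)   # ip verify source port-security

    def add_binding(self, intf: str, vlan: int, mac: str, ip: str) -> None:
        """Same effect for a snooped DHCP lease and for `ip source binding ...`."""
        self.bindings.setdefault((intf, vlan), set()).add((mac.lower(), ip))

    def filter(self, f: Frame) -> str:
        """Return 'forward' or 'drop:<reason>' for one frame arriving on a port."""
        if f.ingress not in self.verify_ip and f.ingress not in self.verify_ip_mac:
            return "forward"                     # ISG not enabled on this port
        if f.proto == "dhcp":
            return "forward"                     # DHCP must pass so a lease can be obtained
        if f.src_ip is None:
            return "forward"                     # ISG filters IP traffic only; ARP is DAI's job
        allowed = self.bindings.get((f.ingress, f.vlan), set())
        if not allowed:
            return "drop:no-binding"             # initial state: all non-DHCP IP traffic blocked
        check_mac = f.ingress in self.verify_ip_mac
        for mac, ip in allowed:                  # the per-port PACL built from the binding
            if ip == f.src_ip and (not check_mac or mac == f.src_mac.lower()):
                return "forward"
        return "drop:pacl"

def demo() -> List[str]:
    """Walk one DHCP client and one static server through the ISG states."""
    sw = IsgSwitch(verify_ip_mac={"FastEthernet0/1", "Gi4/5"})
    pc = "00:1a:2b:3c:4d:5e"
    out = []
    # Before any lease: DHCP discover passes, a hand-configured IP is blocked.
    out.append(sw.filter(Frame("FastEthernet0/1", 29, pc, "0.0.0.0", "dhcp")))
    out.append(sw.filter(Frame("FastEthernet0/1", 29, pc, "10.29.0.99", "tcp")))
    # DHCP snooping records the lease and ISG installs the PACL.
    sw.add_binding("FastEthernet0/1", 29, pc, "10.29.0.52")
    out.append(sw.filter(Frame("FastEthernet0/1", 29, pc, "10.29.0.52", "tcp")))
    # The user switches to a static IP, or another MAC reuses the bound IP.
    out.append(sw.filter(Frame("FastEthernet0/1", 29, pc, "10.29.0.99", "tcp")))
    out.append(sw.filter(Frame("FastEthernet0/1", 29, "00:de:ad:be:ef:00", "10.29.0.52", "tcp")))
    # ARP from the bound host is not inspected by ISG (DAI covers it).
    out.append(sw.filter(Frame("FastEthernet0/1", 29, pc, None, "arp")))
    # Static server entered with `ip source binding <mac> vlan 212 <ip> interface Gi4/5`.
    sw.add_binding("Gi4/5", 212, "0009.6b88.d387", "10.212.0.10")
    out.append(sw.filter(Frame("Gi4/5", 212, "0009.6b88.d387", "10.212.0.10", "tcp")))
    out.append(sw.filter(Frame("Gi4/5", 212, "0009.6b88.d387", "10.212.0.11", "tcp")))
    return out
```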
3 Implementation document
2960 g0/1 is trunked to the 3560

Users on DHCP are in access VLAN 29; on these interfaces users cannot switch to a static IP, otherwise they cannot get onto the network.
The DHCP server port is trusted; other DHCP servers cannot join the network.

2960: access interfaces are configured with port-security and ip dhcp snooping; the trunk interface is configured as ip dhcp snooping trust.

3560: ip dhcp snooping and DAI are configured; access interface configuration is the same as on the 2960; trunk interfaces are configured with DAI.

The switch that connects the DHCP server is configured with DAI / IP DHCP SNOOPING, and the interface facing the DHCP server is configured as ip dhcp snooping trust.

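A check for the deployment rules just stated, as an added Python example (not part of the original document): it parses an IOS running-config and reports client ports in the DHCP VLAN that lack port-security or a DHCP snooping rate limit, a DHCP-server-facing port that is not trusted, and missing global snooping or DAI for the VLAN. The embedded config is a constructed, shortened sample with indented stanzas, not the 3560 or 2960 config that follows.

```python
"""Audit a Cisco IOS running-config against the deployment rules stated above.
Added example, not part of the original document. It parses the plain-text
config format (global lines, then `interface ...` stanzas) and reports every
access port in the DHCP client VLAN that lacks port-security or a DHCP
snooping rate limit, a missing trust on the DHCP-server-facing port, and
missing global DHCP snooping / DAI for the VLAN. The config embedded here is
a constructed, shortened sample, not the 3560 or 2960 config on this page.
"""
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
hostname TEST-S3560
ip dhcp snooping vlan 29
ip dhcp snooping
interface GigabitEthernet0/4
 description for only permit DHCP client connection
 switchport access vlan 29
 switchport mode access
 switchport port-security
 ip dhcp snooping limit rate 10
interface GigabitEthernet0/5
 switchport access vlan 29
 switchport mode access
 ip dhcp snooping limit rate 10
interface GigabitEthernet0/6
 switchport access vlan 29
 switchport mode access
 switchport port-security
interface GigabitEthernet0/50
 switchport mode trunk
 ip dhcp snooping trust
interface GigabitEthernet0/52
 switchport mode trunk
"""

def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into global lines and {interface name: [its lines]}.
    Assumes the usual IOS layout in which stanza lines are indented by one space."""
    globals_: List[str] = []
    intfs: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            intfs[current] = []
        elif raw.startswith(" ") and current is not None:
            intfs[current].append(raw.strip())
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, intfs

def vlan_enabled(globals_: List[str], prefix: str, vlan: int) -> bool:
    """True if a global '<prefix> 29', '<prefix> 100,200' or '<prefix> 180-181' covers vlan."""
    for line in globals_:
        if not line.startswith(prefix + " "):
            continue
        for part in line[len(prefix):].split()[0].split(","):
            lo, _, hi = part.partition("-")
            if int(lo) <= vlan <= int(hi or lo):
                return True
    return False

def audit(text: str, client_vlan: int, dhcp_server_ports: List[str],
          expect_dai: bool = True) -> List[str]:
    """Return findings; an empty list means the config meets the stated rules."""
    globals_, intfs = parse_config(text)
    findings = []
    if "ip dhcp snooping" not in globals_:
        findings.append("global: ip dhcp snooping is not enabled")
    if not vlan_enabled(globals_, "ip dhcp snooping vlan", client_vlan):
        findings.append(f"global: DHCP snooping is not enabled for vlan {client_vlan}")
    if expect_dai and not vlan_enabled(globals_, "ip arp inspection vlan", client_vlan):
        findings.append(f"global: DAI is not enabled for vlan {client_vlan}")
    for name, lines in intfs.items():
        if f"switchport access vlan {client_vlan}" not in lines:
            continue                                   # not a DHCP client port
        if "switchport port-security" not in lines:
            findings.append(f"{name}: client port without switchport port-security")
        if not any(l.startswith("ip dhcp snooping limit rate") for l in lines):
            findings.append(f"{name}: client port without ip dhcp snooping limit rate")
        if "ip dhcp snooping trust" in lines:
            findings.append(f"{name}: client port must not be DHCP trusted")
    for name in dhcp_server_ports:
        if "ip dhcp snooping trust" not in intfs.get(name, []):
            findings.append(f"{name}: DHCP server port lacks ip dhcp snooping trust")
    return findings
```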
Building configuration...

Current configuration : 12073 bytes
! Last configuration change at 23:47:22 bj Fri Jul 27 2007
! NVRAM config last updated at 23:47:46 bj Fri Jul 27 2007
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
hostname DFXY-29F-A-S3560-1
enable secret 5 <removed>
no aaa new-model
clock timezone bj 8
ip subnet-zero
ip routing
ip dhcp snooping vlan 29
ip dhcp snooping information option allow-untrusted
ip dhcp snooping
ip arp inspection vlan 29
ip arp inspection validate src-mac ip
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery interval 120
no file verify auto
spanning-tree mode rapid-pvst
spanning-tree logging
spanning-tree extend system-id
spanning-tree uplinkfast
vlan internal allocation policy ascending
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet0/2
switchport access vlan 244
switchport mode access
spanning-tree portfast
interface GigabitEthernet0/3
switchport mode access
spanning-tree portfast
interface GigabitEthernet0/4
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/5
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/6
switchport mode access
spanning-tree portfast
interface GigabitEthernet0/7
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/8
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/9
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/10
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/11
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/12
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/13
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/14
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/15
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/16
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/17
switchport mode access
spanning-tree portfast
interface GigabitEthernet0/18
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/19
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/20
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/21
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/22
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/23
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/24
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/25
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/26
switchport mode access
spanning-tree portfast
interface GigabitEthernet0/27
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/28
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/29
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/30
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/31
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/32
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/33
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/34
switchport access vlan 244
switchport trunk encapsulation dot1q
switchport trunk native vlan 244
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
interface GigabitEthernet0/35
switchport access vlan 244
switchport trunk encapsulation dot1q
switchport trunk native vlan 244
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
interface GigabitEthernet0/36
switchport access vlan 244
switchport trunk encapsulation dot1q
switchport trunk native vlan 244
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
interface GigabitEthernet0/37
switchport access vlan 244
switchport trunk encapsulation dot1q
switchport trunk native vlan 244
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
interface GigabitEthernet0/38
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/39
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/40
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/41
switchport mode access
spanning-tree portfast
interface GigabitEthernet0/42
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/43
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/44
description for only permit DHCP client connection
switchport access vlan 29
switchport mode access
switchport port-security
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/45
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
interface GigabitEthernet0/46
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
interface GigabitEthernet0/47
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
interface GigabitEthernet0/48
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
interface GigabitEthernet0/49
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
interface GigabitEthernet0/50
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
ip dhcp snooping trust
interface GigabitEthernet0/51
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
interface GigabitEthernet0/52
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
ip dhcp snooping trust
interface Vlan1
ip address
interface Vlan29
ip address
ip helper-address
interface Vlan200
ip address
interface Vlan201
ip address
interface Vlan202
ip address
interface Vlan203
ip address
interface Vlan244
ip address dhcp
interface Vlan254
ip address
ip default-gateway
ip classless
ip route
ip http server
logging history notifications
logging trap warnings
logging source-interface Vlan254
snmp-server community <removed> RO
snmp-server enable traps tty
snmp-server host <removed>  tty
line con 0
line vty 0 4
password <removed>
line vty 5 15
no login
ntp clock-period 36028809
ntp server

Building configuration...

Current configuration : 6381 bytes
! Last configuration change at 22:57:00 bj Fri Jul 27 2007
! NVRAM config last updated at 22:57:11 bj Fri Jul 27 2007
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
hostname DFXY-29F-A-S2960-1
enable secret 5 <removed>
enable password <removed>
no aaa new-model
clock timezone bj 8
ip subnet-zero
ip dhcp snooping vlan 29
ip dhcp snooping
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause loopback
errdisable recovery interval 60
no file verify auto
spanning-tree mode rapid-pvst
spanning-tree logging
spanning-tree extend system-id
spanning-tree uplinkfast
vlan internal allocation policy ascending
interface FastEthernet0/1
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/2
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/3
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/4
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/5
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/6
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/7
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/8
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/9
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/10
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/11
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/12
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/13
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/14
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/15
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/16
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/17
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/18
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/19
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/20
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/21
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/22
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/23
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface FastEthernet0/24
switchport access vlan 29
switchport mode access
switchport port-security
load-interval 30
spanning-tree portfast
ip dhcp snooping limit rate 10
interface GigabitEthernet0/1
switchport mode trunk
switchport nonegotiate
spanning-tree link-type point-to-point
ip dhcp snooping trust
interface GigabitEthernet0/2
switchport mode trunk
spanning-tree link-type point-to-point
interface Vlan1
no ip address
no ip route-cache
interface Vlan254
ip address
no ip route-cache
ip default-gateway
ip http server
logging history notifications
logging trap warnings
logging source-interface Vlan254
snmp-server community <removed> RO
snmp-server enable traps tty
snmp-server host <removed>  tty
line con 0
line vty 0 4
password <removed>
line vty 5 15
no login
ntp clock-period 36028877
ntp server
ntp server
4 Technical reference


2. On 2960 and higher switches configured with DHCP Snooping, be sure to save the database in flash; the database holds the one-to-one MAC--IP--VLAN--Interface table. Port-security already limits the number of MACs, which further tightens this database.

3. On 3550 and higher switches configured with DHCP Snooping and DAI, DAI uses the database built by DHCP Snooping as its basis and builds the bindings dynamically; on an interface, DAI can limit the number of ARP packets.


5. 3560 and higher switches support IP Source Guard (which depends on Snooping) on access/trunk interfaces; 2960 and higher switches support manual ip source bindings.

Dynamic ARP Inspection

Dynamic ARP Inspection is used to verify the sanity of IP to MAC address mappings specified in the ARP packets sent by connected hosts or neighboring switches. This prevents man in the middle attacks that can be carried out by poisoning ARP caches with the help of ARP packets containing invalid IP to MAC address mappings.


MAC address spoofing: Port Security, Cat2940 and above; port-security can only be configured on static ACCESS/TRUNK interfaces, dynamic access interfaces are not supported.

DHCP server impersonation: 2950 and above

Defense against IP/MAC spoofing: IP Source Guard   Cat65????
Checking the MAC requires a DHCP server that supports Option 82, and the router must also pass Option 82 information.

MARS requirement: 2960 / IOS 12.2 or later

DoS attacks against the DHCP server can be handled with the Port Security described earlier and the DAI described later;
users arbitrarily assigning addresses and causing address conflicts can also be handled with the DAI and IP Source Guard described later.

DHCP Snooping defense:
DFXY-22F-A-S3560-1#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0

  IOS global commands:
  ip dhcp snooping vlan 100,200 /* define which VLANs have DHCP snooping enabled */
  ip dhcp snooping
  ip dhcp snooping trust
  no ip dhcp snooping trust (default)
  ip dhcp snooping limit rate 10 (pps) /* partly prevents DHCP denial-of-service attacks */
  Manually add a DHCP binding table entry:
  ip dhcp snooping binding 1.1.1 vlan 1 interface gi1/1 expiry 1000
  Export the DHCP binding table to a TFTP server:
  ip dhcp snooping database tftp://10.1.1.1/directory/file

Cisco Dynamic ARP Inspection (DAI), supported on 3550 and above
  IOS global commands:
  ip dhcp snooping vlan 100,200
  no ip dhcp snooping information option
  ip dhcp snooping
  ip arp inspection vlan 100,200 /* define which VLANs have ARP packet inspection */
  ip arp inspection log-buffer entries 1024
  ip arp inspection log-buffer logs 1024 interval 10
    IOS interface commands:
  ip dhcp snooping trust
  ip arp inspection trust /* define which interfaces are trusted, normally interfaces to network devices, TRUNK interfaces etc.; no ARP checks are made on trusted interfaces */
  ip arp inspection limit rate 15 (pps) /* define the number of ARP packets per second on the interface */
    ip arp inspection validate {[src-mac] [dst-mac] [ip]} /* invalid ARP packets can be defined to be dropped */

For devices that do not use DHCP the following method can be used:
  arp access-list static-arp
  permit ip host mac host 0009.6b88.d387
  ip arp inspection filter static-arp vlan 201

  a) On interfaces configured with DAI, a client cannot join the network using a manually assigned address.
  b) Because DAI checks the IP-to-MAC mapping in the DHCP snooping binding table, a man-in-the-middle attack cannot be carried out and the attack tools stop working. The switch warning produced during a man-in-the-middle attempt is shown below:
  3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/16, vlan 1.([000b.db1d.6ccd/
  Because ARP request packets are rate-limited, a client cannot perform IP scanning or probing, whether done manually or by a virus; if this behaviour occurs, the switch immediately raises an alarm or cuts off the scanning machine, as shown below:
  3w0d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 184 milliseconds on Fa5/30. ****** alarm
  3w0d: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa5/30, putting Fa5/ 30 in err-disable state ****** port cut off
   Once a user has obtained an IP address, they cannot change the IP or the MAC; if both IP and MAC are changed at once they must be a legitimate IP and MAC pair within the network, and this kind of change can be defended against with the IP Source Guard technology described below. The alarm for a manually assigned IP is shown below:
  3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/30, vlan 1.([000d.6078.2d95/ UTC Fri Dec 29 2000 ])

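Triage of the three DAI syslog messages quoted above, as an added Python example (not code from the original document): it parses %SW_DAI-4-DHCP_SNOOPING_DENY, %SW_DAI-4-PACKET_RATE_EXCEEDED and %PM-4-ERR_DISABLE lines and summarises per port how many ARPs were denied, which sender MAC claimed which IPs, and whether the port was err-disabled. The log lines are constructed to match the quoted format; the bracketed fields are assumed to be sender MAC / sender IP / target MAC / target IP / timestamp.

```python
"""Triage of the DAI syslog messages shown above.
Added example, not code from the original document. It parses the three
message types quoted in the text (%SW_DAI-4-DHCP_SNOOPING_DENY,
%SW_DAI-4-PACKET_RATE_EXCEEDED and %PM-4-ERR_DISABLE) from sample log lines
and summarises, per port, how many ARPs were denied, which sender MACs and
IPs were involved, and whether the port ended up err-disabled. The log lines
are constructed to match the format quoted on this page; the fields inside
the brackets are assumed to be sender MAC / sender IP / target MAC / target IP / time.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines in the format of the messages quoted above.
SAMPLE_LOG = """\
3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/16, vlan 1.([000b.db1d.6ccd/10.1.1.5/0000.0000.0000/10.1.1.1/12:00:01 UTC Fri Dec 29 2000])
3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa5/16, vlan 1.([000b.db1d.6ccd/10.1.1.1/000d.6078.2d95/10.1.1.9/12:00:02 UTC Fri Dec 29 2000])
3w0d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 184 milliseconds on Fa5/30.
3w0d: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa5/30, putting Fa5/30 in err-disable state
3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 3 Invalid ARPs (Req) on Fa5/30, vlan 1.([000d.6078.2d95/10.1.1.200/0000.0000.0000/10.1.1.1/12:00:03 UTC Fri Dec 29 2000])
"""

# The sender IP group is optional so redacted lines like "([000d.6078.2d95/ UTC ..." still parse.
DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>\w+)\) on "
    r"(?P<port>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]*)"
)
RATE_RE = re.compile(
    r"%SW_DAI-4-PACKET_RATE_EXCEEDED: (?P<pkts>\d+) packets received in (?P<ms>\d+) "
    r"milliseconds on (?P<port>\S+)\."
)
ERRDIS_RE = re.compile(r"%PM-4-ERR_DISABLE: arp-inspection error detected on (?P<port>\S+),")

def triage(log: str) -> Dict[str, dict]:
    """Per-port summary: denied ARP count, IPs claimed per sender MAC, rate and err-disable flags."""
    ports: Dict[str, dict] = defaultdict(
        lambda: {"denied": 0, "claims": defaultdict(set), "rate_exceeded": False, "err_disabled": False}
    )
    for line in log.splitlines():
        if m := DENY_RE.search(line):
            p = ports[m["port"]]
            p["denied"] += int(m["count"])
            if m["sip"]:
                p["claims"][m["smac"]].add(m["sip"])
        elif m := RATE_RE.search(line):
            ports[m["port"]]["rate_exceeded"] = True
        elif m := ERRDIS_RE.search(line):
            ports[m["port"]]["err_disabled"] = True
    # Freeze the sets into sorted lists so the result is easy to compare and serialise.
    for p in ports.values():
        p["claims"] = {mac: sorted(ips) for mac, ips in p["claims"].items()}
    return dict(ports)

def suspected_arp_spoofing(summary: Dict[str, dict]) -> List[str]:
    """Ports where one MAC had ARPs denied for more than one sender IP, the pattern the
    text associates with man-in-the-middle attempts, so the operator checks those ports first."""
    return sorted(port for port, p in summary.items()
                  if any(len(ips) > 1 for ips in p["claims"].values()))
```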
IP Source Guard
Depends on the DHCP Snooping binding table database; it is normally configured on untrusted interfaces, and only IP datagrams whose source IP matches an entry in the table for that interface are allowed in.
If an interface is configured with ip source guard but has neither a dynamic snooping binding nor a manual binding, the interface drops all datagrams.

  Note that IP Source Guard cannot prevent man-in-the-middle attacks.

  For IP spoofing, uRPF can also be used on routers.

Checking IP+MAC on an interface
  IOS global configuration commands:
  ip dhcp snooping vlan 12,200
  ip dhcp snooping information option
  ip dhcp snooping

  ip verify source vlan dhcp-snooping port-security /* supported on 3560 and above, access or trunk interfaces */
  switchport mode access
  switchport port-security   ?????????????
  switchport port-security limit rate invalid-source-mac N
  /* controls the rate at which source MACs can be learned on the port; only meaningful when IP+MAC are checked together. */

  Checking IP on an interface
  IOS global configuration commands:
  ip dhcp snooping vlan 12,200
  no ip dhcp snooping information option
  ip dhcp snooping

  ip verify source vlan dhcp-snooping

  Static configuration for devices not using DHCP
  IOS global configuration commands:
  ip dhcp snooping vlan 12,200
  ip dhcp snooping information option
  ip dhcp snooping
  ip source binding 0009.6b88.d387 vlan 212 interface Gi4/5 /* supported on 2960 and above */



To reduce the hassle of static IPs, DHCP is used to assign IP addresses to clients automatically, but a rogue DHCP server would cause conflicts; DHCP SNOOPING is used to ensure that DHCP is legitimate.
The approach is to assign users IP addresses via DHCP and then restrict those users to dynamic IP only, so that switching to a static IP prevents them from connecting to the network; in other words, the DHCP SNOOPING feature is used.
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service compress-config
hostname C4-2_4506
enable password xxxxxxx!
clock timezone GMT 8
ip subnet-zero

no ip domain-lookup
ip dhcp snooping vlan 180-181 // which VLANs to restrict
ip dhcp snooping
ip arp inspection vlan 180-181
ip arp inspection validate src-mac dst-mac ip

errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause gbic-invalid
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause arp-inspection
errdisable recovery interval 30
spanning-tree extend system-id

interface GigabitEthernet2/1 // restrict the users attached to this port; a downstream switch may be connected
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100

interface GigabitEthernet2/2
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
interface GigabitEthernet2/3
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100
interface GigabitEthernet2/4
ip arp inspection limit rate 100
arp timeout 2
ip dhcp snooping limit rate 100

IP Source Guard
Similar to DHCP snooping, this feature is enabled on a DHCP snooping untrusted Layer 2 port. Initially, all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping process. When a client receives a valid IP address from the DHCP server, or when a static IP source binding is configured by the user, a per-port and VLAN Access Control List (PACL) is installed on the port. This process restricts the client IP traffic to those source IP addresses configured in the binding; any IP traffic with a source IP address other than that in the IP source binding will be filtered out. This filtering limits a host's ability to attack the network by claiming a neighbor host's IP address.
OP | Posted on 2007-12-19 11:01:36
DHCP Snooping (preventing rogue DHCP server attacks)
ip dhcp snooping vlan 100,200 /* define which VLANs have DHCP snooping enabled */
ip dhcp snooping
ip dhcp snooping trust
no ip dhcp snooping trust (default)
ip dhcp snooping limit rate 10 (pps) /* partly prevents DHCP denial-of-service attacks */

Dynamic ARP Inspection (DAI) (preventing ARP spoofing and address conflicts)
For a network using statically assigned IP addresses, the IP+MAC binding configuration is as follows:

ip dhcp snooping vlan 10,20
ip dhcp snooping
ip arp inspection vlan 10,20
ip arp inspection vlan 10,20 logging dhcp-bindings all
ip arp inspection validate src-mac dst-mac ip
ip arp inspection filter PERMIT_HOST vlan 10,20
arp access-list PERMIT_HOST
permit ip host mac host 0015.c57b.faac
permit ip host mac host 0015.c57b.abcd

With a dhcp pool you only need to add
ip dhcp snooping database flash:dhcp_snooping_data

Note: the IP and MAC binding method above is much simpler than the old "arp 0000.1111.1111" approach, which required binding all 255 IPs one by one.

OP | Posted on 2007-12-19 11:01:53
dhcp snooping + dai test problems

ip dhcp snooping vlan 100,200  /* define which VLANs have DHCP snooping enabled */
no ip dhcp snooping information option
ip dhcp snooping
conf t
int gi8/3
ip dhcp snooping trust
ip dhcp snooping limit rate 10 (pps) /* later found that with this line, once there are many concurrent users some of them cannot get online or obtain an IP address; finally removed it, the default is unlimited */
int gi8/1
ip dhcp snooping trust

int gi0/1
ip dhcp snooping trust


ip dhcp snooping vlan 100,200  
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 100,200 /* define which VLANs have ARP packet inspection */
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10
conf t
int gi8/3
ip dhcp snooping trust
ip arp inspection trust
ip arp inspection limit rate 15 (pps) /* define ARP packets per second on the interface: this is the default value */
int gi8/1
ip dhcp snooping trust

int gi0/1
ip dhcp snooping trust
A test PC was connected to the 2960 and obtained an IP address; then the IP was changed by hand, and the manually set IP could not get onto the network, so the DAI test result was achieved and I thought the job was done. Unexpectedly, the next day when users came to work and the number of concurrent users grew, there was a large-scale outage with users unable to get online or obtain IP addresses. show ip arp inspection showed a large number of DROP packets.
ip arp inspection trust
Testing showed that show ip arp inspection then had no more dropped packets, almost all were forwarded, but after adding it the test PC could still get online with a manually changed IP, so the DAI effect was not achieved */


Image attachment: [topology diagram] 结构图.jpg (2007-2-6 12:06 PM, 12.21 K)
OP | Posted on 2007-12-19 11:02:09

Although this feature is a subset of DAI and the documentation says DHCP SNOOPING must be used, I think it does not need a DHCP server and can be used on its own, so it is still useful in certain small-scale settings; sharing it here

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 180
Switch(config)# ip dhcp snooping information option
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip dhcp snooping limit rate 100
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface gigabitethernet0/2
Switch(config-if)# ip verify source port-security
Switch(config-if)# exit
Switch(config)# ip source binding 0100.0022.0010 vlan 180 interface gigabitethernet0/2
Switch(config)# ip source binding 0100.0558.493e vlan 180 interface gigabitethernet0/3
Switch(config)# end