DHCP Snooping is a DHCP security feature. Using MAC address limiting, DHCP Snooping security binding, IP-MAC binding and the Option 82 feature, it filters untrusted DHCP messages and so addresses the DHCP DoS attacks, bogus DHCP server attacks, ARP man-in-the-middle attacks and IP/MAC spoofing attacks that a device is exposed to when it uses DHCP.

Networking Requirements

As shown in Figure 1, the USG acts as the DHCP relay and is deployed between the DHCP clients and the DHCP server to protect the network from the various DHCP attacks. The attack types it prevents are as follows:

- Bogus DHCP server attacks
- Man-in-the-middle attacks and IP/MAC spoofing attacks
- DoS attacks that change the CHADDR value
- Attacks using forged DHCP lease-renewal packets
- Attacks that flood the device with DHCP Request packets

Figure 1 Networking diagram for configuring DHCP Snooping on the device
Network Planning

Based on the network situation and requirements, the network is planned as follows:

- To defend against the various DHCP attacks, DHCP Snooping must be enabled in both the system view and the interface view.
- To prevent bogus DHCP server attacks, configure the user-side interface as Untrusted and the DHCP Server-side interface as Trusted. All DHCP Reply packets received on an Untrusted interface are discarded.
- To prevent man-in-the-middle and IP/MAC spoofing attacks, use the DHCP Snooping binding function: a received packet is forwarded only if its information matches an entry in the binding table; otherwise it is discarded.
- To prevent attacks in which the attacker changes the CHADDR value, check the CHADDR field of DHCP Request packets. If the field matches the source MAC address in the frame header, the packet is forwarded; otherwise it is discarded.
- To prevent attacks using forged DHCP lease-renewal packets, check DHCP Request packets together with the DHCP Snooping binding function: a received packet is treated as a legitimate request and forwarded only if its information matches the binding table; otherwise it is discarded.
- To prevent DHCP Request packet attacks, configure a check on the rate at which DHCP packets are sent to the CPU.
- Configure the device to send alarms to the NMS when large numbers of DHCP packets are discarded, so that the administrator learns of the situation in time and can take corresponding measures.

Procedure

Step 1 Configure the DHCP Relay function to provide DHCP service on the network.

# Configure the IP address of interface GigabitEthernet 0/0/2.
<USG> system-view
[USG] sysname DHCP-Relay
[DHCP-Relay] interface GigabitEthernet 0/0/2
[DHCP-Relay-GigabitEthernet0/0/2] ip address 100.1.1.1 24
[DHCP-Relay-GigabitEthernet0/0/2] quit
# Configure DHCP Relay on interface GigabitEthernet 0/0/1, which is on the same network segment as the DHCP clients.
[DHCP-Relay] interface GigabitEthernet 0/0/1
[DHCP-Relay-GigabitEthernet0/0/1] ip address 10.1.1.1 24
[DHCP-Relay-GigabitEthernet0/0/1] dhcp select relay
[DHCP-Relay-GigabitEthernet0/0/1] ip relay address 100.1.1.2
[DHCP-Relay-GigabitEthernet0/0/1] quit

Step 2 Enable DHCP Snooping.

# Enable DHCP Snooping globally and on the interfaces.
[DHCP-Relay] dhcp snooping enable
[DHCP-Relay] interface GigabitEthernet 0/0/1
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping enable
[DHCP-Relay-GigabitEthernet0/0/1] quit
[DHCP-Relay] interface GigabitEthernet 0/0/2
[DHCP-Relay-GigabitEthernet0/0/2] dhcp snooping enable
[DHCP-Relay-GigabitEthernet0/0/2] quit

Step 3 Configure the Trusted interface to prevent bogus DHCP server attacks.

# Configure the interface connected to the DHCP server as Trusted and the interface connected to the DHCP clients as Untrusted (once DHCP Snooping is enabled on an interface, its mode is Untrusted by default).
[DHCP-Relay] interface GigabitEthernet 0/0/2
[DHCP-Relay-GigabitEthernet0/0/2] dhcp snooping trusted
[DHCP-Relay-GigabitEthernet0/0/2] quit

Step 4 Configure checks on specific packets and the DHCP Snooping binding table.

# Check ARP and IP packets on the DHCP client-side interface to prevent man-in-the-middle and IP/MAC spoofing attacks.
[DHCP-Relay] interface GigabitEthernet 0/0/1
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping check arp enable
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping check ip enable
[DHCP-Relay-GigabitEthernet0/0/1] quit
# Check DHCP Request packets on the DHCP client-side interface to prevent attacks using forged DHCP lease-renewal packets.
[DHCP-Relay] interface GigabitEthernet 0/0/1
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping check dhcp-request enable
[DHCP-Relay-GigabitEthernet0/0/1] quit
# Check the CHADDR field on the DHCP client-side interface to prevent DoS attacks that change the CHADDR value.
[DHCP-Relay] interface GigabitEthernet 0/0/1
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping check dhcp-chaddr enable
[DHCP-Relay-GigabitEthernet0/0/1] quit

Step 5 Configure a rate limit on DHCP packets sent to the CPU to prevent DHCP Request packet attacks.

# Configure the DHCP rate check to prevent DHCP Request packet attacks.
[DHCP-Relay] dhcp snooping check dhcp-rate 90
[DHCP-Relay] dhcp snooping check dhcp-rate enable

Step 6 Configure the Option 82 function.

# Configure DHCP packets to carry interface information so that accurate binding table entries can be created.
[DHCP-Relay] interface GigabitEthernet 0/0/1
[DHCP-Relay-GigabitEthernet0/0/1] dhcp option82 insert enable
[DHCP-Relay-GigabitEthernet0/0/1] quit

Step 7 Configure the device to discard packets that match no binding entry, to secure the network.

# Configure the global forwarding behaviour for ARP and IP packets.
[DHCP-Relay] dhcp snooping nomatch-packet arp action discard
[DHCP-Relay] dhcp snooping nomatch-packet ip action discard
# Configure the interface forwarding behaviour for ARP and IP packets.
[DHCP-Relay] interface GigabitEthernet 0/0/1
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping nomatch-packet arp action discard
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping nomatch-packet ip action discard
[DHCP-Relay-GigabitEthernet0/0/1] quit

Step 8 Configure alarms to the NMS.

# Enable alarms to the NMS.
[DHCP-Relay] interface GigabitEthernet 0/0/1
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply enable
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping alarm arp enable
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr enable
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request enable
[DHCP-Relay-GigabitEthernet0/0/1] quit
[DHCP-Relay] dhcp snooping check dhcp-rate alarm enable
# Configure the alarm thresholds.
[DHCP-Relay] interface GigabitEthernet 0/0/1
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply threshold 10
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping alarm arp threshold 10
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr threshold 10
[DHCP-Relay-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request threshold 10
[DHCP-Relay-GigabitEthernet0/0/1] quit
[DHCP-Relay] dhcp snooping check dhcp-rate alarm threshold 40

Verification

Run the display dhcp snooping global command on DHCP-Relay to confirm that DHCP Snooping is enabled in the system view and the interface view, and to view the statistics for alarms sent to the NMS.
[DHCP-Relay] display dhcp snooping global
dhcp snooping enable
dhcp snooping nomatch-packet ip action discard
dhcp snooping nomatch-packet arp action discard
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate alarm enable
dhcp snooping check dhcp-rate 90
dhcp snooping check dhcp-rate alarm threshold 40

View the DHCP Snooping binding table entries.
[DHCP-Relay] display dhcp snooping bind-table static
bind-table:
ifname vrf vsi p/cvlan mac-address ip-address tp lease
-------------------------------------------------------------------------------
GE0/0/1 0000 - 0000/0000 00e0-fc5e-008a 010.001.001.001 S 0
-------------------------------------------------------------------------------
binditem count: 1 binditem total count: 1

Display the DHCP Snooping information on the interfaces.
[DHCP-Relay] display dhcp snooping interface GigabitEthernet 0/0/1
dhcp snooping enable
dhcp snooping check arp enable
dhcp snooping alarm arp enable
dhcp snooping alarm arp threshold 10
dhcp snooping nomatch-packet arp action discard
dhcp snooping check ip enable
dhcp snooping nomatch-packet ip action discard
dhcp snooping alarm dhcp-reply enable
dhcp snooping alarm dhcp-reply threshold 10
dhcp snooping check dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr threshold 10
dhcp snooping check dhcp-request enable
dhcp snooping alarm dhcp-request enable
dhcp snooping alarm dhcp-request threshold 10
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0
[DHCP-Relay] display dhcp option82 interface GigabitEthernet 0/0/1
dhcp option82 insert enable interface GigabitEthernet0/0/1
[DHCP-Relay] display dhcp snooping interface GigabitEthernet 0/0/2
dhcp snooping enable
dhcp snooping trusted
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0
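The following Python model, added here as an illustration and not part of the Huawei document or the USG's own code, applies the same decisions the steps above configure: trusted versus untrusted ports (step 3), the CHADDR-against-source-MAC check and binding-table check on renewals (step 4), the DHCP rate check (step 5) and discarding ARP/IP packets with no binding entry (step 7). It assumes a constructed binding table, treats a BOOTREQUEST with a non-zero ciaddr as a renewal (a simplification), and leaves resetting the per-port rate counter each interval to the caller.

```python
import struct

TRUSTED = {"GE0/0/2"}                                   # server-side port, as in step 3
# Constructed sample binding table, (port, mac) -> ip; on the USG it is learned from DHCP ACKs
BINDINGS = {("GE0/0/1", "00e0fc5e008a"): "10.1.1.100"}
RATE_LIMIT = 90                                         # dhcp snooping check dhcp-rate 90

def norm_mac(mac: str) -> str:
    """Normalise 'aabb-ccdd-eeff', 'aa-bb-...' or 'aa:bb:...' to 12 lowercase hex digits."""
    return mac.replace("-", "").replace(":", "").lower()

def parse_bootp(payload: bytes):
    """Return (op, ciaddr, chaddr) from the fixed BOOTP header (RFC 2131 layout)."""
    op, _htype, hlen = struct.unpack_from("!BBB", payload, 0)
    ciaddr = ".".join(str(b) for b in payload[12:16])   # client's current address, if any
    chaddr = payload[28:28 + hlen].hex()                # client hardware address
    return op, ciaddr, chaddr

def snoop_dhcp(port: str, src_mac: str, payload: bytes, counters: dict) -> str:
    """Apply the configured DHCP checks in order; return 'forward' or a drop reason."""
    counters[port] = counters.get(port, 0) + 1          # DHCP packets seen on this port this interval
    if counters[port] > RATE_LIMIT:
        return "drop: dhcp-rate exceeded"               # step 5
    op, ciaddr, chaddr = parse_bootp(payload)
    if op == 2:                                         # BOOTREPLY: only a server sends these
        return "forward" if port in TRUSTED else "drop: dhcp-reply on untrusted port"  # step 3
    if chaddr != norm_mac(src_mac):
        return "drop: chaddr != frame source mac"       # step 4, dhcp-chaddr check
    if ciaddr != "0.0.0.0" and BINDINGS.get((port, chaddr)) != ciaddr:
        return "drop: renewal not in bind-table"        # step 4, dhcp-request check
    return "forward"

def check_nomatch(port: str, src_mac: str, src_ip: str) -> str:
    """ARP/IP from an untrusted port must match a binding (nomatch-packet ... action discard)."""
    if port in TRUSTED or BINDINGS.get((port, norm_mac(src_mac))) == src_ip:
        return "forward"
    return "drop: no bind-table entry"                  # step 7

def make_bootp(op: int, ciaddr: str, mac: str) -> bytes:
    """Build a minimal BOOTP header as constructed sample input."""
    hdr = bytearray(240)
    hdr[0:3] = bytes([op, 1, 6])                        # op, htype=Ethernet, hlen=6
    hdr[12:16] = bytes(int(x) for x in ciaddr.split("."))
    hdr[28:34] = bytes.fromhex(norm_mac(mac))
    hdr[236:240] = b"\x63\x82\x53\x63"                  # DHCP magic cookie
    return bytes(hdr)
```

The order of the checks mirrors the per-interface counters shown by display dhcp snooping interface (dhcp-reply, chaddr&src mac, dhcp-request, arp, ip), so each drop reason maps to one alarm counter in step 8.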