DHCP Dynamic Host Configuration Protocol (1)
ABOUT THIS
Application-layer protocol
Carried over UDP (reason: DHCP requires fast request/response exchange)
The server listens on UDP port 67
The client listens on UDP port 68
Dynamic Host Configuration Protocol (DHCP) is a protocol for dynamic configuration and centralized management of network parameters for TCP/IP-based hosts. It can:
- Assign IP addresses to network hosts. DHCP provides two address assignment mechanisms, and network administrators can choose different assignment policies for different hosts according to network requirements.
  - Dynamic allocation: DHCP assigns an IP address to a host for a limited period of time (usually called the lease period). This mechanism suits scenarios where hosts need only temporary access to the network, or where the number of free addresses is smaller than the total number of hosts and the hosts do not need to be permanently connected. For example, the laptops of employees on business trips and mobile terminals in cafes obtain IP addresses this way to access the network temporarily.
  - Static assignment: the network administrator assigns a fixed IP address to a specified host through DHCP. This mechanism suits hosts with special requirements for their IP address, such as corporate file servers that must use a fixed IP address because of the services they provide to users on the external network. Compared with manually configuring static IP addresses, static assignment through DHCP avoids manual configuration errors and makes unified maintenance by administrators easier.
- Provide network parameters other than IP addresses to network hosts, such as DNS server addresses, routing information, gateway addresses, etc.
Message types (8):
- Discover: the client searches for DHCP servers
- Offer: the server offers an IP address
- Request: the client requests the offered address (also used for lease renewal)
- ACK: the server confirms the assignment
- NAK: the server rejects the request
- Release: the client releases its address
- Inform: the client requests specific parameters only (for example the DNS domain)
- Decline: the client reports an IP address conflict
State machine
1. When a DHCP client first connects to the network, it sends a DHCP Discover message to find and locate DHCP servers. This first message is sent from 0.0.0.0, port 68, to the broadcast address 255.255.255.255, port 67, so that a client which does not yet have an address can still reach the server.
2. After receiving the DHCP Discover message, the DHCP server sends a DHCP Offer message containing configuration information such as the IP address (first allocation).
3. After the DHCP client receives a DHCP Offer from a server, it sends a DHCP Request message (broadcast, so that the other servers are informed at the same time). In addition, after a DHCP client has obtained an IP address and restarts, it sends a DHCP Request again to confirm the assigned IP address and the other allocation information. When the IP address lease obtained by a DHCP client is about to expire, it also sends a DHCP Request (broadcast, since the server's location may have moved) to request a lease extension from the server (the default lease period is 24 hours).
4. After receiving the DHCP Request from the client, the DHCP server replies with a DHCP ACK message. Once the client receives the DHCP ACK, it configures and uses the obtained IP address and other information.
Timers
Renewal timer: the default lease period is 86400 s (one day). When 50 percent of the lease has elapsed, the client begins lease renewal by unicasting a DHCP Request to the server.
Rebinding timer: when 87.5 percent of the lease has elapsed, the client begins broadcasting its renewal requests.
Lease expiry
5. If the DHCP server receives a DHCP Request and finds no corresponding lease record, it replies with a DHCP NAK to inform the client that it cannot assign it a suitable IP address.
6. The DHCP client gives up its IP address by sending a DHCP Release message. After receiving the DHCP Release, the DHCP server can assign that IP address to other DHCP clients.
The DHCP server's address pool defines the range of IP addresses assigned to hosts. There are two forms:
1. The interface address pool assigns IP addresses to hosts or endpoints connected to the same network segment as the interface. Execute the dhcp select interface command on the server's interface to configure the DHCP server to assign addresses to clients from the interface address pool.
2. The global address pool assigns IP addresses to all endpoints that connect to the DHCP server. Execute the dhcp select global command on the server's interface to configure the DHCP server to assign addresses to clients from the global address pool.
The interface address pool has a higher priority than the global address pool. After a global address pool is configured, if another address pool is configured on the interface, the client will get the IP address from the interface address pool. On X7 series switches, interface address pools can only be configured on VLANIF logical interfaces.
Server configuration:
dhcp enable
#
ip pool vlan10
gateway-list 192.168.1.254
network 192.168.1.0 mask 255.255.255.0
#
#
interface GigabitEthernet0/0/0
ip address 12.1.1.2 255.255.255.0
dhcp select global
#
Relay configuration:
dhcp enable
#
dhcp server group vlan10
dhcp-server 12.1.1.2 0
#
#
interface GigabitEthernet0/0/1
ip address 192.168.1.254 255.255.255.0
dhcp select relay
dhcp relay server-select vlan10
#
Static binding of an IP address to a hardware address:
ip pool vlan20
static-bind ip-address 192.168.2.149 mac-address 5489-983d-0504
View the address pool:
dis ip pool name xx
Configuration explanation
The dhcp enable command is used to enable the DHCP function. When you configure a DHCP server, you must execute the dhcp enable command before other features of DHCP can be configured and take effect.
The dhcp select interface command associates an interface with its interface address pool to provide configuration information for hosts connected to the interface. In this example, interface GigabitEthernet 0/0/0 is added to the interface address pool. An interface address pool is not configured with a gateway; the interface address itself is the gateway.
The dhcp server dns-list command is used to specify the DNS server addresses under the interface address pool.
The dhcp server excluded-ip-address command is used to configure the range of IP addresses in the interface address pool that do not participate in automatic assignment.
The dhcp server lease command configures the lease period for IP addresses in the interface address pool of the DHCP server. By default, the lease period for IP addresses in the interface address pool is 1 day.
Each DHCP server can define one or more global address pools and interface address pools. In this example, execute the display ip pool command to view the attributes of the interface address pool. The display information contains the IP address range of the address pool, and also includes information about the IP gateway, subnet mask, and so on.
A DHCP global address pool is configured.
The ip pool command is used to create a global address pool.
The network command is used to configure the network segment addresses that can be assigned under the global address pool.
The gateway-list command is used to configure the egress gateway address of the DHCP server global address pool.
The lease command is used to configure the lease period for addresses under the DHCP global address pool. By default, the IP address lease period is 1 day.
The dhcp select global command is used to enable the DHCP server function of an interface.
View the detailed configuration of an ip pool: dis ip pool name used
DHCP attack prevention
[sw2]dhcp snooping check
  dhcp-chaddr   DHCP chaddr
  dhcp-giaddr   DHCP relay agent ip address
  dhcp-rate     DHCP rate
  dhcp-request  DHCP request (check all request messages sent by the client to the server)
[sw2]dhcp snooping alarm alarm
[sw2-GigabitEthernet0/0/1]dhcp snooping alarm
  dhcp-chaddr   DHCP chaddr
  dhcp-rate     DHCP rate
  dhcp-reply    Untrust dhcp reply packet
  dhcp-request  DHCP request
Client hardware address (CHADDR): normally this is the MAC address of the client.
DHCP starvation attack
The attacker sends forged DHCP messages in which the CHADDR field (the client MAC address) keeps changing, so the DHCP server cannot tell that the requests come from one host. The address pool is exhausted and legitimate users cannot obtain an IP address.
Solution: DHCP Snooping (configured on the access-layer switch)
DHCP Snooping binding table
[SW1]dhcp snooping check dhcp-chaddr enable vlan 1 # takes effect for VLAN 1
[SW1-GigabitEthernet0/0/12]dhcp snooping check dhcp-chaddr enable # takes effect for this interface
If the source MAC address of the frame and the CHADDR field of a DHCP Discover message do not match, the message is discarded.
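The CHADDR check described above, as an added example that is not part of the original notes: the Python code below decodes the fixed DHCP header and its options (message type from option 53) and drops any client message whose CHADDR differs from the Ethernet source MAC of the frame that carried it. The frames are constructed in build_frame for the demonstration; the frame layout (untagged Ethernet, 20-byte IPv4 header, UDP) is an assumption of the example.

```python
import struct

# Option 53 (DHCP Message Type) values mapped to the eight message names
# listed in the notes above.
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
                 5: "ACK", 6: "NAK", 7: "Release", 8: "Inform"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options


def parse_dhcp(payload):
    """Decode the fixed BOOTP/DHCP header plus the options into a dict."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    chaddr = payload[28:28 + hlen]           # client hardware address
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = End option
        if payload[i] == 0:                          # 0 = Pad option
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MESSAGE_TYPES.get(options.get(53, b"\x00")[0], "Unknown")
    return {"op": op, "xid": xid, "chaddr": chaddr, "type": msg_type,
            "options": options}


def chaddr_check(frame):
    """dhcp snooping check dhcp-chaddr: drop a client message (op = 1) whose
    CHADDR differs from the Ethernet source MAC. Assumes an untagged
    Ethernet frame with a 20-byte IPv4 header and an 8-byte UDP header."""
    src_mac = frame[6:12]
    msg = parse_dhcp(frame[14 + 20 + 8:])
    if msg["op"] == 1 and msg["chaddr"] != src_mac:
        return "drop", msg["type"]
    return "forward", msg["type"]


def build_frame(src_mac, chaddr, msg_type):
    """Constructed sample: minimal Ethernet + IPv4 + UDP + DHCP client frame."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x00"
    ip = b"\x45" + b"\x00" * 15 + b"\xff" * 4          # header fields zeroed
    udp = struct.pack("!HHHH", 68, 67, 0, 0)            # client -> server ports
    dhcp = struct.pack("!BBBBI", 1, 1, 6, 0, 0x1234) + b"\x00" * 20
    dhcp += chaddr + b"\x00" * 10 + b"\x00" * 192 + MAGIC_COOKIE
    dhcp += bytes([53, 1, msg_type, 255])               # message type + End
    return eth + ip + udp + dhcp
```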
DHCP server spoofing attack
The attacker impersonates the DHCP server and sends users an illegitimate IP address and other parameters of the attacker's own choosing, which leads to theft of the users' information and causes damage. (Trusted and untrusted ports)
Solution: [SW1-GigabitEthernet0/0/20]dhcp snooping trusted # configure a trusted port
By default, all interfaces are untrusted ports once DHCP Snooping is enabled.
DHCP server messages (Offer, ACK, NAK) received on untrusted ports are not accepted.
Man-in-the-middle attack
The attacker continually sends forged ARP replies to spoof PCs, servers and the legitimate router.
Solution: DAI (Dynamic ARP Detection)
[SW1]arp dhcp-snooping-detect enable # takes effect for all interfaces in all VLANs
ARP packets are checked against the five elements of the DHCP Snooping binding table:
IP    MAC   Port   VLAN   Lease expiry
1.1   B     1      1      2028-1-1
Incoming ARP: source-ip 1.1, source-mac B (compared against the entry above)
IP address spoofing attacks
Prevent attackers from maliciously spoofing the IP addresses of legitimate users.
[SW1-GigabitEthernet0/0/1]ip source check user-bind enable
IP Source Guard (IP source protection)
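As an added example (not from the original notes), the following Python code models the five-element binding table and applies both checks shown above: DAI validates the sender MAC/IP of an ARP reply against the binding for the ingress port and VLAN, and IP Source Guard does the same for the source MAC/IP of an IPv4 frame. The table entries, frame contents and the use of ISO date strings for lease expiry are constructed for this example.

```python
# DHCP snooping binding table, constructed for this example. Each entry
# holds the five elements named in the notes: IP, MAC, port, VLAN, lease.
# Lease expiry is an ISO date string, so string comparison orders it.
BINDINGS = [
    {"ip": "192.168.1.100", "mac": "54:89:98:3d:05:04",
     "port": "GigabitEthernet0/0/1", "vlan": 10, "lease_end": "2028-01-01"},
]


def bound(ip, mac, port, vlan, today):
    """True if (ip, mac, port, vlan) matches a binding whose lease has not
    expired; an expired entry is treated as if it were absent."""
    return any(e["ip"] == ip and e["mac"] == mac and e["port"] == port
               and e["vlan"] == vlan and today < e["lease_end"]
               for e in BINDINGS)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def dai_check(frame, port, vlan, today):
    """arp dhcp-snooping-detect: the ARP sender MAC (offset 22) and sender IP
    (offset 28) of an untagged Ethernet frame must match a binding learned
    on the ingress port and VLAN; otherwise the ARP packet is dropped."""
    if frame[12:14] != b"\x08\x06":
        return "not-arp"
    ok = bound(ip_str(frame[28:32]), mac_str(frame[22:28]), port, vlan, today)
    return "forward" if ok else "drop"


def ip_source_check(frame, port, vlan, today):
    """ip source check user-bind: the IPv4 source address (offset 26) and the
    Ethernet source MAC (offset 6) must match a binding on this port."""
    if frame[12:14] != b"\x08\x00":
        return "not-ipv4"
    ok = bound(ip_str(frame[26:30]), mac_str(frame[6:12]), port, vlan, today)
    return "forward" if ok else "drop"


def build_arp_reply(sender_mac, sender_ip):
    """Constructed sample: ARP reply claiming sender_ip is at sender_mac."""
    eth = b"\xff" * 6 + sender_mac + b"\x08\x06"
    arp = b"\x00\x01\x08\x00\x06\x04\x00\x02" + sender_mac + sender_ip
    return eth + arp + b"\x00" * 10           # target MAC/IP left zero
```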
If an attacker launches a DHCP starvation attack in which the CHADDR and the frame's source MAC address are forged together, the following measures apply.
(1) Rate limiting
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 1 # in packets per second
(2) Maximum number of users
dhcp snooping max-user-number 10
(3) Port security
[SW1-GigabitEthernet0/0/10]port-security enable
[SW1-GigabitEthernet0/0/10]port-security max-mac-num 1 # maximum number of users on the interface (1)
[SW1-GigabitEthernet0/0/10]port-security mac-address sticky # sticky MAC address, learned dynamically
[SW1-GigabitEthernet0/0/10]port-security protect-action shutdown
MultiD
Public ID: Multi_D