3. After a DHCP client receives a DHCP Offer from a server, it sends a DHCP Request (broadcast, so that the other servers that made offers are informed at the same time). A DHCP client that has already obtained an IP address and then restarts also sends a DHCP Request to confirm the assigned IP address and the other allocation information. When the lease of the IP address obtained by a DHCP client is about to expire, it also sends a DHCP Request (broadcast, because the server may have moved) to ask the server to extend the lease (the default lease period is 24 hours).
4. After receiving a DHCP request message from a DHCP client, the DHCP server replies with a DHCP acknowledgement message (DHCP ACK). After the client receives the DHCP acknowledgement message, it will configure and use the obtained IP address and other information.
Renewal: the default lease period is 86400 s (one day).
When 50 percent of the lease has elapsed, the client starts lease renewal with a unicast DHCP Request to the server that issued the lease.
When 87.5 percent has elapsed, it starts broadcasting the lease renewal request.
At 100 percent the lease expires.
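The renewal timers above, worked through as an added example (not part of the original notes): the function derives T1 (50 %), T2 (87.5 %) and the expiry offset from any lease length and classifies which phase a client is in. The default lease value is the 86400 s from the notes; the state names are my own labels.

```python
# Added example (not from the original notes): compute the DHCP client
# renewal timers for a lease and classify what the client should be doing
# at a given point in the lease.  T1 (50 %) starts unicast renewal to the
# leasing server, T2 (87.5 %) starts broadcast rebinding, and at 100 % the
# address is given up if no ACK has arrived.

DEFAULT_LEASE_SECONDS = 86400  # the 1-day default quoted in the notes


def renewal_timers(lease_seconds=DEFAULT_LEASE_SECONDS):
    """Return (t1, t2, expiry) as second offsets from the start of the lease."""
    t1 = lease_seconds // 2        # 50 %: unicast DHCP Request to the server that leased it
    t2 = lease_seconds * 7 // 8    # 87.5 %: broadcast DHCP Request, the server may have moved
    return t1, t2, lease_seconds


def lease_state(elapsed_seconds, lease_seconds=DEFAULT_LEASE_SECONDS):
    """Phase of the lease after `elapsed_seconds` without a renewal ACK."""
    t1, t2, expiry = renewal_timers(lease_seconds)
    if elapsed_seconds < t1:
        return "bound"                # keep using the address, no messages needed
    if elapsed_seconds < t2:
        return "renewing-unicast"     # DHCP Request unicast to the leasing server
    if elapsed_seconds < expiry:
        return "rebinding-broadcast"  # DHCP Request broadcast to any server
    return "expired"                  # stop using the address, start over with Discover


if __name__ == "__main__":
    t1, t2, exp = renewal_timers()
    print(f"T1={t1}s T2={t2}s expiry={exp}s")
    for elapsed in (0, t1, t2, exp):
        print(f"{elapsed:>6}s -> {lease_state(elapsed)}")
```

Running the block prints T1=43200s, T2=75600s and expiry=86400s for the default lease, which is where a defender would expect the unicast and broadcast DHCP Requests to show up in a capture.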
5. If the DHCP server receives a DHCP-REQUEST message and does not find the corresponding lease record, it sends a DHCP-NAK message as an answer to inform the DHCP client that it cannot assign a suitable IP address.
6. The DHCP client releases the IP address by sending a DHCP Release message (DHCP Release). After receiving the DHCP release message, the DHCP server can assign the IP address to other DHCP clients.
The DHCP server's address pool defines the range of IP addresses assigned to hosts. There are two forms:
1. The interface address pool assigns IP addresses to hosts or endpoints connected to the same network segment. You can execute the dhcp select interface command under the server's interface to configure the DHCP server to use the DHCP server mode of the interface address pool to assign IP addresses to clients.
2. The global address pool assigns IP addresses to all endpoints that connect to the DHCP server. You can execute the dhcp select global command under the interface of the server to configure the DHCP server to use the DHCP server mode of global address pool to assign IP addresses to clients.
The interface address pool has a higher priority than the global address pool. After a global address pool is configured, if another address pool is configured on the interface, the client will get the IP address from the interface address pool. On X7 series switches, interface address pools can only be configured on VLANIF logical interfaces.
DHCP server with a global address pool:
  ip pool vlan10
   network 192.168.1.0 mask 255.255.255.0
  ip address 184.108.40.206 255.255.255.0
  dhcp select global
DHCP relay pointing at that server:
  dhcp server group vlan10
   dhcp-server 220.127.116.11 0
  ip address 192.168.1.254 255.255.255.0
  dhcp select relay
  dhcp relay server-select vlan10
Static binding of an IP address to a hardware address:
  ip pool vlan20
   static-bind ip-address 192.168.2.149 mac-address 5489-983d-0504
View an address pool:
  dis ip pool name xx
# Configuration explanation
The dhcp enable command is used to enable the DHCP function. When you configure a DHCP server, you must execute the dhcp enable command before other features of DHCP can be configured and take effect.
The dhcp select interface command associates an interface with an interface address pool to provide configuration information for hosts connected to that interface. In this example, interface GigabitEthernet 0/0/0 is added to the interface address pool. No gateway is configured for an interface address pool; the interface's own address is the gateway.
The dhcp server dns-list command is used to specify the DNS server addresses under the interface address pool.
The dhcp server excluded-ip-address command is used to configure the range of IP addresses in the interface address pool that do not participate in automatic assignment.
The dhcp server lease command configures the lease period for IP addresses in the interface address pool of the DHCP server. By default, the lease period for IP addresses in the interface address pool is 1 day.
Each DHCP server can define one or more global address pools and interface address pools. In this example, execute the display ip pool command to view the attributes of the interface address pool. The display information contains the IP address range of the address pool, and also includes information about the IP gateway, subnet mask, and so on.
A DHCP global address pool is configured.
The ip pool command is used to create a global address pool.
The network command is used to configure the network segment addresses that can be assigned under the global address pool.
The gateway-list command is used to configure the egress gateway address of the DHCP server global address pool.
The lease command is used to configure the lease period for addresses under the DHCP global address pool. By default, the IP address lease period is 1 day.
The dhcp select global command is used to enable the DHCP server function of an interface.
View the detailed usage of an address pool: dis ip pool name xx used
DHCP attack prevention.
[sw2]dhcp snooping check
dhcp-chaddr DHCP chaddr
dhcp-giaddr DHCP relay agent ip address
dhcp-rate DHCP rate
dhcp-request DHCP request Check all request messages sent by the client to the server
[sw2]dhcp snooping alarm alarm
[sw2-GigabitEthernet0/0/1]dhcp snooping alarm
dhcp-chaddr DHCP chaddr
dhcp-rate DHCP rate
dhcp-reply Untrust dhcp reply packet
dhcp-request DHCP request
Client hardware address: CHADDR (normally this address is the MAC address of the client)
DHCP starvation attack
The attacker forges DHCP messages in which the CHADDR field (the client MAC address) changes constantly, so the DHCP server cannot recognise that they come from the same client; the DHCP address pool is exhausted and legitimate users cannot obtain an IP address.
Solution: DHCP-Snooping (configured at the access layer switch)
DHCP Snooping Binding Table
[SW1]dhcp snooping check dhcp-chaddr enable vlan 1 # takes effect for VLAN 1
[SW1-GigabitEthernet0/0/12]dhcp snooping check dhcp-chaddr enable # takes effect for the interface
If the source MAC address and the CHADDR field of a DHCP Discover message do not match, the message is discarded.
DHCP-Server Spoofing Attack
The attacker impersonates the DHCP server and hands the user an illegal IP address and other parameters of his own choosing, which leads to theft of the user's information and causes damage (trusted and untrusted ports).
Solution: [SW1-GigabitEthernet0/0/20]dhcp snooping trusted # configure a trusted port
By default, all interfaces are untrusted ports once DHCP snooping is enabled.
DHCP server messages (Offer, ACK, NAK) received on untrusted ports are discarded.
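The two snooping checks covered so far (the dhcp-chaddr check against starvation and the trusted/untrusted port rule against a rogue server), modelled as an added example that is not from the original notes or from the switch vendor. Port names, the server MAC and the frames are constructed sample data; the client MAC reuses the one from the static-bind line above.

```python
# Added example (not from the original notes): a minimal model of the two
# DHCP snooping checks described above, as an access switch applies them
# per ingress port.
#   - trusted / untrusted ports: server-side messages (Offer, ACK, NAK)
#     arriving on an untrusted port are discarded, which blocks a rogue
#     DHCP server plugged into a user port;
#   - dhcp-chaddr check: a client message whose CHADDR field differs from
#     the Ethernet source MAC is discarded, which blocks simple starvation.
# Port names, MAC addresses and frames below are constructed sample data.

from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}


@dataclass
class DhcpFrame:
    port: str       # ingress interface, e.g. "GE0/0/1"
    src_mac: str    # Ethernet source MAC address
    chaddr: str     # client hardware address field inside the DHCP message
    msg_type: str   # DHCP message type, e.g. "DISCOVER" or "OFFER"


class DhcpSnooping:
    def __init__(self, trusted_ports=()):
        # With dhcp snooping enabled every port is untrusted by default;
        # only ports configured "dhcp snooping trusted" may carry server messages.
        self.trusted_ports = set(trusted_ports)
        self.chaddr_check = False

    def enable_chaddr_check(self):
        """Equivalent of 'dhcp snooping check dhcp-chaddr enable'."""
        self.chaddr_check = True

    def filter(self, frame):
        """Return ('forward', reason) or ('drop', reason) for one DHCP frame."""
        if frame.port in self.trusted_ports:
            return ("forward", "trusted port")
        if frame.msg_type in SERVER_MESSAGES:
            return ("drop", "server message on untrusted port")
        if (self.chaddr_check and frame.msg_type in CLIENT_MESSAGES
                and frame.chaddr.lower() != frame.src_mac.lower()):
            return ("drop", "CHADDR does not match source MAC")
        return ("forward", "client message on untrusted port")


def demo():
    """Run a few constructed frames through a switch with one trusted uplink."""
    sw = DhcpSnooping(trusted_ports={"GE0/0/20"})
    sw.enable_chaddr_check()
    frames = [
        # legitimate client on a user port
        DhcpFrame("GE0/0/1", "5489-983d-0504", "5489-983d-0504", "DISCOVER"),
        # starvation attempt: CHADDR rotated while the NIC MAC stays the same
        DhcpFrame("GE0/0/1", "5489-983d-0504", "0000-0000-0001", "DISCOVER"),
        # rogue server answering from a user port
        DhcpFrame("GE0/0/2", "0011-2233-4455", "0000-0000-0000", "OFFER"),
        # real server answering over the trusted uplink (constructed MAC)
        DhcpFrame("GE0/0/20", "00e0-fc00-0001", "0000-0000-0000", "ACK"),
    ]
    return [sw.filter(f) for f in frames]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(f"{verdict:<8} {reason}")
```

The order of the checks matters: the trusted-port test comes first, so the uplink to the real server is never subject to the client-side CHADDR comparison, while everything on a user port is.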
ARP spoofing attack: the attacker keeps sending forged ARP replies to impersonate PCs, servers, and the legitimate router.
Solution: DAI Dynamic ARP Detection
[SW1]arp dhcp-snooping-detect enable #Effective for all interfaces of all VLANs
ARP packets are checked against the five elements of the DHCP snooping binding table:
  IP    MAC   Port   VLAN   Lease expiry
  1.1   B     1      1      2028-1-1
ARP packet: source-ip 1.1, source-mac B (compared with the entry above)
IP address spoofing attacks
Prevent attackers from maliciously spoofing the IP addresses of legitimate users.
Solution: IP Source Guard (IP source protection), which checks the source of IP packets against the binding table:
[SW1-GigabitEthernet0/0/1]ip source check user-bind enable
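The binding-table lookups behind DAI and IP Source Guard, written out as an added example (not from the original notes or the switch vendor). The table holds the five elements listed above; bindings, the clock and the packets are constructed sample data, and a real switch populates the table from the DHCP ACKs it forwards rather than from a method call.

```python
# Added example (not from the original notes): a DHCP snooping binding
# table holding the five elements listed above (IP, MAC, port, VLAN, lease
# expiry), with the lookup that DAI applies to ARP packets and that IP
# Source Guard applies to IP packets.  Bindings and packets are constructed
# sample data; the real switch learns bindings from DHCP ACKs it forwards.

from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str
    vlan: int
    lease_expires: datetime


class SnoopingBindingTable:
    def __init__(self):
        self._by_ip = {}

    def learn_from_ack(self, ip, mac, port, vlan, lease_expires):
        """Record the binding when a DHCP ACK for a client passes the switch."""
        self._by_ip[ip] = Binding(ip, mac, port, vlan, lease_expires)

    def remove(self, ip):
        """Drop the binding on DHCP Release or lease expiry."""
        self._by_ip.pop(ip, None)

    def _matches(self, ip, mac, port, vlan, now):
        b = self._by_ip.get(ip)
        if b is None or b.lease_expires <= now:
            return False                      # unknown or expired binding
        return b.mac.lower() == mac.lower() and b.port == port and b.vlan == vlan

    def dai_check(self, sender_ip, sender_mac, port, vlan, now):
        """Dynamic ARP inspection: ARP sender IP/MAC must match the binding on this port and VLAN."""
        return "forward" if self._matches(sender_ip, sender_mac, port, vlan, now) else "drop"

    def ipsg_check(self, src_ip, src_mac, port, vlan, now):
        """IP Source Guard: the same five-element match applied to IP data packets."""
        return "forward" if self._matches(src_ip, src_mac, port, vlan, now) else "drop"


def demo():
    table = SnoopingBindingTable()
    now = datetime(2025, 1, 1, 12, 0, 0)   # constructed clock
    table.learn_from_ack("192.168.1.1", "5489-983d-0504", "GE0/0/1", 1, datetime(2028, 1, 1))
    return {
        # genuine host sends ARP from its own port
        "arp-ok": table.dai_check("192.168.1.1", "5489-983d-0504", "GE0/0/1", 1, now),
        # another port claims the host's IP in an ARP reply
        "arp-spoof": table.dai_check("192.168.1.1", "0011-2233-4455", "GE0/0/2", 1, now),
        # right MAC and port, but the wrong VLAN
        "arp-wrong-vlan": table.dai_check("192.168.1.1", "5489-983d-0504", "GE0/0/1", 20, now),
        # correct entry, but the lease has already run out
        "arp-expired": table.dai_check("192.168.1.1", "5489-983d-0504", "GE0/0/1", 1, datetime(2028, 6, 1)),
        # IP packet with a source address that was never leased
        "ipsg-unbound": table.ipsg_check("192.168.1.200", "0011-2233-4455", "GE0/0/2", 1, now),
        "ipsg-ok": table.ipsg_check("192.168.1.1", "5489-983d-0504", "GE0/0/1", 1, now),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:<15} {verdict}")
```

Both checks share one lookup on purpose: DAI and IPSG differ only in which packet type they inspect, not in what they compare, which is why the notes list the same five elements for both.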
If an attacker launching a DHCP starvation attack forges the source MAC address and the CHADDR field consistently, the dhcp-chaddr check no longer catches it. Additional measures:
(1) Limit the rate of DHCP messages on the port
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 1 (PPS)
(2) Limit the maximum number of users (bindings) on the port
dhcp snooping max-user-number 10
(3) Port security
[SW1-GigabitEthernet0/0/10]port-security max-mac-num 1 # maximum number of MAC addresses (users) on the interface: 1
[SW1-GigabitEthernet0/0/10]port-security mac-address sticky # sticky MAC addresses: dynamically learned, then retained
[SW1-GigabitEthernet0/0/10]port-security protect-action shutdown
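Measures (1) and (2) above, the DHCP rate limit and the per-port maximum number of users, modelled as an added example that is not from the original notes or the switch vendor. The limits (1 packet per second, 10 users) are the values used in the notes; ports, MAC addresses and timestamps are constructed sample data, and the sliding-window rate check is my simplification of whatever the hardware actually does.

```python
# Added example (not from the original notes): per-port counters that model
# the two snooping limits above for the case where the CHADDR check alone
# cannot help because the attacker forges source MAC and CHADDR together.
#   (1) dhcp snooping check dhcp-rate N   -> at most N DHCP packets per second per port
#   (2) dhcp snooping max-user-number M   -> at most M bindings (users) per port
# Timestamps, ports and MACs are constructed sample data.

from collections import defaultdict, deque


class PortLimits:
    def __init__(self, rate_pps, max_users):
        self.rate_pps = rate_pps
        self.max_users = max_users
        self._recent = defaultdict(deque)   # port -> arrival times within the last second
        self._users = defaultdict(set)      # port -> MACs that currently hold a binding

    def on_dhcp_packet(self, port, t):
        """Rate check on a client DHCP packet arriving at time t (seconds)."""
        window = self._recent[port]
        while window and t - window[0] >= 1.0:
            window.popleft()                 # slide the one-second window forward
        if len(window) >= self.rate_pps:
            return "drop:rate"
        window.append(t)
        return "accept"

    def on_binding(self, port, mac):
        """Max-user check when a DHCP ACK would create a binding on this port."""
        users = self._users[port]
        if mac not in users and len(users) >= self.max_users:
            return "drop:max-user"
        users.add(mac)
        return "accept"

    def on_release(self, port, mac):
        """Free the slot when the client releases or the lease expires."""
        self._users[port].discard(mac)


def demo():
    limits = PortLimits(rate_pps=1, max_users=10)   # the values used in the notes
    # a burst of 5 Discover packets within half a second from one port
    rate_verdicts = [limits.on_dhcp_packet("GE0/0/1", 0.1 * i) for i in range(5)]
    rate_verdicts.append(limits.on_dhcp_packet("GE0/0/1", 1.5))   # window has slid
    # an attacker rotating MACs on one port: the 11th distinct MAC is refused
    user_verdicts = [limits.on_binding("GE0/0/1", f"0000-0000-{i:04x}") for i in range(12)]
    # a MAC that already holds a binding renewing it is still accepted
    user_verdicts.append(limits.on_binding("GE0/0/1", "0000-0000-0000"))
    return rate_verdicts, user_verdicts


if __name__ == "__main__":
    rates, users = demo()
    print("rate  :", rates)
    print("users :", users)
```

The two limits act at different points: the rate check runs on every client packet as it arrives, whereas the user count only changes when a binding is created or released, so a legitimate client renewing its lease never consumes a second slot.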
Public ID: Multi_D