
DHCP Dynamic Host Configuration Protocol (1)


ABOUT THIS

Application-layer protocol.

Carried over UDP. The reason usually given is speed, but the decisive one is that a client has no IP address when it sends its first message, so it must broadcast, and a TCP connection cannot be set up without addresses.

The server listens on UDP port 67.

The client listens on UDP port 68.

Dynamic Host Configuration Protocol (DHCP) is a protocol for dynamic configuration and centralized management of network parameters for TCP/IP hosts. It can:

- Assign IP addresses to network hosts.

DHCP provides two address assignment mechanisms, and the network administrator can choose a different policy for different hosts according to network requirements.

- Dynamic allocation: DHCP assigns an IP address to a host for a limited period of time (the lease). This suits hosts that need only temporary access to the network, or networks where the number of free addresses is smaller than the total number of hosts and the hosts do not need to be connected all the time, for example the laptops of employees on business trips or mobile terminals in a cafe.

- Static allocation: the administrator binds a fixed IP address to a specified host (by its hardware address) through DHCP. This suits hosts with special requirements for their IP address, such as a corporate file server that must keep a fixed address because it serves users on the external network. Compared with configuring static addresses by hand, static allocation through DHCP avoids manual configuration errors and lets the administrator maintain all addresses centrally.

- Provide network parameters other than IP addresses, such as DNS server addresses, routing information and the default gateway.

Message types: 8

- Discover: the client broadcasts to find DHCP servers.

- Offer: a server offers an IP address and other parameters.

- Request: the client asks for the offered address; also sent to confirm an address after a reboot and to renew a lease.

- ACK: the server confirms the lease and the parameters.

- NAK: the server rejects the request (no matching lease record, or the address is not valid on the client's subnet).

- Release: the client gives the address back before the lease ends.

- Inform: a client that already has an address asks only for other parameters, such as the DNS server or domain name.

- Decline: the client reports that the offered address is already in use (detected with an ARP probe), so the server marks it as conflicting.

State machine

1. When a DHCP client first connects to the network, it sends a DHCP Discover message, which is used to find and locate the DHCP server.

The Discover is sent from 0.0.0.0, port 68, to the broadcast address 255.255.255.255, port 67: the client has no address of its own yet, and the broadcast reaches every DHCP server (or relay agent) on the segment.

2. After receiving a DHCP discovery message, the DHCP server sends a DHCP offer message (DHCP Offer), which contains configuration information such as IP address.

First allocation

3. After receiving a DHCP Offer, the client broadcasts a DHCP Request naming the chosen server and address (broadcast so that every other server that made an offer learns its offer was declined and can reclaim the address). A client that already holds an address and restarts also broadcasts a DHCP Request to confirm the assigned IP address and the other parameters. When its lease is about to expire the client also sends a DHCP Request to ask for an extension, first unicast to the server that granted the lease and, if that gets no answer, as a broadcast, because the server may have moved or become unreachable (the default lease is 24 hours).

4. After receiving a DHCP request message from a DHCP client, the DHCP server replies with a DHCP acknowledgement message (DHCP ACK). After the client receives the DHCP acknowledgement message, it will configure and use the obtained IP address and other information.

Timers

Renewal timer (T1): the default lease is 86400 s (one day).

When 50 percent of the lease has elapsed, the client starts unicasting DHCP Request messages to the server that granted the lease in order to renew it.

Rebinding timer (T2)

When 87.5 percent of the lease has elapsed and no ACK has arrived, the client broadcasts the renewal Request so that any DHCP server can extend the lease.

Lease expiry

If the lease runs out with no ACK, the client must stop using the address and start again with a Discover.

5. If the DHCP server receives a DHCP Request for which it has no matching lease record (or the requested address is not valid for the client's network), it answers with a DHCP NAK, telling the client it cannot use the requested address; the client then starts over with a Discover.

6. The DHCP client releases the IP address by sending a DHCP Release message (DHCP Release). After receiving the DHCP release message, the DHCP server can assign the IP address to other DHCP clients.
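The exchange above, as an added example that is not part of the original page: a minimal RFC 2131 encoder and decoder, the T1/T2 timer rule, and a toy server that answers Discover with Offer, commits the lease on Request (ACK), answers an unknown request with NAK and goes silent once its pool is empty. The server address, pool and client MAC addresses are constructed for the example.

```python
import struct
import ipaddress

# Added example (not from the page): RFC 2131 message encode/decode plus the
# Discover/Offer/Request/ACK exchange against a toy server. The server address,
# pool and client MACs used by the callers are constructed for the example.

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"            # fixed BOOTP header, 236 bytes
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
BOOTREQUEST, BOOTREPLY, BROADCAST = 1, 2, 0x8000


def packed_ip(text):
    return ipaddress.ip_address(text).packed


def build(op, xid, chaddr, msg_type, options=(), yiaddr="0.0.0.0",
          ciaddr="0.0.0.0", giaddr="0.0.0.0", flags=BROADCAST):
    """Encode one DHCP message; options are (code, bytes) pairs added after
    option 53 (message type). A fresh client sends ciaddr 0.0.0.0 and sets the
    broadcast flag because it cannot yet receive unicast replies."""
    mac = bytes.fromhex(chaddr.replace(":", "").replace("-", ""))
    header = struct.pack(HDR, op, 1, len(mac), 0, xid, 0, flags,
                         packed_ip(ciaddr), packed_ip(yiaddr), packed_ip("0.0.0.0"),
                         packed_ip(giaddr), mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([53, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + b"\xff"


def parse(data):
    """Decode a DHCP message into a dict (raises ValueError on malformed input)."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    f = struct.unpack(HDR, data[:236])
    msg = {"op": f[0], "xid": f[4], "flags": f[6],
           "ciaddr": str(ipaddress.ip_address(f[7])),
           "yiaddr": str(ipaddress.ip_address(f[8])),
           "giaddr": str(ipaddress.ip_address(f[10])),
           "chaddr": ":".join(f"{b:02x}" for b in f[11][:f[2]]), "options": {}}
    i = 240
    while i < len(data) and data[i] != 255:           # 255 = end option
        if data[i] == 0:                              # 0 = pad
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        msg["options"][data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    kind = msg["options"].get(53)
    msg["type"] = MSG_TYPES.get(kind[0]) if kind else None
    return msg


def renewal_timers(lease, t1=None, t2=None):
    """T1 (start unicast renewal) defaults to 50 % of the lease and T2 (start
    broadcast rebinding) to 87.5 %; options 58/59 from the server override them."""
    return (lease // 2 if t1 is None else t1, lease * 7 // 8 if t2 is None else t2)


class ToyServer:
    """Offers addresses from a pool and commits the lease only on Request."""
    def __init__(self, server_ip, pool, lease=86400):
        self.ip, self.free, self.lease = server_ip, list(pool), lease
        self.offered, self.leases = {}, {}                 # chaddr -> ip

    def reply(self, req, msg_type, yiaddr="0.0.0.0"):
        opts = [(54, packed_ip(self.ip))]                   # server identifier
        if msg_type != 6:
            opts.append((51, struct.pack("!I", self.lease)))  # lease time
        return build(BOOTREPLY, req["xid"], req["chaddr"], msg_type, opts, yiaddr=yiaddr)

    def handle(self, data):
        req = parse(data)
        if req["op"] != BOOTREQUEST:
            return None
        mac = req["chaddr"]
        if req["type"] == "DISCOVER":
            ip = self.leases.get(mac) or self.offered.get(mac)
            if ip is None:
                if not self.free:
                    return None          # pool exhausted: the goal of a starvation attack
                ip = self.free.pop(0)
            self.offered[mac] = ip
            return self.reply(req, 2, ip)
        if req["type"] == "REQUEST":
            sid = req["options"].get(54)
            if sid and sid != packed_ip(self.ip):        # client took another server's offer
                if mac in self.offered:
                    self.free.append(self.offered.pop(mac))
                return None
            wanted = req["options"].get(50)              # requested IP, or ciaddr on renewal
            wanted = str(ipaddress.ip_address(wanted)) if wanted else req["ciaddr"]
            if wanted != (self.offered.get(mac) or self.leases.get(mac)):
                return self.reply(req, 6)                # no matching lease record: NAK
            self.leases[mac] = self.offered.pop(mac, wanted)
            return self.reply(req, 5, wanted)
        if req["type"] == "RELEASE" and mac in self.leases:
            self.free.append(self.leases.pop(mac))
        return None


def dora(server, chaddr, xid=0x3903F326):
    """Client side of the first allocation: Discover, Offer, Request, ACK."""
    offer = parse(server.handle(build(BOOTREQUEST, xid, chaddr, 1)))
    request = build(BOOTREQUEST, xid, chaddr, 3,
                    [(50, packed_ip(offer["yiaddr"])), (54, offer["options"][54])])
    return parse(server.handle(request))


if __name__ == "__main__":
    srv = ToyServer("12.1.1.2", ["192.168.1.1", "192.168.1.2"])
    ack = dora(srv, "54:89:98:3d:05:04")
    print(ack["type"], ack["yiaddr"], renewal_timers(int.from_bytes(ack["options"][51], "big")))
```

The Request carries option 50 (requested address) and option 54 (server identifier) so that a server whose offer was not chosen can return its address to the pool; a renewal carries the address in ciaddr instead, and a Request for an address the server never offered gets a NAK.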

The DHCP server's address pool defines the range of IP addresses that can be assigned to hosts.

There are two forms.

1. The interface address pool assigns IP addresses to hosts or endpoints connected to the same network segment. You can execute the dhcp select interface command under the server's interface to configure the DHCP server to use the DHCP server mode of the interface address pool to assign IP addresses to clients.

2. The global address pool assigns IP addresses to all endpoints that connect to the DHCP server. You can execute the dhcp select global command under the interface of the server to configure the DHCP server to use the DHCP server mode of global address pool to assign IP addresses to clients.

The interface address pool has a higher priority than the global address pool. After a global address pool is configured, if another address pool is configured on the interface, the client will get the IP address from the interface address pool. On X7 series switches, interface address pools can only be configured on VLANIF logical interfaces.

DHCP server:

dhcp enable
#
ip pool vlan10
 gateway-list 192.168.1.254
 network 192.168.1.0 mask 255.255.255.0
#
interface GigabitEthernet0/0/0
 ip address 12.1.1.2 255.255.255.0
 dhcp select global
#

DHCP relay:

dhcp enable
#
dhcp server group vlan10
 dhcp-server 12.1.1.2 0
#
interface GigabitEthernet0/0/1
 ip address 192.168.1.254 255.255.255.0
 dhcp select relay
 dhcp relay server-select vlan10
#

Configuration notes

ip pool vlan20
 static-bind ip-address 192.168.2.149 mac-address 5489-983d-0504

Static binding of an IP address to a hardware (MAC) address (the static allocation mechanism described above).

View an address pool:

dis ip pool name xx

The dhcp enable command is used to enable the DHCP function. When you configure a DHCP server, you must execute the dhcp enable command before other features of DHCP can be configured and take effect.

The dhcp select interface command associates an interface with an interface address pool, which then provides configuration information to the hosts connected to that interface. An interface address pool has no separate gateway-list: the interface's own IP address is the gateway.

The dhcp server dns-list command is used to specify the DNS server addresses under the interface address pool.

The dhcp server excluded-ip-address command is used to configure the range of IP addresses in the interface address pool that do not participate in automatic assignment.

The dhcp server lease command configures the lease duration of the IP addresses in the interface address pool. By default the lease is 1 day.

Each DHCP server can define one or more global address pools and interface address pools. In this example, execute the display ip pool command to view the attributes of the interface address pool. The display information contains the IP address range of the address pool, and also includes information about the IP gateway, subnet mask, and so on.

Configuring a DHCP global address pool:

The ip pool command is used to create a global address pool.

The network command is used to configure the network segment addresses that can be assigned under the global address pool.

The gateway-list command is used to configure the egress gateway address of the DHCP server global address pool.

The lease command is used to configure the lease period for addresses under the DHCP global address pool. By default, the IP address lease period is 1 day.

The dhcp select global command enables the DHCP server function on an interface using the global address pool.

View the detailed usage of an address pool: dis ip pool name xx used

DHCP attack prevention

Options of the dhcp snooping check command (system view):

[sw2]dhcp snooping check
  dhcp-chaddr    DHCP chaddr
  dhcp-giaddr    DHCP relay agent IP address
  dhcp-rate      DHCP rate
  dhcp-request   DHCP request (check all request messages sent by clients to the server)

Options of the dhcp snooping alarm command (system view and interface view):

[sw2]dhcp snooping alarm
[sw2-GigabitEthernet0/0/1]dhcp snooping alarm
  dhcp-chaddr    DHCP chaddr
  dhcp-rate      DHCP rate
  dhcp-reply     Untrusted DHCP reply packets
  dhcp-request   DHCP request

Client hardware address: CHADDR (normally this address is the MAC address of the client)

DHCP starvation attack

The attacker forges DHCP messages whose CHADDR field (the client MAC address) changes with every message, so the DHCP server cannot tell that they all come from one host. The address pool is exhausted and legitimate users cannot obtain an IP address.

Solution: DHCP snooping (configured on the access-layer switch).

DHCP snooping binding table

[SW1]dhcp snooping check dhcp-chaddr enable vlan 1 # takes effect for VLAN 1

[SW1-GigabitEthernet0/0/12]dhcp snooping check dhcp-chaddr enable # takes effect for the interface

If the source MAC address of the Ethernet frame and the CHADDR field of a DHCP Discover (or Request) do not match, the message is discarded. This check alone does not stop an attacker who forges both fields consistently; the rate limit, user limit and port security covered further down are needed for that.

DHCP server spoofing attack

The attacker runs a rogue DHCP server and hands the user an illegal IP address and other parameters of his own choosing (for example his own machine as gateway or DNS server), so the user's traffic can be intercepted and the user's information stolen. The defence distinguishes trusted and untrusted ports.

Solution: [SW1-GigabitEthernet0/0/20]dhcp snooping trusted # configure the port towards the legitimate server (or relay) as trusted

By default, all interfaces are untrusted ports once DHCP snooping is enabled.

DHCP server messages (Offer, ACK, NAK) received on untrusted ports are dropped.

Man-in-the-middle attack

The attacker keeps sending forged ARP replies to PCs, servers and the legitimate router so that their traffic flows through the attacker's machine.

Solution: DAI (Dynamic ARP Inspection)

[SW1]arp dhcp-snooping-detect enable # takes effect on all interfaces of all VLANs

DAI checks every ARP packet against the five elements recorded in the DHCP snooping binding table:

IP address   MAC address   Port   VLAN   Lease expiry
1.1          B             1      1      2028-1-1

An ARP packet with source IP 1.1 and source MAC B arriving on port 1 in VLAN 1 matches the entry and is forwarded; an ARP packet claiming source IP 1.1 with a different MAC, or arriving on a different port, is discarded.

IP address spoofing attack

Prevents an attacker from forging the IP address of a legitimate user.

[SW1-GigabitEthernet0/0/1]ip source check user-bind enable

IP Source Guard (IP source protection): IP packets arriving on the interface are forwarded only if their source IP address and source MAC address (and VLAN) match an entry in the binding table.

If an attacker launches a DHCP starvation attack and forges the CHADDR and the frame's source MAC address consistently, the chaddr check no longer helps. Three further measures:

(1) Rate-limit DHCP messages

dhcp snooping check dhcp-rate enable

dhcp snooping check dhcp-rate 1 # in pps; messages above the rate are discarded

(2) Limit the number of DHCP users (binding entries) per interface

dhcp snooping max-user-number 10

(3) Port security

[SW1-GigabitEthernet0/0/10]port-security enable

[SW1-GigabitEthernet0/0/10]port-security max-mac-num 1 # maximum number of MAC addresses (users) on the interface

[SW1-GigabitEthernet0/0/10]port-security mac-address sticky # dynamically learned MAC addresses are kept as sticky entries

[SW1-GigabitEthernet0/0/10]port-security protect-action shutdown # shut the port down on a violation
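The checks from the starvation, server-spoofing, DAI, IP Source Guard and rate/user-limit sections above, as one added example that is not the switch vendor's implementation: a model of a snooping switch that learns bindings from ACKs seen on the trusted uplink and applies the checks to frames on untrusted ports. Frames are dicts already decoded to the fields the checks need; the port names, VLANs, MAC and IP addresses in the scenario are made up for the example.

```python
from collections import defaultdict

# Added example (not the switch vendor's code): a model of the DHCP snooping,
# DAI and IP Source Guard checks, run over constructed frames. Port names,
# VLANs, MAC and IP addresses are made up for the example.

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


class SnoopingSwitch:
    def __init__(self, trusted_ports, rate_pps=5, max_users=10):
        self.trusted = set(trusted_ports)             # ports towards the real server/relay
        self.rate_pps, self.max_users = rate_pps, max_users
        self.bindings = {}                            # (vlan, ip) -> {mac, port, lease_end}
        self.pending = {}                             # (vlan, chaddr) -> client port awaiting ACK
        self.seen = defaultdict(list)                 # port -> recent client DHCP timestamps
        self.dropped = []                             # (reason, frame)

    def drop(self, reason, frame):
        self.dropped.append((reason, frame))
        return False

    def users_on(self, port):
        return sum(1 for b in self.bindings.values() if b["port"] == port)

    def dhcp(self, frame, now):
        """Apply the snooping checks to one DHCP frame; True = forwarded."""
        port, vlan, kind, mac = frame["port"], frame["vlan"], frame["type"], frame["chaddr"]
        if kind in SERVER_MSGS:
            if port not in self.trusted:              # rogue server on an access port
                return self.drop("server-msg-on-untrusted-port", frame)
            if kind == "ACK" and (vlan, mac) in self.pending:   # learn the binding from the ACK
                self.bindings[(vlan, frame["yiaddr"])] = {
                    "mac": mac, "port": self.pending.pop((vlan, mac)),
                    "lease_end": now + frame["lease"]}
            return True
        if port in self.trusted:
            return True                               # client checks apply to untrusted ports only
        if mac != frame["src_mac"]:                   # dhcp-chaddr check
            return self.drop("chaddr-mismatch", frame)
        recent = [t for t in self.seen[port] if now - t < 1.0]
        self.seen[port] = recent
        if len(recent) >= self.rate_pps:              # dhcp-rate check (pps per port)
            return self.drop("rate-limit", frame)
        recent.append(now)
        if kind == "RELEASE":                         # dhcp-request check: only the owner may release
            b = self.bindings.get((vlan, frame["ciaddr"]))
            if b is None or b["mac"] != mac or b["port"] != port:
                return self.drop("release-not-from-owner", frame)
            del self.bindings[(vlan, frame["ciaddr"])]
            return True
        bound_here = any(b["mac"] == mac and b["port"] == port for b in self.bindings.values())
        if not bound_here and self.users_on(port) >= self.max_users:   # max-user-number check
            return self.drop("max-user-number", frame)
        self.pending[(vlan, mac)] = port
        return True

    def check_source(self, frame, reason, now):
        """DAI (ARP) and IP Source Guard (IP) share one rule: source IP and MAC on an
        untrusted port must match a live binding learned on that port and VLAN."""
        if frame["port"] in self.trusted:
            return True
        b = self.bindings.get((frame["vlan"], frame["src_ip"]))
        if b and b["mac"] == frame["src_mac"] and b["port"] == frame["port"] and b["lease_end"] > now:
            return True
        return self.drop(reason, frame)

    def arp(self, frame, now):
        return self.check_source(frame, "arp-inspection", now)

    def ip(self, frame, now):
        return self.check_source(frame, "ip-source-guard", now)


def dhcp_frame(port, vlan, src_mac, chaddr, kind, **extra):
    return dict(port=port, vlan=vlan, src_mac=src_mac, chaddr=chaddr, type=kind, **extra)


def demo():
    """Constructed scenario: one legitimate client, one attacker port, one trusted uplink."""
    sw = SnoopingSwitch(trusted_ports={"G0/0/24"}, rate_pps=5, max_users=10)
    a, srv, x = "54:89:98:3d:05:04", "00:e0:fc:00:00:01", "00:0c:29:aa:bb:cc"
    r = {}
    sw.dhcp(dhcp_frame("G0/0/1", 10, a, a, "DISCOVER"), 0.0)                  # legitimate DORA
    sw.dhcp(dhcp_frame("G0/0/24", 10, srv, a, "OFFER", yiaddr="192.168.1.10", lease=86400), 0.1)
    sw.dhcp(dhcp_frame("G0/0/1", 10, a, a, "REQUEST"), 0.2)
    sw.dhcp(dhcp_frame("G0/0/24", 10, srv, a, "ACK", yiaddr="192.168.1.10", lease=86400), 0.3)
    r["binding"] = sw.bindings.get((10, "192.168.1.10"))
    r["rogue_offer"] = sw.dhcp(dhcp_frame("G0/0/2", 10, x, a, "OFFER", yiaddr="192.168.1.66", lease=60), 1.0)
    r["starve_mismatch"] = sw.dhcp(dhcp_frame("G0/0/2", 10, x, "02:00:00:00:00:01", "DISCOVER"), 2.0)
    forged = [f"02:00:00:00:00:{i:02x}" for i in range(8)]     # CHADDR and src MAC forged consistently
    r["starve_forwarded"] = sum(sw.dhcp(dhcp_frame("G0/0/2", 10, m, m, "DISCOVER"), 3.0 + i * 0.01)
                                for i, m in enumerate(forged))
    r["dai"] = sw.arp(dict(port="G0/0/2", vlan=10, src_ip="192.168.1.10", src_mac=x), 4.0)
    r["ipsg"] = sw.ip(dict(port="G0/0/2", vlan=10, src_ip="192.168.1.10", src_mac=x), 4.0)
    r["legit_arp"] = sw.arp(dict(port="G0/0/1", vlan=10, src_ip="192.168.1.10", src_mac=a), 4.0)
    r["forged_release"] = sw.dhcp(dhcp_frame("G0/0/2", 10, x, x, "RELEASE", ciaddr="192.168.1.10"), 5.0)
    r["binding_kept"] = (10, "192.168.1.10") in sw.bindings
    r["drop_reasons"] = [reason for reason, _ in sw.dropped]
    return r
```

The scenario shows why the measures are layered: the chaddr check stops the lazy starvation tool, the per-port rate limit stops the one that forges both MAC fields, the trusted/untrusted split stops the rogue Offer, and DAI and IP Source Guard reuse the same binding table to reject ARP and IP packets that claim the legitimate client's address from another port.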

MultiD (WeChat public account: Multi_D)
