防ARP等幾個(gè)概念說(shuō)明

FreeResource、DHCPSnooping、防ARP等概念說(shuō)明及關(guān)系客戶(hù)服務(wù)中心技術(shù)支持部2007-8-21TOC\o"1-4"\h\z\u1. 文檔說(shuō)明 32. 概念說(shuō)明 32.1. ARP攻擊及欺騙 32.1.1. ARPDoS攻擊行為 32.1.2. ARP欺騙行為 42.1.2.1. 針對(duì)PC的ARP欺騙行為 42.1.2.2. 針對(duì)網(wǎng)關(guān)的ARP欺騙行為 52.2. FreeResource概念 62.2.1. DHCPSnooping模式 72.2.2. DCBI靜態(tài)IP-MACACL管理模式 72.2.3. 交換機(jī)靜態(tài)配置用戶(hù)綁定信息模式 72.3. DHCPSnooping概念 82.3.1. DHCPSnooping與防ARP欺騙和攻擊 82.3.1.1. Anti-arpscan 92.3.1.2. Arpguard應(yīng)用 93. 防ARP攻擊及欺騙的解決方案 103.1. 綁定Dot1x的DHCPSnooping應(yīng)用（接入PC使用Dot1x認(rèn)證） 103.1.1. 認(rèn)證客戶(hù)端動(dòng)態(tài)獲取IP地址 103.1.2. 認(rèn)證客戶(hù)端靜態(tài)配置IP地址 143.1.2.1. 交換機(jī)靜態(tài)配置用戶(hù)綁定關(guān)系 143.1.2.2. DCBI靜態(tài)綁定IP-MACACL管理方式 193.2. 綁定USER的DHCPSnooping應(yīng)用（接入PC不啟用Dot1x） 233.2.1. 接入PC動(dòng)態(tài)獲取IP模式 233.2.2. 接入PC靜態(tài)配置IP模式 274. 總結(jié)及建議 31文檔說(shuō)明本文檔主要對(duì)目前防ARP病毒、FreeResource解決方案、DHCPSnooping幾個(gè)概念和具體技術(shù)加以闡述，澄清過(guò)去一些模糊說(shuō)法。概念說(shuō)明ARP攻擊及欺騙ARP攻擊及欺騙是目前局域網(wǎng)中經(jīng)常出現(xiàn)的一個(gè)網(wǎng)絡(luò)異常行為，輕則導(dǎo)致網(wǎng)絡(luò)內(nèi)用戶(hù)無(wú)法正常使用網(wǎng)絡(luò)，重則導(dǎo)致網(wǎng)絡(luò)設(shè)備出現(xiàn)異常，出現(xiàn)整個(gè)網(wǎng)絡(luò)癱瘓，影響整個(gè)網(wǎng)絡(luò)運(yùn)行?；贏RP對(duì)網(wǎng)絡(luò)應(yīng)用產(chǎn)生異常影響的行為模式可以劃分為兩種：ARPDoS攻擊行為ARP欺騙行為ARPDoS攻擊行為ARPDoS攻擊行為：將一個(gè)網(wǎng)絡(luò)設(shè)備（通常為PC）通過(guò)發(fā)送大量（可能達(dá)到線(xiàn)速）正確的ARP請(qǐng)求或響應(yīng)報(bào)文來(lái)阻擾網(wǎng)絡(luò)設(shè)備正常運(yùn)行的行為定義為ARP攻擊行為。ARPDoS行為中病毒主機(jī)發(fā)送的ARP報(bào)文從報(bào)文內(nèi)容及對(duì)網(wǎng)絡(luò)內(nèi)其它主機(jī)關(guān)于病毒主機(jī)的ARP表項(xiàng)影響方面來(lái)看，其是正確的。但從發(fā)送速率對(duì)網(wǎng)絡(luò)上其它設(shè)備的影響來(lái)看則是不正常的。攻擊對(duì)象一般為病毒主機(jī)的默認(rèn)網(wǎng)關(guān)，路由器或者交換機(jī)等等。因?yàn)槠溆绊懥司W(wǎng)絡(luò)上其它設(shè)備對(duì)ARP報(bào)文的正常處理，被攻擊攻擊對(duì)象（一般為病毒主機(jī)的默認(rèn)網(wǎng)關(guān)，路由器或者交換機(jī)等等）往往沒(méi)有資源來(lái)響應(yīng)其它主機(jī)的ARP請(qǐng)求，影響網(wǎng)絡(luò)正常運(yùn)行。請(qǐng)看下面一個(gè)實(shí)例：故障現(xiàn)象：核心交換機(jī)7208下接3926S，3926S下接PC。PC與網(wǎng)關(guān)7208時(shí)通時(shí)斷，網(wǎng)絡(luò)正常時(shí)PC及7208上ARP表項(xiàng)均正確，網(wǎng)絡(luò)不正常時(shí)PC學(xué)習(xí)不到網(wǎng)關(guān)ARP信息。故障原因：3926S某接口下一臺(tái)PC發(fā)送大量的ARP報(bào)文，以每秒接近15000個(gè)速率向網(wǎng)關(guān)發(fā)送ARP請(qǐng)求報(bào)文，導(dǎo)致網(wǎng)關(guān)不能響應(yīng)其它主機(jī)發(fā)送的ARP請(qǐng)求報(bào)文。ARP欺騙行為ARP欺騙行為按照被欺騙對(duì)象又分為：針對(duì)PC的ARP欺騙行為針對(duì)網(wǎng)關(guān)的欺騙行為針對(duì)PC的ARP欺騙行為針對(duì)PC的ARP欺騙行為：針對(duì)PC的ARP欺騙行為是指攻擊主機(jī)通過(guò)主動(dòng)向被攻擊主機(jī)發(fā)送關(guān)于網(wǎng)關(guān)的ARPReply報(bào)文，導(dǎo)致被攻擊主機(jī)上關(guān)于網(wǎng)關(guān)ARP表項(xiàng)變成攻擊主機(jī)的MAC，從而導(dǎo)致被攻擊主機(jī)的報(bào)文無(wú)法通過(guò)正確的網(wǎng)關(guān)MAC發(fā)送出去，從而導(dǎo)致網(wǎng)絡(luò)中斷現(xiàn)象。攻擊實(shí)例某網(wǎng)絡(luò)中5526SVlan206下接3926S交換機(jī)，3926S下PCIP地址屬于172.16.206.0/24網(wǎng)段，網(wǎng)關(guān)地址為172.16.206.1（MAC為00-03-0F-02-93-82），某主機(jī)172.16.206.64、MAC為00-01-80-57-3f被攻擊主機(jī)回應(yīng)此請(qǐng)求：攻擊報(bào)文：攻擊主機(jī)發(fā)送ARPReply報(bào)文給被攻擊主機(jī)，會(huì)更改172.16.206.6主機(jī)上關(guān)于網(wǎng)關(guān)172.16.206.1的MAC地址為病毒主機(jī)的MAC地址：00-01-80-57-3F-5C針對(duì)網(wǎng)關(guān)的ARP欺騙行為針對(duì)網(wǎng)關(guān)的ARP欺騙行為：是指攻擊主機(jī)通過(guò)ARP報(bào)文更改網(wǎng)關(guān)設(shè)備（交換機(jī)、路由器、防火墻等網(wǎng)絡(luò)設(shè)備）上關(guān)于其它主機(jī)正確的ARP表項(xiàng)。導(dǎo)致交換機(jī)在轉(zhuǎn)發(fā)報(bào)文時(shí)，將報(bào)文轉(zhuǎn)發(fā)給錯(cuò)誤的MAC地址，導(dǎo)致從網(wǎng)絡(luò)到主機(jī)的報(bào)文不能被正確轉(zhuǎn)發(fā)給主機(jī)，導(dǎo)致網(wǎng)絡(luò)中斷的現(xiàn)象。實(shí)例分析：網(wǎng)絡(luò)內(nèi)多個(gè)主機(jī)無(wú)法上網(wǎng)，主機(jī)上關(guān)于網(wǎng)關(guān)的ARP表項(xiàng)正確，而網(wǎng)關(guān)設(shè)備DCRS-5526S交換機(jī)上關(guān)于這些主機(jī)的ARP表現(xiàn)不正確，導(dǎo)致報(bào)文不能正確被轉(zhuǎn)發(fā)。office#showarpTotalarpitemsis221,thematchedarpitemsis221AddressHardwareAddrInterfacePortFlag172.16.1.4100-D0-95-C9-A1-5AEthernet0/1/1Ethernet0/1/1Dynamic192.168.160.1400-0B-CD-6A-D4-D2Vlan1Ethernet0/0/1Dynamic192.168.162.200-12-3F-67-14192.168.162.300-11-5B-0B-59-74Vlan3Ethernet0/0/3Dynamic192.168.162.600-0C-F1-D1-E7-E5Vlan3Ethernet0/0/3Dynamic192.168.162.800-20-ED-A8-65-CBVlan3Ethernet0/0/3Dynamic192.168.162.900-0D-60-CA-DC-C0Vlan3Ethernet0/0/3Dynamic192.168.162.2000-10-5192.168.162.2300-10-5192.168.162.2400-10-5192.168.162.10000-07-95-F3-39-7FVlan3Ethernet0/0/3Dynamic192.168.162.25300-30-48-2A-C5-51Vlan3Ethernet0/0/3Dynamic192.168.163.300-11-D8-04-8192.168.163.400-30-F1-BF-7F-34Vlan4Ethernet0/0/4Dynamic192.168.163.600-40-05-47-19-4EVlan4Ethernet0/0/4Dynamic192.168.163.800-05-5D-02-DD-1DVlan4Ethernet0/0/4Dynamic192.168.163.900-E0-4C-11-02-23Vlan4Ethernet0/0/4Dynamic192.168.163.1000-E0-4C-41-04-DBVlan4Ethernet0/0/4Dynamic192.168.163.1100-E0-4C-00-27-DFVlan4Ethernet0/0/4Dynamic192.168.163.1200-E0-4C-41-04-DBVlan4Ethernet0/0/4Dynamic192.168.163.1500-E0-4C-41-04-DBVlan4Ethernet0/0/4Dynamic192.168.163.1600-E0-4C-82-09-27Vlan4Ethernet0/0/4Dynamic。。。。。。192.168.163.4500-40-05-47-36-0CVlan4Ethernet0/0/4Dynamic192.168.163.4700-40-05-47-36-0CVlan4Ethernet0/0/4Dynamic192.168.163.4800-40-05-47-36-0CVlan4Ethernet0/0/4Dynamic可以看到，同一個(gè)MAC地址對(duì)應(yīng)多個(gè)IP，說(shuō)明交換機(jī)已經(jīng)被ARP病毒攻擊了，可以在對(duì)應(yīng)的E0/0/4接口去查找病毒主機(jī)。FreeResource概念FreeResource是結(jié)合DOT1X認(rèn)證提出的概念。其基本意思是指Dot1x用戶(hù)在未認(rèn)證之前可以訪(fǎng)問(wèn)事先定義的部分網(wǎng)絡(luò)資源，在認(rèn)證之后能夠訪(fǎng)問(wèn)所有資源。認(rèn)證之前可訪(fǎng)問(wèn)的部分網(wǎng)絡(luò)資源在交換機(jī)上配置的，目前只能配置一個(gè)網(wǎng)段或者一臺(tái)主機(jī)，不能配置多個(gè)網(wǎng)段或者多臺(tái)主機(jī)。FreeSource解決方案中，Dot1x客戶(hù)端不管是認(rèn)證前還是認(rèn)證后，其所發(fā)送的ARP報(bào)文或者IP報(bào)文只有在IP地址+以太網(wǎng)幀源MAC均正確的基礎(chǔ)之上，該報(bào)文才能發(fā)送出去，否則端口會(huì)直接拒絕不正確報(bào)文（但對(duì)于DHCP報(bào)文及EAP認(rèn)證報(bào)文特殊處理），從而阻止ARP欺騙的行為。在FreeSource解決方案中，Dot1x客戶(hù)端如何做到認(rèn)證前訪(fǎng)問(wèn)部分網(wǎng)絡(luò)資源，認(rèn)證后能夠訪(fǎng)問(wèn)所有資源的呢？這肯定是由交換機(jī)所控制的，交換機(jī)在認(rèn)證之前首先為該接口下的Dot1x認(rèn)證客戶(hù)端生成兩條ACL表項(xiàng)，一條用于判斷ARP報(bào)文，一條用于判斷IP報(bào)文，并且允許ACL表項(xiàng)中的源MAC地址進(jìn)行dot1x認(rèn)證。這兩條ACL表項(xiàng)又是如何生成的呢？按照來(lái)源劃分有3個(gè)方面（在DCS-3950-X的1.3.8.0版本之前僅有前2個(gè)方面）：DHCPSnooping模式DCBI靜態(tài)IP-MACACL管理模式交換機(jī)靜態(tài)配置用戶(hù)綁定信息模式（1.3.8.0開(kāi)始支持該模式）上述3個(gè)方面分別對(duì)應(yīng)于認(rèn)證客戶(hù)端通過(guò)DHCP獲取IP地址及手工設(shè)定IP兩種不同的IP獲取情況，其中DCBI靜態(tài)IP-MACACL管理及交換機(jī)靜態(tài)配置的用戶(hù)綁定信息這兩種方式對(duì)應(yīng)于客戶(hù)端IP為靜態(tài)配置的應(yīng)用模式。DHCPSnooping模式DHCPSnooping模式是指交換機(jī)動(dòng)態(tài)監(jiān)控認(rèn)證客戶(hù)端在Dot1x認(rèn)證之前通過(guò)DHCP獲取IP地址的過(guò)程，在一個(gè)DHCP分配過(guò)程中獲取認(rèn)證客戶(hù)端的IP、MAC，并關(guān)聯(lián)到具體的交換機(jī)端口，從而形成動(dòng)態(tài)的綁定信息。DCBI靜態(tài)IP-MACACL管理模式DCBI靜態(tài)IP-MACACL管理模式是指在DCBI后臺(tái)服務(wù)器上手工設(shè)定認(rèn)證客戶(hù)端的IP、MAC、接入交換機(jī)IP、接入端口的綁定關(guān)系，并向交換機(jī)下發(fā)此綁定關(guān)系，交換機(jī)在得到此綁定消息后生成控制認(rèn)證客戶(hù)端接入的ACL表項(xiàng)。交換機(jī)靜態(tài)配置用戶(hù)綁定信息模式交換機(jī)靜態(tài)配置用戶(hù)綁定是指直接在交換機(jī)上配置認(rèn)證客戶(hù)端的IP、MAC、接入端口、接入VLAN的綁定信息，從而達(dá)到與DCBI下發(fā)綁定信息一樣的ACL控制表項(xiàng)。交換機(jī)配置命令為：ipdhcpsnoopingbindinguser<mac>address<ipAddr><mask>vlan<vid>interface[Ethernet]<ifname>注意：此模式下必須啟用DHCPSnooping所以從FreeResource解決方案中對(duì)于認(rèn)證客戶(hù)端進(jìn)行控制的ACL來(lái)源來(lái)看，有3種模式，如下圖所示：DHCPSnooping概念DHCPSnooping本身最基本的概念是用于交換機(jī)上防止用戶(hù)私設(shè)DHCPServer情況，通過(guò)啟用DHCPSnooping，將交換機(jī)上各端口定義為T(mén)rust接口和Untrust接口，在Untrust接口判斷是非有DHCPServer才能發(fā)送的DHCPOFFER、DHCPACK、DHCPNAK報(bào)文，如果截獲到這些報(bào)文，將發(fā)出警告并做出相應(yīng)反應(yīng)（shutdown該接口或者下發(fā)blockhole）。并且DHCPSnooping實(shí)現(xiàn)了防止DHCP過(guò)載攻擊，對(duì)Trust接口及Untrust接口設(shè)定接收DHCP報(bào)文的速率限制，防止過(guò)多的DHCP報(bào)文耗盡CPU資源。在DCS-3950-X1.3.8.0之前，對(duì)DHCPSnooping應(yīng)用進(jìn)行了擴(kuò)展，就是將其與Dot1x綁定，利用DHCPSnooping綁定數(shù)據(jù)功能，形成了FreeResource解決方案的一種實(shí)現(xiàn)方式，即在客戶(hù)端獲取IP地址過(guò)程中，監(jiān)控并綁定相關(guān)信息，從而為Dot1x認(rèn)證、處理ARP報(bào)文、處理IP報(bào)文提供了判斷依據(jù)。并不是所有的用戶(hù)均需要Dot1x認(rèn)證，而DHCPSnooping監(jiān)聽(tīng)并綁定數(shù)據(jù)對(duì)于網(wǎng)絡(luò)維護(hù)及監(jiān)控非常有效。因此，在DCS-3950-X1.3.8.0版本以后將DHCPSnooping綁定功能與Dot1x獨(dú)立開(kāi)來(lái)，形成了DHCPSnooping綁定功能的兩種應(yīng)用：綁定Dot1x認(rèn)證的DHCPSnooping應(yīng)用和綁定USER的DHCPSnooping應(yīng)用（不啟用dot1x環(huán)境）。DHCPSnooping綁定功能由兩種方式來(lái)實(shí)現(xiàn)：A、DHCPSnooping動(dòng)態(tài)監(jiān)聽(tīng)；B、DHCPSnooping靜態(tài)配置。DHCPSnooping與防ARP欺騙和攻擊DHCPSnooping綁定功能具備一定的防ARP病毒能力，確切的說(shuō)，由于由DHCPSnooping生成的ACL阻止了源MAC地址、ARP報(bào)文中的源IP地址不正確的ARP報(bào)文，達(dá)到防止ARP欺騙的功能，如下圖：因此，如果SIP不正確，則該報(bào)文被交換機(jī)直接丟棄，因此無(wú)法實(shí)現(xiàn)針對(duì)PC的ARP欺騙。如果ARP報(bào)文中SMAC不正確，則會(huì)修改目標(biāo)MAC設(shè)備上的ARP表項(xiàng)，如果目標(biāo)MAC為接入交換機(jī)，則導(dǎo)致接入交換機(jī)無(wú)法轉(zhuǎn)發(fā)目標(biāo)為該IP的報(bào)文，影響其自身通信。但如果啟用ipdhcpsnoopingbindingarp功能，即由DHCP綁定再生成ARP靜態(tài)綁定，則可以解決此問(wèn)題。如果認(rèn)證客戶(hù)端通過(guò)ARP掃描或者ARPDoS攻擊來(lái)阻擾網(wǎng)絡(luò)正常運(yùn)行，DHCPSnooping技術(shù)就毫無(wú)防范能力，此時(shí)必須配合anti-arpscan來(lái)實(shí)現(xiàn)。如果沒(méi)有啟用DHCPSnooping，則接入端口無(wú)法實(shí)現(xiàn)ARP報(bào)文控制，則為了保護(hù)網(wǎng)關(guān)IP不被欺騙，必須啟用arpguard功能。Anti-arpscanARP掃描是一種常見(jiàn)的網(wǎng)絡(luò)攻擊方式。為了探測(cè)網(wǎng)段內(nèi)的所有活動(dòng)主機(jī)，攻擊源將會(huì)產(chǎn)生大量的ARP報(bào)文在網(wǎng)段內(nèi)廣播，這些廣播報(bào)文極大的消耗了網(wǎng)絡(luò)的帶寬資源；攻擊源甚至有可能通過(guò)偽造的ARP報(bào)文而在網(wǎng)絡(luò)內(nèi)實(shí)施大流量攻擊，使網(wǎng)絡(luò)帶寬消耗殆盡而癱瘓。而且ARP掃描通常是其他更加嚴(yán)重的攻擊方式的前奏，如病毒自動(dòng)感染，或者繼而進(jìn)行端口掃描、漏洞掃描以實(shí)施如信息竊取、畸形報(bào)文攻擊，拒絕服務(wù)攻擊等。由于ARP掃描給網(wǎng)絡(luò)的安全和穩(wěn)定帶來(lái)了極大的威脅，所以防ARP掃描功能將具有重大意義。神州數(shù)碼系列交換機(jī)防ARP掃描的整體思路是若發(fā)現(xiàn)網(wǎng)段內(nèi)存在具有ARP掃描特征的主機(jī)或端口，將切斷攻擊源頭，保障網(wǎng)絡(luò)的安全。有兩種方式來(lái)防ARP掃描：基于端口和基于IP?；诙丝诘腁RP掃描會(huì)計(jì)算一段時(shí)間內(nèi)從某個(gè)端口接收到的ARP報(bào)文的數(shù)量，若超過(guò)了預(yù)先設(shè)定的閾值，則會(huì)down掉此端口。基于IP的ARP掃描則計(jì)算一段時(shí)間內(nèi)從網(wǎng)段內(nèi)某IP收到的ARP報(bào)文的數(shù)量，若超過(guò)了預(yù)先設(shè)置的閾值，則禁止來(lái)自此IP的任何流量，而不是down與此IP相連的端口。此兩種防ARP掃描功能可以同時(shí)啟用。端口或IP被禁掉后，可以通過(guò)自動(dòng)恢復(fù)功能自動(dòng)恢復(fù)其狀態(tài)。為了提高交換機(jī)的效率，可以配置受信任的端口和IP，交換機(jī)不檢測(cè)來(lái)自受信任的端口或IP的ARP報(bào)文，這樣可以有效地減少交換機(jī)的負(fù)擔(dān)。有關(guān)anti-arpscan功能及配置請(qǐng)參考交換機(jī)手冊(cè)。Arpguard應(yīng)用ARP協(xié)議的設(shè)計(jì)存在嚴(yán)重的安全漏洞，任何網(wǎng)絡(luò)設(shè)備都可以發(fā)送ARP報(bào)文通告IP地址和MAC地址的映射關(guān)系。這就為ARP欺騙提供了可乘之機(jī)，攻擊者發(fā)送ARPREQUEST報(bào)文或者ARPREPLY報(bào)文通告錯(cuò)誤的IP地址和MAC地址映射關(guān)系，導(dǎo)致網(wǎng)絡(luò)通訊故障。ARP欺騙的危害主要表項(xiàng)為兩種形式：1、PC4發(fā)送ARP報(bào)文通告PC2的IP地址映射為自己的MAC地址，將導(dǎo)致本應(yīng)該發(fā)送給PC2的IP報(bào)文全部發(fā)送到了PC4，這樣PC4就可以監(jiān)聽(tīng)、截獲PC2的報(bào)文；2、PC4發(fā)送ARP報(bào)文通告PC2的IP地址映射為非法的MAC地址，將導(dǎo)致PC2無(wú)法接收到本應(yīng)該發(fā)送給自己的報(bào)文。特別是如果攻擊者假冒網(wǎng)關(guān)進(jìn)行ARP欺騙，將導(dǎo)致整個(gè)網(wǎng)絡(luò)癱瘓。 我們利用交換機(jī)的過(guò)濾表項(xiàng)保護(hù)重要網(wǎng)絡(luò)設(shè)備的ARP表項(xiàng)不能被其它設(shè)備假冒?；驹砭褪抢媒粨Q機(jī)的過(guò)濾表項(xiàng)，檢測(cè)從端口輸入的所有ARP報(bào)文，如果ARP報(bào)文的源IP地址是受到保護(hù)的IP地址，就直接丟棄報(bào)文，不再轉(zhuǎn)發(fā)。ARPGUARD功能常用于保護(hù)網(wǎng)關(guān)不被攻擊，如果要保護(hù)網(wǎng)絡(luò)內(nèi)的所有接入PC不受ARP欺騙攻擊，需要在端口配置大量受保護(hù)的ARPGUARD地址，這將占用大量芯片F(xiàn)FP表項(xiàng)資源，可能會(huì)因此影響到其它應(yīng)用功能，并不適合。此時(shí)推薦采用FREERESOURCE相關(guān)接入方案，詳細(xì)請(qǐng)參考相關(guān)文檔。命令：arp-guardip<addr> noarp-guardip<addr>功能：添加ARPGUARD地址參數(shù)：<addr>：受到保護(hù)的IP地址，點(diǎn)分十進(jìn)制形式命令模式：端口配置模式缺省情況：默認(rèn)沒(méi)有ARPGUARD地址使用指南：配置ARPGUARD地址之后，所配置的安全地址對(duì)所有配置了ARPGUARD的端口都有效，從配置了ARPGUARD的端口接收到的ARP報(bào)文將被進(jìn)行過(guò)濾，如果ARP報(bào)文的源IP地址匹配任意端口所配置ARPGUARD地址，就認(rèn)為是ARP欺騙攻擊報(bào)文，這樣的ARP報(bào)文將直接被丟棄，而不會(huì)被轉(zhuǎn)發(fā)，但是ARP廣播報(bào)文和發(fā)送給交換機(jī)自己的ARP報(bào)文仍然會(huì)被提交交換機(jī)CPU進(jìn)行處理。每個(gè)端口下最多可以配置16個(gè)ARPGUARD地址。ARP-Guard典型的應(yīng)用環(huán)境為接入交換機(jī)不啟用DHCPSnooping功能不能阻擋ARP欺騙報(bào)文時(shí)為保護(hù)網(wǎng)關(guān)地址不被欺騙，在端口應(yīng)用該技術(shù)。有關(guān)arpguard的詳細(xì)配置及應(yīng)用請(qǐng)參考手冊(cè)。防ARP攻擊及欺騙的解決方案綁定Dot1x的DHCPSnooping應(yīng)用（接入PC使用Dot1x認(rèn)證）綁定Dot1x的DHCPSnooping應(yīng)用，是FreeResource解決方案的一種實(shí)現(xiàn)形式。根據(jù)DHCPSnooping數(shù)據(jù)綁定的來(lái)源，又有兩種形式：認(rèn)證客戶(hù)端動(dòng)態(tài)獲取IP地址及認(rèn)證客戶(hù)端靜態(tài)配置IP地址。認(rèn)證客戶(hù)端動(dòng)態(tài)獲取IP地址網(wǎng)絡(luò)拓?fù)淙缦拢簊witch#shorunCurrentconfiguration:!hostnameswitch!ipuserhelper-address192.168.1.245source192.168.1.49ipdhcpsnoopingenableipdhcpsnoopingbindingenable!radius-serverkey3950radius-serverauthenticationhost192.168.1.245radius-serveraccountinghost192.168.1.245aaa-accountingenableaaaenable!dot1xenabledot1xuserfree-resource192.168.10.0255.255.255.0dot1xprivateclientenable!!Vlan1vlan1!anti-arpscanenableanti-arpscanrecoverytime60anti-arpscanip-basedthreshold10!!InterfaceEthernet0/0/1nameuplinkportipdhcpsnoopingtrustanti-arpscantrustsupertrust-port!InterfaceEthernet0/0/2nametoauth-clientipdhcpsnoopingactionblackholerecovery30ipdhcpsnoopingbindingdot1xdot1xenable!InterfaceEthernet0/0/3!InterfaceEthernet0/0/4!InterfaceEthernet0/0/5!InterfaceEthernet0/0/6!InterfaceEthernet0/0/7!InterfaceEthernet0/0/8!InterfaceEthernet0/0/9!InterfaceEthernet0/0/10!InterfaceEthernet0/0/11!InterfaceEthernet0/0/12!InterfaceEthernet0/0/13!InterfaceEthernet0/0/14!InterfaceEthernet0/0/15!InterfaceEthernet0/0/16!InterfaceEthernet0/0/17!InterfaceEthernet0/0/18!InterfaceEthernet0/0/19!InterfaceEthernet0/0/20!InterfaceEthernet0/0/21!InterfaceEthernet0/0/22!InterfaceEthernet0/0/23!InterfaceEthernet0/0/24!InterfaceEthernet0/0/25!InterfaceEthernet0/0/26!InterfaceEthernet0/0/27!InterfaceEthernet0/0/28!!interfaceVlan1interfacevlan1ipaddress192.168.1.49255.255.255.0!switch#showverDCS-3950-28CTDevice,Aug15200709:36:38HardWareversionis1.0SoftWareversionisDCS-3950-28CT_1.3.8.0DCNOSversionisDCNOS_5.1.35.47BootRomversionisDCS-3950-28CT_1.3.2Copyright(C)2001-2007byDigitalChinaNetworksLimited.Allrightsreserved.Systemuptime:0days,6hours,38minutes,15seconds.switch#說(shuō)明：上述配置情況，對(duì)于認(rèn)證客戶(hù)端發(fā)送源IP地址正確，源MAC不正確的ARP欺騙報(bào)文，將導(dǎo)致交換機(jī)上該IP對(duì)應(yīng)ARP表現(xiàn)中MAC地址修改，可以通過(guò)全局配置ipdhcpsnoopingbindingarp來(lái)解決。認(rèn)證客戶(hù)端靜態(tài)配置IP地址可以分兩種情況：通過(guò)交換機(jī)手工設(shè)定客戶(hù)端的綁定關(guān)系或者通過(guò)在DCBI上靜態(tài)設(shè)定IP-MAC并下發(fā)給交換機(jī)來(lái)實(shí)現(xiàn)交換機(jī)對(duì)客戶(hù)端的接入控制。交換機(jī)靜態(tài)配置用戶(hù)綁定關(guān)系如果通過(guò)交換機(jī)手工設(shè)定客戶(hù)端的綁定關(guān)系，交換機(jī)配置如下：switch#shorunCurrentconfiguration:!hostnameswitch!ipuserhelper-address192.168.1.245source192.168.1.49ipdhcpsnoopingenableipdhcpsnoopingbindingenableipdhcpsnoopingbindinguser00-15-58-2B-59-A8address192.168.1.48255.255.255.0vlan1interfaceEthernet0/0/2//該綁定信息會(huì)上傳至DCBI。!radius-serverkey3950radius-serverauthenticationhost192.168.1.245radius-serveraccountinghost192.168.1.245aaa-accountingenableaaaenable!dot1xenabledot1xuserfree-resource192.168.10.0255.255.255.0dot1xprivateclientenable!!Vlan1vlan1!anti-arpscanenableanti-arpscanrecoverytime60anti-arpscanip-basedthreshold20!!InterfaceEthernet0/0/1nameuplinkanti-arpscantrustsupertrust-port!InterfaceEthernet0/0/2nametoauth-clientipdhcpsnoopingactionblackholerecovery30ipdhcpsnoopingbindingdot1xdot1xenable!InterfaceEthernet0/0/3!InterfaceEthernet0/0/4!InterfaceEthernet0/0/5!InterfaceEthernet0/0/6!InterfaceEthernet0/0/7!InterfaceEthernet0/0/8!InterfaceEthernet0/0/9!InterfaceEthernet0/0/10!InterfaceEthernet0/0/11!InterfaceEthernet0/0/12!InterfaceEthernet0/0/13!InterfaceEthernet0/0/14!InterfaceEthernet0/0/15!InterfaceEthernet0/0/16!InterfaceEthernet0/0/17!InterfaceEthernet0/0/18!InterfaceEthernet0/0/19!InterfaceEthernet0/0/20!InterfaceEthernet0/0/21!InterfaceEthernet0/0/22!InterfaceEthernet0/0/23!InterfaceEthernet0/0/24!InterfaceEthernet0/0/25!InterfaceEthernet0/0/26!InterfaceEthernet0/0/27!InterfaceEthernet0/0/28!!interfaceVlan1interfacevlan1ipaddress192.168.1.49255.255.255.0!switch#showversionDCS-3950-28CTDevice,Aug15200709:36:38HardWareversionis1.0SoftWareversionisDCS-3950-28CT_1.3.8.0DCNOSversionisDCNOS_5.1.35.47BootRomversionisDCS-3950-28CT_1.3.2Copyright(C)2001-2007byDigitalChinaNetworksLimited.Allrightsreserved.Systemuptime:0days,1hours,15minutes,13seconds.switch#認(rèn)證前switch#showdot1xinte0/0/2802.1XisenabledonethernetEthernet0/0/2AuthenticationMethod:UserbasedadvancedMaxUserNumber:10NotifyDCBIis1ConfigUserNumber:1ip:192.168.1.48,mac:00-15-58-2b-59-a8,authentiacted:0switch#showipdhcpsninte0/0/2interfaceEthernet0/0/2userconfig:trustattribute:untrustaction:blackholebindingdot1x:enabledbindinguser:disabledrecoveryinterval:30(s)Alarminfo:0Bindinginfo:1DHCPSnoopingBindingbuiltatMONJAN0101:01:202001TimeStamp:978310880RefCount:2Vlan:1,Port:Ethernet0/0/2ClientMAC:0015.582B.59A8ClientIP:192.168.1.48255.255.255.0Gateway:0.0.0.0Lease:3600(s)Flag:3ExpiredBinding:0RequestBinding:0switch#switch#認(rèn)證成功后switch#showipdhcpsninte0/0/2interfaceEthernet0/0/2userconfig:trustattribute:untrustaction:blackholebindingdot1x:enabledbindinguser:disabledrecoveryinterval:30(s)Alarminfo:0Bindinginfo:1DHCPSnoopingBindingbuiltatMONJAN0101:01:202001TimeStamp:978310880RefCount:2Vlan:1,Port:Ethernet0/0/2ClientMAC:0015.582B.59A8ClientIP:192.168.1.48255.255.255.0Gateway:0.0.0.0Lease:3600(s)Flag:3//不同F(xiàn)lag值表示什么？ExpiredBinding:0RequestBinding:0switch#showdot1xinte0/0/2802.1XisenabledonethernetEthernet0/0/2AuthenticationMethod:UserbasedadvancedMaxUserNumber:10NotifyDCBIis1ConfigUserNumber:1ip:192.168.1.48,mac:00-15-58-2b-59-a8,authentiacted:1StatusAuthorizedPort-controlAutoSupplicant00-15-58-2b-59-a8VLANid1AuthenticatorStateAuthenticatedBackendStateIdleReauthenticationStateStopswitch#DCBI靜態(tài)綁定IP-MACACL管理方式如果通過(guò)DCBI靜態(tài)設(shè)定綁定并下發(fā)給交換機(jī)，則在管理端--“接入安全管理”--“靜態(tài)IP-MAC過(guò)濾ACL管理”中定義：交換機(jī)配置如下：switch#shorunCurrentconfiguration:!hostnameswitch!ipuserhelper-address192.168.1.245source192.168.1.49!radius-serverkey3950radius-serverauthenticationhost192.168.1.245radius-serveraccountinghost192.168.1.245aaa-accountingenableaaaenable!dot1xenabledot1xuserfree-resource192.168.10.0255.255.255.0dot1xprivateclientenable!!Vlan1vlan1!anti-arpscanenableanti-arpscanrecoverytime60anti-arpscanip-basedthreshold20!!InterfaceEthernet0/0/1nameuplinkanti-arpscantrustsupertrust-port!InterfaceEthernet0/0/2nametoauth-clientdot1xenable!InterfaceEthernet0/0/3!InterfaceEthernet0/0/4!InterfaceEthernet0/0/5!InterfaceEthernet0/0/6!InterfaceEthernet0/0/7!InterfaceEthernet0/0/8!InterfaceEthernet0/0/9!InterfaceEthernet0/0/10!InterfaceEthernet0/0/11!InterfaceEthernet0/0/12!InterfaceEthernet0/0/13!InterfaceEthernet0/0/14!InterfaceEthernet0/0/15!InterfaceEthernet0/0/16!InterfaceEthernet0/0/17!InterfaceEthernet0/0/18!InterfaceEthernet0/0/19!InterfaceEthernet0/0/20!InterfaceEthernet0/0/21!InterfaceEthernet0/0/22!InterfaceEthernet0/0/23!InterfaceEthernet0/0/24!InterfaceEthernet0/0/25!InterfaceEthernet0/0/26!InterfaceEthernet0/0/27!InterfaceEthernet0/0/28!!interfaceVlan1interfacevlan1ipaddress192.168.1.49255.255.255.0!switch#showverDCS-3950-28CTDevice,Aug15200709:36:38HardWareversionis1.0SoftWareversionisDCS-3950-28CT_1.3.8.0DCNOSversionisDCNOS_5.1.35.47BootRomversionisDCS-3950-28CT_1.3.2Copyright(C)2001-2007byDigitalChinaNetworksLimited.Allrightsreserved.Systemuptime:0days,0hours,2minutes,6seconds.switch#認(rèn)證之前，DCBI必須成功下發(fā)綁定關(guān)系給交換機(jī)，否則無(wú)法認(rèn)證成功。switch#showipdhcpsnoopinginte0/0/2DHCPSnoopingisdisabledinterface(null)userconfig:trustattribute:untrustaction:nonebindingdot1x:disabledbindinguser:disabledrecoveryinterval:0(s)Alarminfo:0Bindinginfo:0ExpiredBinding:0RequestBinding:0switch#showdot1xinte0/0/2802.1XisenabledonethernetEthernet0/0/2AuthenticationMethod:UserbasedadvancedMaxUserNumber:10NotifyDCBIis1ConfigUserNumber:1ip:192.168.1.48,mac:00-15-58-2b-59-a8,authentiacted:0///提示已下發(fā)成功switch#認(rèn)證成功后switch#showipdhcpsnoopinginte0/0/2DHCPSnoopingisdisabledinterface(null)userconfig:trustattribute:untrustaction:nonebindingdot1x:disabledbindinguser:disabledrecoveryinterval:0(s)Alarminfo:0Bindinginfo:0ExpiredBinding:0RequestBinding:0switch#showdot1xinte0/0/2802.1XisenabledonethernetEthernet0/0/2AuthenticationMethod:UserbasedadvancedMaxUserNumber:10NotifyDCBIis1ConfigUserNumber:1ip:192.168.1.48,mac:00-15-58-2b-59-a8,authentiacted:1StatusAuthorizedPort-controlAutoSupplicant00-15-58-2b-59-a8VLANid1AuthenticatorStateAuthenticatedBackendStateIdleReauthenticationStateStopswitch#可見(jiàn)在DCBI下發(fā)綁定IP-MACACL管理應(yīng)用時(shí)，與交換機(jī)的DHCPSnooping沒(méi)有任何關(guān)系，綁定關(guān)系直接下發(fā)到驅(qū)動(dòng)。綁定USER的DHCPSnooping應(yīng)用（接入PC不啟用Dot1x）該模式針對(duì)不需要Dot1x認(rèn)證的環(huán)境。同樣存在2種模式：接入PC動(dòng)態(tài)獲取IP模式和接入PC靜態(tài)配置IP模式接入PC動(dòng)態(tài)獲取IP模式客戶(hù)端通過(guò)DHCP獲取IP地址，DHCPSnooping監(jiān)控DHCP過(guò)程在端口形成綁定信息。（目前認(rèn)證計(jì)費(fèi)組研發(fā)已經(jīng)從DCBI將DCBI收集交換機(jī)的DHCPSnooping綁定信息功能移植到一個(gè)獨(dú)立軟件DSMS（DHCPSnoopingManagementSystem，此軟件目前僅具備查詢(xún)功能，沒(méi)有管理功能），在研發(fā)內(nèi)部交換機(jī)3926SV1V2的某測(cè)試版本中已經(jīng)實(shí)現(xiàn)將該綁定信息上傳至DSMS，但3950-X系列交換機(jī)還沒(méi)有實(shí)現(xiàn)該功能，但有開(kāi)發(fā)計(jì)劃。如果需要該功能請(qǐng)和總部工程師確認(rèn)版本信息。）交換機(jī)配置如下：switch#shorunCurrentconfiguration:!hostnameswitch!ipdhcpsnoopingenableipdhcpsnoopingbindingenable!!Vlan1vlan1!anti-arpscanenableanti-arpscanrecoverytime60anti-arpscanip-basedthreshold20!!InterfaceEthernet0/0/1nameuplinkipdhcpsnoopingtrustanti-arpscantrustsupertrust-port!InterfaceEthernet0/0/2nametoclientipdhcpsnoopingactionblackholerecovery60ipdhcpsnoopingbindinguser-control!InterfaceEthernet0/0/3!InterfaceEthernet0/0/4!InterfaceEthernet0/0/5!InterfaceEthernet0/0/6!InterfaceEthernet0/0/7!InterfaceEthernet0/0/8!InterfaceEthernet0/0/9!InterfaceEthernet0/0/10!InterfaceEthernet0/0/11!InterfaceEthernet0/0/12!InterfaceEthernet0/0/13!InterfaceEthernet0/0/14!InterfaceEthernet0/0/15!InterfaceEthernet0/0/16!InterfaceEthernet0/0/17!InterfaceEthernet0/0/18!InterfaceEthernet0/0/19!InterfaceEthernet0/0/20!InterfaceEthernet0/0/21!InterfaceEthernet0/0/22!InterfaceEthernet0/0/23!InterfaceEthernet0/0/24!InterfaceEthernet0/0/25!InterfaceEthernet0/0/26!InterfaceEthernet0/0/27!InterfaceEthernet0/0/28!!interfaceVlan1interfacevlan1ipaddress192.168.1.49255.255.255.0!switch#showversionDCS-3950-28CTDevice,Aug15200709:36:38HardWareversionis1.0SoftWareversionisDCS-3950-28CT_1.3.8.0DCNOSversionisDCNOS_5.1.35.47BootRomversionisDCS-3950-28CT_1.3.2Copyright(C)2001-2007byDigitalChinaNetworksLimited.Allrightsreserved.Systemuptime:0days,0hours,40minutes,50seconds.switch#獲取地址之前switch#showipdhcpsnoopinginte0/0/2interfaceEthernet0/0/2userconfig:trustattribute:untrustaction:blackholebindingdot1x:disabledbindinguser:enabledrecoveryinterval:60(s)Alarminfo:0Bindinginfo:0ExpiredBinding:0RequestBinding:0switch#獲取地址之后，可以訪(fǎng)問(wèn)所有資源switch#showipdhcpsnoopinginte0/0/2interfaceEthernet0/0/2userconfig:trustattribute:untrustaction:blackholebindingdot1x:disabledbindinguser:enabledrecoveryinterval:60(s)Alarminfo:0Bindinginfo:1DHCPSnoopingBindingbuiltatMONJAN0100:39:282001TimeStamp:978309568RefCount:1Vlan:1,Port:Ethernet0/0/2ClientMAC:0015.582B.59A8ClientIP:192.168.1.56255.255.255.0Gateway:192.168.1.254Lease:3600(s)Flag:0ExpiredBinding:0RequestBinding:0switch#接入PC靜態(tài)配置IP模式PC地址為靜態(tài)獲得，在交換機(jī)上配置DHCPSnooping綁定信息，只有經(jīng)過(guò)配置的接入PC才能訪(fǎng)問(wèn)網(wǎng)絡(luò)，否則不能訪(fǎng)問(wèn)網(wǎng)絡(luò)。switch#showrunCurrentconfiguration:!hostnameswitch!ipdhcpsnoopingenableipdhcpsnoopingbindingenableipdhcpsnoopingbindinguser00-15-58-2B-59-A8address192.168.1.48255.255.255.0vlan1interfaceEthernet0/0/2!!Vlan1vlan1!anti-arpscanenableanti-arpscanrecoverytime60anti-arpscanip-basedthreshold20!!InterfaceEthernet0/0/1nameuplinkipdhcpsnoopingtrustanti-arpscantrustsupertrust-port!InterfaceEthernet0/0/2nametoauth-clientipdhcpsnoopingactionblackholerecovery60ipdhcpsnoopingbindinguser-control!InterfaceEthernet0/0/3!InterfaceEthernet0/0/4!InterfaceEthernet0/0/5!InterfaceEthernet0/0/6!InterfaceEthernet0/0/7!InterfaceEthernet0/0/8!InterfaceE