Agenda. DHCP Overview DHCP Basic. DHCP Additional. DHCP Relay DHCP Snooping DHCP Server. DHCP Security SAVI ND Snooping

Transcription

1 DHCP

2 Agenda DHCP Overview DHCP Basic DHCP Relay DHCP Snooping DHCP Server DHCP Additional DHCP Security SAVI ND Snooping 1

3 Concepts of DHCP DHCP Dynamic Host Configuration Protocol (DHCP) enables a client to dynamically obtain a valid IP address. DHCP server A DHCP server allocates IP addresses to clients. A client sends a packet to the server to request for configurations such as the IP address, subnet mask, and default gateway. After receiving the packet, the server replies with a packet carrying the corresponding configurations according to policies. Both the Request and Reply packets are encapsulated in UDP packets. DHCP relay agent A DHCP relay agent transparently transmits DHCP broadcast packets between the DHCP clients and DHCP server that are on different network segments. DHCP snooping DHCP snooping is introduced to protect DHCP servers and clients against attacks through ARP, IP, or DHCP packets with IP and MAC addresses of other valid users. DHCP Feature BASIC ADDITIONAL DHCP SERVER DHCP RELAY DHCP SNOOPING DHCP SERCURITY 2

4 DHCP Usage and RFC Comply Table The S9700 can be used as 1 A DHCP server 2 A DHCP relay agent Document Description Remarks RFC 1533 DHCP Options and BOOTP Vendor Extensions RFC 1534 Interoperation Between DHCP and BOOTP RFC 2131 Dynamic Host Configuration Protocol RFC 2132 DHCP Options and BOOTP Vendor Extensions RFC 3046 DHCP Relay Agent Information Option RFC 2460 Internet Protocol, Version 6 (IPv6) Specification RFC 3315 Dynamic Host Configuration Protocol for The functions of the DHCPv6 client and IPv6 (DHCPv6) DHCPv6 server are not supported. Dynamic Host Configuration Protocol for RFC 4649 IPv6 (DHCPv6) Relay Agent Remote-ID Option 3

5 DHCP Usage and RFC Comply Table Document Description Remarks RFC3319 RFC3633 DHCPv6 Options for Session Initiation Protocol (SIP) Servers IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6 RFC3646 RFC3898 RFC4075 RFC2461 draft-bi-savi-stateless-00 DNS Configuration options for DHCPv6 Network Information Service (NIS) Configuration Options for DHCPv6 Simple Network Time Protocol (SNTP) Configuration Option for DHCPv6 Neighbor Discovery for IPv6 SAVI Solution for Stateless Address draft-ietf-savi-dhcp-02 draft-ietf-savi-dhcp-09 draft-kaippallimalil-savi-dhcppd-01 SAVI Solution for DHCP(only support DHCPv6) SAVI Solution for Delegated IPv6 Prefixes 4

6 Agenda DHCP Overview DHCP Basic DHCP Server DHCP Relay DHCP Snooping DHCP Additional DHCP Security SAVI ND Snooping 5

7 DHCP Server Principle #1 Three Modes for the Interaction Between the DHCP Client and Server. MODE1:The DHCP client accesses the network for the first time. MODE2:The DHCP client accesses the network for the second time. MODE3:The DHCP client extends the IP address lease. DHCP CLIENT DHCP SERVER DHCP CLIENT DHCP SERVER ½ L DHCP CLIENT DHCP SERVER Selecting Stage OR ¾ L Trigger condition: Four Stage: 1 Discovering stage 2 Offering stage 3 Selecting stage 4 Acknowledging stage Selecting Stage 1 Client Started release 2 Server supply longer lease 3 If no reply at ½ L from server,client release at ¾ L with broadcast packet 4 Available Server supply new lease with dhcp_ack 6

8 DHCP Server Principle #2 Static and Dynamic Allocation of IP Addresses DHCP server provides the following address allocation policies Manual address allocation: An administrator assigns fixed IP addresses to a few specific hosts, such as the WWW server. Automatic address allocation: The server assigns fixed IP addresses to some hosts when they are connected to the network for the first time. These IP addresses can be used by the hosts for a long time. Dynamic address allocation: The server assigns IP addresses with leases to clients. The clients need to apply for new IP addresses when the leases expire. This address allocation policy is widely accepted by most clients. Sequence of IP address allocation IP address that is in the database of the DHCP server and is statically bound to the client's MAC address IP address assigned to the client before, that is, the IP address in the requested IP Address option of the DHCP DISCOVER packet sent by the client IP address first found when the server searches for available IP addresses in the DHCP address pool If the DHCP address pool has no available IP address, the DHCP server searches for the expired IP addresses and conflicting IP addresses in turn for an available IP address. If an available address is found, the server allocates the IP address to the client; otherwise, the server sends an error message. 7

9 Why we use S9700 as DHCP Server? Purpose With the rapid growth in network scales and increment of complexity, for example, the location of hosts frequently changes (for portable computers or wireless networks) and the number of hosts exceeds the number of assignable IP addresses, network configurations become more complicated. To properly and dynamically assign IP addresses to hosts, DHCP is applied. Benefit HOT BACKUP : For a S9700 with two MPUs/SRUs, DHCP data on the two MPUs is backed up in real time. Therefore, after the master/slave switchover is performed, the slave MPU becomes the master MPU; therefore, the DHCP server can function and allocate IP addresses to clients normally. 8

10 DHCP Server Packet Flow SRU Internal HDR+ DHCP Packet CPU 3 4 IP : MAC :PORT Mapping table Control Channel Memory Address Pool Timing Table 5 DHCP Packet export process DHCP Offer/ Reply/ ACK/ NAK Datagram LPU LC CPU 2 Packet Processor 1 DHCP Discover/ Requrest Packet 9

11 DHCP Server Feature Implementation Subcategory Item Specifications Remarks Assigning addresses randomly through the global address pool Binding addresses statically Setting user-defined DHCP options 256 global address pools are supported. MAC addresses and the IP addresses can be bound. Assign specific IP address to specific MAC address DHCP server Supporting detection of DHCP server address conflicts When detecting an address conflict, the DHCP server monitors the status of the addresses until they are idle. This function can be enabled or disabled. key command: dhcp server ping packet number dhcp server ping timeout milliseconds Number of DHCP server groups 64 Number of DHCP servers in each 20 DHCP server group Maximum number of IP relay addresses that can be configured 20 on a VLANIF interface Number of DHCP server groups 1 on a VLANIF interface User online or offline rate supported by the DHCP relay 85 users per second 8*10G board: 60 users per second 10

12 DHCP Server Feature Implementation Subcategory Item Specifications Remarks Address allocation by two-message exchanges addresses and configuration parameters. After receiving the Solicit client multicasts a Solicit packet to find the server that can allocate packet, the server responds with a Reply packet carrying the IP address and configuration parameters allocated to the client. DHCPv6 server Address allocation by four-message exchanges Stateful DHCPv6 mode Stateless DHCPv6 mode Prefix allocation by twomessage exchanges Prefix allocation by fourmessage exchanges A client first multicasts a Solicit packet to find the servers that can provide DHCPv6 services. After receiving Advertise packets from multiple servers, the client selects one server according to server priorities. Then the client and the selected server complete address application and allocation by exchanging Request and Reply packets. The server allocates IP address and configuration, such as DNS, SIP, NIS, and SNTP server configurations, to the client. The server allocates configuration, such as DNS, SIP, NIS, and SNTP server configurations, to the client. A client multicasts a Solicit packet to find the server that can provide services. After receiving the Solicit packet, the server responds with a Reply packet carrying the prefix allocated to the client. A client first multicasts a Solicit packet to find the servers that can provide services. After receiving Advertise packets from multiple servers, the client selects one server according to server priorities. Then the client and the selected server complete prefix application and allocation by exchanging Request and Reply packets. 11

13 DHCP Server Feature Implementation Subcategory Item Specifications Remarks Address pool management Supporting address pools of VPNs Each address pool supporting two DNS server addresses and the DNS suffix Each address pool supporting two NetBIOS server addresses and the NetBIOS server type Assigning IP addresses based on MAC addresses Setting the address pool lease Locking the address pool Setting user-defined options for address pools 1 to 254 Reclaiming addresses manually Enable dhcp server on VLAN IF key command: interface vlanif vlan-id ip address ip-address { mask mask-length dhcp select interface key command: lease { day day [ hour hour [ minute minute ] ] unlimited } The option can be in the IP address format, in the character string, or in hexadecimal notation. 12

14 DHCP Server Feature 1 Feature 1 : Supporting detection of DHCP server address conflicts Usage Scenario The dhcp server ping command is applicable to DHCP servers. Repetitive IP address assignment will cause IP address conflicts. To solve this problem, before assigning an IP address to a client, the DHCP server needs to send ping packets by using the dhcp server ping command to check whether the IP address is in use. The DHCP server first sends a ping packet to the IP address. If there is no response to the ping packet within a specified period, the DHCP server continues to send ping packets to the IP address until the number of sent ping packets reaches the maximum value. If there is still no response, the DHCP server considers that this IP address is not in use and can be assigned to the client. This ensures that a unique IP address is assigned to the client. Example # Set the maximum number of ping packets to be sent to 10 and the maximum response time of each ping packet to 100 ms. <Quidway> system-view [Quidway] dhcp enable [Quidway] dhcp server ping packet 10 [Quidway] dhcp server ping timeout

15 DHCP Server Feature 2 Feature 2 : Locking the address pool Usage Scenario The lock command is applicable to DHCP servers. When a DHCP server needs to be migrated, you simply need to migrate address pools on the DHCP server to another DHCP server on the live network. To retain the addresses that have been assigned to clients from a global address pool, run the lock command to lock the global address pool. When new users get online, they apply for IP addresses from a new address pool. Precautions After the lock command is run, the specified IP address pool is locked and IP addresses in this address pool cannot be assigned to clients. Only the created address pools can be locked. Example # Lock the address pool global1. <Quidway> system-view [Quidway] ip pool global1 [Quidway-ip-pool-global1] lock 14

16 DHCP Server Feature 3 Feature 3 : Reclaiming addresses manually Usage Scenario The reset ip pool command manually recycles the IP addresses that cannot be released in an IP address pool. If an IP address conflict occurs because two clients use the same IP address, run the reset ip pool command to set the IP address to idle. Precautions User information cannot be restored after you clear it. Exercise caution when running the reset ip pool command. DHCP clients must release their old IP addresses before obtaining new IP addresses. Configuration Impact After the reset ip pool command is run, a user may be disconnected if its IP address is within the address range specified in this command. Example # Set all conflicting IP addresses in the IP address pool test to idle. <Quidway> reset ip pool name test conflict 15

17 DHCP Server Configuration Example #1 Example for Configuring a DHCP Server Based on the Global Address Pool Configuration Roadmap STEP 1 : Enable the DHCP server function on SwitchA. <Quidway> system-view [Quidway] dhcp enable 16

18 DHCP Server Configuration Example #2 STEP 2 : Create a global address pool on SwitchA and set the attributes of the address pool, including the range of the address pool, egress gateway, NetBIOS address, and address lease. # Set the attributes of IP address pool 1 [Quidway] ip pool 1 [Quidway-ip-pool-1] network mask [Quidway-ip-pool-1] dns-list [Quidway-ip-pool-1] gateway-list [Quidway-ip-pool-1] excluded-ip-address [Quidway-ip-pool-1] excluded-ip-address [Quidway-ip-pool-1] lease day 10 [Quidway-ip-pool-1] quit # Set the attributes of IP address pool 2 [Quidway] ip pool 2 [Quidway-ip-pool-2] network mask [Quidway-ip-pool-2] dns-list [Quidway-ip-pool-2] nbns-list [Quidway-ip-pool-2] gateway-list [Quidway-ip-pool-2] lease day 2 [Quidway-ip-pool-2] quit 17

19 DHCP Server Configuration Example #3 STEP 3 : Configure VLANIF interfaces to use the global address pool to allocate IP addresses. # Add GE 1/0/1 to VLAN 10 and GE 1/0/2 to VLAN 20. [Quidway] vlan batch [Quidway] interface gigabitethernet 1/0/1 [Quidway-GigabitEthernet1/0/1] port hybrid pvid vlan 10 [Quidway-GigabitEthernet1/0/1] port hybrid untagged vlan 10 [Quidway-GigabitEthernet1/0/1] quit [Quidway] interface gigabitethernet 1/0/2 [Quidway-GigabitEthernet1/0/2] port hybrid pvid vlan 20 [Quidway-GigabitEthernet1/0/2] port hybrid untagged vlan 20 [Quidway-GigabitEthernet1/0/2] quit # Configure the clients on VLANIF 10 to obtain IP addresses from the global address pool. [Quidway] interface vlanif 10 [Quidway-Vlanif10] ip address [Quidway-Vlanif10] dhcp select global [Quidway-Vlanif10] quit # Configure the clients on VLANIF 20 to obtain IP addresses from the global address pool. [Quidway] interface vlanif 20 [Quidway-Vlanif20] ip address [Quidway-Vlanif20] dhcp select global [Quidway-Vlanif20] quit 18

20 DHCP Server Configuration Example #4 STEP 4 : Verify Configuration [Quidway] display ip pool Pool-name : 2 Pool-No : 0 Position : Local Status : Unlocked Gateway-0 : Mask : VPN instance : Pool-name : 1 Pool-No : 2 Position : Local Status : Unlocked Gateway-0 : Mask : VPN instance : -- IP address Statistic Total :250 Used :0 Idle :248 Expired :0 Conflict :0 Disable :2 19

21 Agenda DHCP Overview DHCP Basic DHCP Server DHCP Relay DHCP Snooping DHCP Additional DHCP Security SAVI ND Snooping 20

22 DHCP Relay - Principle #1 DHCP client obtaining an address through the DHCP relay agent for the first time DHCP CLIENT DHCP RELAY DHCP SERVER STEP 1 STEP 2 STEP 3 STEP 4 DHCP client extending the IP address lease through a DHCP relay agent DHCP CLIENT DHCP RELAY DHCP SERVER STEP 1 STEP 2 21

23 DHCP Relay - Principle #2 S9700 DHCP Relay Agent Supporting VPNs To forward DHCP packets on a VPN, you need to configure the DHCP relay agent to support VPNs. Once a private route exists, a DHCP REQUEST packet can be sent to the DHCP server to apply for an IP address. The DHCP relay agent sends a DHCP REQUEST packet from the client on a VPN (or on the public network) to the DHCP server on the local VPN, and then sends a DHCP REPLY packet from the server to the client. DHCP SERVER 1 Client 1 VPN B DHCP RELAY VPN A VPN B VPN C MPLS VPN NETWORK DHCP RELAY VPN B Client 2 Client 3 Currently, the scenario, CE-PE-PE-CE, is applicable. Both the DHCP server and the client can be deployed on the same CE, or the DHCP server is deployed on a PE while the DHCP client is deployed on a CE. 22

24 DHCP Relay - Scenario With the rapid growth in network scales and increment of complexity, for example, the location of hosts frequently changes (for portable computers or wireless networks) and the number of hosts exceeds the number of assignable IP addresses, network configurations become more complicated. To properly and dynamically assign IP addresses to hosts, DHCP is applied. DHCP PACKET L2/L3 Networks DHCP Client DHCP Relay DHCP Relay DHCP Server 23

25 DHCP Relay Packet Flow SRU CPU 4 Memory DHCP Relay Related table 5 DHCP Packet export process Internal HDR+ DHCP Packet 3 Control Channel DHCP Relay Packet (Unicast) LPU LC CPU 2 Packet Processor 1 DHCP Server / Client Packet 24

26 DHCP Relay - Feature Implementation Subcategory Item Specifications Remarks DHCP relay Configuring DHCP relay on the VLANIF interface Configuring DHCP relay on the subinterface Configuring DHCP relay on VPNs Configuring DHCPv6 relay on VLANIFs VLANIF interface-based relay agent DHCPv6 relay DHCPv6 Option 37 (remote-id) DHCPv6 Option 18 (interface-id) 25

27 DHCP Relay Feature 1 Feature 1 : Configuring DHCP relay on the VLANIF interface When functioning as a DHCP relay agent, the S9700 forwards the DHCP Request packets from DHCP clients to the DHCP server. After the DHCP relay function is enabled on the VLANIF interface, set the DHCP server address on the VLANIF interface in either of the following ways: Configure a destination DHCP server group and bind the group to the interface. For details, see Configuring a Destination DHCP Server Group and Binding an Interface to a DHCP Server Group. Run the dhcp relay server-ip ip-address command in the VLANIF interface view to configure the destination DHCP server address. 26

28 DHCP Relay Feature 2 Feature 2 : Configuring DHCP relay on VPNs An enterprise establishes a VPN for employees to communicate with each other. The DHCP server is not in the VPN. Users in the VPN need to obtain IP addresses from the DHCP server. As shown in Figure left, the DHCP clients are located in VPNA, which is in network segment /24; the DHCP server is located in network segment /24. The DHCP packets need to be relayed by the Switch enabled with the DHCP relay function. The DHCP clients on the VPN then can apply for IP addresses from the DHCP server. An address pool containing network segment /24 is configured on the DHCP server. The DHCP server has a reachable route to /24. 27

29 DHCP Relay Configuration Example #1 Configuration Roadmap STEP 1 : Create a DHCP server group and add a DHCP server to the group. STEP 2 : Enable DHCP relay on VLANIF 100 so that the Switch functions as the DHCP relay agent. STEP 3 : Create a VPN instance and bind the DHCP server group and VLANIF interface to the VPN instance. STEP 4 : Bind the specified DHCP server group to VLANIF 100 so that the packets passing VLANIF 100 are forwarded to the specified server. 28

30 DHCP Relay - Configuration Example #2 1. Create a DHCP server group and add DHCP server to the group. <Quidway> system-view [Quidway] sysname Switch [Switch] dhcp server group dhcpgroup1 [Switch-dhcp-server-group-dhcpgroup1] dhcp-server [Switch-dhcp-server-group-dhcpgroup1] quit 2. Enable the DHCP relay function on the VLANIF interface. [Switch] vlan 100 [Switch-Vlan100] quit [Switch] interface gigabitethernet 1/0/0 [Switch-GigabitEthernet1/0/0] port link-type trunk [Switch-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 [Switch-GigabitEthernet1/0/0] quit [Switch] dhcp enable [Switch] interface vlanif 100 [Switch-Vlanif100] dhcp select relay [Switch-Vlanif100] quit 29

31 DHCP Relay - Configuration Example #3 3. Create a VPN instance and bind the DHCP server group and VLANIF interface to the VPN instance. # Create a VPN instance. [Switch] ip vpn-instance vpna [Switch-vpn-instance-vpna] route-distinguisher 1:1 [Switch-vpn-instance-vpna] vpn-target 2:2 both [Switch-vpn-instance-vpna] quit # Bind the DHCP server group to the VPN instance. [Switch] dhcp server group dhcpgroup1 [Switch-dhcp-server-group-dhcpgroup1] vpn-instance vpna [Switch-dhcp-server-group-dhcpgroup1] quit # Bind the VLANIF interface to the VPN instance. [Switch] interface vlanif 100 [Switch-Vlanif100] ip binding vpn-instance vpna 4.Bind the VLANIF interface to the specified DHCP server group. # Set the IP address of the VLANIF interface. [Switch] interface vlanif 100 [Switch-Vlanif100] ip address # Specify a DHCP server for the VLANIF interface. [Switch-Vlanif100] dhcp relay server-select dhcpgroup1 30

32 DHCP Relay - Configuration Example #4 5. Configure the DHCP server and PE. <Quidway> system-view [Quidway] sysname SERVER [SERVER] ip pool 1 [SERVER-ip-pool-1] network mask [SERVER-ip-pool-1] gateway-list [SERVER-ip-pool-1] quit [SERVER] ip route-static <Quidway> system-view [Quidway] sysname PE [PE] vlan 101 [PE-Vlan101] quit [PE] interface gigabitethernet 1/0/0 [PE-GigabitEthernet1/0/0] port link-type trunk [PE-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 [PE-GigabitEthernet1/0/0] quit [PE] ip vpn-instance vpna [PE-vpn-instance-vpna] route-distinguisher 1:1 [PE-vpn-instance-vpna] vpn-target 2:2 both [PE-vpn-instance-vpna] quit [PE] interface vlanif 101 [PE-Vlanif101] ip binding vpn-instance vpna [PE-Vlanif101] ip address [PE-Vlanif101] quit 31 Page 31

33 DHCP Relay - Configuration Example #5 6. Configure MP-IBGP to exchange VPN routing information. [PE] bgp 100 [PE-bgp] peer as-number 100 [PE-bgp] peer connect-interface loopback 1 [PE-bgp] ipv4-family vpnv4 [PE-bgp-af-vpnv4] peer enable [PE-bgp-af-vpnv4] quit [PE-bgp] quit [Switch] bgp 100 [Switch-bgp] peer as-number 100 [Switch-bgp] peer connect-interface loopback 1 [Switch-bgp] ipv4-family vpnv4 [Switch-bgp-af-vpnv4] peer enable [Switch-bgp-af-vpnv4] quit After the configuration, run the display bgp peer command on the PE, and you can see that the BGP peer relationship between the PEs is in Established state. [PE] display bgp peer BGP local router ID : Local AS number : 100 Total number of peers : 1 Peers in established state : 1 Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv :02:21 Established 0 32

34 DHCP Relay - Configuration Example #6 7. Verify the configuration. [Switch] display dhcp relay interface vlanif100 DHCP relay agent running information of interface Vlanif100 : DHCP server group name : dhcpgroup1 DHCP server IP [0] : DHCP server IP [1] : DHCP server IP [2] : DHCP server IP [3] : DHCP server IP [4] : DHCP server IP [5] : DHCP server IP [6] : DHCP server IP [7] : DHCP server IP [8] : DHCP server IP [9] : DHCP server IP [10] : DHCP server IP [11] : DHCP server IP [12] : DHCP server IP [13] : DHCP server IP [14] : DHCP server IP [15] : DHCP server IP [16] : DHCP server IP [17] : DHCP server IP [18] : DHCP server IP [19] :

35 Agenda DHCP Overview DHCP Basic DHCP Server DHCP Relay DHCP Snooping DHCP Additional DHCP Security SAVI ND Snooping 34

36 DHCP Snooping Principle DHCP snooping is a security feature of DHCP. The S9700 creates and maintains the DHCP snooping binding table to filter out untrusted DHCP information that is sent from untrusted zones. The DHCP snooping binding table contains the MAC address, IP address, lease, VLAN ID, interface number of each user in an untrusted zone. When DHCP snooping is enabled on an S9700, the S9700 listens on DHCP packets and records the IP addresses and MAC addresses in the received DHCP Request packets or Ack messages. A physical interface can be configured as a trusted interface or an untrusted interface. A trusted interface can forward received DHCP Reply packets, whereas an untrusted interface discards the received DHCP reply packets. By using DHCP snooping, the S9700 can prevent bogus DHCP servers and ensure that clients obtain IP addresses from valid DHCP servers. 35

37 DHCP Snooping - Scenario Purpose DHCP snooping prevents the following attacks: Bogus DHCP server attack Man-in-the-middle attack and IP/MAC spoofing attack Denial of Service (DoS) attack DoS attack by changing the value of the Client Hardware Address (CHADDR) Benefits DHCP snooping ensures that: Clients obtain IP addresses from valid DHCP servers. The IP addresses and MAC addresses of DHCP clients are recorded, and the binding entries can be used by other Feature. 36

38 DHCP Snooping Packet Flow SRU Trust port or not? DROP N Internal HDR+ DHCP Packet CPU 3 Y 4 Control Channel Memory DHCP Snooping table 5 DHCP Packet export process DHCP Snooping Packet (Unicast) LPU LC CPU 2 Packet Processor 1 DHCP Server Packet 37

39 DHCP Snooping - Feature Implementation Subcategory Item Specifications Remarks DHCP snooping Enabling or disabling DHCP snooping globally or on an interface Configuring the trusted interface for the DHCP server Configuring static entries of DHCP snooping Preventing DHCP starvation attacks Preventing attackers from sending bogus DHCP messages for extending IP address leases Prevent unauthorized servers When the static entry of DHCP snooping is configured, the IP address and VLAN ID must be set. The MAC address and port number are optional. The transmission rate of DHCP packets on an interface or in a VLAN is limited. DHCP Snooping binding table consists static bind-table and dynamic bind-table key command:dhcp snooping check dhcp-rate rate Key command: dhcp snooping check user-bind enable Supporting DHCP snooping in the VPLS Supporting DHCPv6 snooping DHCP snooping static binding table DHCP snooping dynamic binding table Rate of creating/deleting DHCP snooping binding table DHCP snooping over VPLS is enabled by enabling DHCP snooping on a physical interface or in a VLAN. 85 entries per second 38

40 DHCP Snooping - Feature Implementation Subcategory Item Specifications Remarks Global DHCPv6 snooping Interface-based DHCPv6 snooping VLAN-based DHCPv6 snooping DHCPv6 trusted interface Dynamic DHCPv6 snooping binding table The trusted interface can receive packets from the DHCP server. The switch discards the DHCP packets received from untrusted interfaces. The switch dynamically generates DHCPv6 snooping binding entries by capturing and analyzing DHCP packets received from the DHCPv6 server. A binding entry contains the IPv6 address, MAC address, double-layer VLAN IDs, and interface number. DHCPv6 snooping Static DHCPv6 snooping binding table You can manually configure DHCP snooping binding entries. A static binding entry contains the IP address, MAC address, VLAN ID, and interface number. DHCPv6 snooping binding table management Preventing bogus DHCPv6 Request message 1:1 VLAN mapping Super VLAN Port flapping Interface- or VLAN-based PD snooping You can add, delete, modify, and query dynamic and static DHCP snooping binding entries by using commands. If unauthorized users send a large number of bogus DHCP Request messages with variable MAC addresses to extend IP addresses, expired IPv6 addresses cannot be withdrawn. Batch configurations take effect in sub-vlans. Port flapping for binding table 39

41 DHCP Snooping Feature 1 Feature 1 : Supporting DHCP snooping in the VPLS Binding Relationship PHY IF 1 PHY IF 2 PHY IF 3 VLAN 10 VLAN 20 VLAN 30 VPLS VSI 100 VPLS VSI 200 Global & PHYIF Enable PHY IF 1 ACCESS VPLS VSI 100 VLANIF 10 DHCP snooping in the VPLS VLAN 10 PHY IF 2 VPLS VSI 200 VLANIF 20 VLAN 20 VLANIF 30 PHY IF 3 VLAN VLAN PWs Take effect Do not take effect Normal DHCP snooping Take effect E series FA series FC series W series BC series LPUs S series Do not support DHCP Snooping in VPLS 40

42 DHCP Snooping - Limitation If DHCP relay is enabled in a super-vlan, DHCP snooping cannot be enabled in this super-vlan. DHCP snooping over VPLS is not supported by the Physical interface and NONE VPLS VLAN interfaces. It can be enabled only on VPLS VLAN interfaces. DHCP snooping over VPLS cannot be enabled on PWs. S series LPUs do not support DHCP snooping in the VPLS. 41

43 DHCP Snooping Configuration Example #1 Example for Preventing Bogus DHCP Server Attacks Configuration Roadmap STEP 1 : Enable DHCP snooping globally and on the interface. STEP 2: Configure the interface connected to the DHCP server as the trusted interface. STEP 3 : Configure the user-side interface as an untrusted interface. The DHCP Request messages including Offer, ACK, and NAK messages received from the untrusted interface are discarded. STEP 4 : Configure the alarm function for discarded packets. Configure the interface as the trusted interface or an untrusted interface. # Configure the interface on the DHCP server side as the trusted interface. [Quidway] interface gigabitethernet 1/0/0 [Quidway-GigabitEthernet1/0/0] dhcp snooping trusted [Quidway-GigabitEthernet1/0/0] quit 42

44 DHCP Snooping Configuration Example #2 Example for Limiting the Rate of Sending DHCP Messages Configuration Roadmap STEP 1 : Enable DHCP snooping STEP 2 : globally and in the interface view. STEP 3 : Set the rate of sending DHCP Request messages to the protocol stack. STEP 4 : Configure the alarm function for discarded packets. Limit the rate of sending DHCP messages. # Enable the function of checking the rate of sending DHCP Request messages. [Quidway] dhcp snooping check dhcp-rate enable # Set the rate of sending DHCP Request messages. [Quidway] dhcp snooping check dhcp-rate 90 43

45 DHCP Snooping Configuration Example #3 Example for Applying DHCP Snooping on a Layer 2 Network #1 44 Configuration Roadmap STEP 1 : Enable DHCP snooping globally and in the interface view. STEP 2 : Configure interfaces to be trusted or untrusted to prevent bogus DHCP server attacks. STEP 3 : Configure the DHCP snooping binding table and check DHCP Request messages by matching them with entries in the binding table to prevent attackers from sending bogus DHCP messages for extending IP address leases. STEP 4 : Configure the function of checking the CHADDR field in DHCP Request messages to prevent attackers from changing the CHADDR field in DHCP Request messages. STEP 5 : Set the rate of sending DHCP Request messages to the protocol stack to prevent attackers from sending a large number of DHCP Request messages. STEP 6 : Configure the Option 82 function and create the binding table that contains information about the interface. STEP 7 : Configure the alarm function for discarded packets and the alarm function for checking the rate of sending packets.

46 DHCP Snooping Configuration Example #3 Example for Applying DHCP Snooping on a Layer 2 Network #2 Enable DHCP snooping. # Enable DHCP snooping globally. <Quidway> system-view [Quidway] dhcp enable [Quidway] dhcp snooping enable # Enable DHCP snooping on the interface at the user side. The configuration procedure of GE 1/0/1 is the same as the configuration procedure of GE 1/0/0, and is not mentioned here. [Quidway] interface gigabitethernet 1/0/0 [Quidway-GigabitEthernet1/0/0] dhcp snooping enable [Quidway-GigabitEthernet1/0/0] quit Configure the interface as trusted. # Configure the interface connecting to the DHCP server as the trusted interface and enable DHCP snooping on all the interfaces connecting to the DHCP client. If the interface on the client side is not configured as trusted, the default mode of the interface is untrusted after DHCP snooping is enabled on the interface. This prevents bogus DHCP server attacks. [Quidway] interface gigabitethernet 2/0/0 [Quidway-GigabitEthernet2/0/0] dhcp snooping trusted [Quidway-GigabitEthernet2/0/0] quit 45

47 DHCP Snooping Configuration Example #4 Example for Applying DHCP Snooping on a Layer 2 Network #3 Configure the checking for certain types of packets. # Enable the checking of DHCP Request messages on the interfaces on the DHCP client side to prevent attackers from sending bogus DHCP messages for extending IP address leases. The configuration of GE 1/0/1 is the same as the configuration of GE 1/0/0, and is not mentioned here. [Quidway] interface gigabitethernet 1/0/0 [Quidway-GigabitEthernet1/0/0] dhcp snooping check user-bind enable [Quidway-GigabitEthernet1/0/0] quit # Enable the checking of the CHADDR field on the interfaces on the DHCP client side to prevent attackers from changing the CHADDR field in DHCP Request messages. The configuration of GE 1/0/1 is the same as the configuration of GE1/0/0, and is not mentioned here. [Quidway] interface gigabitethernet 1/0/0 [Quidway-GigabitEthernet1/0/0] dhcp snooping check mac-address enable [Quidway-GigabitEthernet1/0/0] quit 46

48 DHCP Snooping Configuration Example #5 Example for Applying DHCP Snooping on a Layer 2 Network #4 Limit the rate of sending DHCP messages. # Check the rate of sending DHCP messages to prevent attackers from sending DHCP Request messages. [Quidway] dhcp snooping check dhcp-rate enable [Quidway] dhcp snooping check dhcp-rate 90 Configure the Option 82 function. [Quidway] interface gigabitethernet 1/0/0 [Quidway-GigabitEthernet1/0/0] dhcp option82 insert enable [Quidway-GigabitEthernet1/0/0] quit Configure the alarm function for discarded packets. [Quidway] interface gigabitethernet 1/0/0 [Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address enable [Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind enable [Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply enable [Quidway-GigabitEthernet1/0/0] dhcp snooping alarm mac-address threshold 120 [Quidway-GigabitEthernet1/0/0] dhcp snooping alarm user-bind threshold 120 [Quidway-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply threshold 120 [Quidway-GigabitEthernet1/0/0] quit # Enable the alarm function for checking the rate of sending DHCP messages, and set the alarm threshold for checking the rate of sending DHCP messages. [Quidway] dhcp snooping check dhcp-rate alarm enable [Quidway] dhcp snooping check dhcp-rate alarm threshold 80 47

49 Agenda DHCP Overview DHCP Basic DHCP Server DHCP Relay DHCP Snooping DHCP Additional DHCP Security SAVI ND Snooping 48

50 DHCP Security Feature Implementation Subcategory Item Specifications Remarks DHCP security binding Setting the format of Option 82 Setting the policy for processing Option 82 on an interface Binding an IP address to the MAC address, VLAN ID, or interface flexibly Enabling or disabling the function of checking the DHCP relay address based on the Restoring entries in the DHCP snooping/relay/server binding table after restart Supporting static binding Enabling or disabling the detection on bogus DHCP servers Limiting the transmission rate of DHCP packets sent to the host The default format, the format conforming to the DSLAM standard, and the user-defined format are supported. The Option 82 field in a packet can be kept or replaced. Match certain entries in the binding table, for example, IP address or MAC address, which are irrelevant to the DHCP relay. It can be configured. The server address is recorded and the administrator checks whether it is the address is invalid by using the trusted interface. An alarm is generated if the address is invalid. Note: This version does not support removing of the Option 82 field. 49

51 Restoring entries in the DHCP after restart S9700 Memory DHCP DATA Command dhcp server database enable dhcp server database write-delay XXX Restart S9700 Memory DHCP DATA dhcp server database recover DHCP DATA Lease.txt Conflict.txt CF Card 50

52 DHCP Security Feature 1 Feature 1 : Restoring entries in the DHCP snooping/relay/server binding table after restart Usage Scenario When the S9700 functions as a DHCP server, run the dhcp server database command to enable the S9700 to save DHCP data to storage devices. This avoids data loss caused by device faults. Then the system generates lease.txt and conflict.txt files in the CF card. The two files save address lease information and address conflict information respectively. After the dhcp server database command is run, the current DHCP data is automatically saved at the specified interval, and previous data files are overwritten. The interval can be set by using the dhcp server database write-delay interval command. If a fault occurs on the S9700, run the dhcp server database recover command to recover DHCP data from storage devices after the system restarts. Example # Enable the S9700 to save the current DHCP data to storage devices and set the interval at which DHCP data is saved to 36000s. <Quidway> system-view [Quidway] dhcp server database enable [Quidway] dhcp server database write-delay # Recover DHCP configuration by using the DHCP data saved on storage devices. <Quidway> system-view [Quidway] dhcp server database recover 51

53 Agenda DHCP Overview DHCP Basic DHCP Server DHCP Relay DHCP Snooping DHCP Additional DHCP Security SAVI ND Snooping 52

54 SAVI Feature Implementation Subcategory Item Specifications Remarks Enabling and disabling global SAVI Source Address Validation Improvements (SAVI) creates address-port binding entries to verify the source addresses of the packets received on the specified port. Generating DHCPv6 snooping binding entries The switch listens on DHCPv6 address allocation process, dynamically generates binding entries, or uses static binding entries. Protocol packet check based on The switch can verify DHCPv6 and ND packets based on DHCPv6 snooping binding entries DHCPv6 snooping entries. Generating ND snooping binding The switch listens on ND address allocation process and entries generates dynamic binding entries. Protocol packet check based on ND The switch can verify DHCPv6 and ND packets based on snooping binding entries ND snooping entries. SAVI Generating PD snooping binding entries Protocol packet check based on PD snooping binding entries The switch listens on DHCPv6 PD prefix allocation process, dynamically generates prefix binding entries, or uses static prefix binding entries. The switch can verify DHCPv6 and ND packets based on PD snooping entries. Delivering IPSGv6 entries based on DHCPv6, ND snooping, and PD snooping binding entries. Checking DHCPv6 snooping trusted interface If IPSGv6 is enabled, the switch requests the IPSGv6 module to deliver binding entries to the forwarding plane to verify the forwarded data packets. Checking ND snooping trusted interface The switch discards the RA packets received from untrusted interfaces. 53

55 SAVI: Source Address Validation Improvement Source Address Validation Improvements (SAVI) creates address-port binding entries to verify the source addresses of the packets received on the specified port. Based on duplicate address detection, SAVI listens on address allocation control packets, and creates binding entries. After a binding entry is created, the switch verifies the data and protocol packets received on the specified port. The switch forwards valid packets and discards invalid packets. Function: Address Allocation Mode:DHCPv6,SLAAC Scenarios: DHCPv6-only:Only support DHCPv6 in network SLAAC-only: Only support SLAAC in network Mix Scenario:DHCPv6+SLAAC SLAAC-Stateless Address Auto-configuration 54

56 SAVI: DHCPv6 Mode Host (MAC1) DHCPv6 Request SAVI Port 1 Switch Downlink DHCPv6 Reply Get Address A DAD NS DHCPv6 Port 24 Server Uplink DHCPv6 Request DHCPv6 Reply Allot Address A Add a item to table: (Port 1, MAC1, A) Data Packet(src=A) Data Packet(src!=A) 55

57 SAVI: SLAAC Mode Host (MAC1) SAVI Port 1 Switch Downlink Port 24 Uplink DAD NS Data Packet(src=A) Add a item to table: (Port 1, MAC1, A) Data Packet(src!=A) DAD NS: Duplicate Address Detection Neighbor Solicitation 56

58 DHCP-only :Configuration Example Global configuration [Quidway] savi enable (Enable the SAVI feature globally) [Quidway] dhcp enable (Enable the DHCP feature globally) [Quidway] dhcp snooping enable (Enable the DHCP snooping feature globally) User side interface Ethernet0/0/10 configuration Enable the DHCP snooping feature on the interface [Quidway-Ethernet0/0/10] dhcp snooping enable The port which enabled this command called SAVI-Validation port. Users get online through this port can create the DHCP binding table, but if you want to create filter table to filter the packet by the source address of the IP packet, you need to configure ip source check userbind enable on this interface. Enable the IPSG feature on the interface [Quidway-Ethernet0/0/10] ip source check user-bind enable This command only can be configured on the SAVI-Validation port,and once configured this port can filter IP packet passed through this port by the IP source address according the binding table, only packets whose IP address and MAC, interface, VLAN match the binding table can pass through this port, others will be dropped. Network side interface Ethernet0/0/20 configuration Configure the port as DHCP trust port [Quidway-Ethernet0/0/20] dhcp snooping trusted The port which is configured as SAVI-DHCP-Trust can pass DHCP packets sent by server. 57

59 DHCP-SLAAC-MIX :Configuration Example Global configuration [Quidway] savi enable ( Enable the SAVI feature globally ) [Quidway] dhcp enable ( Enable the DHCP feature globally ) [Quidway] dhcp snooping enable ( Enable the DHCP snooping feature globally ) [Quidway] nd snooping enable (Enable the ND snooping feature globally) User side interface Ethernet0/0/10 configuration Enable the DHCP snooping feature on the interface [Quidway-Ethernet0/0/10] dhcp snooping enable Enable the ND snooping feature on the interface [Quidway-Ethernet0/0/10] nd snooping enable Enable the IPSG feature on the interface [Quidway-Ethernet0/0/10] ip source check user-bind enable When configured the three commands,this port called SAVI-Validation port, and users get online through this port can create DHCP binding table and SLAAC binding table, at the same time create filter table according to the binding table to filter the IP packets by source address. Network side interface Ethernet0/0/20 configuration Configure the port as DHCP trust port [Quidway-Ethernet0/0/20] dhcp snooping trusted The port which is configured as SAVI-DHCP-Trust port can pass the DHCP packets sent from the server. Configure the port as ND trust port [Quidway-Ethernet0/0/20] nd snooping trusted The port which is configured as SAVI-RA-Trust port can pass the RA packets sent from the server. 58

60 Agenda DHCP Overview DHCP Basic DHCP Server DHCP Relay DHCP Snooping DHCP Additional DHCP Security SAVI ND Snooping 59

61 ND Snooping Feature Implementation Subcategory Item Specifications Remarks Global, interface-based, and VLANbased ND snooping. ND Snooping Maximum number of ND binding entries The value is the same as the maximum number of DHCPv6 binding entries. 60

62 ND SNOOPING: ND User security ND : Neighbor Discovery Protocol Basic idea: The IPv6 node which has passed the no-state address distribution, will combine the address prefix of the notification with the interface ID created by itself to make the address when receiving the notification of link router. The Ipv6 node will send NS packet for DAD detecting before use the address, no matter the address is get through state, nostate or configured manually. The IPv6 node will receive relevant NA packet when there is address conflict in the network. Device creates or deletes the ND binding table by detecting the NS packets and NA packets of the network. 61

63 ND SNOOPING Host (MAC1) ND RS Nd snp Switch Port 1 downlink Port 24 uplink ND RS ND prefix management switch Distribute prefix A Get address A1 ND RA DAD NS(prefix=A) Data Packet(src=A1) ND RA Add a prefix to bind the table: (Port 1,prefixA) Add a prefix to bind the table: (Port 1, MAC1, A1) Data Packet(src!=A1) 62

64 ND SNOOP-INGConfiguration Example Global configuration [Quidway] savi enable (Enable the SAVI feature globally) [Quidway] dhcp enable (Enable the DHCP feature globally) [Quidway] nd snooping enable (Enable the ND snooping feature globally) User side interface Ethernet0/0/10 configuration Enable the ND snooping feature on the interface [Quidway-Ethernet0/0/10] nd snooping enable The port which enabled this command called SAVI-Validation port. Users get online through this port can get a SLAAC binding table. But if you want to create filtration table to filter the IP packets by the source address, you need to configure ip source check user-bind enable on the interface. Enable the IPSG feature on the interface [Quidway-Ethernet0/0/10] ip source check user-bind enable this command has to be configured on the SAVI-Validation port,and once configured the IP packet passed through this port will be filtered by the IP source address according to the binding table, only packets whose source IP address and MAC, interface, VLAN accord with the binding table can pass through this port, others will be dropped. Network side interface Ethernet0/0/20 configuration The interface configured as ND trust interface [Quidway-Ethernet0/0/20] nd snooping trusted The port configured as SAVI-RA-Trust port can pass the RA packets sent from the server 63

65 DHCP Feature Summary top 3~5 S9700 can only act as DHCP server and DHCP relay agent, can t act as an DHCP client. DHCP server support global address pool and interface address pool. When S9700 deployed double SRUs and act as an DHCP server, it can support DHCP server hot backup. S9700 DHCP Relay Agent and DHCP Snooping Supporting VPNs. Except the S series LPUs. S9700 supports DHCPv6 server and DHCPv6 relay agent. 64

66 HUAWEI ENTERPRISE ICT SOLUTIONS A BETTER WAY Copyright 2012 Huawei Technologies Co., Ltd. All Rights Reserved. The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.