HCNP Lab: DHCP Configuration
Learning objectives
1. Master the configuration of an ip pool
2. Master the configuration of a DHCP server
3. Master the configuration of a DHCP client
4. Master the configuration of DHCP relay
5. Master the basic configuration of DHCP Snooping
Topology diagram:
Scenario:
Suppose you are the administrator of a company. The company has a large number of network hosts, so static address assignment is hard to manage and a DHCP server needs to be set up.
R1 is the DHCP server. R4 is the DHCP client. R2 is the gateway for the devices under switch S1; because DHCP Discover is a broadcast and cannot cross a router, DHCP relay is deployed so that R2 forwards the request packets to R1. S2 gets no configuration and simply forwards transparently.
To improve network security and prevent other DHCP servers from handing clients wrong addresses, DHCP snooping is deployed on switch S1. R4 must obtain an address from the DHCP server (R1) and must not obtain one from DHCP2 (R3).
To strengthen protection further, enable some DHCP snooping features that prevent starvation attacks and DHCP man-in-the-middle attacks.
Learning tasks
Step 1: Basic configuration and IP addressing
R1:
sys
sysname R1
int g0/0/2
ip add 10.0.12.1 24
int lo0
ip add 1.1.1.1 32
R2:
sys
sysname R2
int g0/0/1
ip add 10.0.12.2 24
int g0/0/2
ip add 10.10.10.1 24
int lo0
ip add 2.2.2.2 32
R3:
sys
sysname R3
int g0/0/1
ip add 192.168.1.1 24
Configure the DHCP client on R4's interface so that it obtains an IP address via DHCP:
R4:
system-view
sysname R4
dhcp enable
int g0/0/1
ip address dhcp-alloc
Give the switches names and shut down unnecessary interfaces:
SW1:
sys
sysname SW1
SW2:
sys
sysname SW2
Step 2: Configure routing between R1 and R2
R1 advertises its loopback route to R2, and R2 advertises the route of its interface connected to S2 to R1,
so that the LAN gateway and the external network can reach each other;
R1:
sys
ospf 1 router-id 1.1.1.1
area 0
network 10.0.12.0 0.0.0.255
network 1.1.1.1 0.0.0.0
R2:
sys
ospf 1 router-id 2.2.2.2
silent-interface g0/0/2
area 0
network 10.0.12.0 0.0.0.255
network 10.10.10.0 0.0.0.255
network 2.2.2.2 0.0.0.0
R2's interface connected to the switch is set as a silent interface, which still advertises that network segment but never forms a neighbor on that interface. Verify that the two networks can reach each other:
[R2]ping -a 10.10.10.1 1.1.1.1
PING 1.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 1.1.1.1: bytes=56 Sequence=1 ttl=255 time=60 ms
Reply from 1.1.1.1: bytes=56 Sequence=2 ttl=255 time=50 ms
Reply from 1.1.1.1: bytes=56 Sequence=3 ttl=255 time=40 ms
Reply from 1.1.1.1: bytes=56 Sequence=4 ttl=255 time=40 ms
Reply from 1.1.1.1: bytes=56 Sequence=5 ttl=255 time=50 ms
--- 1.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/48/60 ms
Step 3: Configure IP pools
Create one address pool on each of R1 and R3. R1's address range is 10.10.10.0/24, the gateway is R2's g0/0/0
interface address 10.10.10.1, and the DNS address is 1.1.1.1. To make sure that some static addresses in this network are never handed out,
reserve 10.10.10.2-10 so that DHCP does not assign them dynamically. R3's pool range is 192.168.1.0/24,
the gateway is R3's G0/0/0 interface address 192.168.1.1, and the DNS address is 192.168.1.1;
reserve 192.168.1.2-10 so that DHCP does not assign them dynamically. The lease time on both servers is set to 3 days.
R1:
sys
ip pool DHCP
gateway-list 10.10.10.1
network 10.10.10.0 mask 255.255.255.0
excluded-ip-address 10.10.10.2 10.10.10.10
dns-list 1.1.1.1
lease day 3 hour 3 minute 3
R3:
sys
ip pool dhcp
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
excluded-ip-address 192.168.1.2 192.168.1.10
dns-list 192.168.1.1
lease day 3 hour 0 minute 4
Verify the pool configuration:
R1:
[R1]dis ip pool
-----------------------------------------------------------------------
Pool-name : DHCP
Pool-No : 0
Position : Local Status : Unlocked
Gateway-0 : 10.10.10.1
Mask : 255.255.255.0
VPN instance : --
IP address Statistic
Total :253
Used :0 Idle :244
Expired :0 Conflict :0 Disable :9
R3:
[R3-ip-pool-dhcp]q
[R3]dis ip pool
-----------------------------------------------------------------------
Pool-name : dhcp
Pool-No : 0
Position : Local Status : Unlocked
Gateway-0 : 192.168.1.1
Mask : 255.255.255.0
VPN instance : --
IP address Statistic
Total :253
Used :0 Idle :244
Expired :0 Conflict :0 Disable :9
Step 4: Configure a DHCP server based on the global address pool
The pool parameters were configured in the previous step,
but clients cannot use the pool yet; DHCP must be enabled globally and on the interface:
R3:
sys
dhcp enable
int g0/0/1
dhcp select global
Once DHCP is configured on R3, R4 should obtain an address normally:
<R4>dis ip interface GigabitEthernet 0/0/1
GigabitEthernet0/0/1 current state : UP
Line protocol current state : UP
The Maximum Transmit Unit : 1500 bytes
input packets : 0, bytes : 0, multicasts : 0
output packets : 93, bytes : 30504, multicasts : 0
Directed-broadcast packets:
received packets: 0, sent packets: 93
forwarded packets: 0, dropped packets: 0
ARP packet input number: 0
Request packet: 0
Reply packet: 0
Unknown packet: 0
Internet Address is allocated by DHCP, 192.168.1.254/24
Broadcast address : 192.168.1.255
TTL being 1 packet number: 0
TTL invalid packet number: 0
ICMP packet input number: 0
Echo reply: 0
Unreachable: 0
Source quench: 0
Routing redirect: 0
Echo request: 0
Router advert: 0
Router solicit: 0
Time exceed: 0
IP header bad: 0
Timestamp request: 0
Timestamp reply: 0
Information request: 0
Information reply: 0
Netmask request: 0
Netmask reply: 0
Unknown type: 0
The output shows that the IP address on this interface was obtained via DHCP,
and the address is 192.168.1.254.
Step 5: Configure DHCP relay
R3 is now configured as a temporary test DHCP server, but the DHCP server we actually want to use
is R1. Because DHCP Discover messages cannot be sent from the client directly to R1,
DHCP relay must be configured on R2, so that R2, as the gateway of the LAN connected to S1,
forwards the DHCP requests on behalf of these clients.
First enable DHCP on R1:
R1:
sys
dhcp enable
interface GigabitEthernet0/0/2
dhcp select global
On R2, specify the DHCP server address 10.0.12.1 and configure DHCP relay on the interface:
R2:
sys
dhcp enable
dhcp server group server1
dhcp-server 10.0.12.1
quit
interface GigabitEthernet0/0/2
dhcp select relay
dhcp relay server-select server1
Verify the DHCP relay configuration on R2:
display dhcp server group
display dhcp relay all
[R2-GigabitEthernet0/0/2]display dhcp relay all
DHCP relay agent running information of interface GigabitEthernet0/0/2 :
Server group name : server1
Gateway address in use : 10.10.10.1
[R2-GigabitEthernet0/0/2]
[R2-GigabitEthernet0/0/2]display dhcp server group
Group-name : server1
(0) Server-IP : 10.0.12.1
Gateway : --
VPN instance : --
1 DHCP server group(s) in total
The output shows that a DHCP server group is configured on R2 with one server in it, address 10.0.12.1,
and that DHCP relay is enabled on R2's g0/0/1 interface; the relay will forward DHCP requests to the server
10.0.12.1 in the group.
To further verify that the DHCP relay works, first shut down R3's interface, then shut down
R4's interface, and finally bring it back up. Under normal conditions R4 should obtain an address from the 10.10.10.0/24 subnet
and must not obtain an address from DHCP2 (R3).
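The following Python model is an added example; it is not part of the lab and is not Huawei's implementation. It ties step 3 and step 5 together: the pool class reproduces the Total/Idle/Disable figures of display ip pool (usable hosts minus the gateway, minus the excluded-ip-address range), and the relay stamps giaddr with its interface address so that R1, which never hears R4's broadcast, can still select the 10.10.10.0/24 pool. Assumptions that the lab does not state: addresses are handed out from the top of the range downwards (which matches the 10.10.10.254 the lab observed), a server chooses a pool by giaddr when one is present and by the receiving interface's subnet otherwise, and the client MAC address is constructed.

```python
"""Added example, not part of the lab: toy model of the step 3 address pool and
the step 5 relay. Assumed: top-down allocation, pool selection by giaddr (or by
the receiving subnet when giaddr is 0.0.0.0), constructed client MAC."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class IpPool:
    """One 'ip pool': network, gateway-list, excluded-ip-address, dns-list, lease."""
    name: str
    network: Net
    gateway: IPv4
    dns: list[str]
    excluded: list[tuple[str, str]]
    lease_seconds: int
    used: dict[str, IPv4] = field(default_factory=dict)  # chaddr -> leased address

    def _disabled(self) -> set[IPv4]:
        out: set[IPv4] = set()
        for lo, hi in self.excluded:
            out.update(IPv4(i) for i in range(int(IPv4(lo)), int(IPv4(hi)) + 1))
        return out

    def _assignable(self) -> list[IPv4]:
        # usable hosts minus the gateway: the 'Total' line of 'display ip pool'
        return [h for h in self.network.hosts() if h != self.gateway]

    def statistics(self) -> dict[str, int]:
        total, disabled = self._assignable(), self._disabled()
        idle = [h for h in total if h not in disabled and h not in self.used.values()]
        return {"Total": len(total), "Used": len(self.used),
                "Idle": len(idle), "Disable": len(disabled)}

    def allocate(self, chaddr: str) -> IPv4:
        if chaddr in self.used:                     # REQUEST after OFFER: same lease
            return self.used[chaddr]
        disabled = self._disabled()
        for host in reversed(self._assignable()):   # highest free address first (assumed)
            if host not in disabled and host not in self.used.values():
                self.used[chaddr] = host
                return host
        raise RuntimeError(f"pool {self.name} exhausted")


@dataclass
class DhcpMessage:
    op: str                   # DISCOVER / OFFER / REQUEST / ACK
    chaddr: str               # client hardware address
    giaddr: str = "0.0.0.0"   # relay agent address, 0.0.0.0 when not relayed
    yiaddr: str = "0.0.0.0"   # address offered/acknowledged by the server
    options: dict = field(default_factory=dict)


class DhcpServer:
    """'dhcp select global': serve from whichever pool matches the request."""

    def __init__(self, pools: list[IpPool]) -> None:
        self.pools = pools

    def select_pool(self, msg: DhcpMessage, rx_subnet: Net) -> IpPool:
        giaddr = IPv4(msg.giaddr) if msg.giaddr != "0.0.0.0" else None
        for pool in self.pools:
            if giaddr is not None and giaddr in pool.network:   # relayed request
                return pool
            if giaddr is None and pool.network == rx_subnet:    # directly connected client
                return pool
        raise LookupError("no pool matches this request")

    def handle(self, msg: DhcpMessage, rx_subnet: Net) -> DhcpMessage:
        pool = self.select_pool(msg, rx_subnet)
        ip = pool.allocate(msg.chaddr)
        reply = "OFFER" if msg.op == "DISCOVER" else "ACK"
        opts = {"router": str(pool.gateway), "dns": pool.dns, "lease": pool.lease_seconds}
        return DhcpMessage(reply, msg.chaddr, msg.giaddr, str(ip), opts)


class DhcpRelay:
    """'dhcp select relay' on R2: re-send the client broadcast as a unicast to the
    server group, with giaddr set to the relay interface address."""

    def __init__(self, iface_ip: str, server: DhcpServer, uplink: Net) -> None:
        self.iface_ip, self.server, self.uplink = iface_ip, server, uplink
        self.stats = {"from_clients": 0, "to_servers": 0, "from_servers": 0, "to_clients": 0}

    def forward(self, msg: DhcpMessage) -> DhcpMessage:
        self.stats["from_clients"] += 1
        if msg.giaddr == "0.0.0.0":                 # only the first relay hop sets giaddr
            msg.giaddr = self.iface_ip
        self.stats["to_servers"] += 1
        reply = self.server.handle(msg, self.uplink)  # server receives it on the 10.0.12.0/24 link
        self.stats["from_servers"] += 1
        self.stats["to_clients"] += 1               # relay unicasts the reply back to the client
        return reply


def r1_pool() -> IpPool:
    return IpPool("DHCP", Net("10.10.10.0/24"), IPv4("10.10.10.1"), ["1.1.1.1"],
                  [("10.10.10.2", "10.10.10.10")], 3 * 86400)


def run_lab() -> dict:
    """Replay step 5: R4 (constructed MAC) discovers through the R2 relay to R1."""
    pool = r1_pool()
    before = pool.statistics()
    relay = DhcpRelay("10.10.10.1", DhcpServer([pool]), Net("10.0.12.0/24"))
    offer = relay.forward(DhcpMessage("DISCOVER", "00:e0:fc:00:00:04"))
    ack = relay.forward(DhcpMessage("REQUEST", "00:e0:fc:00:00:04"))
    return {"before": before, "after": pool.statistics(), "offer": offer,
            "ack": ack, "relay_stats": relay.stats}
```

Running run_lab() reproduces the numbers seen later in this step: Total 253, Idle 244 and Disable 9 before the exchange, Used 1 and Idle 243 after it, an OFFER/ACK for 10.10.10.254 carrying giaddr 10.10.10.1, and two packets in each direction on the relay, as in display dhcp relay statistics.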
R3:
sys
int g0/0/1
shutdown
R4:
sys
int g0/0/1
shutdown
undo shutdown
Check the IP address of R4's g0/0/1 interface:
<R4>dis ip interface GigabitEthernet 0/0/1
GigabitEthernet0/0/1 current state : UP
Line protocol current state : UP
The Maximum Transmit Unit : 1500 bytes
input packets : 0, bytes : 0, multicasts : 0
output packets : 44, bytes : 14461, multicasts : 0
Directed-broadcast packets:
received packets: 0, sent packets: 44
forwarded packets: 0, dropped packets: 0
ARP packet input number: 0
Request packet: 0
Reply packet: 0
Unknown packet: 0
Internet Address is allocated by DHCP, 10.10.10.254/24
Broadcast address : 10.10.10.255
TTL being 1 packet number: 0
TTL invalid packet number: 0
ICMP packet input number: 0
Echo reply: 0
Unreachable: 0
Source quench: 0
Routing redirect: 0
Echo request: 0
Router advert: 0
Router solicit: 0
Time exceed: 0
IP header bad: 0
Timestamp request: 0
Timestamp reply: 0
Information request: 0
Information reply: 0
Netmask request: 0
Netmask reply: 0
Unknown type: 0
R4 obtained an address successfully, and the address is 10.10.10.254.
Check the relay statistics on R2:
<R2>dis dhcp relay statistics
The statistics of DHCP RELAY:
DHCP packets received from clients : 2
DHCP DISCOVER packets received : 1
DHCP REQUEST packets received : 1
DHCP RELEASE packets received : 0
DHCP INFORM packets received : 0
DHCP DECLINE packets received : 0
DHCP packets sent to clients : 2
Unicast packets sent to clients : 2
Broadcast packets sent to clients : 0
DHCP packets received from servers : 2
DHCP OFFER packets received : 1
DHCP ACK packets received : 1
DHCP NAK packets received : 0
DHCP packets sent to servers : 2
DHCP Bad packets received : 0
<R2>
Check the pool status on R1:
<R1>dis ip pool
-----------------------------------------------------------------------
Pool-name : DHCP
Pool-No : 0
Position : Local Status : Unlocked
Gateway-0 : 10.10.10.1
Mask : 255.255.255.0
VPN instance : --
IP address Statistic
Total :253
Used :1 Idle :243
Expired :0 Conflict :0 Disable :9
Check R4's routing table and test connectivity from R4 to R1's loopback:
<R4>dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Unr 60 0 D 10.10.10.1 GigabitEthernet0/0/1
10.10.10.0/24 Direct 0 0 D 10.10.10.254 GigabitEthernet0/0/1
10.10.10.254/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
10.10.10.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet0/0/1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0
<R4>ping 1.1.1.1
PING 1.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 1.1.1.1: bytes=56 Sequence=1 ttl=254 time=190 ms
Reply from 1.1.1.1: bytes=56 Sequence=2 ttl=254 time=80 ms
Reply from 1.1.1.1: bytes=56 Sequence=3 ttl=254 time=60 ms
Reply from 1.1.1.1: bytes=56 Sequence=4 ttl=254 time=70 ms
Reply from 1.1.1.1: bytes=56 Sequence=5 ttl=254 time=80 ms
--- 1.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/96/190 ms
Step 6: Configure DHCP snooping and attack-prevention features
Start by configuring DHCP snooping so that unauthorized DHCP servers cannot hand out addresses:
SW1:
sys
dhcp enable
dhcp snooping enable
int g0/0/2
dhcp snooping enable
int g0/0/1
dhcp snooping enable
By default, an interface with DHCP snooping enabled is in the untrusted state:
R4 restarts its interface again, but now it cannot obtain an address from either DHCP server, because the interfaces
facing both servers are untrusted on S1. Since R1, reached through the R2 relay, is the trusted DHCP server, make the switch
interface facing R2 a trusted interface:
SW1:
[SW1]int g0/0/2
[SW1-GigabitEthernet0/0/2]dhcp snooping trusted
[SW1-GigabitEthernet0/0/2]dis dhcp snooping interface GigabitEthernet 0/0/2
DHCP snooping running information for interface GigabitEthernet0/0/2 :
DHCP snooping : Enable
Trusted interface : Yes
Dhcp user max number : 1024 (default)
Current dhcp user number : 0
Check dhcp-giaddr : Disable (default)
Check dhcp-chaddr : Disable (default)
Alarm dhcp-chaddr : Disable (default)
Check dhcp-request : Disable (default)
Alarm dhcp-request : Disable (default)
Check dhcp-rate : Disable (default)
Alarm dhcp-rate : Disable (default)
Alarm dhcp-rate threshold : 100
Discarded dhcp packets for rate limit : 0
Alarm dhcp-reply : Disable (default)
R4 can obtain an address again.
With that in place, suppose R4 is an untrusted host: a large number of DHCP requests could be
sent from it to exhaust the address pool, so enable the DHCP starvation-attack prevention feature
on the S1 interface connected to it.
The configuration is as follows:
SW1:
sys
int g0/0/4
dhcp snooping check dhcp-chaddr enable
Finally, enable the feature that prevents man-in-the-middle attacks:
arp dhcp-snooping-detect enable
The DHCP security configuration is now complete.
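The following Python model is an added example, not part of the lab and not Huawei's implementation. It shows, over constructed frames, the three decisions that step 6 configures on SW1: server replies (OFFER/ACK/NAK) are only accepted from a trusted port, so R3's offer is dropped while the offer relayed by R2 passes; on the client port the chaddr field must match the Ethernet source MAC, which is the check dhcp-chaddr defence against pool exhaustion; and once an ACK has been seen, the resulting IP-to-MAC-to-port binding is used to validate ARP from untrusted ports, which is what arp dhcp-snooping-detect relies on. The port map is my reading of the lab, not something it states: g0/0/1 faces R3, g0/0/2 faces R2, g0/0/4 faces R4; all MAC addresses are constructed.

```python
"""Added example, not part of the lab: model of the DHCP snooping decisions on
SW1 in step 6. Assumed port map: g0/0/1 -> R3 (untrusted), g0/0/2 -> R2
(trusted), g0/0/4 -> R4 (check dhcp-chaddr). MAC addresses are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

SERVER_OPS = {"OFFER", "ACK", "NAK"}   # only a trusted port may originate these


@dataclass
class Frame:
    port: str
    src_mac: str
    kind: str              # "DHCP" or "ARP"
    op: str                # DHCP message type, or ARP "REQUEST"/"REPLY"
    chaddr: str = ""       # DHCP client hardware address field
    yiaddr: str = ""       # address the server assigns (OFFER/ACK)
    sender_ip: str = ""    # ARP sender protocol address
    sender_mac: str = ""   # ARP sender hardware address


@dataclass
class Port:
    snooping: bool = False      # 'dhcp snooping enable' on the interface
    trusted: bool = False       # 'dhcp snooping trusted'
    check_chaddr: bool = False  # 'dhcp snooping check dhcp-chaddr enable'


@dataclass
class DhcpSnooping:
    ports: dict[str, Port]
    arp_detect: bool = False    # 'arp dhcp-snooping-detect enable'
    pending: dict[str, str] = field(default_factory=dict)               # chaddr -> client port
    bindings: dict[str, tuple[str, str]] = field(default_factory=dict)  # ip -> (mac, port)

    def inspect(self, f: Frame) -> str:
        """Return 'forward' or a 'drop: <reason>' verdict for one frame."""
        p = self.ports[f.port]
        if f.kind == "DHCP":
            return self._dhcp(f, p)
        if f.kind == "ARP" and self.arp_detect and not p.trusted:
            return self._arp(f)
        return "forward"

    def _dhcp(self, f: Frame, p: Port) -> str:
        if not (p.snooping or p.check_chaddr):
            return "forward"                        # port is not inspected at all
        if f.op in SERVER_OPS:
            if not p.trusted:
                return "drop: server reply on untrusted port"   # the R3 case
            if f.op == "ACK":                       # lease confirmed: learn the binding
                self.bindings[f.yiaddr] = (f.chaddr, self.pending.get(f.chaddr, f.port))
            return "forward"
        if p.check_chaddr and f.chaddr.lower() != f.src_mac.lower():
            return "drop: chaddr does not match source MAC"     # starvation defence
        self.pending[f.chaddr] = f.port             # remember which port the client asked from
        return "forward"

    def _arp(self, f: Frame) -> str:
        bound = self.bindings.get(f.sender_ip)
        if bound is None:
            return "drop: no DHCP binding for sender IP"        # e.g. a host claiming the gateway
        if bound != (f.sender_mac, f.port):
            return "drop: ARP sender does not match binding"
        return "forward"


def run_scenario() -> list[str]:
    """Replay the step 6 lab: R4 discovers, both R3 and R1 (via R2) answer."""
    sw = DhcpSnooping(ports={"g0/0/1": Port(snooping=True),
                             "g0/0/2": Port(snooping=True, trusted=True),
                             "g0/0/4": Port(check_chaddr=True)}, arp_detect=True)
    r4, r2, r3 = "00:e0:fc:00:00:04", "00:e0:fc:00:00:02", "00:e0:fc:00:00:03"
    frames = [
        Frame("g0/0/4", r4, "DHCP", "DISCOVER", chaddr=r4),
        Frame("g0/0/1", r3, "DHCP", "OFFER", chaddr=r4, yiaddr="192.168.1.254"),   # R3, untrusted port
        Frame("g0/0/2", r2, "DHCP", "OFFER", chaddr=r4, yiaddr="10.10.10.254"),    # R1 via R2, trusted
        Frame("g0/0/4", r4, "DHCP", "REQUEST", chaddr=r4),
        Frame("g0/0/2", r2, "DHCP", "ACK", chaddr=r4, yiaddr="10.10.10.254"),      # binding learned
        Frame("g0/0/4", r4, "DHCP", "DISCOVER", chaddr="00:e0:fc:aa:bb:01"),       # chaddr != source MAC
        Frame("g0/0/4", r4, "ARP", "REPLY", sender_ip="10.10.10.254", sender_mac=r4),
        Frame("g0/0/4", r4, "ARP", "REPLY", sender_ip="10.10.10.1", sender_mac=r4),  # claims the gateway
    ]
    return [sw.inspect(f) for f in frames]
```

run_scenario() returns one verdict per frame: the R3 offer and the forged-chaddr request are dropped, the relayed R1 offer and ACK are forwarded and create the binding for 10.10.10.254, R4's own ARP passes, and an ARP reply claiming the gateway address from R4's port is dropped because no binding exists for it.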
[SW1]dis dhcp snooping
DHCP snooping global running information :
DHCP snooping : Enable
Static user max number : 1024
Current static user number : 0
Dhcp user max number : 1024 (default)
Current dhcp user number : 0
Arp dhcp-snooping detect : Enable
Alarm threshold : 100 (default)
Check dhcp-rate : Disable (default)
Dhcp-rate limit(pps) : 100 (default)
Alarm dhcp-rate : Disable (default)
Alarm dhcp-rate threshold : 100 (default)
Discarded dhcp packets for rate limit : 0
Bind-table autosave : Disable (default)
Offline remove mac-address : Disable (default)
Client position transfer allowed : Enable (default)
DHCP snooping running information for interface GigabitEthernet0/0/1 :
DHCP snooping : Enable
Trusted interface : No
Dhcp user max number : 1024 (default)
Current dhcp user number : 0
Check dhcp-giaddr : Disable (default)
Check dhcp-chaddr : Disable (default)
Alarm dhcp-chaddr : Disable (default)
Check dhcp-request : Disable (default)
Alarm dhcp-request : Disable (default)
Check dhcp-rate : Disable (default)
Alarm dhcp-rate : Disable (default)
Alarm dhcp-rate threshold : 100
Discarded dhcp packets for rate limit : 0
Alarm dhcp-reply : Disable (default)
DHCP snooping running information for interface GigabitEthernet0/0/2 :
DHCP snooping : Enable
Trusted interface : Yes
Dhcp user max number : 1024 (default)
Current dhcp user number : 0
Check dhcp-giaddr : Disable (default)
Check dhcp-chaddr : Disable (default)
Alarm dhcp-chaddr : Disable (default)
Check dhcp-request : Disable (default)
Alarm dhcp-request : Disable (default)
Check dhcp-rate : Disable (default)
Alarm dhcp-rate : Disable (default)
Alarm dhcp-rate threshold : 100
Discarded dhcp packets for rate limit : 0
Alarm dhcp-reply : Disable (default)
DHCP snooping running information for interface GigabitEthernet0/0/4 :
DHCP snooping : Disable (default)
Trusted interface : No
Dhcp user max number : 1024 (default)
Current dhcp user number : 0
Check dhcp-giaddr : Disable (default)
Check dhcp-chaddr : Enable
Alarm dhcp-chaddr : Disable (default)
Check dhcp-request : Enable
Alarm dhcp-request : Disable (default)
Check dhcp-rate : Disable (default)
Alarm dhcp-rate : Disable (default)
Alarm dhcp-rate threshold : 100
Discarded dhcp packets for rate limit : 0
Alarm dhcp-reply : Disable (default)