Explain the various aspects of the DHCP protocol
DHCP is the protocol that manages IP address assignment on a network, and from a network-security standpoint it has many weak points. This article covers the Cisco switch security features 802.1X, port-security, DHCP snooping, DAI, VACL and SPAN/RSPAN; all of Cisco's LAN mitigation techniques are here.

Commonly used methods:

1. 802.1X port authentication (dot1x), also known as IBNS, identity-based network security (note that IBNS also includes port-security). Many names for one thing, which is a little annoying. When a host attaches to a port, the switch relays its credentials to the ACS (the AAA server); only after authentication and authorization may the host use the network. The precondition is that the client supports 802.1X, for example by installing supplicant software. Extensible Authentication Protocol over LAN (EAPOL) is the protocol that carries the authentication and authorization exchange between client and switch.

Example configuration. The port-control modes are:
- auto: the normal mode; the port goes through the authentication and authorization exchange.
- force-authorized: no authentication is performed and the port is always available.
- force-unauthorized: effectively shuts the interface; the port is always unavailable.

Optional settings and operations:
- Re-authentication after 2 hours.
- Re-authenticate now: note that an already established session is not disconnected.
- Initialize the authentication: the session is disconnected, and 45 seconds (the quiet period) must pass before the next authentication request can be initiated.
- The client must enter its credentials and answer the AAA server through the port. If the switch receives nothing from the user, it retransmits the request to the client every 30 s, 4 times in total.
- The default is one host per port. To use multi-host mode the port must be in auto mode: once one host is authorized, the other hosts on the port can also access the network; when authorization is lost, for example on a failed re-authentication or a logoff, all hosts lose the port.
- Unauthenticated hosts can be placed in a guest VLAN (VLAN 2 here), which provides flexibility, subject to two conditions: 1.
VLAN 2 must be created on the switch and set aside for guests. 2. VLAN 2 information is not propagated by VTP. To undo the settings, return them to their defaults.

2. Port security solves the CAM table overflow attack (a tool, macof, can generate about 155,000 MAC addresses per minute to bombard the CAM table; once it is full the switch must flood the frames of legitimate hosts out of every port, so the attacker can sniff them). Example configuration: sticky learning saves the learned addresses into the running configuration, which avoids manual configuration and saves the resources consumed by continual dynamic learning. The three violation modes:
- protect: once the configured number of MAC addresses is reached, further unknown MACs are no longer learned; their frames are dropped and no notification is generated.
- restrict: as above, but a notification is generated (an SNMP trap and a syslog message) and the violation counter is incremented. The problem here is that a malicious attack generates a large amount of such messages, which is itself a burden on the network.
- shutdown: once the configured number is reached, the port is closed (err-disabled) and stays closed until it is manually re-enabled or the port security policy is changed.
Port security requires everything to be configured manually, which increases the workload; the following two methods use DHCP instead.

DHCP snooping: if the administrator (of an Internet cafe, in the original example) assigns addresses with DHCP, the switch can bind IP to MAC from the DHCP exchange. The interface facing the DHCP server is configured as a trusted interface; it is the only one on which server replies are accepted and leases are recorded, and DHCP server behaviour on any other interface is rejected.

DAI (dynamic ARP inspection) checks ARP packets against an ARP ACL and the IP-to-MAC database built by DHCP snooping. Note that only an ARP ACL can be applied here. The ACL is checked before the IP-to-MAC table: even if a binding entry exists, an ARP packet denied by the ARP ACL does not pass.
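The sections above leave out the actual configuration, so here is an added example (not the article's own configuration) of an access-port template that combines 802.1X, port-security, DHCP snooping, DAI and IP source guard on one switch, using the values the text describes: auto mode, 2-hour re-authentication, 45 s quiet period, 30 s x 4 retransmissions, multi-host mode, guest VLAN 2, sticky addresses, restrict mode, and a DAI limit of 20 packets per second. Everything else is assumed: the RADIUS server 10.0.0.5 and its key, user VLAN 10, the uplink Gi0/1 toward the DHCP server, host ports Fa0/1-24, and the static host 10.0.10.50 / 0011.2233.4455 used to show the ARP ACL. The syntax is the legacy dot1x form of the IOS 12.2 era; current IOS expresses the same settings with the authentication commands.

```cisco
! Added example, not the article's own configuration. Legacy "dot1x" syntax
! (IOS 12.2 era); current IOS expresses the same with "authentication ...".
! Assumed values: RADIUS 10.0.0.5 / key r4dius-key, user VLAN 10, guest
! VLAN 2, uplink Gi0/1 toward the DHCP server, host ports Fa0/1-24,
! one static host 10.0.10.50 with MAC 0011.2233.4455.
!
! ---- 802.1X, global ----
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key r4dius-key
dot1x system-auth-control
!
vlan 2
 name GUESTS
vlan 10
 name USERS
!
! ---- DHCP snooping and DAI, global ----
ip dhcp snooping
ip dhcp snooping vlan 2,10
ip arp inspection vlan 2,10
ip arp inspection validate src-mac dst-mac ip
! ARP ACL for the one host with a static address (it has no DHCP binding).
! The ARP ACL is consulted before the snooping binding table.
arp access-list STATIC-HOSTS
 permit ip host 10.0.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! ---- Uplink toward the DHCP server: the only trusted interface ----
interface GigabitEthernet0/1
 description Uplink to distribution and DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! ---- Host ports: untrusted, authenticated, MAC-limited ----
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ! 802.1X: "auto" runs the EAPOL exchange; "force-authorized" would leave
 ! the port always open and "force-unauthorized" always closed.
 dot1x port-control auto
 dot1x reauthentication
 ! re-authenticate every 2 hours
 dot1x timeout reauth-period 7200
 ! quiet period after a failure or "dot1x initialize": 45 s
 dot1x timeout quiet-period 45
 ! retransmit the identity request every 30 s, up to 4 times
 dot1x timeout tx-period 30
 dot1x max-req 4
 ! one authorized host opens the port for every MAC behind it
 dot1x host-mode multi-host
 ! clients without a supplicant fall into the guest VLAN
 dot1x guest-vlan 2
 ! port-security: sticky writes learned MACs into the running config;
 ! restrict = drop + SNMP trap/syslog + counter, protect = drop silently,
 ! shutdown = err-disable the port
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ! DHCP snooping: rate-limit DHCP from hosts; IP source guard then drops
 ! IP packets whose source is not in the snooping binding table
 ip dhcp snooping limit rate 10
 ip verify source
 ! DAI: untrusted ports default to 15 ARP packets/s, raised to 20 here
 ip arp inspection limit rate 20
!
! Exec-mode commands referred to in the text (not configuration):
!   dot1x re-authenticate interface FastEthernet0/1   (session stays up)
!   dot1x initialize interface FastEthernet0/1        (session is dropped)
!   show dot1x interface FastEthernet0/1
!   show port-security interface FastEthernet0/1
!   show ip dhcp snooping binding
!   show ip arp inspection vlan 10
```

Two practical points: copy the running configuration to startup after sticky learning, otherwise the learned addresses are lost on reload; and with the restrict violation mode, watch the syslog rate on the switch during an attack, since the burst of violation messages the text warns about is itself a load on the device.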
The interface facing the DHCP server is the trusted one; on the untrusted interfaces DAI consults the IP-to-MAC table built by DHCP snooping. Interfaces facing hosts are untrusted by default, and an untrusted interface is limited to 15 ARP packets per second (the default rate limit); trusted interfaces are not rate-limited by default. In the example the limit is changed to 20 per second.

Note: DHCP snooping itself only provides the IP-to-MAC binding table and does not enforce policy on other traffic. On its own it only prevents DHCP spoofing (rogue DHCP servers); it has no ability to block spoofing of arbitrary IP or MAC addresses. What it does is hand that table to DAI, which uses it to stop ARP and MAC spoofing.

3. VACL

4. SPAN and RSPAN

There are two monitoring methods, based on a source port or on a source VLAN, and three traffic directions: rx, tx and both. VLAN-based monitoring can only capture the inbound direction (rx): every physical port in the source VLAN becomes a source port whose traffic is copied to the destination port. Several source ports or VLANs can be assigned to one destination port. Outbound (tx) traffic cannot be monitored for multiple ports at once; it can be monitored for a single port. At most two monitoring sessions can be configured (on the platform in this example). Source and destination ports are distinct. A trunk port can be configured as a source port and VLAN filtering then used to select the traffic to be analyzed; the filter does not affect normal traffic forwarding. Filtering cannot be used when the source is a VLAN.

Restrictions on the destination port: it cannot be a source port or a reflector port; it does not participate in Layer 2 protocols (CDP, VTP, PAgP, LACP, DTP, STP); in local SPAN the destination port and the source ports are on the same switch; a port can only participate in one SPAN session at a time, that is, you cannot configure two SPAN sessions on one port; it cannot be an EtherChannel member; if the destination port is a member of a source VLAN, that VLAN's traffic cannot be monitored, although other VLANs can; 802.1X and switchport port-security are disabled on the destination port.
Local SPAN can monitor Layer 2 protocol traffic; RSPAN cannot. An IDS or IPS attached to a SPAN destination port only receives a copy of the traffic, so its only effect on the traffic is whatever its policy does in response to a suspected attack, for example resetting a TCP connection; it does not interfere with normal forwarding.

SPAN (switch port analyzer): a simple SPAN needs only two commands. In the first example, the traffic of F1/4 is sent to F1/9 for analysis. In the second, the traffic received on all ports in VLANs 1-3 is monitored and sent to G0/7, and then the traffic of VLAN 10 is added to the same session. In the third, the traffic received on G0/4 is filtered to include only VLANs 1-5 and 9 and sent to G0/8. Note the difference from the earlier examples: source traffic can be defined in two ways, by source port or by source VLAN.

RSPAN configuration: Step 1: create a dedicated remote-SPAN VLAN on all switches in the path. Step 2: configure the source switch. Step 3: configure the destination switch to monitor the remote VLAN. A session is removed with:

Switch(config)# no monitor session 2
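As an added example (not the article's own configuration), the three SPAN cases and the three RSPAN steps above written out as IOS commands. The interface names follow the article's cases; the RSPAN VLAN number 900 and the two-session limit (true of the Catalyst 3550-class switches the article appears to describe) are assumptions, as is the ingress keyword shown in a comment for the IDS reset case, which is platform-dependent.

```cisco
! Added example, not the article's own configuration. Interface names follow
! the article's cases; RSPAN VLAN 900 and the two-session limit (Catalyst
! 3550-class switches) are assumptions.
!
! Case 1: port-based local SPAN, both directions of F1/4 copied to F1/9
monitor session 1 source interface FastEthernet1/4 both
monitor session 1 destination interface FastEthernet1/9
!
! Case 2: VLAN-based SPAN (rx only): every port in VLANs 1-3 is a source;
! VLAN 10 is then added to the same session
monitor session 2 source vlan 1 - 3 rx
monitor session 2 source vlan 10 rx
monitor session 2 destination interface GigabitEthernet0/7
!
! Case 3: a trunk as source with a VLAN filter (a filter is not allowed
! together with a VLAN source). Only two sessions fit on this platform,
! so session 2 is removed and redefined.
no monitor session 2
monitor session 2 source interface GigabitEthernet0/4 rx
monitor session 2 filter vlan 1 - 5 , 9
monitor session 2 destination interface GigabitEthernet0/8
!
! The destination port only emits copies. For an IDS to send TCP resets back
! through it, ingress forwarding must be enabled on the destination
! (platform-dependent keyword, shown here as an assumption):
!   monitor session 2 destination interface GigabitEthernet0/8 ingress vlan 9
!
! Verify: show monitor session 2
!
! ---- RSPAN ----
! Step 1: on every switch in the path, a VLAN reserved for remote SPAN
vlan 900
 name RSPAN-TO-IDS
 remote-span
!
! Step 2: source switch. 2950/3550 additionally require
! "reflector-port <unused interface>" on the destination command.
monitor session 1 source interface FastEthernet1/4 both
monitor session 1 destination remote vlan 900
!
! Step 3: destination switch
monitor session 1 source remote vlan 900
monitor session 1 destination interface GigabitEthernet0/8
!
! Removing a session, as in the article's closing command:
!   no monitor session 2
```

Because the RSPAN VLAN carries mirrored traffic across trunks, it should be pruned from every trunk that does not lie between the source and destination switches, and no access port should ever be placed in it; otherwise the monitoring path itself becomes a place to sniff from.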
Summary: switch security with 802.1X, port-security, DHCP snooping, DAI, VACL and SPAN/RSPAN
- Port-to-MAC binding: port-security
- DHCP-based port-to-IP/MAC binding: IP source guard
- DHCP-based prevention of ARP attacks: DAI
- Prevention of DHCP attacks: DHCP snooping