[Routing & Switching] Configuring DHCP and DHCP Relay on Huawei Switches and Routers

1. DHCP Principles and Lab Topology

1.1. How DHCP Works

DHCP address assignment has four stages: DHCP Discover, DHCP Offer, DHCP Request and DHCP ACK.

  • DHCP Discover: the client broadcasts a DHCP Discover to find a DHCP server and signal that it needs an IP address. Because it is a link-local broadcast it does not cross a router by itself, which is why the relay in section 4 is needed when the server sits on another segment
  • DHCP Offer: each server that receives the Discover answers with a DHCP Offer carrying the address it proposes to lease, sent back to the client
  • DHCP Request: if several Offers arrive, the client takes the first one received and broadcasts a DHCP Request naming that server and the offered address, so the other servers can withdraw their offers
  • DHCP ACK: the chosen server confirms with a DHCP ACK; only after receiving the ACK may the client use the assigned address

1.2. Lab Topology

This lab covers four DHCP server scenarios:

  • DHCP server on a switch, using an interface address pool
  • DHCP server on a switch, using a global address pool
  • DHCP server on a router, using an interface address pool
  • DHCP server on a router, using a global address pool, with a second router acting as DHCP relay

2. DHCP on the Switch

  • DHCP must first be enabled in system view; none of the dhcp commands below take effect without it
[LSW1]dhcp enable

2.1. DHCP with an Interface Address Pool

  • Interface address pool configuration. With an interface pool the interface's own address supplies both the network and the gateway, so Vlanif 5 must already carry 192.168.5.1/24 (the address the output below reports as Gateway-0, not shown in the lab). The excluded range 192.168.5.2 to 192.168.5.20 keeps 19 addresses out of the pool for statically addressed hosts
[LSW1]dhcp enable
[LSW1]interface Vlanif 5
[LSW1-Vlanif5]dhcp select interface
[LSW1-Vlanif5]dhcp server lease day 1
[LSW1-Vlanif5]dhcp server excluded-ip-address 192.168.5.2 192.168.5.20
[LSW1-Vlanif5]dhcp server dns-list 223.6.6.6
[LSW1-Vlanif5]quit
  • Verify that the client obtained an address
PC4>ipconfig

Link local IPv6 address...........: fe80::5689:98ff:fe72:2f77
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.5.254
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.5.1
Physical address..................: 54-89-98-72-2F-77
DNS server........................: 223.6.6.6


PC4>
  • Check the pool's allocation status on the switch (Disable = 19 is the excluded range, Used = 1 is PC4, and Total = Used + Idle + Conflict + Disable)
<LSW1>display ip pool interface vlanif5 used  
  Pool-name      : vlanif5
  Pool-No        : 0
  Lease          : 1 Days 0 Hours 0 Minutes
  Domain-name    : -
  DNS-server0    : 223.6.6.6       
  NBNS-server0   : -               
  Netbios-type   : -               
  Position       : Interface       Status           : Unlocked
  Gateway-0      : 192.168.5.1     
  Mask           : 255.255.255.0
  VPN instance   : --
 -----------------------------------------------------------------------------
         Start           End     Total  Used  Idle(Expired)  Conflict  Disable
 -----------------------------------------------------------------------------
     192.168.5.1   192.168.5.254   253     1        233(0)         0       19
 -----------------------------------------------------------------------------

  Network section : 
  --------------------------------------------------------------------------
  Index              IP               MAC      Lease   Status  
  --------------------------------------------------------------------------
    253   192.168.5.254    5489-9872-2f77        119   Used       
  --------------------------------------------------------------------------

<LSW1>

2.2. DHCP with a Global Address Pool

  • Global address pool configuration. The pool is defined in system view and bound to an interface with dhcp select global; the device serves an interface from the pool whose network contains that interface's address, so Vlanif 4 must already carry 192.168.4.1/24 (not shown in the lab)
[LSW1]dhcp enable
[LSW1]ip pool vlan4
[LSW1-ip-pool-vlan4]network 192.168.4.0 mask 255.255.255.0
[LSW1-ip-pool-vlan4]gateway-list 192.168.4.1
[LSW1-ip-pool-vlan4]dns-list 223.6.6.6
[LSW1-ip-pool-vlan4]lease day 1
[LSW1-ip-pool-vlan4]excluded-ip-address 192.168.4.2 192.168.4.20
[LSW1-ip-pool-vlan4]quit

[LSW1]interface Vlanif 4
[LSW1-Vlanif4]dhcp select global
[LSW1-Vlanif4]quit
  • Verify that the client obtained an address
PC3>ipconfig

Link local IPv6 address...........: fe80::5689:98ff:fe36:3c8d
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.4.254
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.4.1
Physical address..................: 54-89-98-36-3C-8D
DNS server........................: 223.6.6.6


PC3>
  • Check the pool's allocation status on the switch (Position : Local marks a global pool, as opposed to Interface above)
<LSW1>display ip pool name vlan4 used  
  Pool-name      : vlan4
  Pool-No        : 1
  Lease          : 1 Days 0 Hours 0 Minutes
  Domain-name    : -
  DNS-server0    : 223.6.6.6       
  NBNS-server0   : -               
  Netbios-type   : -               
  Position       : Local           Status           : Unlocked
  Gateway-0      : 192.168.4.1     
  Mask           : 255.255.255.0
  VPN instance   : --
 -----------------------------------------------------------------------------
         Start           End     Total  Used  Idle(Expired)  Conflict  Disable
 -----------------------------------------------------------------------------
     192.168.4.1   192.168.4.254   253     1        233(0)         0       19
 -----------------------------------------------------------------------------

  Network section : 
  --------------------------------------------------------------------------
  Index              IP               MAC      Lease   Status  
  --------------------------------------------------------------------------
    253   192.168.4.254    5489-9836-3c8d        127   Used       
  --------------------------------------------------------------------------

<LSW1>
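
The four display ip pool ... used outputs in this post all have the same layout, and in practice the check you want is not just "did one PC get an address" but whether the counters and the handed-out options match what was configured. The following parser and checker is an added example written for this page, not a Huawei tool; the sample text is the vlan4 output from section 2.2 with the Conflict and Disable counters parameterised so that a tampered variant can be produced for testing. The policy values passed to check_pool (gateway, DNS, excluded range, maximum lease) are the ones the lab configured.

```python
"""Parse Huawei VRP 'display ip pool ... used' output and cross-check it against the
pool you meant to configure. Added example for this page, not Huawei tooling; the
sample text is copied from the vlan4 output in section 2.2 with the two counters
parameterised so a tampered variant can be produced."""
import ipaddress
import re

TEMPLATE = """\
  Pool-name      : vlan4
  Pool-No        : 1
  Lease          : 1 Days 0 Hours 0 Minutes
  Domain-name    : -
  DNS-server0    : 223.6.6.6
  NBNS-server0   : -
  Netbios-type   : -
  Position       : Local           Status           : Unlocked
  Gateway-0      : 192.168.4.1
  Mask           : 255.255.255.0
  VPN instance   : --
 -----------------------------------------------------------------------------
         Start           End     Total  Used  Idle(Expired)  Conflict  Disable
 -----------------------------------------------------------------------------
     192.168.4.1   192.168.4.254   253     1        233(0)         {conflict}       {disable}
 -----------------------------------------------------------------------------

  Network section :
  --------------------------------------------------------------------------
  Index              IP               MAC      Lease   Status
  --------------------------------------------------------------------------
    253   192.168.4.254    5489-9836-3c8d        127   Used
  --------------------------------------------------------------------------
"""

def sample(conflict=0, disable=19):
    """The page's real output (defaults) or a constructed variant with other counters."""
    return TEMPLATE.format(conflict=conflict, disable=disable)

def parse_pool(text):
    """Return header fields, the range row and the per-address bindings as a dict."""
    pool = {"bindings": []}
    for key, val in re.findall(r"^ {2}([\w-]+)\s+:\s+(\S+)", text, re.M):
        pool[key.lower()] = val                    # e.g. gateway-0, dns-server0, mask
    d, h, m = map(int, re.search(r"Lease\s+:\s+(\d+) Days (\d+) Hours (\d+) Minutes", text).groups())
    pool["lease_seconds"] = (d * 24 + h) * 3600 + m * 60
    row = re.search(r"^\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+"
                    r"(\d+)\((\d+)\)\s+(\d+)\s+(\d+)\s*$", text, re.M)
    names = ("start", "end", "total", "used", "idle", "expired", "conflict", "disable")
    pool["range"] = {n: (v if n in ("start", "end") else int(v)) for n, v in zip(names, row.groups())}
    for idx, ip, mac, lease, status in re.findall(
            r"^\s+(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)\s+(\w+)",
            text, re.M):
        pool["bindings"].append({"index": int(idx), "ip": ip, "mac": mac,
                                 "lease": int(lease), "status": status})  # lease: raw device value
    return pool

def excluded(first, last):
    """Expand an 'excluded-ip-address first last' range into a set of address strings."""
    a, b = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return {str(ipaddress.IPv4Address(i)) for i in range(a, b + 1)}

def check_pool(text, gateway, dns, excluded_ips, max_lease=86400):
    """Compare what the device reports with what was configured; return a list of findings."""
    p, findings = parse_pool(text), []
    r = p["range"]
    if r["total"] != r["used"] + r["idle"] + r["conflict"] + r["disable"]:
        findings.append("counters do not add up to Total; re-read the output or check the pool")
    if r["disable"] != len(excluded_ips):
        findings.append(f"Disable={r['disable']} but {len(excluded_ips)} addresses are excluded")
    if r["conflict"]:
        findings.append(f"Conflict={r['conflict']}: a pool address answered when probed, "
                        "so a host is using it without a lease (rogue or static host)")
    if p.get("gateway-0") != gateway or p.get("dns-server0") != dns:
        findings.append("gateway or DNS handed to clients differs from the intended values")
    if p["lease_seconds"] > max_lease:
        findings.append(f"lease {p['lease_seconds']}s exceeds the {max_lease}s policy")
    lo, hi = ipaddress.IPv4Address(r["start"]), ipaddress.IPv4Address(r["end"])
    for b in p["bindings"]:
        if not lo <= ipaddress.IPv4Address(b["ip"]) <= hi or b["ip"] in excluded_ips:
            findings.append(f"binding {b['ip']} ({b['mac']}) lies outside the allocatable range")
    return findings
```

Run check_pool over the output captured from each device (for example after a display ip pool name vlan4 used) with the same excluded range and lease you configured; an empty list means the device agrees with the intent, and a non-zero Conflict count is worth investigating before anything else, because it means something on the segment is already using a pool address without a lease.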

3. DHCP on the AR Router

  • Interface address pool configuration on the router. It is the same as on the switch, except that the pool hangs off a physical interface (GigabitEthernet 0/0/1, addressed 192.168.1.1/24, which the output below reports as Gateway-0) instead of a Vlanif
[AR1]dhcp enable
[AR1]interface GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]dhcp select interface
[AR1-GigabitEthernet0/0/1]dhcp server lease day 1
[AR1-GigabitEthernet0/0/1]dhcp server dns-list 223.6.6.6
[AR1-GigabitEthernet0/0/1]dhcp server excluded-ip-address 192.168.1.2 192.168.1.20
[AR1-GigabitEthernet0/0/1]quit
  • Verify that the client obtained an address
PC1>ipconfig

Link local IPv6 address...........: fe80::5689:98ff:fe51:36e
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.1.254
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.1.1
Physical address..................: 54-89-98-51-03-6E
DNS server........................: 223.6.6.6


PC1>
  • Check the pool's allocation status on the router
<AR1>display ip pool interface GigabitEthernet0/0/1 used  
  Pool-name      : GigabitEthernet0/0/1
  Pool-No        : 0
  Lease          : 1 Days 0 Hours 0 Minutes
  Domain-name    : -
  DNS-server0    : 223.6.6.6       
  NBNS-server0   : -               
  Netbios-type   : -               
  Position       : Interface       Status           : Unlocked
  Gateway-0      : 192.168.1.1     
  Mask           : 255.255.255.0
  VPN instance   : --
 -----------------------------------------------------------------------------
         Start           End     Total  Used  Idle(Expired)  Conflict  Disable
 -----------------------------------------------------------------------------
     192.168.1.1   192.168.1.254   253     1        233(0)         0       19
 -----------------------------------------------------------------------------

  Network section : 
  --------------------------------------------------------------------------
  Index              IP               MAC      Lease   Status  
  --------------------------------------------------------------------------
    253   192.168.1.254    5489-9851-036e        900   Used       
  --------------------------------------------------------------------------

<AR1>

4. DHCP Relay on the AR Router

  • Configure the address pool on AR1, which is the DHCP server for the 192.168.3.0/24 segment behind AR2. dhcp select global goes on GigabitEthernet 0/0/0, the interface facing AR2 on which the relayed requests arrive (the lab points the relay at 192.168.2.1). For a relayed request the server does not choose the pool by the receiving interface but by giaddr, the relay's client-facing address 192.168.3.1, which is why pool vlan3 matches. AR1 must also have a route to 192.168.3.0/24 so that its Offer and ACK can reach the relay (not shown in the lab), and dhcp enable was already done on AR1 in section 3
[AR1]ip pool vlan3
[AR1-ip-pool-vlan3]network 192.168.3.0 mask 255.255.255.0
[AR1-ip-pool-vlan3]gateway-list 192.168.3.1
[AR1-ip-pool-vlan3]dns-list 223.6.6.6
[AR1-ip-pool-vlan3]excluded-ip-address 192.168.3.2 192.168.3.20
[AR1-ip-pool-vlan3]lease day 1
[AR1-ip-pool-vlan3]quit
[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]dhcp select global
[AR1-GigabitEthernet0/0/0]quit
  • Configure DHCP relay on AR2. GigabitEthernet 0/0/1 is the client-facing interface; its address 192.168.3.1 is written into giaddr and is also the gateway the pool hands out. The relay turns the client's broadcast into a unicast to the server address and passes the server's reply back to the client
[AR2]dhcp enable
[AR2]interface GigabitEthernet 0/0/1
[AR2-GigabitEthernet0/0/1]dhcp select relay
[AR2-GigabitEthernet0/0/1]dhcp relay server-ip 192.168.2.1
[AR2-GigabitEthernet0/0/1]quit
  • Verify that the client obtained an address (PC2 sits behind AR2 but receives an address, gateway and DNS from AR1's pool)
PC2>ipconfig

Link local IPv6 address...........: fe80::5689:98ff:fe98:546e
IPv6 address......................: :: / 128
IPv6 gateway......................: ::
IPv4 address......................: 192.168.3.254
Subnet mask.......................: 255.255.255.0
Gateway...........................: 192.168.3.1
Physical address..................: 54-89-98-98-54-6E
DNS server........................: 223.6.6.6


PC2>
  • Check the pool's allocation status on AR1; the lease was taken from pool vlan3 even though the client is not directly connected to AR1
<AR1>display ip pool name vlan3 used  
  Pool-name      : vlan3
  Pool-No        : 1
  Lease          : 1 Days 0 Hours 0 Minutes
  Domain-name    : -
  DNS-server0    : 223.6.6.6       
  NBNS-server0   : -               
  Netbios-type   : -               
  Position       : Local           Status           : Unlocked
  Gateway-0      : 192.168.3.1     
  Mask           : 255.255.255.0
  VPN instance   : --
 -----------------------------------------------------------------------------
         Start           End     Total  Used  Idle(Expired)  Conflict  Disable
 -----------------------------------------------------------------------------
     192.168.3.1   192.168.3.254   253     1        233(0)         0       19
 -----------------------------------------------------------------------------

  Network section : 
  --------------------------------------------------------------------------
  Index              IP               MAC      Lease   Status  
  --------------------------------------------------------------------------
    253   192.168.3.254    5489-9898-546e       1838   Used       
  --------------------------------------------------------------------------

<AR1>
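
To make the four-step exchange from section 1.1 and the relay behaviour of this section concrete, the following is an added example, written for this page and not Huawei code: it encodes and decodes DHCPv4 messages in the RFC 2131 layout, runs Discover/Offer/Request/ACK against an in-process server, and runs the same exchange through a relay agent that fills in giaddr. The server is a deliberate simplification that models only what the lab output shows (pool chosen by giaddr for relayed requests, otherwise by the receiving interface's address; addresses handed out from the top of the range, as the .254 leases above suggest); the MAC addresses, xids and the 192.168.2.1 server address are taken from or assumed for the lab.

```python
"""DHCPv4 (RFC 2131) encode/decode plus an in-process Discover/Offer/Request/ACK
exchange, run directly and through a relay agent that fills in giaddr. Added example
for this page, not Huawei code; server behaviour is the minimum the lab output shows."""
import ipaddress
import struct

HDR = "!BBBBIHH4s4s4s4s16s64s128s"          # fixed 236-byte header, RFC 2131 figure 1
MAGIC = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5    # option 53 message-type values
ip4 = lambda s: ipaddress.IPv4Address(s).packed   # dotted string -> 4 bytes

def build(op, xid, mac, msg_type, yiaddr="0.0.0.0", giaddr="0.0.0.0", options=()):
    """Encode one message; op=1 client->server, op=2 server->client."""
    chaddr = bytes.fromhex(mac.replace("-", "")).ljust(16, b"\0")
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0x8000, ip4("0.0.0.0"), ip4(yiaddr),
                      ip4("0.0.0.0"), ip4(giaddr), chaddr, b"\0" * 64, b"\0" * 128)
    body = bytearray(MAGIC + bytes([53, 1, msg_type]))
    for code, val in options:
        body += bytes([code, len(val)]) + val
    return hdr + bytes(body) + b"\xff"                        # option 255: end

def parse(pkt):
    """Decode header fields and TLV options into a dict (option code -> raw bytes)."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    msg = {"hops": f[3], "xid": f[4], "mac": f[11][:6].hex("-"),
           "yiaddr": str(ipaddress.IPv4Address(f[8])),
           "giaddr": str(ipaddress.IPv4Address(f[10])), "options": {}}
    i = 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                                       # option 0: single-byte pad
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        msg["options"][code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return msg

class GlobalPoolServer:
    """Pool chosen by giaddr for relayed requests, else by the receiving interface's address."""
    def __init__(self, pools, dns="223.6.6.6", lease=86400):
        self.pools = [(ipaddress.ip_network(n), gw, set(ex)) for n, gw, ex in pools]
        self.dns, self.lease, self.bindings = dns, lease, {}

    def _pool(self, selector):
        return next(p for p in self.pools if ipaddress.ip_address(selector) in p[0])

    def _allocate(self, mac, selector):
        if mac in self.bindings:                              # same client keeps its address
            return self.bindings[mac]
        net, gw, excluded = self._pool(selector)
        taken = set(self.bindings.values()) | excluded | {gw}
        # hand out from the top of the range, as the lab's .254 allocations show
        self.bindings[mac] = next(str(h) for h in reversed(list(net.hosts())) if str(h) not in taken)
        return self.bindings[mac]

    def handle(self, pkt, rx_if_ip):
        """Offer for a Discover, ACK for a Request; None if the Request names another server."""
        req = parse(pkt)
        kind = req["options"][53][0]
        if kind == REQUEST and req["options"].get(54) != ip4(rx_if_ip):
            return None
        selector = req["giaddr"] if req["giaddr"] != "0.0.0.0" else rx_if_ip
        net, gw, _ = self._pool(selector)
        opts = [(1, net.netmask.packed), (3, ip4(gw)), (6, ip4(self.dns)),
                (51, struct.pack("!I", self.lease)), (54, ip4(rx_if_ip))]
        return build(2, req["xid"], req["mac"], OFFER if kind == DISCOVER else ACK,
                     yiaddr=self._allocate(req["mac"], selector), giaddr=req["giaddr"], options=opts)

def relay(pkt, relay_if_ip):
    """Relay agent: put the address of the client-facing interface into giaddr (if still
    zero) and bump hops; the server uses giaddr to pick the pool and to address its reply."""
    m = parse(pkt)
    if m["giaddr"] != "0.0.0.0":
        return pkt
    return pkt[:3] + bytes([m["hops"] + 1]) + pkt[4:24] + ip4(relay_if_ip) + pkt[28:]

def dora(server, mac, xid, rx_if_ip, relay_if_ip=None):
    """Run the four-step exchange for one client and return the lease it ends up with."""
    via = (lambda p: relay(p, relay_if_ip)) if relay_if_ip else (lambda p: p)
    offer = parse(server.handle(via(build(1, xid, mac, DISCOVER)), rx_if_ip))
    # Request names the chosen server (54) and offered address (50) so other servers back off
    request = build(1, xid, mac, REQUEST,
                    options=[(50, ip4(offer["yiaddr"])), (54, offer["options"][54])])
    ack = parse(server.handle(via(request), rx_if_ip))
    o = ack["options"]
    return {"ip": ack["yiaddr"], "gateway": str(ipaddress.IPv4Address(o[3])),
            "dns": str(ipaddress.IPv4Address(o[6])), "lease": struct.unpack("!I", o[51])[0],
            "giaddr": ack["giaddr"], "server": str(ipaddress.IPv4Address(o[54]))}

def demo():
    """Mirror the lab: AR1 serves 192.168.1.0/24 directly and 192.168.3.0/24 for clients
    behind AR2, which relays from 192.168.3.1 to AR1's address 192.168.2.1."""
    ar1 = GlobalPoolServer([
        ("192.168.1.0/24", "192.168.1.1", {f"192.168.1.{i}" for i in range(2, 21)}),
        ("192.168.3.0/24", "192.168.3.1", {f"192.168.3.{i}" for i in range(2, 21)})])
    return {"direct": dora(ar1, "54-89-98-51-03-6E", 0x1001, "192.168.1.1"),
            "relayed": dora(ar1, "54-89-98-98-54-6E", 0x1002, "192.168.2.1", "192.168.3.1")}
```

demo() returns both leases; the relayed one carries giaddr 192.168.3.1 and server identifier 192.168.2.1 while the address, gateway and DNS come from pool vlan3, which is exactly what PC2's ipconfig output above shows. Note that the server answers a Request only when option 54 names its own address, which is the behaviour that lets several servers coexist on one segment without all of them committing a lease.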

5. Key Points for Securing the DHCP Service

5.1. DHCP Snooping

The switch listens to the DHCP messages passing through it and builds a DHCP snooping binding table recording each client's MAC address, the IP address leased to it, the lease time, and the port (and VLAN) it is attached to. DHCP replies are accepted only from the trusted port that leads to the legitimate server, and client traffic is checked against the binding table; together this keeps rogue DHCP servers off the network and stops clients from using addresses they were never leased.

[Huawei]dhcp enable
[Huawei]dhcp snooping enable
[Huawei]vlan 5
[Huawei-vlan5]dhcp snooping enable
[Huawei]interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1]dhcp snooping trusted

dhcp enable must precede dhcp snooping enable; snooping is then switched on in each VLAN (or on each user-facing interface) it should protect, and only the uplink toward the real DHCP server (here GigabitEthernet 0/0/1) is marked trusted. Every other port stays untrusted by default.

5.2. Lease Time Management

Choosing a sensible lease time also contributes to security. A shorter lease returns addresses to the pool sooner, shortens the time an address can stay held by a misbehaving or malicious host, and lets the administrator notice abnormal address usage earlier. One day, or 12 hours, is a reasonable value; the dhcp server lease day 1 and lease day 1 commands in sections 2 to 4 set one day.

5.3. Trusted and Untrusted Ports

Where DHCP snooping is enabled, every switch port is either trusted or untrusted. A trusted port is one that leads to the legitimate DHCP server (the server's own access port or the uplink toward it) and passes all DHCP messages. Untrusted ports face clients: they pass legitimate client messages (Discover, Request) but drop server-side messages (Offer, ACK and the like) arriving from them, so an unauthorized DHCP server plugged into a client port cannot answer anyone.

5.4. Logging DHCP Assignments

Record which MAC address received which IP address, on which port and when, so that an incident can be traced back to a specific host. Note that display ip pool ... used (sections 2 to 4) and the snooping binding table only show current leases; export them, together with the device's DHCP logs, to a central log collector at regular intervals so the history survives lease expiry and device reboots.
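
The rules in 5.1 and 5.3, the binding table they produce and the traceability asked for in 5.4 fit together into one small filter, shown here as an added example written for this page (it is not Huawei code, and the message stream in demo() is constructed for the demonstration). The snooper drops server-side messages on untrusted ports, drops client messages whose chaddr does not match the frame's source MAC, only honours a Release or Decline from the port that holds the binding, learns a binding from each ACK that answers a Request it forwarded, and keeps a history so that "who had this address at time t" can be answered later. allow_ip_packet is the check that makes the table useful against address misuse; it models IP source guard behaviour, which the page itself does not configure, so treat it as an assumption.

```python
"""DHCP snooping as a filter over a stream of DHCP messages seen by a switch: server
replies are accepted only on trusted ports, client messages on untrusted ports must carry
a chaddr equal to the frame's source MAC, and each ACK that answers a forwarded Request
becomes a binding (MAC, IP, port, lease window) that later checks and forensic lookups use.
Added example for sections 5.1 to 5.4; not Huawei code, and the message stream in demo()
is constructed for the demonstration."""
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}

@dataclass
class Msg:
    t: int             # seconds since start, when the frame was seen
    port: str          # ingress port
    src_mac: str       # Ethernet source address of the frame
    kind: str          # DHCP message type (option 53)
    chaddr: str        # client hardware address inside the DHCP payload
    yiaddr: str = "0.0.0.0"
    lease: int = 0

@dataclass
class Binding:
    mac: str
    ip: str
    port: str
    start: int
    expires: int

@dataclass
class Snooper:
    trusted: set                                   # ports that lead to the real server
    bindings: dict = field(default_factory=dict)   # mac -> live Binding
    pending: dict = field(default_factory=dict)    # chaddr -> port of the forwarded Request
    history: list = field(default_factory=list)    # every binding ever made (section 5.4)
    log: list = field(default_factory=list)

    def _log(self, m, verdict, why):
        self.log.append(f"t={m.t} port={m.port} src={m.src_mac} {m.kind} -> {verdict}: {why}")

    def process(self, m):
        """Apply the snooping rules to one message; True if forwarded, False if dropped."""
        untrusted = m.port not in self.trusted
        if m.kind in SERVER_MSGS and untrusted:
            self._log(m, "DROP", "server reply on untrusted port (rogue DHCP server)")
            return False
        if m.kind in CLIENT_MSGS and untrusted and m.chaddr != m.src_mac:
            self._log(m, "DROP", "chaddr does not match frame source MAC (spoofed client)")
            return False
        if m.kind in ("RELEASE", "DECLINE") and untrusted:
            b = self.bindings.get(m.src_mac)
            if b is None or b.port != m.port:
                self._log(m, "DROP", "release/decline from a port holding no such binding")
                return False
            del self.bindings[m.src_mac]               # genuine release: binding goes away
        if m.kind == "REQUEST":
            self.pending[m.chaddr] = m.port            # remember which port the client is on
        if m.kind == "ACK" and m.chaddr in self.pending:
            b = Binding(m.chaddr, m.yiaddr, self.pending.pop(m.chaddr), m.t, m.t + m.lease)
            self.bindings[m.chaddr] = b
            self.history.append(b)
            self._log(m, "BIND", f"{b.ip} on {b.port} until t={b.expires}")
            return True
        self._log(m, "FORWARD", "ok")
        return True

    def allow_ip_packet(self, port, mac, ip):
        """What the binding table is for: a non-DHCP packet from an untrusted port is allowed
        only if (port, MAC, IP) match a live binding. This is IP source guard behaviour,
        assumed here; the page configures snooping only."""
        if port in self.trusted:
            return True
        b = self.bindings.get(mac)
        return b is not None and b.ip == ip and b.port == port

    def who_had(self, ip, t):
        """Forensic lookup over the history: which MAC/port held ip at time t."""
        return [b for b in self.history if b.ip == ip and b.start <= t < b.expires]

def demo():
    """Constructed stream: the real server behind trusted GE0/0/1, a PC on GE0/0/2, a rogue
    server on GE0/0/3, and a host on GE0/0/4 that borrows the PC's identity."""
    PC, SERVER, ROGUE, SPOOF = "5489-9836-3c8d", "0000-aaaa-0001", "0000-dead-beef", "5489-98ab-cdef"
    s = Snooper(trusted={"GE0/0/1"})
    stream = [
        Msg(0, "GE0/0/2", PC, "DISCOVER", PC),
        Msg(1, "GE0/0/3", ROGUE, "OFFER", PC, "10.6.6.6", 3600),            # rogue offer
        Msg(1, "GE0/0/1", SERVER, "OFFER", PC, "192.168.4.254", 86400),
        Msg(2, "GE0/0/2", PC, "REQUEST", PC),
        Msg(3, "GE0/0/1", SERVER, "ACK", PC, "192.168.4.254", 86400),       # creates the binding
        Msg(10, "GE0/0/4", SPOOF, "DISCOVER", PC),                          # chaddr != source MAC
        Msg(11, "GE0/0/4", PC, "RELEASE", PC),                              # spoofed release, wrong port
    ]
    return s, [s.process(m) for m in stream]
```

The log list is the record section 5.4 asks for: every drop says which port and source MAC caused it, and every BIND line is a (time, port, MAC, IP, expiry) tuple that can be shipped to a collector as it is produced rather than reconstructed from a display command later.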

posted @ 2024-12-19 13:02 by 二乘八是十六