Dell Networking SONiC: Dynamic Host Configuration Protocol Snooping
Summary: This article describes Dynamic Host Configuration Protocol (DHCP) snooping in Dell Networking SONiC. The examples use a switch running Dell SONiC 4.1.
Instructions
Prerequisites
Standard interface naming is used to demonstrate the concepts. For details on interface naming, see Dell article 202172, Dell Networking S-Series: Basic Interface Configuration - SONiC 4.0.
Contents
Introduction
DHCP Layer 2 COPP Configuration
IPv4 DHCP Snooping Configuration
Clear entries from the IPv4 DHCP snooping binding table
View IPv4 DHCP snooping information
IPv6 DHCP Snooping Configuration
Clear entries from the IPv6 DHCP snooping binding table
View IPv6 DHCP snooping information
Introduction
Dynamic Host Configuration Protocol (DHCP) snooping is a security feature that lets the switches in a network monitor DHCP control messages. The switch uses these control messages to identify rogue DHCP servers and clients in the network. When you enable DHCP snooping, the switch starts monitoring DHCP control packets from DHCP servers and clients and uses this information to build a binding database.
There are two types of DHCP snooping interfaces: trusted and untrusted. Connect DHCP clients to untrusted interfaces and DHCP servers to trusted interfaces.
When the switch receives a DHCP message from a client on an untrusted port, it forwards the packet to the trusted ports in the same VLAN. When the port connected to the DHCP server is configured as trusted, any DHCP server-to-client message received on an untrusted interface is dropped.
By checking the source MAC address in the Ethernet header against the client hardware address in the DHCP header, DHCP snooping limits the ability of rogue DHCP clients to obtain DHCP leases.
Configuration notes:
- DHCP snooping is supported for IPv4 and IPv6.
- DHCPv6 snooping applies only to stateful DHCPv6 servers.
- Enable DHCP snooping globally and on specific VLANs.
- Configure the ports within the VLAN as trusted or untrusted.
- By default, all ports are untrusted.
- Connect DHCP servers through trusted ports.
- Connect DHCP clients through untrusted ports.
- On untrusted interfaces, the switch drops DHCP packets whose source MAC address does not match the client hardware address. You can turn this behavior off by disabling the Verify MAC address feature; do so for routed DHCP relay traffic and DHCP unicast request packets.
- When DHCP snooping is enabled, the Verify MAC address feature is enabled by default.
- DHCP snooping is not applied to VLANs on which snooping is not enabled.
- You can configure manual entries in the DHCP snooping binding table.
- Before enabling DHCP snooping, remove the DHCP Layer 3 COPP rule and install the DHCP Layer 2 COPP rule. For details, see the section "DHCP Layer 2 COPP Configuration".
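As an added illustration that is not part of the Dell article, the following Python models the forwarding rules described above (trusted and untrusted ports, server messages on untrusted ports, source MAC verification, binding-table learning, and VLANs without snooping) and runs constructed sample frames through it. The port names, MAC addresses and IP addresses are made up for the example and the frame layout is simplified to the fields the rules need.

```python
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # DHCP server-to-client message types

@dataclass
class Frame:
    """One DHCP frame as seen by the switch (constructed sample data)."""
    vlan: int
    in_port: str
    src_mac: str      # source MAC in the Ethernet header
    chaddr: str       # client hardware address in the DHCP header
    msg_type: str     # DISCOVER/REQUEST from clients, OFFER/ACK/NAK from servers
    yiaddr: str = ""  # address assigned by the server in an ACK

class Snooper:
    """Models the trusted/untrusted port rules and source MAC verification."""

    def __init__(self, snoop_vlans, trusted_ports, verify_mac=True):
        self.snoop_vlans = set(snoop_vlans)
        self.trusted = set(trusted_ports)  # every other port is untrusted
        self.verify_mac = verify_mac       # 'ip dhcp snooping verify mac-address'
        self.bindings = {}                 # (vlan, client MAC) -> leased IP

    def handle(self, f):
        """Return 'FORWARD' or a 'DROP:<reason>' verdict and learn bindings."""
        if f.vlan not in self.snoop_vlans:
            return "FORWARD"  # snooping is not applied to this VLAN
        if f.in_port in self.trusted:
            if f.msg_type == "ACK":  # a trusted server granted a lease: record it
                self.bindings[(f.vlan, f.chaddr.lower())] = f.yiaddr
            return "FORWARD"
        if f.msg_type in SERVER_MSGS:  # server message arriving on a client port
            return "DROP:server-msg-on-untrusted-port"
        if self.verify_mac and f.src_mac.lower() != f.chaddr.lower():
            return "DROP:source-mac-mismatch"
        return "FORWARD"

def demo():
    """Constructed frames through a switch with Eth1/1 trusted and VLAN 100 snooped."""
    s = Snooper(snoop_vlans=[100], trusted_ports=["Eth1/1"])
    frames = [
        Frame(100, "Eth1/2", "aa:bb:cc:dd:11:22", "aa:bb:cc:dd:11:22", "DISCOVER"),
        Frame(100, "Eth1/1", "00:11:22:33:44:55", "aa:bb:cc:dd:11:22", "ACK", "10.10.100.150"),
        Frame(100, "Eth1/3", "00:de:ad:be:ef:00", "aa:bb:cc:dd:11:22", "OFFER"),
        Frame(100, "Eth1/4", "00:00:00:00:00:01", "aa:bb:cc:dd:99:99", "REQUEST"),
        Frame(300, "Eth1/4", "00:00:00:00:00:01", "aa:bb:cc:dd:99:99", "REQUEST"),
    ]
    return [s.handle(f) for f in frames], s.bindings
```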
DHCP Layer 2 COPP Configuration
For DHCP snooping to work correctly, perform this configuration:
- Remove the DHCP Layer 3 COPP rule. This is the default rule.
admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure terminal
DELLSONiC(config)# policy-map copp-system-policy type copp
DELLSONiC(config-policy-map)# no class copp-system-dhcp
- Install the DHCP Layer 2 COPP rule for DHCP snooping.
admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure terminal
DELLSONiC(config)# policy-map copp-system-policy type copp
DELLSONiC(config-policy-map)# class copp-system-dhcpl2
DELLSONiC(config-policy-map-flow)# set copp-action copp-system-dhcp
IPv4 DHCP Snooping Configuration
To configure DHCP snooping, use the following procedure:
- Enable the DHCP snooping feature globally.
sonic(config)# ip dhcp snooping
admin@DELLSONiC:~$ sonic-cli
DELLSONiC#configure terminal
DELLSONiC(config)# ip dhcp snooping
- Configure the interface connected to the DHCP server as trusted.
sonic(config-if)# ip dhcp snooping trust
admin@DELLSONiC:~$ sonic-cli
DELLSONiC#configure terminal
DELLSONiC(config)# interface Eth 1/1
DELLSONiC(config-if-Eth1/1)# ip dhcp snooping trust
DELLSONiC(config-if-Eth1/1)# show configuration
!
interface Eth1/1
 mtu 9100
 speed 100000
 unreliable-los auto
 no shutdown
 ip dhcp snooping trust
DELLSONiC(config-if-Eth1/1)#
DELLSONiC# show ip dhcp snooping
DHCP snooping is Enabled
DHCP snooping source MAC verification is Enabled
DHCP snooping is enabled on the following VLANs: 100 200 201
DHCP snooping trusted interfaces: Eth1/1
- Enable DHCP snooping on a VLAN or a list of VLANs.
sonic(config)# ip dhcp snooping vlan {vlan-id | vlan-list}
admin@DELLSONiC:~$ sonic-cli
DELLSONiC#configure terminal
DELLSONiC(config)# ip dhcp snooping vlan 100,200-201
%Info: Configuring only existing vlans in range
Note: The line above is an informational message.
DELLSONiC# show ip dhcp snooping
DHCP snooping is Enabled
DHCP snooping source MAC verification is Enabled
DHCP snooping is enabled on the following VLANs: 100 200 201
DHCP snooping trusted interfaces: Eth1/1
- (Optional) Disable DHCP source MAC address verification.
sonic(config)# no ip dhcp snooping verify mac-address
admin@DELLSONiC:~$ sonic-cli
DELLSONiC#configure terminal
DELLSONiC(config)# no ip dhcp snooping verify mac-address
DELLSONiC# show ip dhcp snooping
DHCP snooping is Enabled
DHCP snooping source MAC verification is Disabled
DHCP snooping is enabled on the following VLANs: 100 200 201
DHCP snooping trusted interfaces: Eth1/1
DELLSONiC#
- (Optional) Create a static entry in the DHCP snooping binding table.
sonic(config)# ip source binding source-ip-address source-mac-address vlan vlan-id interface interface-name
Note: Use the no ip source binding command to remove a static entry.
admin@DELLSONiC:~$ sonic-cli
DELLSONiC#configure terminal
DELLSONiC(config)# ip source binding 10.10.100.150 aa:bb:cc:dd:11:22 Vlan 100 Eth 1/1
DELLSONiC# show ip dhcp snooping binding
Total number of Dynamic bindings: 0
Total number of Static bindings: 1
Total number of Tentative bindings: 0
MAC Address        IP Address       VLAN  Interface    Type     Lease (Secs)
-----------------  ---------------  ----  -----------  -------  -----------
aa:bb:cc:dd:11:22  10.10.100.150    100   Eth1/1       static   NA
DELLSONiC#
Clear entries from the IPv4 DHCP snooping binding table
Use the following commands to clear all or specific dynamic entries:
- Clear all dynamic IP DHCP snooping binding entries:
sonic(config)# clear ip dhcp snooping binding
- Clear a specific dynamic IP DHCP snooping binding entry:
sonic(config)# clear ip dhcp snooping binding source-ip-address source-mac-address vlan vlan-id interface interface-name
- Clear the DHCP snooping statistics:
sonic# clear ip dhcp snooping statistics
View IPv4 DHCP snooping information
- View general DHCP snooping information:
sonic# show ip dhcp snooping
admin@DELLSONiC:~$ sonic-cli
DELLSONiC# show ip dhcp snooping
DHCP snooping is Enabled
DHCP snooping source MAC verification is Disabled
DHCP snooping is enabled on the following VLANs: 100 200 201
DHCP snooping trusted interfaces: Eth1/1
- View the DHCP snooping binding database:
sonic# show ip dhcp snooping binding
admin@DELLSONiC:~$ sonic-cli
DELLSONiC# show ip dhcp snooping binding
Total number of Dynamic bindings: 0
Total number of Static bindings: 1
Total number of Tentative bindings: 0
MAC Address        IP Address       VLAN  Interface    Type     Lease (Secs)
-----------------  ---------------  ----  -----------  -------  -----------
aa:bb:cc:dd:11:22  10.10.100.150    100   Eth1/1       static   NA
- View the DHCP snooping statistics:
sonic# show ip dhcp snooping statistics
admin@DELLSONiC:~$ sonic-cli
DELLSONiC# show ip dhcp snooping statistics
Interface        MAC Verify  Client Ifc  DHCP Server
                 Failures    Mismatch    Msgs Recvd
---------------  ----------  ----------  -----------
Eth1/1           0           0           0
Eth1/2           0           0           0
Eth1/3           0           0           0
Eth1/4           0           0           0
Eth1/5           0           0           0
Eth1/6           0           0           0
Eth1/7           0           0           0
IPv6 DHCP Snooping Configuration
To configure DHCPv6 snooping, use the following procedure:
- Enable the DHCPv6 snooping feature globally.
sonic(config)# ipv6 dhcp snooping
admin@DELLSONiC:~$ sonic-cli
DELLSONiC#configure terminal
DELLSONiC(config)# ipv6 dhcp snooping
DELLSONiC# show ipv6 dhcp snooping
DHCPv6 snooping is Enabled
DHCPv6 snooping source MAC verification is Enabled
DHCPv6 snooping is enabled on the following VLANs:
DHCPv6 snooping trusted interfaces:
DELLSONiC#
- Configure the interface connected to the DHCPv6 server as trusted.
sonic(config-if)# ipv6 dhcp snooping trust
admin@DELLSONiC:~$ sonic-cli
DELLSONiC#configure terminal
DELLSONiC(config)# interface Eth 1/1
DELLSONiC(config-if-Eth1/1)# ipv6 dhcp snooping trust
DELLSONiC(config-if-Eth1/1)# show configuration
!
interface Eth1/1
 mtu 9100
 speed 100000
 unreliable-los auto
 no shutdown
 ip dhcp snooping trust
 ipv6 dhcp snooping trust
DELLSONiC(config-if-Eth1/1)#
DELLSONiC# show ipv6 dhcp snooping
DHCPv6 snooping is Enabled
DHCPv6 snooping source MAC verification is Enabled
DHCPv6 snooping is enabled on the following VLANs:
DHCPv6 snooping trusted interfaces: Eth1/1
- Enable DHCPv6 snooping on a VLAN or a list of VLANs.
sonic(config)# ipv6 dhcp snooping vlan {vlan-id | vlan-list}
admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# ipv6 dhcp snooping vlan 100,200-201
%Info: Configuring only existing vlans in range
Note: The line above is an informational message.
DELLSONiC# show ipv6 dhcp snooping
DHCPv6 snooping is Enabled
DHCPv6 snooping source MAC verification is Enabled
DHCPv6 snooping is enabled on the following VLANs: 100 200 201
DHCPv6 snooping trusted interfaces: Eth1/1
- (Optional) Disable DHCPv6 source MAC address verification.
sonic(config)# no ipv6 dhcp snooping verify mac-address
admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# no ipv6 dhcp snooping verify mac-address
DELLSONiC# show ipv6 dhcp snooping
DHCPv6 snooping is Enabled
DHCPv6 snooping source MAC verification is Disabled
DHCPv6 snooping is enabled on the following VLANs: 100 200 201
DHCPv6 snooping trusted interfaces: Eth1/1
DELLSONiC#
- (Optional) Create a static entry in the DHCPv6 snooping binding table.
sonic(config)# ipv6 source binding source-ip-address source-mac-address vlan vlan-id interface interface-name
admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# ipv6 source binding 2001:db8:3333::7778 aa:bb:cc:dd:11:11 Vlan 100 Eth 1/1
DELLSONiC# show ipv6 dhcp snooping binding
Total number of Dynamic bindings: 0
Total number of Static bindings: 1
Total number of Tentative bindings: 0
MAC Address        IPv6 Address         VLAN  Interface    Type     Lease (Secs)
-----------------  -------------------  ----  -----------  -------  -----------
aa:bb:cc:dd:11:11  2001:db8:3333::7778  100   Eth1/1       static   NA
DELLSONiC#
Note: Use the no ipv6 source binding command to remove a static entry.
Clear entries from the IPv6 DHCP snooping binding table
Use the following commands to clear all or specific dynamic entries:
- Clear all dynamic IPv6 DHCP snooping binding entries:
sonic(config)# clear ipv6 dhcp snooping binding
- Clear a specific dynamic IPv6 DHCP snooping binding entry:
sonic(config)# clear ipv6 dhcp snooping binding source-ip-address source-mac-address vlan vlan-id interface interface-name
- Clear the DHCPv6 snooping statistics:
sonic# clear ipv6 dhcp snooping statistics
View IPv6 DHCP snooping information
- View general DHCPv6 snooping information:
sonic# show ipv6 dhcp snooping
DELLSONiC# show ipv6 dhcp snooping
DHCPv6 snooping is Enabled
DHCPv6 snooping source MAC verification is Disabled
DHCPv6 snooping is enabled on the following VLANs: 100 200 201
DHCPv6 snooping trusted interfaces: Eth1/1
DELLSONiC#
- View the DHCPv6 snooping binding database:
sonic# show ipv6 dhcp snooping binding
DELLSONiC# show ipv6 dhcp snooping binding
Total number of Dynamic bindings: 0
Total number of Static bindings: 1
Total number of Tentative bindings: 0
MAC Address        IPv6 Address         VLAN  Interface    Type     Lease (Secs)
-----------------  -------------------  ----  -----------  -------  -----------
aa:bb:cc:dd:11:11  2001:db8:3333::7778  100   Eth1/1       static   NA
DELLSONiC#
- View the DHCPv6 snooping statistics:
sonic# show ipv6 dhcp snooping statistics
DELLSONiC# show ipv6 dhcp snooping statistics
Interface        MAC Verify  Client Ifc  DHCP Server
                 Failures    Mismatch    Msgs Recvd
---------------  ----------  ----------  -----------
Eth1/1           0           0           0
Eth1/2           0           0           0
Eth1/3           0           0           0
Eth1/4           0           0           0
Affected Products
Enterprise SONiC Distribution, PowerSwitch S5048F-ON, PowerSwitch S5148F-ON, PowerSwitch S5212F-ON, PowerSwitch S5224F-ON, PowerSwitch S5232F-ON, PowerSwitch S5248F-ON, PowerSwitch S5296F-ON, PowerSwitch S5448F-ON
Article Properties
Article Number: 000218723
Article Type: How To
Last Modified: 31 Oct 2023
Version: 2