Dell Networking SONiC:动态主机配置协议侦听
Summary: 本文介绍 Dell Networking SONiC 中的动态主机配置协议 (DHCP) 侦听。本文使用运行 Dell SONiC 4.1 的交换机。
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Instructions
|
前提条件
标准接口命名用于演示概念。请参阅戴尔文章 202172 Dell Networking S 系列:基本接口配置 - SONiC 4.0 ,了解有关接口命名的更多信息 |
指数
介绍
DHCP 第 2 层 COPP 配置
IPv4 DHCP 侦听配置
从 IPv4 DHCP 侦听绑定表
中清除条目查看 IPv4 DHCP 侦听信息
IPv6 DHCP 侦听配置
清除 IPv6 DHCP 侦听绑定表
中的条目查看 IPv6 DHCP 侦听信息
简介
动态主机配置协议 (DHCP) 侦听是一项安全功能,允许网络中的交换机监视 DHCP 控制消息。交换机可以使用控制消息识别网络中的流氓 DHCP 服务器和客户端。启用 DHCP 侦听时,交换机将开始监视来自 DHCP 服务器和客户端的 DHCP 控制数据包。系统使用此信息来构建数据库。
有两种类型的 DHCP 侦听接口;受信任和不受信任的接口。您可以将 DHCP 客户端连接到不受信任的接口,将 DHCP 服务器连接到受信任接口。
当交换机收到来自不受信任端口上的客户端的 DHCP 消息时,它会将数据包转发到同一 VLAN 中的受信任端口。将连接到 DHCP 服务器的端口配置为受信任时,系统会丢弃它在不受信任的接口上收到的任何 DHCP 服务器到客户端消息。
通过检查以太网标头中的源 MAC 地址和 DHCP 标头中的客户端 MAC 地址,DHCP 侦听可更大限度地减少恶意 DHCP 客户端获取 DHCP 租约。
配置说明:
- IPv4 和 IPv6 支持 DHCP 侦听。
- DHCPv6 侦听仅适用于 DHCPv6 有状态服务器
- 在全局和特定 VLAN 上启用 DHCP 侦听。
- 将 VLAN 中的端口配置为受信任或不受信任。
- 默认情况下,所有端口不受信任。
- 通过受信任端口连接 DHCP 服务器。
- 通过不受信任的端口连接 DHCP 客户端。
- 在不受信任的接口上,如果源 MAC 地址与客户端硬件地址不匹配,交换机将丢弃 DHCP 数据包。您可以禁用此行为,禁用验证 MAC 地址功能。将此功能用于路由的 DHCP 中继和 DHCP 单播请求数据包。
- 启用 DHCP 侦听时,验证 MAC 地址 功能默认已启用。
- DHCP 侦听不应用于未启用侦听的 VLAN。
- 您可以配置 DHCP 侦听绑定表的手动条目。
- 在启用 DHCP 侦听之前,请删除 DHCP 第 3 层 COPP 规则并安装 DHCP 第 2 层 COPP 规则。有关更多详细信息,请参阅 DHCP 第 2 层 COPP 配置 部分。
DHCP 第 2 层 COPP 配置
要使 DHCP 侦听正常工作,请执行以下配置:- 卸载 DHCP 第 3 层 COPP 规则。这是默认规则。
admin@DELLSONiC:~$ sonic-cli DELLSONiC# configure terminal DELLSONiC(config)# policy-map copp-system-policy type copp DELLSONiC(config-policy-map)# no class copp-system-dhcp
-
安装用于 DHCP 侦听的 DHCP 第 2 层 COPP 规则。
admin@DELLSONiC:~$ sonic-cli DELLSONiC# configure terminal DELLSONiC(config)# policy-map copp-system-policy type copp DELLSONiC(config-policy-map)# class copp-system-dhcpl2 DELLSONiC(config-policy-map-flow)# set copp-action copp-system-dhcp
IPv4 DHCP 侦听配置
要配置 DHCP 侦听,请使用以下过程:- 全局启用 DHCP 侦听。
sonic(config)# ip dhcp snooping admin@DELLSONiC:~$ sonic-cli DELLSONiC#configure terminal DELLSONiC(config)# ip dhcp snooping
- 将连接到 DHCP 服务器的接口配置为受信任。
sonic(config-if)# ip dhcp snooping trust admin@DELLSONiC:~$ sonic-cli DELLSONiC#configure terminal DELLSONiC(config)# interface Eth 1/1 DELLSONiC(config-if-Eth1/1)# ip dhcp snooping trust
DELLSONiC(config-if-Eth1/1)# show configuration ! interface Eth1/1 mtu 9100 speed 100000 unreliable-los auto no shutdown ip dhcp snooping trust DELLSONiC(config-if-Eth1/1)# DELLSONiC# show ip dhcp snooping DHCP snooping is Enabled DHCP snooping source MAC verification is Enabled DHCP snooping is enabled on the following VLANs: 100 200 201 DHCP snooping trusted interfaces: Eth1/1
- 在 VLAN 或 VLAN 列表上启用 DHCP 侦听。
sonic(config)# ip dhcp snooping vlan {vlan-id | vlan-list}
admin@DELLSONiC:~$ sonic-cli
DELLSONiC#configure terminal
DELLSONiC(config)# ip dhcp snooping vlan 100,200-201
%Info: Configuring only existing vlans in range
提醒:以上是一条信息消息。
DELLSONiC# show ip dhcp snooping DHCP snooping is Enabled DHCP snooping source MAC verification is Enabled DHCP snooping is enabled on the following VLANs: 100 200 201 DHCP snooping trusted interfaces: Eth1/1
- (可选)禁用 DHCP 源 MAC 地址验证
sonic(config)# no ip dhcp snooping verify mac-address admin@DELLSONiC:~$ sonic-cli DELLSONiC#configure terminal DELLSONiC(config)# no ip dhcp snooping verify mac-address
DELLSONiC# show ip dhcp snooping DHCP snooping is Enabled DHCP snooping source MAC verification is Disabled DHCP snooping is enabled on the following VLANs: 100 200 201 DHCP snooping trusted interfaces: Eth1/1 DELLSONiC#
- (可选)创建 DHCP 侦听绑定表的静态条目。
sonic(config)# ip source binding source-ip-address source-mac-address vlan vlan-id interface interface-name
提醒:使用 IP 源绑定命令的无形式删除静态条目。
admin@DELLSONiC:~$ sonic-cli DELLSONiC#configure terminal DELLSONiC(config)# ip source binding 10.10.100.150 aa:bb:cc:dd:11:22 Vlan 100 Eth 1/1
DELLSONiC# show ip dhcp snooping binding Total number of Dynamic bindings: 0 Total number of Static bindings: 1 Total number of Tentative bindings: 0 MAC Address IP Address VLAN Interface Type Lease (Secs) ----------------- --------------- ---- ----------- ------- ----------- aa:bb:cc:dd:11:22 10.10.100.150 100 Eth1/1 static NA DELLSONiC#
从 IPv4 的 DHCP 侦听绑定表中清除条目
使用以下命令清除所有或特定的动态条目:- 清除所有动态 IP DHCP 侦听绑定条目:
sonic(config)# clear ip dhcp snooping binding
- 清除特定的动态 IP DHCP 侦听绑定条目:
sonic(config)# clear ip dhcp snooping binding source-ip-address source-mac-address vlan vlan-id interface interface-name
- 清除 DHCP 侦听统计信息:
sonic# clear ip dhcp snooping statistics
查看 IPv4 的 DHCP 侦听信息。
- 查看有关 DHCP 侦听的常规信息:
sonic# show ip dhcp snooping admin@DELLSONiC:~$ sonic-cli DELLSONiC# show ip dhcp snooping DHCP snooping is Enabled DHCP snooping source MAC verification is Disabled DHCP snooping is enabled on the following VLANs: 100 200 201 DHCP snooping trusted interfaces: Eth1/1
- 查看 DHCP 侦听绑定数据库:
sonic# show ip dhcp snooping binding admin@DELLSONiC:~$ sonic-cli DELLSONiC# show ip dhcp snooping binding Total number of Dynamic bindings: 0 Total number of Static bindings: 1 Total number of Tentative bindings: 0 MAC Address IP Address VLAN Interface Type Lease (Secs) ----------------- --------------- ---- ----------- ------- ----------- aa:bb:cc:dd:11:22 10.10.100.150 100 Eth1/1 static NA
- 查看 DHCP 侦听统计信息:
sonic# show ip dhcp snooping statistics admin@DELLSONiC:~$ sonic-cli DELLSONiC# show ip dhcp snooping statistics Interface MAC Verify Client Ifc DHCP Server Failures Mismatch Msgs Recvd --------------- ---------- ---------- ----------- Eth1/1 0 0 0 Eth1/2 0 0 0 Eth1/3 0 0 0 Eth1/4 0 0 0 Eth1/5 0 0 0 Eth1/6 0 0 0 Eth1/7 0 0 0
为 IPv6 配置 DHCP 侦听。
要配置 DHCP 侦听,请使用以下过程:
- 全局启用 DHCP 侦听。
sonic(config)# ipv6 dhcp snooping admin@DELLSONiC:~$ sonic-cli DELLSONiC#configure terminal DELLSONiC(config)# ipv6 dhcp snooping
DELLSONiC# show ipv6 dhcp snooping DHCPv6 snooping is Enabled DHCPv6 snooping source MAC verification is Enabled DHCPv6 snooping is enabled on the following VLANs: DHCPv6 snooping trusted interfaces: DELLSONiC#
- 将连接到 DHCP 服务器的接口配置为受信任。
sonic(config-if)# ipv6 dhcp snooping trust admin@DELLSONiC:~$ sonic-cli DELLSONiC#configure terminal DELLSONiC(config)# interface Eth 1/1 DELLSONiC(config-if-Eth1/1)# ipv6 dhcp snooping trust
DELLSONiC(config-if-Eth1/1)# show configuration ! interface Eth1/1 mtu 9100 speed 100000 unreliable-los auto no shutdown ip dhcp snooping trust ipv6 dhcp snooping trust DELLSONiC(config-if-Eth1/1)#
DELLSONiC# show ipv6 dhcp snooping DHCPv6 snooping is Enabled DHCPv6 snooping source MAC verification is Enabled DHCPv6 snooping is enabled on the following VLANs: DHCPv6 snooping trusted interfaces: Eth1/1
- 在 VLAN 或 VLAN 列表上启用 DHCP 侦听。
sonic(config)# ipv6 dhcp snooping vlan {vlan-id | vlan-list}
admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# ipv6 dhcp snooping vlan 100,200-201
%Info: Configuring only existing vlans in range
提醒:以上是一条信息消息。
DELLSONiC# show ipv6 dhcp snooping DHCPv6 snooping is Enabled DHCPv6 snooping source MAC verification is Enabled DHCPv6 snooping is enabled on the following VLANs: 100 200 201 DHCPv6 snooping trusted interfaces: Eth1/1
- (可选)禁用 DHCP 源 MAC 地址验证
sonic(config)# no ipv6 dhcp snooping verify mac-address admin@DELLSONiC:~$ sonic-cli DELLSONiC# configure DELLSONiC(config)# no ipv6 dhcp snooping verify mac-address
DELLSONiC# show ipv6 dhcp snooping DHCPv6 snooping is Enabled DHCPv6 snooping source MAC verification is Disabled DHCPv6 snooping is enabled on the following VLANs: 100 200 201 DHCPv6 snooping trusted interfaces: Eth1/1 DELLSONiC#
- (可选)创建 DHCP 侦听绑定表的静态条目。
sonic(config)# ipv6 source binding source-ip-address source-mac-address vlan vlan-id interface interface-name admin@DELLSONiC:~$ sonic-cli DELLSONiC# configure DELLSONiC(config)# ipv6 source binding 2001:db8:3333::7778 aa:bb:cc:dd:11:11 Vlan 100 Eth 1/1
DELLSONiC# show ipv6 dhcp snooping binding Total number of Dynamic bindings: 0 Total number of Static bindings: 1 Total number of Tentative bindings: 0 MAC Address IPv6 Address VLAN Interface Type Lease (Secs) ----------------- --------------- ---- ----------- ------- ----------- aa:bb:cc:dd:11:11 2001:db8:3333::7778 100 Eth1/1 static NA DELLSONiC#
提醒:使用 IP 源绑定命令的无形式删除静态条目。
从 IPv6 的 DHCP 侦听绑定表中清除条目
使用以下命令清除所有或特定的动态条目:
- 清除所有动态 IP DHCP 侦听绑定条目:
sonic(config)# clear ipv6 dhcp snooping binding
- 清除特定的动态 IP DHCP 侦听绑定条目:
sonic(config)# clear ipv6 dhcp snooping binding source-ip-address source-mac-address vlan vlan-id interface interface-name
- 清除 DHCP 侦听统计信息:
sonic# clear ipv6 dhcp snooping statistics
查看 IPv6 的 DHCP 侦听信息。
- 查看有关 DHCP 侦听的常规信息:
sonic# show ipv6 dhcp snooping DELLSONiC# show ipv6 dhcp snooping DHCPv6 snooping is Enabled DHCPv6 snooping source MAC verification is Disabled DHCPv6 snooping is enabled on the following VLANs: 100 200 201 DHCPv6 snooping trusted interfaces: Eth1/1 DELLSONiC#
- 查看 DHCP 侦听绑定数据库:
sonic# show ipv6 dhcp snooping binding DELLSONiC# show ipv6 dhcp snooping binding Total number of Dynamic bindings: 0 Total number of Static bindings: 1 Total number of Tentative bindings: 0 MAC Address IPv6 Address VLAN Interface Type Lease (Secs) ----------------- --------------- ---- ----------- ------- ----------- aa:bb:cc:dd:11:11 2001:db8:3333::7778 100 Eth1/1 static NA DELLSONiC#
- 查看 DHCP 侦听统计信息:
sonic# show ipv6 dhcp snooping statistics DELLSONiC# show ipv6 dhcp snooping statistics Interface MAC Verify Client Ifc DHCP Server Failures Mismatch Msgs Recvd --------------- ---------- ---------- ----------- Eth1/1 0 0 0 Eth1/2 0 0 0 Eth1/3 0 0 0 Eth1/4 0 0 0
Affected Products
Enterprise SONiC Distribution, PowerSwitch S5048F-ON, PowerSwitch S5148F-ON, PowerSwitch S5212F-ON, PowerSwitch S5224F-ON, PowerSwitch S5232F-ON, PowerSwitch S5248F-ON, PowerSwitch S5296F-ON, PowerSwitch S5448F-ONArticle Properties
Article Number: 000218723
Article Type: How To
Last Modified: 31 Oct 2023
Version: 2
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.