How to manage DHCP using switches and port settings (1)

Source: Internet
Author: User

In network management, some things always give administrators headaches. Here we introduce how a network manager can control DHCP using switch and port settings. Network administrator: Users who change their own IP addresses, private APs and DHCP servers, and whatever hacker program someone next decides to try on the intranet are a real worry. Can the switch deal with this on its own? Test engineer: Yes! Many small functions on switches can be of great help.

I. Test Results

Binding an IP address to a MAC address

Cisco's Catalyst 3560 switch supports the DHCP Snooping function. The switch listens to the DHCP exchange and builds a table of IP address to MAC address bindings. Cisco switches further support the IP Source Guard and Dynamic ARP Inspection functions. Either of these functions can automatically check traffic against the binding table obtained by DHCP Snooping, preventing unauthorized address changes.

Another advantage of the Dynamic ARP Inspection function is that it can prevent man-in-the-middle attacks on Layer 2 networks (as shown in Figure 4).

Cisco also provides some very useful extensions to DHCP Snooping. For example, a Catalyst 3560 switch can limit the rate of DHCP packets passing through a port, with a granularity of packets per second (pps); this prevents DoS attacks that flood the DHCP server with IP address requests. In addition, the Catalyst 3560 supports DHCP Tracker, which inserts the ID of the switch port into the DHCP request, thus limiting the number of IP addresses requested through each port and preventing hackers from exhausting the DHCP server's address pool. Although the Asus switch cannot adjust the rate, it also limits the number of DHCP requests.

DHCP (Dynamic Host Configuration Protocol) is a TCP/IP standard that simplifies the configuration and management of host IP addresses. It provides an effective way for DHCP servers to manage the dynamic allocation of client IP addresses on the network and to supply other configuration parameters to DHCP clients.

In a TCP/IP-based network, each computer must have a unique IP address to access resources on the network. Communication between computers is carried out through IP addresses; the IP address and subnet mask together identify the host and the subnet it is attached to. If the LAN has relatively few computers, IP addresses can be set manually. However, when there are many computers divided across multiple subnets, configuring IP addresses by hand becomes a heavy and error-prone workload for the administrator. In practice we often run into IP address conflicts and incorrect gateway or DNS server settings, which make the network unreachable, as well as machines that frequently change location and therefore frequently need new IP addresses.

DHCP is a good solution to these problems. By installing and configuring a DHCP server on the network, DHCP-enabled clients can automatically obtain the IP address and related configuration parameters needed for network access each time they start up and join the network. This reduces configuration management work and provides secure and reliable configuration.

A server running the DHCP service can provide each network client with an IP address, subnet mask, default gateway, and DNS server address. DHCP avoids errors caused by manually entered IP addresses and subnet masks, and avoids address conflicts caused by assigning the same IP address to multiple hosts. This reduces the burden on IP address administrators and greatly reduces the time spent configuring hosts on the network.

However, with the wide deployment of the DHCP service, some problems have also appeared. First, DHCP allows multiple DHCP servers to exist in one subnet. This means the administrator cannot guarantee that clients obtain valid IP addresses only from the DHCP server the administrator set up, rather than from some illegal DHCP server created by a user. Second, in a subnet where DHCP is deployed, a host configured with a valid IP address, mask, and gateway can also access the network normally, but the DHCP server may still allocate that address to other hosts, resulting in an address conflict that disrupts the normal allocation of IP addresses.

To address these problems, this article presents a solution: the DHCP Snooping and Dynamic ARP Inspection technologies provided by Cisco can effectively prevent them from occurring.
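The following is an added example configuration for a Catalyst 3560-class switch running Cisco IOS that ties together the features discussed above (DHCP Snooping with the port-ID option, per-port DHCP rate limiting, Dynamic ARP Inspection, and IP Source Guard) and the rogue-server and address-conflict problems just described; it is not from the original article. VLAN 10, the uplink GigabitEthernet0/1 toward the DHCP server, access ports 2 to 24, and the 15 pps limit are assumed values.

```cisco
! Added example for a Catalyst 3560-class switch (not from the article).
! Assumed: VLAN 10, uplink Gi0/1 toward the DHCP server, access ports Gi0/2-24.
ip dhcp snooping
ip dhcp snooping vlan 10
! Insert the relay-agent information option (Option 82) carrying the
! ingress switch port ID into client DHCP requests
ip dhcp snooping information option
! Validate ARP on VLAN 10 against the DHCP snooping binding table
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet0/1
 description Uplink toward the authorized DHCP server
 switchport mode trunk
 ! Only the uplink may deliver DHCP server replies and unchecked ARP
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 ! Ports are untrusted by default: DHCPOFFER/DHCPACK arriving here
 ! (a rogue server) are dropped and logged
 ! Cap client DHCP packets per second so one host cannot flood the server
 ip dhcp snooping limit rate 15
 ! IP Source Guard: forward only frames whose source IP and MAC match a
 ! snooping binding, so a manually set address that conflicts with a
 ! lease, or a changed address, is blocked at the port
 switchport port-security
 switchport port-security maximum 2
 ip verify source port-security
!
! Verification commands to run after clients renew their leases:
! show ip dhcp snooping binding
! show ip arp inspection statistics vlan 10
! show ip verify source
```

A port that exceeds the DHCP rate limit is err-disabled, so pair this with monitoring of the snooping and ARP inspection logs before rolling it out widely.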

Here we will give a brief introduction to the two technologies, and then describe an application example.

