In our previous studies on DHCP, we found that DHCP Snooping is widely used. Although we have introduced DHCP Snooping, We will summarize it in detail here. In this example, I also gave you an illustration, hoping to give you an intuitive understanding of this part of knowle
The content of DHCP snooping has been explained a lot. After DHCP snooping is set, how can we display DHCP snooping? Next let's take a look at the specific content.
DHCP
In a local area network, if someone privately connects the LAN to the enterprise's access layer switch, or if a malicious attacker forges a DHCP message will cause DHCP problems, how to protect the key, the following several scenarios to make a trial configurationScenario 1DHCP server on layer three switches, one DHCP server per VLAN, client and
1. DHCP snooping parsingWhen DHCP snooping is turned on, all ports are untrusted interfaces by default.Untrusted interface: The discovery message can be received, but when an offer message is received, it is dropped directly and no DHCP message is sent.Trusted interface: Sen
12: 09
First, I would like to introduce myself. I am working in a ** technology company in Beijing. My company is engaged in mobile phones and has thousands of people. I am responsible for the basic network management of several outlets across the country, at the same time, I am responsible for monitoring various network devices. Now I have been in service for one and a half months. The company's leaders want to implement layer-2 security. One of them is DHC
I. Working principle:
A. After the specified VLAN is enabled for DHCP snooping, the ports are divided into trusted interfaces and untrusted interfaces, the default VLAN all interfaces become untrusted interfaces, and the trusted interfaces need to be set manually.
B. For the untrusted interface, you can only receive DHCP request messages and do not send
The method used is to assign IP to the user by DHCP, and then limit the way that these users can only use dynamic IP, if it is changed to static IP mode can not connect to the network; that is, the DHCP snooping function is used.
Example:
Version 12.1No service padService Timestamps Debug UptimeService Timestamps Log uptimeNo service password-encryptionService
In the previous two sections, we analyzed the IGMP snooping process based on the IGMP snooping code implemented in linux2.6.32.
This section analyzes the functionality required to implement IGMP snooping based on the first two sections
One, data structure
For the implementation of a sub-layer function, the most important is the establishment of data structures.
addressesDHCP Snooping: a DHCP listener that records the user information applied for an IP address from a layer-2 device.The DHCP packet format is shown in the right figure. The fields are defined as follows: packet format
Fields in the message are described as follows: op, the packet type. 1 indicates the request message, and 2 indicates the Response Message.
address conflicts
Clients do not have to use the DHCP service to get IP, or you can set the IP address in a statically specified manner. This will greatly increase the likelihood of network IP address conflicts.
Introduction to DHCP snooping technology
The DHCP spanning is a control plane feature. The ability to cl
-config
Building configuration ...
Current configuration:1464 bytes
Version rg0s 10.1.00 (1), Release (11758) (Fri Mar 12:53:11 CST 2007-NPRD
Hostname Ruijie
VLAN 1
IP helper-address 192.18.100.1
IP helper-address 192.18.100.2
IP DHCP relay information option DOT1X
Interface Gigabitethernet 0/1
Interface Gigabitethernet 0/2
Interface Gigabitethernet 0/3
No Switchport
IP helper-address 192.168.200.1
IP helper-address 192.168.200.2
Interface VLAN 1
IP a
Application examples
My school is a student apartment, PC owns about 1000 units. Using DHCP assigned IP address, with 4 C class addresses, the actual number of addresses available is about 1000. Because of the frequent presence of private DHCP servers in the building, a large number of hosts cannot be assigned to legitimate IP addresses, and because a significant number of hosts specify IP addresses, confl
, generally, this address is the same as the MAC address of the client. If an attacker modifies the CHADDR In the DHCP packet without modifying the MAC address of the client, and implements Dos attacks, Port Security does not work, DHCP sniffing technology can check the CHADDR field in the DHCP request message to determine whether the field matches the
Original link http://louisnetwork.blog.sohu.com/111972027.html
Some tests involve IGMP snooping at work. When it comes to IGMP snooping, it is inevitable that IGMP proxy will come to mind. Sometimes, you may think more and think more about it.What is the difference between them? First, let's look at the figure below. L2 Switch enables IGMP snooping, and router1
PIM SM + IGMP snooping suitability test test topology
Figure 1
BootstrapThe BOOTSTRAP protocol is used to designate and announce the RP, the BOOTSTRAP protocol ensures that the entire network chooses a unique BSR (boot router) through Bootstrap messages, BSR collects the RP information in the network and floods all PIM routers in the PIM domain; C-RP learned about BSR, By sending candidate-rp-advertisement messages to BSR via unicast, BSR
plan:
Using bound variables to snoop
If you do not use a binding variable for snooping, the default selectable rate (for example, 5%) is used for predicate conditions where the selectable rate may vary depending on the specific input value.
Binding variable snooping (bind peeking) is introduced in Oracle 9i, whether binding variables are enabled to spy on the control of _optim_peek_user_b
PIM SM + IGMP snooping suitability Test (ii) Introduction to TTL issuesThe two questions and answers in the previous section are based on theoretical analysis and experimental validation, and this section describes the problems encountered in experiments and experiments.Test topology
Figure 1
Experiment DescriptionBefore doing experiments to verify the technical problems, first of all to clarify the purpose of the experiment, then detailed
Original link http://blog.163.com/song_jk/blog/static/235693562007022112149449/
At present, in an IP network, the carrier's network does not want to provide users in the form of xDSL for the purpose of providing more services, but directly provides a uniform width interface, this form is particularly common in some broadband communities.
Currently, in addition to Internet services, most applications in broadband communities are provided with IPTV. In the promotion of IPTV, it is generally requi
1. pseudo dhcp server. The working principle of Dhcp is probably that the client first broadcasts the dhcp discovery message. The dhcp server in this section returns the dhcp offer message, and the client sends the dhcp request me
can quickly find its associated multicast group database entries
U32 queries_sent;//the number of times a query package has been sent
};
Where the port list is used to add all the corresponding bridges to the addr of the multicast group
Next points to the next multicast port, and the next multicast group address is addr, only the port value is different.
Where mglist is used to add the multicast port to the Mglist linked list of port, through the mglist linked list of the bridge port, can find
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.