NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01
Configuring Defense Against Man-in-the-Middle Attacks and IP/MAC Address Spoofing

This section describes how to configure the IP/MAC address binding and Option 82 functions to prevent man-in-the-middle attacks and IP/MAC address spoofing.

Applicable Environment

In a man-in-the-middle attack or IP/MAC address spoofing, an attacker inserts itself between a server and its clients, impersonating the server towards the clients and the clients towards the server. Each side believes it is exchanging packets directly with the other, but every packet is relayed through the attacker, who can read or alter the data passing between server and clients.

To prevent man-in-the-middle attacks and IP/MAC address spoofing, enable Dynamic Host Configuration Protocol (DHCP) snooping on the device so that it forwards a received packet only if the packet's source IP address and source MAC address match an entry in the DHCP snooping binding table. A packet that matches no entry in the DHCP snooping binding table is discarded.

Pre-configuration Tasks

Before you configure defense against man-in-the-middle attacks and IP/MAC address spoofing, configure DHCP snooping.

Configuration Procedures

Figure 4-2 Flowchart of configuring defense against man-in-the-middle attacks and IP/MAC address spoofing

Enabling DHCP Snooping

To configure Dynamic Host Configuration Protocol (DHCP) snooping functions, enable DHCP snooping first.

Context

Enable DHCP snooping in the following sequence:
  1. Enable DHCP globally.
  2. Enable DHCP snooping globally.
  3. Enable DHCP snooping in an interface, BD, or VLAN view.

Procedure

  • Enable DHCP snooping for a VLAN.
    1. Run system-view

      The system view is displayed.

    2. Run dhcp enable

      DHCP is enabled globally.

    3. Run dhcp snooping enable

      DHCP snooping is enabled globally.

    4. Run vlan vlan-id

      The VLAN view is displayed.

    5. Run dhcp snooping enable

      DHCP snooping is enabled for the VLAN.

    6. Run quit

      The system view is displayed.

    7. Run commit

      The configuration is committed.

  • Enable DHCP snooping in the BD view.
    1. Run system-view

      The system view is displayed.

    2. Run dhcp enable

      DHCP is enabled globally.

    3. Run dhcp snooping enable

      DHCP snooping is enabled globally.

    4. Run bridge-domain bd-id

      The BD view is displayed.

    5. Run dhcp snooping enable

      DHCP snooping is enabled in a BD.

    6. Run commit

      The configuration is committed.

  • Enable DHCP snooping for an interface.
    1. Run system-view

      The system view is displayed.

    2. Run dhcp enable

      DHCP is enabled globally.

    3. Run dhcp snooping enable

      DHCP snooping is enabled globally.

    4. Run interface interface-type interface-number

      The interface view is displayed.

    5. Run dhcp snooping enable

      DHCP snooping is enabled for the interface.

    6. Run commit

      The configuration is committed.

Enabling DHCP Request Packet Check

To prevent man-in-the-middle attacks and IP/MAC address spoofing, enable packet check on the device. After packet check is enabled, the device verifies that the combination of source IP address and source MAC address in received Address Resolution Protocol (ARP) packets (arp keyword) or IP packets (ip keyword) matches an entry in the DHCP snooping binding table; the dhcp-request keyword applies the check to DHCP request packets.

Context

For DHCP users, the DHCP snooping binding table is automatically generated when DHCP snooping is enabled. For users using static IP addresses, the DHCP snooping binding table needs to be manually configured.

Enable packet check in an interface, BD, or VLAN view, matching the view in which DHCP snooping was enabled.

Procedure

  • Enable DHCP request packet check in a VLAN view.
    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run dhcp snooping check { arp | dhcp-request | ip } enable [ interface interface-type interface-number ]

      DHCP request packet check is enabled for the VLAN.

    4. Run commit

      The configuration is committed.

  • Enable DHCP request packet check in a BD view.
    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run dhcp snooping check { arp | dhcp-request | ip } enable

      DHCP request packet check is enabled in a BD.

    4. Run commit

      The configuration is committed.

  • Enable DHCP request packet check in an interface view.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run dhcp snooping check { arp | dhcp-request | ip } enable

      DHCP request packet check is enabled for the interface.

    4. Run commit

      The configuration is committed.

(Optional) Configuring the DHCP Snooping Binding Table

Dynamic entries in the DHCP snooping binding table are generated automatically once DHCP snooping is enabled. Static entries in the DHCP snooping binding table must be configured manually.

Context

NOTE:

A static IP address (an address allocated to a user in static mode) is one that is configured manually on the client. Static users are users who use static IP addresses.

If users have static IP addresses, configure a static binding entry for each of them; this prevents a static IP address from being misappropriated by another host. When there are many static users, every static IP address still needs its own binding entry: a static IP address without an entry cannot be protected, because an unauthorized host using that address cannot be told apart from the legitimate one.

NOTE:
  • For IP addresses dynamically allocated by DHCP, the device learns the users' MAC addresses and creates the binding entries automatically. No manual configuration is needed.
  • For IP addresses statically allocated to users, the device cannot create binding entries. They must be created manually.

If binding entries are not created for static users, the result depends on how packets that match no binding entry are handled:

NOTE:
  • If such packets are forwarded (the default behavior of the device), the packets of all static users are forwarded and all static users can access the DHCP server normally.
  • If such packets are discarded (the behavior once ARP or IP packet check is enabled), the packets of all static users are discarded and no static user can access the DHCP server.

If the binding entries must contain interface information, enable the Option 82 function. If Option 82 is not enabled and DHCP snooping is enabled on a VLANIF interface, the generated DHCP snooping binding entries contain no interface information. For details, see the description of how to configure the Option 82 function.

When an interface receives an ARP or IP packet, it compares the packet's source IP address and source MAC address, together with the interface and virtual local area network (VLAN) information recorded in the entries, against the DHCP snooping binding table, and acts as follows:

  • The ARP or IP packet is discarded if its source IP address and source MAC address match no entry in the DHCP snooping binding table.
  • The ARP or IP packet is forwarded if its source IP address and source MAC address match an entry in the DHCP snooping binding table.
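The forward-or-discard decision described above, the default behavior for unbound static users, and the discard-count alarm can be modelled in a few lines. The following is an added example written for this page, not NE20E code: the binding entries, packet layout, interface names and thresholds are constructed for the demonstration, and the matching rule (IP and VLAN always compared; MAC and interface compared only when the entry records them) is an assumption that follows the text.

```python
"""Model of the DHCP snooping binding-table check and discard alarm.

Added example, not NE20E-S2 code. Entry layout, sample packets, interface
names and thresholds are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class BindEntry:
    ip: str
    mac: Optional[str]       # static entries may be configured without a MAC
    vlan: int
    ifname: Optional[str]    # None when Option 82 is off (no interface information)
    kind: str                # "S" static, "D" dynamic


@dataclass(frozen=True)
class Packet:
    proto: str               # "arp" or "ip"
    src_ip: str
    src_mac: str
    vlan: int
    ifname: str


@dataclass
class SnoopingVlan:
    """Per-VLAN state: binding table, check switches, alarm thresholds, counters."""
    entries: list
    check: dict = field(default_factory=lambda: {"arp": False, "ip": False})
    alarm_threshold: dict = field(default_factory=dict)
    discarded: dict = field(default_factory=lambda: {"arp": 0, "ip": 0})
    alarms: list = field(default_factory=list)

    def matches(self, pkt: Packet) -> bool:
        """IP and VLAN must match; MAC/interface only if the entry records them."""
        for e in self.entries:
            if e.ip != pkt.src_ip or e.vlan != pkt.vlan:
                continue
            if e.mac is not None and e.mac.lower() != pkt.src_mac.lower():
                continue
            if e.ifname is not None and e.ifname != pkt.ifname:
                continue
            return True
        return False

    def handle(self, pkt: Packet) -> str:
        """Return 'forward' or 'discard' for one packet and update the counters."""
        if not self.check.get(pkt.proto, False):
            return "forward"          # check disabled: everything is forwarded (default)
        if self.matches(pkt):
            return "forward"
        self.discarded[pkt.proto] += 1
        thr = self.alarm_threshold.get(pkt.proto)
        if thr is not None and self.discarded[pkt.proto] == thr:
            self.alarms.append(f"{pkt.proto} discards reached {thr} in vlan {pkt.vlan}")
        return "discard"


# Constructed binding table: one dynamic entry with full information, one
# static entry configured without a MAC and created before Option 82 was on.
TABLE = [
    BindEntry("10.10.10.1", "0011-2233-4455", 10, "GE0/1/0", "D"),
    BindEntry("10.10.10.2", None, 10, None, "S"),
]


def demo():
    v = SnoopingVlan(TABLE, check={"arp": True, "ip": True}, alarm_threshold={"arp": 2})
    results = [
        v.handle(Packet("arp", "10.10.10.1", "0011-2233-4455", 10, "GE0/1/0")),  # bound host
        v.handle(Packet("arp", "10.10.10.1", "dead-beef-0001", 10, "GE0/1/0")),  # MAC spoofed
        v.handle(Packet("ip", "10.10.10.2", "aaaa-bbbb-cccc", 10, "GE0/1/2")),   # entry has no MAC/port
        v.handle(Packet("arp", "10.10.10.1", "0011-2233-4455", 10, "GE0/1/5")),  # right MAC, wrong port
        v.handle(Packet("ip", "10.10.10.9", "0011-2233-4455", 10, "GE0/1/0")),   # static user, no entry
    ]
    return results, v.discarded, v.alarms


def unbound_static_user_with_check_off() -> str:
    """Default condition: with no check enabled an unbound static user is forwarded."""
    return SnoopingVlan(TABLE).handle(Packet("ip", "10.10.10.9", "aaaa-bbbb-cccc", 10, "GE0/1/0"))
```

The third packet shows why a static entry configured without a MAC address or interface only pins the IP address: any host on the VLAN can use 10.10.10.2 and still pass the check. Bind the MAC address, and enable Option 82 before the entries are created, when the goal is to stop IP/MAC spoofing rather than just IP theft.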

Procedure

  • Configure DHCP snooping static entries for a VLAN.
    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run dhcp snooping bind-table static ip-address ip-address [ mac-address mac-address ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ]

      The static DHCP snooping entry is configured for the VLAN.

    4. Run commit

      The configuration is committed.

  • Configure static DHCP snooping binding entries in a BD view.
    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run dhcp snooping bind-table static ip-address ip-address [ mac-address mac-address ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ]

      The static DHCP snooping entry is configured.

    4. Run commit

      The configuration is committed.

  • Configure static DHCP snooping binding entries for an interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run dhcp snooping bind-table static ip-address ip-address [ mac-address mac-address ] [ vlan vlan-id [ ce-vlan ce-vlan-id ] ]

      The static DHCP snooping entry is configured.

    4. Run commit

      The configuration is committed.

  • Configure backup for the DHCP snooping binding table.
    1. Run system-view

      The system view is displayed.

    2. Run dhcp snooping bind-table autosave filename

      Automatic backup is configured for the DHCP snooping binding table.

      After this configuration, the system backs up the file that stores the DHCP snooping binding table in the specified backup path at an interval of 60 minutes.

    3. Run commit

      The configuration is committed.

(Optional) Configuring Option 82 Field Insertion

After the Option 82 function is enabled on a device, the device can record the location information of the DHCP client or create binding entries with accurate interface information based on the Option 82 information.

Context

The Option 82 field contains the location information of Dynamic Host Configuration Protocol (DHCP) hosts, such as information about the login interface, virtual local area network (VLAN), and address. After the Option 82 field insertion function is configured, the device can set up dynamic binding entries with accurate interface information. Based on the Option 82 field, the DHCP server assigns IP addresses and policies for DHCP clients.

Procedure

  • Configure Option 82 field insertion in a VLAN view.
    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run dhcp option82 insert enable [ interface interface-type interface-number ]

      Or dhcp option82 rebuild enable [ interface interface-type interface-number ]

      Option 82 field insertion is enabled.

      • Run the dhcp option82 insert enable command. If no Option 82 field exists in a received DHCP packet, the device inserts the Option 82 field into the packet. If the Option 82 field exists in a received DHCP packet, the device checks whether the Option 82 field contains sub-options. If the Option 82 field contains sub-options, the device does not change the sub-options. If the Option 82 field does not contain sub-options and the sub-option format is configured, the device inserts sub-options into the Option 82 field.
      • Run the dhcp option82 rebuild enable command. If no Option 82 field exists in a received DHCP packet, the device inserts the Option 82 field into the packet. If the Option 82 field exists in a DHCP packet, the device deletes the Option 82 field and inserts a new Option 82 field into the packet.

    4. Run commit

      The configuration is committed.

  • Configure Option 82 field insertion in the BD view.
    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run dhcp option82 insert enable

      Or dhcp option82 rebuild enable

      Option 82 field insertion is enabled in the BD.

      • Run the dhcp option82 insert enable command. If no Option 82 field exists in a received DHCP packet, the device inserts the Option 82 field into the packet. If the Option 82 field exists in a received DHCP packet, the device checks whether the Option 82 field contains sub-options. If the Option 82 field contains sub-options, the device does not change the sub-options. If the Option 82 field does not contain sub-options and the sub-option format is configured, the device inserts sub-options into the Option 82 field.
      • Run the dhcp option82 rebuild enable command. If no Option 82 field exists in a received DHCP packet, the device inserts the Option 82 field into the packet. If the Option 82 field exists in a received DHCP packet, the device deletes the Option 82 field and inserts a new Option 82 field in the packet.

    4. Run commit

      The configuration is committed.

  • Configure Option 82 field insertion for an interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run dhcp option82 insert enable

      Or dhcp option82 rebuild enable

      Option 82 field insertion is enabled for the interface.

      • Run the dhcp option82 insert enable command. If no Option 82 field exists in a received DHCP packet, the device inserts the Option 82 field into the packet. If the Option 82 field exists in a received DHCP packet, the device checks whether the Option 82 field contains sub-options. If the Option 82 field contains sub-options, the device does not change the sub-options. If the Option 82 field does not contain sub-options and the sub-option format is configured, the device inserts sub-options into the Option 82 field.
      • Run the dhcp option82 rebuild enable command. If no Option 82 field exists in a received DHCP packet, the device inserts the Option 82 field into the packet. If the Option 82 field exists in a DHCP packet, the device deletes the Option 82 field and inserts a new Option 82 field into the packet.

    4. Run commit

      The configuration is committed.

Follow-up Procedure

After Option 82 field insertion is enabled, you can configure the formats of the Option 82 field and sub-option 9 in the Option 82 field as required. You can configure the format of the Option 82 field in a VLAN view or an interface view.

  • Configure the format of the Option 82 field in a VLAN view.
    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run dhcp option82 format { type1 | type2 | self-define self-define | cn-telecom } interface interface-type interface-number

      The format of the Option 82 field is configured for the VLAN.

    4. Run commit

      The configuration is committed.

  • Configure the format of the Option 82 field for an interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run dhcp option82 format { self-define extendtex | type1 | type2 | cn-telecom }

      Or dhcp option82 { circuit-id | remote-id } format self-define extendtex

      The format of the Option 82 field is configured for the interface.

    4. Run commit

      The configuration is committed.
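The difference between insert and rebuild matters on client-facing ports: in insert mode an Option 82 field that already carries sub-options is left alone, so whatever a client placed there reaches the DHCP server and the binding table. The example below is added for this page and is not NE20E code; it applies the two behaviors described in this section to a raw DHCP options field. The option layout follows the DHCP relay agent information option (option 82, sub-option 1 circuit-id, sub-option 2 remote-id); the circuit-id text, the relay MAC used as remote-id and the sample DISCOVER options are constructed, and no attempt is made to reproduce the device's type1/type2/cn-telecom encodings.

```python
"""Option 82 insert vs rebuild on a DHCP options field.

Added example, not NE20E-S2 code. Circuit-id/remote-id contents and the
sample DHCP options below are constructed for the demonstration.
"""
OPT_PAD, OPT_END, OPT_RELAY_AGENT = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def parse_options(buf: bytes):
    """Return [(code, data), ...] for the TLVs before END; PAD bytes are skipped."""
    out, i = [], 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = buf[i + 1]
        out.append((code, buf[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def build_options(tlvs) -> bytes:
    return b"".join(bytes([c, len(d)]) + d for c, d in tlvs) + bytes([OPT_END])


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Sub-options: 1 = circuit-id, 2 = remote-id (each a code/len/data triple)."""
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def option82_insert(buf: bytes, circuit_id: bytes, remote_id: bytes) -> bytes:
    """insert: add Option 82 if absent; fill it only if present but empty;
    leave existing sub-options untouched."""
    out, seen = [], False
    for code, data in parse_options(buf):
        if code == OPT_RELAY_AGENT:
            seen = True
            if len(data) == 0:
                data = build_option82(circuit_id, remote_id)
        out.append((code, data))
    if not seen:
        out.append((OPT_RELAY_AGENT, build_option82(circuit_id, remote_id)))
    return build_options(out)


def option82_rebuild(buf: bytes, circuit_id: bytes, remote_id: bytes) -> bytes:
    """rebuild: drop any existing Option 82 and append a freshly built one."""
    tlvs = [(c, d) for c, d in parse_options(buf) if c != OPT_RELAY_AGENT]
    tlvs.append((OPT_RELAY_AGENT, build_option82(circuit_id, remote_id)))
    return build_options(tlvs)


def parse_option82(buf: bytes):
    """Return {sub-code: data} for the Option 82 in buf, or None if absent."""
    for code, data in parse_options(buf):
        if code == OPT_RELAY_AGENT:
            subs, i = {}, 0
            while i + 1 < len(data):
                sc, sl = data[i], data[i + 1]
                subs[sc] = data[i + 2:i + 2 + sl]
                i += 2 + sl
            return subs
    return None


# Constructed values: what the device would write for a client on VLAN 10, port GE0/1/0.
CIRCUIT = b"vlan10/GE0/1/0"
REMOTE = bytes.fromhex("00e0fc000001")   # constructed relay MAC used as remote-id

# Constructed DISCOVER options: message type (53) and client identifier (61).
DISCOVER = build_options([(53, b"\x01"), (61, b"\x01" + bytes.fromhex("001122334455"))])
# Same DISCOVER but the client pre-filled an Option 82 claiming a different port.
FORGED = build_options([(53, b"\x01"), (82, build_option82(b"vlan10/GE0/1/9", REMOTE))])


def demo():
    clean = parse_option82(option82_insert(DISCOVER, CIRCUIT, REMOTE))
    kept = parse_option82(option82_insert(FORGED, CIRCUIT, REMOTE))    # forged value survives
    fixed = parse_option82(option82_rebuild(FORGED, CIRCUIT, REMOTE))  # forged value replaced
    return clean, kept, fixed
```

Running demo() shows that insert accepts the client-supplied "vlan10/GE0/1/9" while rebuild replaces it with the value derived from the actual ingress port. Where the binding table's interface information or the DHCP server's address policy depends on Option 82, rebuild on untrusted ports is the setting that keeps that information under the device's control.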

(Optional) Configuring the Alarm Function for Discarded Man-in-the-Middle Attack and IP/MAC Address Spoofing Packets

By configuring the function described in this section, you can have an alarm generated when the number of discarded man-in-the-middle attack and IP/MAC address spoofing packets reaches a specified threshold.

Context

After packet check is enabled, if a received Address Resolution Protocol (ARP) or IP packet of a man-in-the-middle attack or IP/MAC address spoofing does not match any entry in the Dynamic Host Configuration Protocol (DHCP) snooping binding table, the device discards the ARP or IP packet. With the function described in this section configured, when the number of discarded packets reaches a specified threshold, an alarm is generated.

Configure the alarm function for discarded man-in-the-middle attack and IP/MAC address spoofing packets in a VLAN, BD, or interface view.

Procedure

  • Configure the alarm function for discarded man-in-the-middle attack and IP/MAC address spoofing packets in a VLAN view.
    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run dhcp snooping alarm { arp | ip } enable [ interface interface-type interface-number ]

      The alarm function for discarded man-in-the-middle attack and IP/MAC address spoofing packets is enabled for the VLAN.

    4. Run dhcp snooping alarm { arp | ip } threshold threshold [ interface interface-type interface-number ]

      The alarm threshold for the number of discarded packets is configured for the VLAN.

    5. Run commit

      The configuration is committed.

  • Configure the alarm function for discarded man-in-the-middle attack and IP/MAC address spoofing packets in a BD view.
    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run dhcp snooping alarm { arp | ip } enable

      The alarm function is enabled for discarded man-in-the-middle attack and IP/MAC address spoofing packets in the BD view.

    4. Run commit

      The configuration is committed.

  • Configure the alarm function for discarded man-in-the-middle attack and IP/MAC address spoofing packets in an interface view.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run dhcp snooping alarm { arp | ip } enable

      The alarm function for discarded man-in-the-middle attack and IP/MAC address spoofing packets is enabled for the interface.

    4. Run dhcp snooping alarm { arp | ip } threshold threshold-value

      The alarm threshold for the number of discarded packets is configured for the interface.

    5. Run commit

      The configuration is committed.
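The steps above, taken together for a single VLAN, amount to the following command sequence. This is an added worked example, not a configuration taken from the page or from a real device: the VLAN ID, addresses, MAC address, thresholds, backup file name and prompts are assumptions, and the static entry is given both an IP address and a MAC address so that the check covers MAC spoofing of that host, not only use of its address. Option 82 is enabled (in rebuild mode, so a client cannot pre-fill the field) before the checks, so that the binding entries created afterwards carry interface information.

```text
#  added example; VLAN, addresses, MAC, thresholds and file name are assumed
<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] dhcp snooping bind-table autosave cfcard:/dhcp-snooping-bind.txt
[*HUAWEI] vlan 10
[*HUAWEI-vlan10] dhcp snooping enable
[*HUAWEI-vlan10] dhcp option82 rebuild enable
[*HUAWEI-vlan10] dhcp snooping bind-table static ip-address 10.10.10.2 mac-address 00e0-fc12-3456
[*HUAWEI-vlan10] dhcp snooping check arp enable
[*HUAWEI-vlan10] dhcp snooping check ip enable
[*HUAWEI-vlan10] dhcp snooping alarm arp enable
[*HUAWEI-vlan10] dhcp snooping alarm arp threshold 100
[*HUAWEI-vlan10] dhcp snooping alarm ip enable
[*HUAWEI-vlan10] dhcp snooping alarm ip threshold 100
[*HUAWEI-vlan10] commit
[~HUAWEI-vlan10] quit
[~HUAWEI] display dhcp snooping vlan 10
[~HUAWEI] display dhcp snooping bind-table vlan 10
```

Before enabling the arp and ip checks on a VLAN that already carries static users, confirm with display dhcp snooping bind-table static that every static IP address has an entry; otherwise those users lose connectivity the moment the check is committed, as the binding-table section notes. The alarm thresholds are a count of discarded packets, so pick values above the background of benign mismatches (for example hosts that renewed before a table rebuild) but low enough that a sustained spoofing attempt is reported.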

Verifying the Configuration of Defense Against Man-in-the-Middle Attacks and IP/MAC Address Spoofing

This section describes how to check the configuration of defense against man-in-the-middle attacks and IP/MAC address spoofing.

Prerequisites

The configuration of defense against man-in-the-middle attacks and IP/MAC address spoofing is complete.

Procedure

  • Run the display dhcp snooping global command to check the global DHCP snooping information.
  • Run the display dhcp snooping bind-table { all | dynamic | interface interface-type interface-number | ip-address ip-address | mac-address mac-address | static | vlan vlan-id [interface interface-type interface-number ] | vsi vsi-name | bridge-domain bd-id } command to check the information about the Dynamic Host Configuration Protocol (DHCP) snooping binding table.
  • Run the display dhcp snooping { interface interface-type interface-number | vlan vlan-id [ interface interface-type interface-number ] | bridge-domain bd-id } command to check the DHCP snooping configuration.
  • Run the display dhcp option82 configuration [ interface interface-type interface-number | vlan vlan-id | bridge-domain bd-id ] command to check the Option 82 configuration.

Example

Run the display dhcp snooping global command to check the global DHCP snooping information.
<HUAWEI> display dhcp snooping global
 dhcp snooping enable
Run the display dhcp snooping bind-table all command to check the information about the DHCP snooping binding table.
<HUAWEI> display dhcp snooping bind-table all
bind-table:
ifname   vrf/vsi/bdid   p/cvlan     mac-address   ip-address        tp  lease
-------------------------------------------------------------------------------
--       --             0010/0000   -             010.010.010.001   S   0
--       --             0010/0000   -             010.010.010.002   S   0
-------------------------------------------------------------------------------
binditem count:      2                   binditem total count: 2
Run the display dhcp snooping command to check the configuration of defense against man-in-the-middle attacks and IP/MAC address spoofing.
<HUAWEI> display dhcp snooping vlan 10
dhcp snooping enable
 dhcp snooping check arp enable
 dhcp snooping alarm arp enable
 dhcp snooping alarm arp threshold 100
 dhcp snooping check ip enable
 dhcp snooping alarm ip enable
 dhcp snooping alarm ip threshold 205
 dhcp check chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 200
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 300
 dhcp snooping max-user-number 100
 arp total                  0
 ip total                   0
 dhcp-request total         0
 chaddr&src mac total       0
 dhcp-reply total           0    

Run the display dhcp option82 configuration interface Gigabitethernet 0/1/0 command to check the Option 82 configuration of the GE0/1/0 interface.

<HUAWEI> display dhcp option82 configuration interface Gigabitethernet 0/1/0
#
interface Gigabitethernet0/1/0

 dhcp option82 insert enable
#
Updated: 2019-01-02

Document ID: EDOC1100055397