Security Know-how for Industrial Ethernet Switches

DHCP control technology

A DHCP server can automatically assign the IP address, subnet mask, default gateway, DNS and WINS parameters to each client. This handles clients that move between networks (laptops, wireless devices), lets more clients share a segment than there are addresses to assign permanently, simplifies configuration on the client side and makes management more efficient. Managing addresses through DHCP also brings new risks, however: a rogue (impersonated) DHCP server, denial-of-service attacks against the DHCP server, and users who configure their own static IP addresses and so cause address conflicts on the network.

1. DHCP Relay on layer 3 switches

The early DHCP protocol only worked when the DHCP client and server were on the same subnet; it could not cross network segments. To obtain dynamic host configuration, a DHCP server therefore had to be set up on every subnet, which is clearly uneconomical. DHCP Relay was introduced to solve this problem: through the relay, a DHCP client on one LAN segment can communicate with a DHCP server on another subnet and obtain a valid IP address. In this way many DHCP clients across the network can share one DHCP server, which saves cost and allows centralised management. Configuring DHCP Relay involves the following steps:

(1) Configuring the DHCP server IP addresses

To improve reliability, two DHCP servers, a master and a backup, can be configured for one network segment; together they form a DHCP server group. The following command specifies the IP addresses of the master and (optionally) backup DHCP servers of a group.

In system view:

dhcp-server groupNo ip ipaddress1 [ipaddress2]

(2) Associating the VLAN interface with a server group

In VLAN interface view:

dhcp-server groupNo

(3) Enabling/disabling the DHCP security feature on the VLAN interface

Enabling the DHCP security feature on a VLAN interface starts address legality checking for users on that interface: traffic is only accepted from IP/MAC pairs that the DHCP server assigned or that were entered statically. This stops users from disrupting the network with self-configured IP addresses and, together with the DHCP server's records, makes it fast and accurate to locate a virus-infected host or other source of interference.

In VLAN interface view:

address-check enable

(4) Configuring user address table entries

So that users with a legitimately fixed IP address inside the VLAN can pass the DHCP security check on the relay, the IP address to MAC address mapping of each such user must be added as a static address table entry with this command. If another, unauthorised user then configures a static IP address that conflicts with a legitimate user's fixed address, the Ethernet switch performing the DHCP Relay function recognises the unauthorised user and refuses its request to bind that IP address to its MAC address.

In system view:

dhcp-security static ip_address mac_address
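The four steps above describe one mechanism: a VLAN interface that forwards client requests to a master/backup server group and then only admits traffic from addresses the server (or an administrator) bound to a MAC. The following Python model is an added example written for this page, not vendor firmware or the switch's own code. The message class is a simplified DHCP message rather than the wire format, the `unreachable` set standing in for a failed server is a hypothetical test hook, and the names `VlanRelay`, `relay_to_server`, `frame_allowed` are this example's own. What it does show, beyond the text, is the `giaddr` field the relay fills in so the server can pick the pool for the client's subnet, and why the static entry of step (4) must take precedence over anything learned from DHCPACK.

```python
from dataclasses import dataclass, field

# RFC 2131 DHCP message type values (option 53)
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5


@dataclass
class DhcpMsg:
    """Simplified DHCP message (constructed for this example, not wire format)."""
    msg_type: int
    chaddr: str                # client hardware (MAC) address
    yiaddr: str = "0.0.0.0"    # 'your' address: the lease the server hands out
    giaddr: str = "0.0.0.0"    # relay agent address; 0.0.0.0 when sent by the client


@dataclass
class VlanRelay:
    """One VLAN interface of a layer-3 switch acting as DHCP relay."""
    interface_ip: str                       # the relay address placed in giaddr
    server_group: list                      # [master, backup] as in `dhcp-server groupNo ip m b`
    address_check: bool = False             # `address-check enable` on the VLAN interface
    unreachable: set = field(default_factory=set)   # hypothetical hook: servers currently down
    static: dict = field(default_factory=dict)      # ip -> mac from `dhcp-security static`
    learned: dict = field(default_factory=dict)     # ip -> mac learned from DHCPACK

    def relay_to_server(self, msg: DhcpMsg):
        """Client -> server direction. The relay fills giaddr with its own VLAN
        interface address so the server can choose the pool for this subnet,
        then unicasts to the master, or to the backup if the master is down.
        Returns (server_ip, forwarded_msg); server_ip is None when both are down."""
        fwd = DhcpMsg(msg.msg_type, msg.chaddr, msg.yiaddr, giaddr=self.interface_ip)
        for server in self.server_group:
            if server not in self.unreachable:
                return server, fwd
        return None, fwd

    def relay_to_client(self, msg: DhcpMsg):
        """Server -> client direction. A DHCPACK proves the server assigned
        yiaddr to chaddr, so that pair is recorded for the address check."""
        if msg.msg_type == ACK and msg.yiaddr != "0.0.0.0":
            self.learned[msg.yiaddr] = msg.chaddr
        return msg

    def add_static(self, ip: str, mac: str) -> bool:
        """`dhcp-security static ip mac`: register a legitimately fixed address.
        Refused if that IP is already statically bound to a different MAC."""
        if ip in self.static and self.static[ip] != mac:
            return False
        self.static[ip] = mac
        return True

    def frame_allowed(self, src_ip: str, src_mac: str) -> bool:
        """Address legality check applied to user traffic on this VLAN interface.
        Static entries win over learned ones, so a host that hand-configures a
        legitimate user's fixed IP is rejected; an IP nobody was assigned is
        rejected too."""
        if not self.address_check:
            return True
        expected = self.static.get(src_ip, self.learned.get(src_ip))
        return expected == src_mac


def demo():
    """Constructed scenario: one printer with a fixed IP, one DHCP client,
    one squatter, then a master-server failure."""
    relay = VlanRelay("10.1.1.1", ["10.0.0.10", "10.0.0.11"], address_check=True)
    relay.add_static("10.1.1.50", "00:11:22:33:44:55")          # printer with fixed IP
    server, fwd = relay.relay_to_server(DhcpMsg(DISCOVER, "aa:bb:cc:dd:ee:01"))
    relay.relay_to_client(DhcpMsg(ACK, "aa:bb:cc:dd:ee:01", yiaddr="10.1.1.100"))
    results = {
        "chosen_server": server,
        "giaddr": fwd.giaddr,
        "dhcp_client_ok": relay.frame_allowed("10.1.1.100", "aa:bb:cc:dd:ee:01"),
        "printer_ok": relay.frame_allowed("10.1.1.50", "00:11:22:33:44:55"),
        "squatter_blocked": not relay.frame_allowed("10.1.1.50", "de:ad:be:ef:00:01"),
        "unknown_blocked": not relay.frame_allowed("10.1.1.200", "de:ad:be:ef:00:02"),
    }
    relay.unreachable.add("10.0.0.10")                           # master goes down
    results["failover_server"] = relay.relay_to_server(DhcpMsg(DISCOVER, "aa:bb:cc:dd:ee:02"))[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Note that `add_static` refuses a second MAC for an already bound IP, which is the conflict case the text describes, and that a host whose address is neither leased nor statically entered is dropped by `frame_allowed`: on a real switch that is exactly why step (4) has to be done for every fixed-address host before `address-check enable` is turned on.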

2. Other address management techniques

On a layer 2 switch, DHCP Snooping ensures that users obtain IP addresses only from legitimate DHCP servers. This security mechanism lets each port be configured as trusted or untrusted. Trusted ports are those that connect to the DHCP server or to other switches; untrusted ports are those that connect to users or to the wider network. DHCP server responses (DHCPOFFER, DHCPACK) arriving on an untrusted port are discarded, so a rogue server on an access port cannot answer clients, while DHCP messages on trusted ports are forwarded normally. This ensures that users obtain the correct IP address.

(1) Enabling/disabling the DHCP Snooping function

By default, DHCP Snooping is disabled on the Ethernet switch.

In system view, enable DHCP Snooping with:

dhcp-snooping

(2) Configuring a port as a trusted port

By default, all switch ports are untrusted.

In Ethernet port view:

dhcp-snooping trust

(3) Configuring the VLAN interface to obtain its IP address through DHCP

In VLAN interface view:

ip address dhcp-alloc

(4) Access management: configuring port/IP address/MAC address binding

The switch's binding command can tie a port, IP address and MAC address together; Port+IP+MAC, Port+IP, Port+MAC and IP+MAC bindings are supported. This prevents attacks such as moving a machine to another port, abusing another host's MAC address or stealing an IP address, but entering and maintaining the bindings takes a great deal of manual effort.
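The snooping rules in section 2 and the manual bindings of step (4) are two sources of the same thing: a table saying which (port, IP, MAC) combinations are legitimate. The Python below is an added example for this page, not the switch's firmware; its message class is a simplified DHCP message, the port names `e0/1` etc. are constructed, and `SnoopingSwitch`, `receive`, `bind`, `frame_allowed` are names chosen here. It shows the part the text leaves implicit: the switch must remember on which untrusted port each client's DISCOVER/REQUEST arrived, because the DHCPACK that creates the binding comes in on the trusted uplink, and it shows how a manual binding is enforced as a conflict rule (a bound IP, MAC or port used in any other combination is refused).

```python
from dataclasses import dataclass, field

# RFC 2131 message types, split by who sends them
DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE = 1, 2, 3, 5, 6, 7
SERVER_MSGS = {OFFER, ACK, NAK}


@dataclass
class DhcpMsg:
    """Simplified DHCP message (constructed for this example, not wire format)."""
    msg_type: int
    chaddr: str               # client MAC
    yiaddr: str = "0.0.0.0"   # address assigned in OFFER/ACK


@dataclass
class SnoopingSwitch:
    """Layer-2 switch with DHCP Snooping and port/IP/MAC access management."""
    enabled: bool = False                          # `dhcp-snooping` in system view
    trusted: set = field(default_factory=set)      # ports given `dhcp-snooping trust`
    pending: dict = field(default_factory=dict)    # mac -> access port of its last request
    bindings: dict = field(default_factory=dict)   # mac -> (ip, port), built from snooped ACKs
    manual: list = field(default_factory=list)     # step (4) entries: dicts of bound fields

    def receive(self, port: str, msg: DhcpMsg) -> str:
        """Return 'forward' or 'drop' for a DHCP message arriving on `port`,
        maintaining the binding table on the way."""
        if not self.enabled:
            return "forward"
        if msg.msg_type in SERVER_MSGS:
            if port not in self.trusted:
                return "drop"            # server reply on an access port: rogue server
            if msg.msg_type == ACK and msg.chaddr in self.pending:
                self.bindings[msg.chaddr] = (msg.yiaddr, self.pending.pop(msg.chaddr))
            elif msg.msg_type == NAK:
                self.bindings.pop(msg.chaddr, None)
            return "forward"
        if msg.msg_type in (DISCOVER, REQUEST):
            self.pending[msg.chaddr] = port  # remember where the client sits
        elif msg.msg_type == RELEASE:
            self.bindings.pop(msg.chaddr, None)
        return "forward"

    def bind(self, **fields) -> None:
        """Manual binding. Pass any of port=, ip=, mac=: port+ip+mac, port+ip,
        port+mac or ip+mac, matching the modes listed in the text."""
        self.manual.append(fields)

    def frame_allowed(self, port: str, src_ip: str, src_mac: str) -> bool:
        """A user frame is refused if it uses a manually bound port, IP or MAC
        in any combination other than the bound one. Frames fully matching a
        manual entry pass; all others must match a snooped lease exactly."""
        frame = {"port": port, "ip": src_ip, "mac": src_mac}
        matched = False
        for entry in self.manual:
            hits = [frame[k] == v for k, v in entry.items()]
            if any(hits) and not all(hits):
                return False
            matched = matched or all(hits)
        return matched or self.bindings.get(src_mac) == (src_ip, port)


def demo():
    """Constructed scenario: uplink on e0/24, a fixed-IP host bound to e0/1,
    a DHCP client on e0/2, a rogue server and an IP thief on other ports."""
    sw = SnoopingSwitch(enabled=True)
    sw.trusted.add("e0/24")
    sw.bind(port="e0/1", ip="10.1.1.50", mac="00:11:22:33:44:55")   # port+ip+mac
    client = "aa:bb:cc:dd:ee:02"
    results = {"rogue_offer": sw.receive("e0/7", DhcpMsg(OFFER, client, "10.1.1.200"))}
    sw.receive("e0/2", DhcpMsg(DISCOVER, client))
    results["real_offer"] = sw.receive("e0/24", DhcpMsg(OFFER, client, "10.1.1.100"))
    sw.receive("e0/2", DhcpMsg(REQUEST, client))
    sw.receive("e0/24", DhcpMsg(ACK, client, "10.1.1.100"))
    results["binding"] = sw.bindings[client]
    results["client_ok"] = sw.frame_allowed("e0/2", "10.1.1.100", client)
    results["moved_port"] = sw.frame_allowed("e0/9", "10.1.1.100", client)
    results["ip_theft"] = sw.frame_allowed("e0/9", "10.1.1.100", "de:ad:be:ef:00:01")
    results["fixed_host_ok"] = sw.frame_allowed("e0/1", "10.1.1.50", "00:11:22:33:44:55")
    results["fixed_ip_spoofed"] = sw.frame_allowed("e0/5", "10.1.1.50", "de:ad:be:ef:00:02")
    return results


if __name__ == "__main__":
    print(demo())
```

The `manual` list is why the text calls step (4) laborious: every fixed-address host needs an entry, and moving a host to another port means editing it, whereas the snooped `bindings` table maintains itself from the DHCP exchange and only needs the uplink marked trusted.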