2025-04-09 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
In a production LAN where the security requirements are modest and you do not want to deploy many security features, two technologies still go a long way toward keeping the network secure and stable: BPDU protection and DHCP snooping. What exactly do they do?
I. BPDU protection
To explain BPDU protection, we first need to talk about STP. STP is a layer 2 loop-prevention technology. If the switches in the production environment support STP, enabling it is strongly recommended, whether as STP, RSTP or MSTP; Huawei devices run MSTP by default.
Once STP is enabled, every switch interface takes part in the STP topology. Each time a port transitions to the forwarding state, STP reconverges, which causes network instability. So how can STP stay enabled on the switch while the ports that frequently go UP/DOWN (the ones connected to hosts) are kept out of the STP calculation? The answer is the edge port (Cisco calls it PortFast), which the administrator defines manually. Edge ports do not take part in the STP calculation and enter the forwarding state directly. A further benefit is that users do not have to wait 30 seconds before they can reach the network. I ran into exactly this at a company I worked for: the network administrator had not enabled the edged-port function, so users needed 30 s to get onto the network, and they were not happy about it.
For example: the company's core is a 77-series switch connected to a 5700LI access switch, and a network cable runs from the 5700LI to the conference room to provide Internet access there. One day the company turns the conference room into an office for five people, and the manager decides to put a small unmanaged switch in the room for these users. If STP is not configured on the upstream 5700 access layer, then on the day a user goes offline, re-cables the 8-port switch and accidentally connects a cable between ports 5 and 6 of that same 8-port switch, a loop is formed.
If STP is not enabled on the switches across the network, this leads to three problems: broadcast storms, duplicate frames, and MAC address table instability. In practice the result is a slow network, packet loss and network outage. So STP should be deployed in the network. What about BPDU protection, then? When BPDU protection is enabled on an interface and that interface receives a BPDU frame, the switch puts the interface into the err-disabled state, which is equivalent to shutdown, so the loop is prevented.
Next, which ports should be configured as edge ports, and which should have BPDU protection enabled? An edge port is a port the administrator has manually designated as connecting to a host. Under normal circumstances these ports will not be connected to a switch, will not receive BPDUs, and will not create a loop. BPDU protection should be enabled on the edge ports; on Huawei devices it only needs to be enabled globally, after which it applies to all edge ports.
Configuration:
1. Enable STP and BPDU protection globally
stp mode rstp
stp bpdu-protection
2. Enable the edge port on the interface
interface GigabitEthernet0/0/1
stp edged-port enable
II. DHCP-Snooping
The basic DHCP snooping feature introduced here prevents a rogue DHCP server from appearing on the network and handing users wrong IP addresses, which leaves them unable to use the network. Even where no deliberate attack is involved, where does a fake DHCP server come from? The usual culprit is a small home router: for example, a user wants to turn the company's wired network into wireless, brings in a home wireless router, and accidentally plugs the existing network into its LAN interface. Users on the network may then obtain the wrong IP address. Let us look at how to solve this in two steps.
(1) Find the wireless router
1. Step 1: a user tells you he cannot get online. On site you ping the correct gateway and find it unreachable. You check the user's IP address and find he has obtained a wrong one; you now need to find the wireless router that is serving DHCP.
2. Step 2: on the computer that obtained the wrong IP address, look at the ARP table (arp -a) to find the MAC address of its gateway. This MAC address is generally that of the wireless router.
3. Step 3: log in to the switch and look up that MAC address. Once you find it learned on a non-uplink interface of an access switch, that interface must be the one connected to the wireless router; shut it down and users will stop getting wrong IP addresses. The trick is that the wireless router must be in the same VLAN. If you know which switches carry this VLAN, check them one by one. If you do not, start at the core: see which core port learned the MAC, then move to the switch connected to that port, and repeat one layer down until you reach the port the wireless router is on. The command is display mac-address | include XXXX.XXXX.XXXX; on a Cisco switch it is show mac-address.
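The three steps above amount to a mechanical walk: take the gateway MAC from the PC's ARP table, look it up in the core's MAC table, follow the learned-from port to the next switch down, and stop at the first port that is not an inter-switch link. The following is an added example (not code from the article) that performs that walk over constructed MAC tables; the switch names, port numbers, MAC address and downlink map are all assumptions, and the table text only approximates the Huawei display mac-address format.

```python
"""Added example, not from the original article: follow a MAC address from
the core switch down to the access port it was learned on. The switch
names, ports, MAC tables and inter-switch links below are all constructed."""
import re
from typing import Dict, Optional, Tuple

# Constructed output approximating Huawei 'display mac-address | include <mac>'.
# Columns: MAC address, VLAN/VSI/SI, learned-from interface, entry type.
MAC_TABLES: Dict[str, str] = {
    "core":     "a1b2-c3d4-e5f6  58/-/-  GE1/0/1   dynamic\n",
    "access-A": "a1b2-c3d4-e5f6  58/-/-  GE0/0/52  dynamic\n",  # seen via its own uplink
    "access-B": "a1b2-c3d4-e5f6  58/-/-  GE0/0/7   dynamic\n",  # a host-facing port
}

# Constructed topology: which (switch, port) pairs lead to a downstream switch.
DOWNLINKS: Dict[Tuple[str, str], str] = {
    ("core", "GE1/0/1"): "access-B",
    ("core", "GE1/0/2"): "access-A",
}

MAC_LINE = re.compile(
    r"^\s*([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+\S+\s+(\S+)\s+\S+", re.I)


def to_huawei_mac(mac: str) -> str:
    """Convert a MAC as shown by 'arp -a' (aa-bb-cc-dd-ee-ff or aa:bb:cc:dd:ee:ff)
    into the xxxx-xxxx-xxxx form that Huawei switches display."""
    hexdigits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def learned_port(table: str, mac: str) -> Optional[str]:
    """Return the interface on which this switch learned the MAC, or None."""
    mac = to_huawei_mac(mac)
    for line in table.splitlines():
        m = MAC_LINE.match(line)
        if m and m.group(1).lower() == mac:
            return m.group(2)
    return None


def locate_mac(mac: str, start: str = "core",
               max_hops: int = 16) -> Optional[Tuple[str, str]]:
    """Walk from the core towards the access layer: at each switch look up the
    port the MAC was learned on; if that port is a downlink to another switch,
    continue there, otherwise that port is where the device hangs."""
    switch = start
    for _ in range(max_hops):       # bound the walk in case the topology map is wrong
        port = learned_port(MAC_TABLES.get(switch, ""), mac)
        if port is None:
            return None             # MAC not known here: wrong VLAN, or entry aged out
        nxt = DOWNLINKS.get((switch, port))
        if nxt is None:
            return switch, port     # not an inter-switch link: the rogue router is here
        switch = nxt
    return None


if __name__ == "__main__":
    # MAC as copied from 'arp -a' on the affected PC
    print(locate_mac("A1-B2-C3-D4-E5-F6"))   # ('access-B', 'GE0/0/7')
```

Note that access-A also knows the MAC, but only on its own uplink GE0/0/52; that is why the article says to look for the MAC on a non-uplink port, and why the walk starts at the core rather than at whichever access switch you happen to be logged into.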
(2) Use DHCP snooping so that a rogue router cannot hand out IP addresses to users
DHCP snooping works like this: once it is enabled on the switch, all interfaces are untrusted by default, and DHCP Offer and DHCP ACK messages arriving on an untrusted interface are discarded, so a DHCP server connected to an untrusted interface cannot hand out IP addresses to users. A switch with DHCP snooping enabled also builds a binding table of IP address, MAC address, VLAN, port and lease time. DHCP snooping is normally enabled on the access layer switches.
display dhcp snooping user-bind all
DHCP Dynamic Bind-table:
Flags:O-outer vlan, I-inner vlan, P-Vlan-mapping
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface  Lease
192.168.58.62    3c97-0e44-fff5  58 /-/-          GE0/0/13   2018.09.16-08:05
192.168.58.47    507b-9d53-3e88  58 /-/-          GE0/0/24   2018.09.16-08:12
192.168.58.67    3c97-0e72-0b3b  58 /-/-          GE0/0/46   2018.09.16-08:20
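The binding table is useful for more than just letting the switch filter DHCP replies: it tells you which client sits behind which port, and when its lease runs out. As an added example (my own code, not the article's), here is a parser for the output above together with two checks a practitioner would want: bindings whose lease has already expired, and ports carrying more clients than a single host should, which is the tell-tale sign of an unmanaged switch or home router hung off an access port. The rows come from the article; the fourth row is constructed.

```python
"""Added example, not from the original article: parse the output of
'display dhcp snooping user-bind all' into records and run two simple
checks over them. The parser and checks are my own; the sample rows come
from the article, plus one constructed row."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Rows as printed in the article (re-aligned; spacing on a real device may differ).
ARTICLE_OUTPUT = """\
DHCP Dynamic Bind-table:
Flags:O-outer vlan, I-inner vlan, P-Vlan-mapping
IP Address       MAC Address     VSI/VLAN(O/I/P)  Interface  Lease
192.168.58.62    3c97-0e44-fff5  58 /-/-          GE0/0/13   2018.09.16-08:05
192.168.58.47    507b-9d53-3e88  58 /-/-          GE0/0/24   2018.09.16-08:12
192.168.58.67    3c97-0e72-0b3b  58 /-/-          GE0/0/46   2018.09.16-08:20
"""
# Constructed extra row: a second client bound on GE0/0/13.
CONSTRUCTED_ROW = "192.168.58.70    0011-2233-4455  58 /-/-          GE0/0/13   2018.09.16-09:00\n"
SAMPLE_OUTPUT = ARTICLE_OUTPUT + CONSTRUCTED_ROW


@dataclass
class BindEntry:
    ip: str
    mac: str
    vlan: int
    interface: str
    lease_end: datetime


# One binding row: IP, Huawei-style MAC, outer VLAN (then inner/mapping flags),
# interface, lease expiry. Tolerates "58 /-/-" as well as "58/-/-".
LINE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(\d+)\s*/\S+/\S+\s+"
    r"(\S+)\s+"
    r"(\d{4}\.\d{2}\.\d{2}-\d{2}:\d{2})\s*$",
    re.I,
)


def parse_bind_table(text: str) -> List[BindEntry]:
    """Turn the command output into BindEntry records, skipping the title,
    the flags legend and the column header."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ip, mac, vlan, iface, lease = m.groups()
        entries.append(BindEntry(ip, mac.lower(), int(vlan), iface,
                                 datetime.strptime(lease, "%Y.%m.%d-%H:%M")))
    return entries


def expired_entries(entries: List[BindEntry], now: datetime) -> List[BindEntry]:
    """Bindings whose lease end is at or before `now`; such entries should
    have been aged out and are worth a second look if they persist."""
    return [e for e in entries if e.lease_end <= now]


def crowded_interfaces(entries: List[BindEntry], limit: int = 1) -> Dict[str, int]:
    """Interfaces with more than `limit` bindings. A host-facing port normally
    carries one client; several suggests an unmanaged switch or router
    hanging off it, the very scenario the article describes."""
    counts = Counter(e.interface for e in entries)
    return {iface: n for iface, n in counts.items() if n > limit}


if __name__ == "__main__":
    table = parse_bind_table(SAMPLE_OUTPUT)
    for e in table:
        print(e.ip, e.mac, e.vlan, e.interface, e.lease_end)
    print("expired:", [e.ip for e in expired_entries(table, datetime(2018, 9, 16, 8, 10))])
    print("crowded:", crowded_interfaces(table))
```

The crowding check is deliberately conservative: it only flags a port once it has more bindings than one host would explain, so a PC that renews its lease does not trip it. Combined with the binding table being refreshed on every DHCP exchange, it gives a cheap way to spot the "conference room switch" from the BPDU section before it ever causes a loop.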
So how is DHCP snooping configured?
The steps are:
1. Enable DHCP globally
2. Enable DHCP snooping globally
3. Enable DHCP snooping on the interface or on the VLAN; enabling it on a VLAN is equivalent to enabling it on every interface of the switch that belongs to that VLAN.
4. Set the uplink interface as a trusted interface
Configuration:
dhcp enable
#
dhcp snooping enable ipv4
#
vlan 58
dhcp snooping enable
#
interface GigabitEthernet0/0/52
dhcp snooping trusted
#
With these two pieces of configuration in place, the network is protected against some common failures: the problems caused by loops and by rogue DHCP servers.