bootpc, bootps (an access-layer switch permits UDP 67 only from the legitimate DHCP server on its inbound interface, and drops all UDP 67 packets on every other interface)


Attachment: dhcp工作过程的4种报文与GARP.pcapng (capture of the four DHCP messages exchanged during the DHCP process, plus GARP)

[image]

[sw1-acl4-advance-3001]rule 5 permit udp source-port eq ?
  INTEGER<0-65535>  Port number
  biff              Mail notify (512)
  bootpc            Bootstrap Protocol Client (68)
  bootps            Bootstrap Protocol Server (67)

  discard           Discard (9)
  dns               Domain Name Service (53)
  dnsix             DNSIX Security Attribute Token Map (90)
  echo              Echo (7)
  mobilip-ag        MobileIP-Agent (434)
  mobilip-mn        MobilIP-MN (435)
  nameserver        Host Name Server (42)
  netbios-dgm       NETBIOS Datagram Service (138)
  netbios-ns        NETBIOS Name Service (137)
  netbios-ssn       NETBIOS Session Service (139)
  ntp               Network Time Protocol (123)
  rip               Routing Information Protocol (520)
  snmp              SNMP (161)
  snmptrap          SNMPTRAP (162)
  sunrpc            Sun Remote Procedure Call (111)
  syslog            Syslog (514)
  tacacs-ds         TACACS-Database Service (65)
  talk              Talk (517)
  tftp              Trivial File Transfer (69)
  time              Time (37)
  who               Who(513)
  xdmcp             X Display Manager Control Protocol (177)


[sw2-acl4-advance-3001]rule 5 permit tcp source-port eq ?
  INTEGER<0-65535>  Port number
  bgp               Border Gateway Protocol (179)
  chargen           Character generator (19)
  cmd               Remote commands (rcmd, 514)
  daytime           Daytime (13)
  discard           Discard (9)
  domain            Domain Name Service (53)
  echo              Echo (7)
  exec              Exec (rsh, 512)
  finger            Finger (79)
  ftp               File Transfer Protocol (21)
  ftp-data          FTP data connections (20)
  gopher            Gopher (70)
  hostname          NIC hostname server (101)
  irc               Internet Relay Chat (194)
  klogin            Kerberos login (543)
  kshell            Kerberos shell (544)
  login             Login (rlogin, 513)
  lpd               Printer service (515)
  nntp              Network News Transport Protocol (119)
  pop2              Post Office Protocol v2 (109)
  pop3              Post Office Protocol v3 (110)
  smtp              Simple Mail Transport Protocol (25)
  sunrpc            Sun Remote Procedure Call (111)
  tacacs            TAC Access Control System (49)
  talk              Talk (517)
  telnet            Telnet (23)
  time              Time (37)
  uucp              Unix-to-Unix Copy Program (540)
  whois             Nicname (43)
  www               World Wide Web (HTTP, 80)

[sw2-acl4-advance-3001]rule 5 permit tcp source-port eq

(1) Topology diagram

[image]

sw1_2023.01.09.08时40分38秒.txt

sw2_2023.01.09.08时40分54秒.txt

(2) Basic configuration

sw1:
vlan batch 10 20

interface Vlanif10
 ip address 192.168.10.254 255.255.255.0
 dhcp select global
#
interface GigabitEthernet0/0/1
 port link-type trunk                     
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 20
 
dhcp enable

ip pool vlan10
 gateway-list 192.168.10.254              
 network 192.168.10.0 mask 255.255.255.0
 excluded-ip-address 192.168.10.1 192.168.10.100
 excluded-ip-address 192.168.10.200 192.168.10.253
 dns-list 223.5.5.5 223.6.6.6
 
 
sw2:
vlan batch 10 20

interface Vlanif10
 ip address 192.168.10.254 255.255.255.0
 dhcp select global
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/2
 port link-type access                    
 port default vlan 10
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 20
 
dhcp enable

ip pool vlan20
 gateway-list 192.168.20.254
 network 192.168.20.0 mask 255.255.255.0
 excluded-ip-address 192.168.20.1 192.168.20.100
 excluded-ip-address 192.168.20.200 192.168.20.253
 dns-list 8.8.8.8 114.114.114.114

(3) Test that the PCs obtain IP addresses automatically. Result: every PC obtains an IP address automatically.

[image]

(4.1) ACL test

sw1:
acl number 3001
 rule 5 deny udp source-port eq bootpc
 rule 100 permit ip

interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 traffic-filter inbound acl 3001

Result: PC2 and PC3 cannot obtain an IP address.

[image]

(4.2) ACL test

sw1:
acl number 3001
 rule 3 permit udp source 192.168.20.254 0
 rule 5 deny udp source-port eq bootpc
 rule 100 permit ip

interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 traffic-filter inbound acl 3001

Result: PC3 cannot obtain an IP address; PC2 can.

[image]

Packet capture on PC2:

[image]


(4.3) ACL test

sw1:
acl number 3001
 rule 2 permit udp source 192.168.10.254 0
 rule 3 permit udp source 192.168.20.254 0
 rule 5 deny udp source-port eq bootpc
 rule 100 permit ip

interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 traffic-filter inbound acl 3001

Result: PC3 cannot obtain an IP address; PC2 can. PC3's DHCP Discover packet is intercepted by the ACL as soon as it enters the interface.
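To make the outcomes of tests (4.1) to (4.3) and the policy stated in the title reproducible without a lab, here is an added example (my code, not from the original post or from Huawei) that models first-match ACL evaluation over constructed DHCP packets. It assumes the usual advanced-ACL semantics: rules are tried in ascending rule-number order, `source <addr> <wildcard>` uses an inverse mask where `0` means an exact host, `source-port eq` compares the UDP source port, and a packet matching no rule is forwarded (the page's `rule 100 permit ip` makes that default irrelevant). The rule set `ACL_3001_TEST_4_3` is copied from test (4.3); `ACL_ROGUE_SERVER_FILTER` is my rendering of the title's policy, with 192.168.20.254 assumed to be the legitimate server reached through this interface. The sample packets are constructed, not captured.

```python
"""Added example: first-match ACL evaluation over constructed DHCP packets."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

BOOTPS = 67  # DHCP server port
BOOTPC = 68  # DHCP client port


def _ip_int(text: str) -> int:
    # Accept dotted form ("0.0.0.255") or a bare "0" wildcard as written on the page.
    return int(IPv4Address(text)) if "." in text else int(text)


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp", "tcp", ...
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                              # "permit" or "deny"
    proto: str                               # "udp", "tcp" or "ip" (any protocol)
    src: Optional[Tuple[str, str]] = None    # (address, wildcard); assumption: inverse mask
    src_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src is not None:
            addr, wildcard = (_ip_int(x) for x in self.src)
            # Wildcard bits set to 1 are "don't care"; compare only the remaining bits.
            if (_ip_int(pkt.src_ip) | wildcard) != (addr | wildcard):
                return False
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, rule number) of the first matching rule, in rule-number order.
    Assumption: a packet matching no rule is forwarded."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action, rule.number
    return "permit", None


# Rule set copied from test (4.3) above.
ACL_3001_TEST_4_3 = [
    Rule(2, "permit", "udp", src=("192.168.10.254", "0")),
    Rule(3, "permit", "udp", src=("192.168.20.254", "0")),
    Rule(5, "deny", "udp", src_port=BOOTPC),
    Rule(100, "permit", "ip"),
]

# Policy from the title: only the legitimate server may send from UDP 67 through this
# interface; every other UDP 67 source is dropped. The server address is an assumption.
ACL_ROGUE_SERVER_FILTER = [
    Rule(5, "permit", "udp", src=("192.168.20.254", "0"), src_port=BOOTPS),
    Rule(10, "deny", "udp", src_port=BOOTPS),
    Rule(100, "permit", "ip"),
]

# Constructed sample traffic as it would arrive inbound on the trunk.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "discover":    Packet("udp", "0.0.0.0", BOOTPC, "255.255.255.255", BOOTPS),
    "offer":       Packet("udp", "192.168.20.254", BOOTPS, "255.255.255.255", BOOTPC),
    "rogue_offer": Packet("udp", "192.168.10.77", BOOTPS, "255.255.255.255", BOOTPC),
    "dns_query":   Packet("udp", "192.168.10.5", 40000, "223.5.5.5", 53),
}


def classify(rules: List[Rule]) -> Dict[str, Tuple[str, Optional[int]]]:
    """Run every sample packet through the rule set and record the deciding rule."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for title, rules in (("test 4.3", ACL_3001_TEST_4_3),
                         ("rogue-server filter", ACL_ROGUE_SERVER_FILTER)):
        print(title)
        for name, (action, num) in classify(rules).items():
            print(f"  {name:12s} -> {action} (rule {num})")
```

Running it shows the two sides of the page's result: under the test (4.3) rules a client Discover (source port 68) is dropped by rule 5 while the server's Offer from 192.168.20.254 passes on rule 3. It also shows that, because those rules only match the client port, an Offer from any other address on port 67 is still forwarded by rule 100; the title's policy (permit port 67 only from the known server, then deny port 67) is what closes that gap, and it leaves client packets untouched.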


Please keep the source when reposting: www.zh-cjh.com 珠海陈坚浩博客 (Zhuhai Chen Jianhao's blog) » bootpc, bootps (an access-layer switch permits UDP 67 only from the legitimate DHCP server on its inbound interface, and drops all UDP 67 packets on every other interface)

Author: cjh

