Manuals / TP-Link / Computer Equipment / Switch

TP-Link TL-SL5428E manual ¾ Dhcp Cheating Attack, Dhcp Cheating Attack Implementation Procedure

Models: TL-SL5428E

1 259

Download 259 pages 46.72 Kb

Page 170

Option 82 can contain 255 sub-options at most. If Option 82 is defined, at least a sub-option should be defined. This Switch supports two sub-options: Circuit ID and Remote ID. Since there is no universal standard about the content of Option 82, different manufacturers define the sub-options of Option 82 to their need. For this Switch, the sub-options are defined as the following: The Circuit ID is defined to be the number of the port which receives the DHCP Request packets and its VLAN number. The Remote ID is defined to be the MAC address of DHCP Snooping device which receives the DHCP Request packets from DHCP Clients.

¾DHCP Cheating Attack

During the working process of DHCP, generally there is no authentication mechanism between Server and Client. If there are several DHCP servers in the network, network confusion and security problem will happen. The common cases incurring the illegal DHCP servers are the following two:

（1） It’s common that the illegal DHCP server is manually configured by the user by mistake.

（2） Hacker exhausted the IP addresses of the normal DHCP server and then pretended to be a legal DHCP server to assign the IP addresses and the other parameters to Clients. For example, hacker used the pretended DHCP server to assign a modified DNS server address to users so as to induce the users to the evil financial website or electronic trading website and cheat the users of their accounts and passwords. The following figure illustrates the DHCP Cheating Attack implementation procedure.

Figure 11-7 DHCP Cheating Attack Implementation Procedure

DHCP Snooping feature only allows the port connected to the DHCP Server as the trusted port to forward DHCP packets and thereby ensures that users get proper IP addresses. DHCP Snooping is to monitor the process of the Host obtaining the IP address from DHCP server, and record the IP address, MAC address, VLAN and the connected Port number of the Host for automatic binding. The bound entry can cooperate with the ARP Inspection, IP Source Guard and the other security protection features. DHCP Snooping feature prevents the network from the DHCP Server

162

Image 170

TP-Link TL-SL5428E manual ¾ Dhcp Cheating Attack, Dhcp Cheating Attack Implementation Procedure

Contents

Rev 1910010529 Copyright & Trademarks Contents Gvrp TC Protect 101 11.4.1 11.4.2 NtdpVII Package Contents Conventions About this GuideIntended Readers Overview of This GuidePath Switch, which facilitates you to monitor the Igmp messages Return to Contents Introduction Overview of the SwitchMain Features ¾ LEDs Name Status Indication Appearance DescriptionFront Panel Rear Panel Configuration Login to the SwitchLogin Return to Contents System Summary SystemSystem Info ¾ Port StatusType ¾ Port InfoPort Rate¾ Device Description Device Description¾ Bandwidth Utilization ¾ Time Info ¾ Time ConfigSystem Time System IP User Manage User TableUser Config ¾ User InfoConfirm Password Retype the password Config RestorePassword User ID, Name, Access Level and status Operation¾ Config Backup Config BackupFirmware Upgrade System Reboot System ResetAccess Security Access ControlIP Address&Mask ¾ Access Control Config¾ Session Config MAC AddressSSL Config ¾ Access User Number¾ Certificate Download SSH Config¾ Global Config ¾ Key DownloadMax Connect Idle TimeoutProtocol Download ¾ Configuration ProcedureKey Type ¾ Network RequirementsApplication Example 2 for SSH Page Return to Contents Port SwitchingPort Config Port SelectSpeed and Duplex Port MirrorDescription Flow ControlIngress ¾ Mirroring Port¾ Mirrored Port EgressPort Security ¾ Port SecurityLearned Num Port IsolationMax Learned MAC ¾ Port Isolation List ¾ Port Isolation ConfigForward Portlist Select the port that to be forwarded to Forward Portlist Display the forwardlistLAG LAG TableGroup Number Aggregate Arithmetic¾ LAG Table Member¾ LAG Config Static LAGLacp Config LAG will delete this LAGSystem Priority ¾ Lacp ConfigAdmin Key Port Priority¾ Auto Refresh Traffic MonitorTraffic Summary Traffic Statistics MAC Address Bound Type Configuration Way Aging outRelationship Address and the port¾ Search Option ¾ Address TableDisplays the corresponding Vlan ID of the MAC address MAC Address Displays the MAC address learned by the switchStatic Address ¾ Create Static AddressDynamic Address ¾ Static Address Table¾ Aging Config ¾ Dynamic Address TableFiltering Address Bind¾ Create Filtering Address ¾ Filtering Address TableVlan Vlan implementation802.1Q Vlan ¾ Link Types of portsVlan Config ¾ PvidDescription ： ¾ Vlan TableVlan ID Select Members Operation ：Is valid or not ¾ Vlan ConfigEnter the ID number of Vlan ¾ Vlan Members¾ Vlan Port Config Port Displays the port number¾ Vlan of Port Required. On the VLAN→802.1Q VLAN→Port Config page, setRequired. On the VLAN→802.1Q VLAN→VLAN Config Vlan DescriptionOptional. On the VLAN→802.1Q VLAN→VLAN Config MAC VlanMAC Select Port Enable¾ MAC Vlan Table Required. On the VLAN→MAC VLAN→Port Enable Protocol Vlan¾ Create Protocol Vlan Protocol VlanProtocol Template ¾ Protocol Vlan Table¾ Create Protocol Template ¾ Protocol Template TableApplication Example for 802.1Q Vlan Application Example for MAC Vlan Required. On VLAN→802.1Q VLAN→Port Config page, configureRequired. On VLAN→802.1Q VLAN→VLAN Config page, create a Operation Description¾ Network Diagram ¾ Configuration Procedure Application Example for Protocol Vlan Required. On VLAN→Protocol VLAN→Protocol Template On VLAN→Protocol VLAN→Protocol Vlan page, create protocol Protocol type Value¾ VPN Up-link Ports VPN ConfigVlan Mapping ¾ Vlan Mapping Config ¾ Vlan Mapping TableRequired. On the VLAN→VLAN VPN→Port Enable Required. On the VLAN→VLAN VPN→VPN ConfigOptional. On the VLAN→VLAN VPN→VPN Config Required. On the VLAN→VLAN VPN→VLAN MappingGvrp ¾ Garp¾ Gvrp ¾ Port Config Select Port Status Registration ModeConfiguration Procedure Private Vlan¾ Private Vlan Implementation ¾ Features of Private Vlan¾ The Elements of a Private Vlan Pvid ¾ Packet forwarding in Private Vlan Pvlan Primary Vlan ¾ Create Private Vlan¾ Private Vlan Table Secondary Vlan¾ Private Vlan Port Table Port Select the desired port for configuration Port TypeRequired. On the VLAN→Private VLAN→Port Configure Required. On the VLAN→Private VLAN→PVLANApplication Example for Private Vlan Required. On the VLAN→802.1Q VLAN→VLAN Config page, click Spanning Tree ¾ STP Elements¾ STP Timers ¾ Bpdu Comparing Principle in STP mode¾ STP Generation Step Operation¾ Mstp Elements Tips：¾ Rstp Elements ¾ Port States ¾ Port RolesSTP Config STP ConfigHello Time Forward DelayVersion Max AgeSTP Summary Port Config STP SummaryIntPath PriorityExtPath Edge PortPort Role Region ConfigMstp Instance Port StatusInstance Config ¾ Region ConfigInstance Instance Port Config¾ Instance Table ClearInstance ID Path CostSTP Security Port Protect¾ Bpdu Filter ¾ TC Protect¾ Bpdu Protect TC Protect Loop ProtectRoot Protect Bpdu ProtectTC Protect 11 TC ProtectApplication Example for STP Function On Spanning Tree→STP Config→STP ConfigOn Spanning Tree→STP Config→Port Config On Spanning Tree→MSTP Instance→InstanceBridge of Instance Configure Switch D ¾ Suggestion for Configuration ¾ Multicast Address Multicast¾ Multicast Overview ¾ Multicast Address Table Multicast IP Port¾ Igmp Snooping Process Igmp Snooping¾ Igmp Snooping ¾ Igmp MessagesSnooping Config ¾ Igmp Snooping Fundamentals¾ Igmp Snooping Status Description Displays Igmp Snooping status MemberIgmp Snooping Fast LeaveLeave Time Router Port TimeMember Port Time Static Router PortMulticast Vlan Snooping→Snooping Config and Port ConfigMulticast→IGMP Snooping→VLAN Config Router Port¾ Multicast Vlan Vlan On the Multicast→IGMP Snooping→Snooping ConfigApplication Example for Multicast Vlan Multicast→IGMP Snooping→Multicast VlanSnooping→Snooping Config ¾ Configuration Procedure Step Operation DescriptionSnooping→Port Config Multicast IPMulticast IP Table Static Multicast IP¾ Create Static Multicast ¾ Static Multicast IP TableMulticast Filter IP-Range¾ Port Filter Config Port FilterMulticast→Multicast Filter→Port Filter Packet StatisticsMulticast→Multicast Filter→IP-Range ¾ Igmp Statistics ¾ QoS ¾ Priority ModeQoS ¾ Schedule Mode 802.1Q frameSP-Mode Port Priority ¾ Port Priority ConfigDiffServ Displays the LAG number which the port belongs toSchedule Mode ¾ Schedule Mode Config¾ Priority Level ¾ 802.1P Priority Config3 802.1P Priority Dscp Priority Priority Level ¾ Dscp Priority ConfigIt ranges from 0 to Priority levels are labeled as TC0, TC1, TC2 and TC3Rate Limit ¾ Rate Limit ConfigBandwidth Control Egress Ratebps Storm ControlIngress Rate bps Bps ¾ Storm Control ConfigBroadcast Rate Multicast RateNumber OUI Address Vendor ¾ Port Voice Vlan ModeVoice Vlan ¾ Security Mode of Voice Vlan Packet Type Processing ModeGlobal Config 12 Global ConfigurationPort Mode 13 Port ConfigOUI Config Required. On QoS→Voice VLAN→Port Config Required. On VLAN→802.1Q VLAN→Port ConfigOptional. On QoS→Voice VLAN→OUI Config page, you Required. On QoS→Voice VLAN→Global ConfigTime-Range Summary ACLTime-Range IndexTime-Range Create ¾ Create Holiday ACL ConfigHoliday Config ¾ Holiday Table¾ Rule Table ACL SummaryACL Create ¾ Create ACLRule ID MAC ACL¾ Create MAC ACL EtherTypeFragment Standard-IP ACL¾ Create Standard-IP ACL MaskExtend-IP ACL ¾ Create Extend-IP ACLPolicy Config Policy SummarySelect Policy Policy CreateAction Create Desired policy, please click the Delete button11 Action Create ¾ Create ActionPort Binding Policy BindingBinding Table ¾ Policy Bind TableEnter the ID of the Vlan you want to bind Vlan BindingDirection Displays the binding direction Application Example for ACL ¾ VLAN-Bind TableOn ACL→ACL Config→ACL Create page, create ACL On ACL→ACL Config→Standard-IP ACL page, select ACL Network Security IP-MAC BindingManual Binding Protect Type Select the Protect Type for the entry ¾ Manual Binding OptionEnter the Vlan ID ¾ Manual Binding TableARP Scanning End IP Address Dhcp SnoopingStart IP Address ScanNetwork diagram for DHCP-snooping implementation ¾ Dhcp Working Principle¾ Option Dhcp Cheating Attack Implementation Procedure ¾ Dhcp Cheating Attack163 Decline Threshold Decline Flow Control ¾ Option 82 Config¾ Port Config Port Select Customization Circuit ID Remote ID¾ Cheating Gateway ARP Inspection¾ Imitating Gateway 10 ARP Attack Cheating Gateway ¾ Cheating Terminal Hosts¾ Man-In-The-Middle Attack ¾ ARP Flooding Attack ¾ Trusted Port ARP Detect¾ ARP Detect Network Security→ARP ARP DefendRequired. On the Network Security→IP-MAC Defend ARP Statistics¾ ARP Defend SpeedIP Source Guard ¾ Illegal ARP Packet¾ IP Source Guard Config DoS DefendDoS Attack Type Description DoS Defend DoS DetectDetect 11.5Detect Time Attack Type¾ The Mechanism of an 802.1X Authentication System ¾ 802.1X Authentication Procedure178 179 ¾ 802.1X Timer ¾ Guest VlanGuest Vlan Authentication Method802.1X Guest Vlan IDRetry Times Supplicant TimeoutServer Timeout Control Type Control ModeRadius Server AuthorizedRequired. On the Network Security→802.1X→Radius On the Network Security→802.1X→Global Config802.1X Client Software Required. On the Network Security→802.1X→Port¾ Snmp Management Frame Snmp¾ Snmp Overview ¾ Snmp Versions¾ Snmp Configuration Outline ¾ MIB Introduction¾ Remote Engine Snmp Config¾ Local Engine View Type Snmp ViewMIB Object ID View Name¾ Group Config Snmp GroupSnmp User ¾ Group TablePrivacy Mode Auth ModeAuth Password Privacy PasswordSnmp Community ¾ Community ConfigAccess MIB View Required. On the SNMP→SNMP Config→GlobalRequired. On the SNMP→SNMP Config→SNMP ¾ Community TableOn the SNMP→SNMP Config→SNMP NotificationUser TimeoutUDP Port RetryRmon Group Function Rmon¾ Rmon Group ¾ History Control Table Event ConfigHistory Control Alarm Config ¾ Event TableRising Threshold VariableSample Type Rising Event200 Cluster ¾ Cluster Role¾ Introduction to Cluster 13.1 NDPNeighbor Info ¾ Neighbor Info NDP Summary¾ Neighbor ¾ Port Status Displays the port number of the switch NDPAging Time NDP ConfigDetail ： Device Table Port Displays the port number of the switchNtdp Displays NDP status of the current portNtdp Summary Ntdp Summary Ntdp Hops Ntdp ConfigNtdp Interval Time Cluster Summary EnableCluster ¾ Global Cluster ¾ Global Config Cluster¾ Cluster Config ¾ Member InfoSwitch 11 Cluster Summary for Member Switch¾ Role Change Cluster Config¾ Current Role 14 Cluster Configuration for Commander Switch Member Config 16 Cluster Configuration for Individual SwitchDevice Name Cluster Topology¾ Create Member Member MAC18 Collect Topology ¾ Graphic ShowApplication Example for Cluster Function On Cluster→NDP→NDP Config page, enable NDP On Cluster→NTDP→NTDP Config page, enable220 CPU Monitor MaintenanceSystem Monitor Memory Monitor 14.2 Log Time ContentLog Table ModuleRemote Log ¾ Local Log ConfigLocal Log Log BufferHost IP Backup Log¾ Log Host Cable Test ¾ Backup LogDevice Diagnose ¾ Cable TestLoopback ErrorSwitch is available LengthPing ¾ Ping ConfigNetwork Diagnose Test¾ Tracert Config TracertConfigure the Hyper Terminal System Maintenance via FTPHardware Installation 232 Download Firmware via bootrom menu 5Port SettingsTP-LINK ifconfig ip 172.31.70.22 mask 255.255.255.0 gateway TP-LINK upgrade You can only use the port 1 to upgradeTP-LINK start Start User Access Login Appendix a Specifications Appendix B Configuring the PCs Configure TCP/IP component238 Now Installation Guide Appendix C 802.1X Client Software241 242 Uninstall Software Figure C-7 InstallShield Wizard CompleteConfiguration Figure C-10 Uninstall Complete245 Figure C-15 Connection Status FAQ Appendix D Glossary Ieee 802.1D Multicast SwitchingGroup Attribute Registration Protocol Garp Ieee 802.1QLink Aggregation Port AuthenticationRemote Authentication Dial-in User Service Radius Link Aggregation Control Protocol LacpSpanning Tree Algorithm STA Simple Network Management Protocol SnmpSimple Network Time Protocol Sntp Telnet