Home » TP-Link Manuals » Hubs & Switches » TP-Link T2500-28TCTL-SL5428E » Manual Viewer

TP-Link T2500-28TCTL-SL5428E T2500-28TCUN V1 User Guide - Page 218

Option 82, DHCP Cheating Attack, DHCP-OFFER Stage: Upon receiving the DHCP-DISCOVER packet

View all TP-Link T2500-28TCTL-SL5428E manuals

Add to My Manuals
Save this manual to your list of manuals

Page 218 highlights

2. DHCP-OFFER Stage: Upon receiving the DHCP-DISCOVER packet, the DHCP Server selects an IP address from the IP pool according to the assigning priority of the IP addresses and replies to the Client with DHCP-OFFER packet carrying the IP address and other information. 3. DHCP-REQUEST Stage: In the situation that there are several DHCP Servers sending the DHCP-OFFER packets, the Client will only respond to the first received DHCP-OFFER packet and broadcast the DHCP-REQUEST packet which includes the assigned IP address of the DHCP-OFFER packet. 4. DHCP-ACK Stage: Since the DHCP-REQUEST packet is broadcasted, all DHCP Servers on the network segment can receive it. However, only the requested Server processes the request. If the DHCP Server acknowledges assigning this IP address to the Client, it will send the DHCP-ACK packet back to the Client. Otherwise, the Server will send the DHCP-NAK packet to refuse assigning this IP address to the Client.  Option 82 The DHCP packets are classified into 8 types with the same format basing on the format of BOOTP packet. The difference between DHCP packet and BOOTP packet is the Option field. The Option field of the DHCP packet is used to expand the function, for example, the DHCP can transmit the control information and network parameters via the Option field, so as to assign the IP address to the Client dynamically. For the details of the DHCP Option, please refer to RFC 2132. Option 82 records the location of the DHCP Client. Upon receiving the DHCP-REQUEST packet, the switch adds the Option 82 to the packet and then transmits the packet to DHCP Server. Administrator can be acquainted with the location of the DHCP Client via Option 82 so as to locate the DHCP Client for fulfilling the security control and account management of Client. The Server supported Option 82 also can set the distribution policy of IP addresses and the other parameters according to the Option 82, providing more flexible address distribution way. Option 82 can contain 255 sub-options at most. If Option 82 is defined, at least a sub-option should be defined. This switch supports two sub-options: Circuit ID and Remote ID. Since there is no universal standard about the content of Option 82, different manufacturers define the sub-options of Option 82 to their need. For this switch, the sub-options are defined as the following: The Circuit ID is defined to be the number of the port which receives the DHCP Request packets and its VLAN number. The Remote ID is defined to be the MAC address of DHCP Snooping device which receives the DHCP Request packets from DHCP Clients.  DHCP Cheating Attack During the working process of DHCP, generally there is no authentication mechanism between Server and Client. If there are several DHCP servers in the network, network confusion and security problem will happen. The common cases incurring the illegal DHCP servers are the following two:  It's common that the illegal DHCP server is manually configured by the user by mistake.  Hacker exhausted the IP addresses of the normal DHCP server and then pretended to be a legal DHCP server to assign the IP addresses and the other parameters to Clients. For example, hacker used the pretended DHCP server to assign a modified DNS server address to users so as to induce the users to the evil financial website or electronic trading website and cheat the users of their accounts and passwords. The following figure illustrates the DHCP Cheating Attack implementation procedure. 208

Section	Page
Package Contents	11
Chapter 1 About This Guide	12
1.1 Intended Readers	12
1.2 Conventions	12
1.3 Overview of This Guide	13
Chapter 2 Introduction	17
2.1 Overview of the Switch	17
2.2 Appearance Description	17
2.2.1 Front Panel	17
2.2.2 Rear Panel	18
Chapter 3 Login to the Switch	19
3.1 Login	19
3.2 Configuration	19
Chapter 4 System	21
4.1 System Info	21
4.1.1 System Summary	21
4.1.2 Device Description	23
4.1.3 System Time	23
4.1.4 Daylight Saving Time	24
4.1.5 System IP	26
4.1.6 System IPv6	27
4.2 User Management	35
4.2.1 User Table	35
4.2.2 User Config	35
4.3 System Tools	36
4.3.1 Config Restore	37
4.3.2 Config Backup	37
4.3.3 Firmware Upgrade	38
4.3.4 System Reboot	38
4.3.5 System Reset	39
4.4 Access Security	39
4.4.1 Access Control	39
4.4.2 SSL Config	41
4.4.3 SSH Config	42
Chapter 5 Switching	49
5.1 Port	49
5.1.1 Port Config	49
5.1.2 Port Mirror	50
5.1.3 Port Security	51
5.1.4 Port Isolation	53
5.1.5 Loopback detection	54
5.2 DDM	55
5.2.1 DDM Config	55
5.2.2 Temperature Threshold	56
5.2.3 Voltage Threshold	57
5.2.4 Bias Current Threshold	58
5.2.5 Tx Power Threshold	58
5.2.6 Rx Power Threshold	59
5.2.7 DDM Status	60
5.3 LAG	61
5.3.1 LAG Table	61
5.3.2 Static LAG	63
5.3.3 LACP Config	64
5.4 Traffic Monitor	66
5.4.1 Traffic Summary	66
5.4.2 Traffic Statistics	67
5.5 MAC Address	68
5.5.1 Address Table	69
5.5.2 Static Address	70
5.5.3 Dynamic Address	71
5.5.4 Filtering Address	73
Chapter 6 VLAN	75
6.1 802.1Q VLAN	76
6.1.1 VLAN Config	77
6.1.2 Port Config	79
6.2 MAC VLAN	81
6.2.1 MAC VLAN	82
6.2.2 Port Enable	83
6.3 Protocol VLAN	83
6.3.1 Protocol VLAN	84
6.3.2 Protocol Template	85
6.3.3 Port Enable	86
6.4 Application Example for 802.1Q VLAN	86
6.5 Application Example for MAC VLAN	88
6.6 Application Example for Protocol VLAN	89
6.7 VLAN VPN	91
6.7.1 VPN Config	92
6.7.2 VLAN Mapping	92
6.7.3 Port Enable	93
6.8 Private VLAN	95
6.8.1 PVLAN Config	98
6.8.2 Port Config	99
6.9 GVRP	101
6.10 Application Example for Private VLAN	104
Chapter 7 Spanning Tree	107
7.1 STP Config	111
7.1.1 STP Config	111
7.1.2 STP Summary	113
7.2 Port Config	114
7.3 MSTP Instance	115
7.3.1 Region Config	115
7.3.2 Instance Config	116
7.3.3 Instance Port Config	117
7.4 STP Security	119
7.4.1 Port Protect	119
7.4.2 TC Protect	121
7.5 Application Example for STP Function	122
Chapter 8 Ethernet OAM	126
8.1 Basic Config	129
8.1.1 Basic Config	129
8.1.2 Discovery Info	131
8.2 Link Monitoring	133
8.3 RFI	134
8.4 Remote Loopback	135
8.5 Statistics	136
8.5.1 Statistics	136
8.5.2 Event Log	137
8.6 DLDP	138
8.7 Application Example for DLDP	141
Chapter 9 DHCP	144
9.1 DHCP Relay	148
Chapter 10 Multicast	152
10.1 IGMP Snooping	156
10.1.1 Snooping Config	157
10.1.2 VLAN Config	158
10.1.3 Port Config	159
10.1.4 IP-Range	161
10.1.5 Multicast VLAN	162
10.1.6 Static Multicast IP	165
10.1.7 Packet Statistics	166
10.1.8 Querier Config	167
10.1.9 IGMP Authentication	168
10.2 MLD Snooping	169
10.2.1 Global Config	171
10.2.2 VLAN Config	172
10.2.3 Filter Config	174
10.2.4 Port Config	174
10.2.5 Static Multicast	175
10.2.6 Querier Config	176
10.2.7 Packet Statistics	177
10.3 Multicast Table	178
10.3.1 IPv4 Multicast Table	179
10.3.2 IPv6 Multicast Table	179
Chapter 11 QoS	181
11.1 DiffServ	184
11.1.1 Port Priority	184
11.1.2 DSCP Priority	185
11.1.3 802.1P/CoS Mapping	186
11.1.4 Schedule Mode	187
11.2 Bandwidth Control	188
11.2.1 Rate Limit	188
11.2.2 Storm Control	189
11.3 Voice VLAN	191
11.3.1 Global Config	193
11.3.2 Port Config	193
11.3.3 OUI Config	195
Chapter 12 ACL	197
12.1 Time-Range	197
12.1.1 Time-Range Summary	197
12.1.2 Time-Range Create	198
12.1.3 Holiday Config	199
12.2 ACL Config	199
12.2.1 ACL Summary	199
12.2.2 ACL Create	200
12.2.3 MAC ACL	201
12.2.4 Standard-IP ACL	201
12.2.5 Extend-IP ACL	202
12.2.6 Combined ACL	204
12.3 Policy Config	205
12.3.1 Policy Summary	205
12.3.2 Policy Create	206
12.3.3 Action Create	206
12.4 Policy Binding	208
12.4.1 Binding Table	208
12.4.2 Port Binding	208
12.4.3 VLAN Binding	209
12.5 Application Example for ACL	210
Chapter 13 Network Security	212
13.1 IP-MAC Binding	212
13.1.1 Binding Table	212
13.1.2 Manual Binding	213
13.1.3 ARP Scanning	215
13.2 DHCP Snooping	216
13.2.1 DHCP Snooping	220
13.2.2 Option 82	221
13.3 ARP Inspection	222
13.3.1 ARP Detect	225
13.3.2 ARP Defend	227
13.3.3 ARP Statistics	228
13.4 IP Source Guard	228
13.5 DoS Defend	229
13.5.1 DoS Defend	231
13.5.2 DoS Detect	232
13.6 802.1X	232
13.6.1 Global Config	236
13.6.2 Port Config	238
13.7 AAA	239
13.7.1 Global Config	240
13.7.2 Privilege Elevation	241
13.7.3 RADIUS Server Config	241
13.7.4 TACACS+ Server Config	242
13.7.5 Authentication Server Group Config	243
13.7.6 Authentication Method List Config	244
13.7.7 Application Authentication List Config	245
13.7.8 802.1X Authentication Server Config	246
13.7.9 Default Settings	246
13.8 PPPoE Config	247
Chapter 14 SNMP	250
14.1 SNMP Config	252
14.1.1 Global Config	252
14.1.2 SNMP View	253
14.1.3 SNMP Group	253
14.1.4 SNMP User	255
14.1.5 SNMP Community	257
14.2 Notification	259
14.2.1 Notification Config	259
14.2.2 Traps Config	260
14.3 RMON	263
14.3.1 History Control	264
14.3.2 Event Config	265
14.3.3 Alarm Config	266
Chapter 15 LLDP	268
15.1 Basic Config	271
15.1.1 Global Config	272
15.1.2 Port Config	273
15.2 Device Info	273
15.2.1 Local Info	273
15.2.2 Neighbor Info	274
15.3 Device Statistics	276
15.4 LLDP-MED	277
15.4.1 Global Config	278
15.4.2 Port Config	278
15.4.3 Local Info	281
15.4.4 Neighbor Info	282
Chapter 16 Cluster	284
16.1 NDP	285
16.1.1 Neighbor Info	285
16.1.2 NDP Summary	286
16.1.3 NDP Config	288
16.2 NTDP	289
16.2.1 Device Table	289
16.2.2 NTDP Summary	291
16.2.3 NTDP Config	292
16.3 Cluster	293
16.3.1 Cluster Summary	293
16.3.2 Cluster Config	296
16.3.3 Member Config	298
16.3.4 Cluster Topology	299
Chapter 17 Maintenance	302
17.1 System Monitor	302
17.1.1 CPU Monitor	302
17.1.2 Memory Monitor	303
17.2 Log	303
17.2.1 Log Table	304
17.2.2 Local Log	305
17.2.3 Remote Log	305
17.2.4 Backup Log	306
17.3 Device Diagnostics	307
17.4 Network Diagnostics	308
17.4.1 Ping	308
17.4.2 Tracert	309
Chapter 18 System Maintenance via FTP	310

Match case Limit results 1 per page

208

DHCP-OFFER Stage: Upon receiving the DHCP-DISCOVER packet, the DHCP Server

selects an IP address from the IP pool according to the assigning priority of the IP addresses

and replies to the Client with DHCP-OFFER packet carrying the IP address and other

information.

DHCP-REQUEST Stage: In the situation that there are several DHCP Servers sending the

DHCP-OFFER packets, the Client will only respond to the first received DHCP-OFFER packet

and broadcast the DHCP-REQUEST packet which includes the assigned IP address of the

DHCP-OFFER packet.

DHCP-ACK Stage: Since the DHCP-REQUEST packet is broadcasted, all DHCP Servers on

the network segment can receive it. However, only the requested Server processes the

request. If the DHCP Server acknowledges assigning this IP address to the Client, it will send

the DHCP-ACK packet back to the Client. Otherwise, the Server will send the DHCP-NAK

packet to refuse assigning this IP address to the Client.



Option 82

The DHCP packets are classified into 8 types with the same format basing on the format of

BOOTP packet. The difference between DHCP packet and BOOTP packet is the Option field. The

Option field of the DHCP packet is used to expand the function, for example, the DHCP can

transmit the control information and network parameters via the Option field, so as to assign the IP

address to the Client dynamically. For the details of the DHCP Option, please refer to RFC 2132.

Option 82 records the location of the DHCP Client. Upon receiving the DHCP-REQUEST packet,

the switch adds the Option 82 to the packet and then transmits the packet to DHCP Server.

Administrator can be acquainted with the location of the DHCP Client via Option 82 so as to locate

the DHCP Client for fulfilling the security control and account management of Client. The Server

supported Option 82 also can set the distribution policy of IP addresses and the other parameters

according to the Option 82, providing more flexible address distribution way.

Option 82 can contain 255 sub-options at most. If Option 82 is defined, at least a sub-option

should be defined. This switch supports two sub-options: Circuit ID and Remote ID. Since there is

no universal standard about the content of Option 82, different manufacturers define the

sub-options of Option 82 to their need. For this switch, the sub-options are defined as the following:

The Circuit ID is defined to be the number of the port which receives the DHCP Request packets

and its VLAN number. The Remote ID is defined to be the MAC address of DHCP Snooping

device which receives the DHCP Request packets from DHCP Clients.



DHCP Cheating Attack

During the working process of DHCP, generally there is no authentication mechanism between

Server and Client. If there are several DHCP servers in the network, network confusion and

security problem will happen. The common cases incurring the illegal DHCP servers are the

following two:



It’s common that the illegal DHCP server is manually configured by the user by mistake.



Hacker exhausted the IP addresses of the normal DHCP server and then pretended to be a

legal DHCP server to assign the IP addresses and the other parameters to Clients. For

example, hacker used the pretended DHCP server to assign a modified DNS server address

to users so as to induce the users to the evil financial website or electronic trading website

and cheat the users of their accounts and passwords. The following figure illustrates the

DHCP Cheating Attack implementation procedure.