# Cisco C9800 WLC IP Theft: Wireless IP Theft Feature
###### tags: `cisco` `wireless` `security`
A small feature I learned about this morning while talking with a colleague; I tested it right away and wrote up the notes.
[toc]
## IP Theft Feature Overview
**The IP Theft feature prevents the usage of an IP address that is already assigned to another device**. If the controller finds that two wireless clients are **using the same IP address**, it declares the client with the lesser-precedence binding as the **IP thief** and allows the other client to continue. If the blocked list is enabled, the client is put on the **exclusion list** and thrown out.
The IP Theft feature is **enabled by default on the controller**. The **preference level** of the clients (new and existing clients in the database) is also used to report IP theft. The preference level is a learning type or source of learning, such as
- **Dynamic Host Configuration Protocol (DHCP)**,
- **Address Resolution Protocol (ARP)**,
- **data glean (looking at the IP data packet that shows what IP address the client is using)**
and so on. The **wired clients always get a higher preference level**. If a wireless client tries to steal the wired IP, that client is declared as a thief.
The order of preference for IPv4 clients is:
- DHCPv4
- ARP
- Data packets
The order of preference for IPv6 clients is:
- DHCPv6
- NDP
[Official documentation](https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-10/config-guide/b_wl_17_10_cg/m_ip_theft.html)
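The precedence rule above (wired always wins, then DHCPv4 > ARP > data packets for IPv4, DHCPv6 > NDP for IPv6) is easy to get wrong when reasoning about which side of a collision the controller will exclude. The following is an added example, not Cisco code and not part of the original post: it models that rule as a comparator so you can predict the legit/thief outcome for a pair of bindings before changing a policy. The `Binding` class, the numeric ranks, the `"arp"` source used for the static wired entry, and the older-entry-wins tiebreak are this example's own assumptions.

```python
"""Model of the C9800 IP Theft precedence rule described above.

Added example, not Cisco code. It encodes the documented learning-source order
(IPv4: DHCPv4 > ARP > data packets; IPv6: DHCPv6 > NDP) and the rule that wired
bindings always outrank wireless ones, then decides which of two bindings for the
same IP is "legit" and which is the "thief". The Binding class, the numeric ranks
and the older-entry-wins tiebreak are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Lower number = higher precedence; order taken from Cisco's description.
_PRECEDENCE_V4 = {"dhcpv4": 0, "arp": 1, "data": 2}
_PRECEDENCE_V6 = {"dhcpv6": 0, "ndp": 1}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    source: str     # learning source: "dhcpv4", "arp", "data", "dhcpv6" or "ndp"
    wired: bool     # True for a wired / static device-tracking entry, False for a wireless client
    seen_at: float  # when the binding was learned (epoch seconds); assumed tiebreak field

    def rank(self) -> Tuple[int, int, float]:
        """Sort key: wired entries first, then learning-source precedence, then the older entry."""
        table = _PRECEDENCE_V6 if ":" in self.ip else _PRECEDENCE_V4
        if self.source not in table:
            raise ValueError(f"unknown learning source {self.source!r} for {self.ip}")
        return (0 if self.wired else 1, table[self.source], self.seen_at)


def resolve_collision(a: Binding, b: Binding) -> Optional[Tuple[Binding, Binding]]:
    """Return (legit, thief) when a and b claim the same IP on the same VLAN, else None.

    The same MAC re-learned through another source (e.g. DHCP then ARP) is not a
    collision, so identical MACs return None.
    """
    if a.ip != b.ip or a.vlan != b.vlan or a.mac == b.mac:
        return None
    return (a, b) if a.rank() <= b.rank() else (b, a)


if __name__ == "__main__":
    # Constructed scenario mirroring the test in this post: a static wired
    # binding versus a wireless client that obtained the same IP via DHCPv4.
    wired = Binding("3a1c.1d90.aed3", "10.7.1.201", 1, "arp", True, 100.0)
    wireless = Binding("f4f5.dbce.2d91", "10.7.1.201", 1, "dhcpv4", False, 200.0)
    legit, thief = resolve_collision(wired, wireless)
    print(f"legit={legit.mac} thief={thief.mac}")
```

Note that the wireless client loses even though DHCPv4 is the highest wireless learning source, because the wired flag is compared first; that is exactly what the test later in this post shows.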
## Test Log
Confirm the connected wireless clients through the WLC. Among them, 10.7.1.201 is the test target.

Confirm that **IP Theft or IP Reuse** is enabled.
> **Configuration**> **Security**> **Wireless Protection Policies**> **Client Exclusion Policies**

It is more convenient to confirm this from the CLI.
- **`show wireless wps summary`**
- **`show wireless client summary`**
- **`show wireless device-tracking database ip`**
- **`show wireless exclusionlist`**

:::warning
:question:
- I did not know how to get a wireless client to obtain the same IP address **10.7.1.201**, so I tested with a wired device configured with the same IP address instead.
- I also did not know how to make the WLC aware that a wired device is using the same IP address, so I added that entry to the device-tracking database manually.
:::
Use the following commands to create the static entry for the wired device.
```
C9800#conf t
C9800(config)#device-tracking binding vlan 1 10.7.1.201 int vlan 1 3a1c.1d90.aed3
```
Then confirm the configuration with **`show device-tracking database`**.

Now set the wired device's IP address to **`10.7.1.201`** and reconnect the wireless device.
The entry in the **wireless device-tracking database** has been replaced by the static entry.

Viewing the **Excluded Client** records on the WLC shows that the reconnected wireless device was put on the **exclusion list** for **IP address theft**.

Confirm the exclusion list status from the CLI.

The default Exclusion List Timeout in **default-policy-profile** is **60** seconds.
:::info
The default Timeout threshold can be adjusted with these commands (the first is entered from global configuration mode).
```
C9800(config)#wireless profile policy default-policy-profile
C9800(config-wireless-policy)#exclusionlist timeout 5
```
:::

The related entries can be seen in the WLC logs.
```log!
1 Jan 13 11:31:54: %SISF-4-IP_THEFT: Chassis 1 R0/0: wncd: IP Theft Collision hit !! legit client =3a1c.1d90.aed3 IP addr =10.7.1.201 Vlan =1 Ifhdl =CAPWAP 0x90000005 legit entry time =2023 Fri Jan 13 11:31:54.944215 thief client =f4f5.dbce.2d91 theft time =2023 Fri Jan 13 11:31:54.948259
2 Jan 13 11:31:54: %CLIENT_ORCH_LOG-5-ADD_TO_BLACKLIST_REASON: Chassis 1 R0/0: wncd: Client MAC: f4f5.dbce.2d91 with IP: 10.7.1.201 was added to exclusion list, legit Client MAC: 3a1c.1d90.aed3, IP: 10.7.1.201, reason: IP address theft
```
:::info
- MAC addresses
  - Wired device: 3a1c.1d90.aed3
  - Wireless device: f4f5.dbce.2d91
- Reading the log entries
  - Line 1: the system detected IP theft. The <font color=red>thief client</font> is **`f4f5.dbce.2d91`**, and the <font color=blue>legit client</font> is **`3a1c.1d90.aed3`**.
  - Line 2: the thief client was added to the exclusion list.
:::
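From a detection standpoint, the useful thing to do with these two messages is to parse them and pair the `%SISF-4-IP_THEFT` detection with its `%CLIENT_ORCH_LOG-5-ADD_TO_BLACKLIST_REASON` follow-up, so a SIEM rule can tell a theft that was actually excluded from one that was only reported. The following is an added example, not part of the original post or Cisco's code; the regular expressions are this example's own assumptions about the message layout, derived only from the two lines shown above, and the sample input is those two lines with the leading line numbers removed.

```python
"""Parser and correlator for the two C9800 IP-theft syslog messages shown above.

Added example, not part of the original post or Cisco's code. It extracts the
legit/thief MAC, IP and VLAN from %SISF-4-IP_THEFT, the exclusion notification from
%CLIENT_ORCH_LOG-5-ADD_TO_BLACKLIST_REASON, and pairs them by (thief MAC, IP) so a
detection rule can flag thefts that were reported but never excluded.
The regexes are assumptions derived from the two sample lines only.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the two lines from the post, minus the "1 " / "2 " line numbers.
SAMPLE_LOG = """\
Jan 13 11:31:54: %SISF-4-IP_THEFT: Chassis 1 R0/0: wncd: IP Theft Collision hit !! legit client =3a1c.1d90.aed3 IP addr =10.7.1.201 Vlan =1 Ifhdl =CAPWAP 0x90000005 legit entry time =2023 Fri Jan 13 11:31:54.944215 thief client =f4f5.dbce.2d91 theft time =2023 Fri Jan 13 11:31:54.948259
Jan 13 11:31:54: %CLIENT_ORCH_LOG-5-ADD_TO_BLACKLIST_REASON: Chassis 1 R0/0: wncd: Client MAC: f4f5.dbce.2d91 with IP: 10.7.1.201 was added to exclusion list, legit Client MAC: 3a1c.1d90.aed3, IP: 10.7.1.201, reason: IP address theft
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"   # Cisco dotted-hex MAC format
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

THEFT_RE = re.compile(
    r"%SISF-4-IP_THEFT: .*?legit client =(?P<legit>" + MAC + r") "
    r"IP addr =(?P<ip>" + IP + r") Vlan =(?P<vlan>\d+) .*?"
    r"thief client =(?P<thief>" + MAC + r")",
    re.IGNORECASE,
)
EXCLUDE_RE = re.compile(
    r"%CLIENT_ORCH_LOG-5-ADD_TO_BLACKLIST_REASON: .*?Client MAC: (?P<thief>" + MAC + r") "
    r"with IP: (?P<ip>" + IP + r") was added to exclusion list, "
    r"legit Client MAC: (?P<legit>" + MAC + r"), IP: " + IP + r", reason: (?P<reason>.+)$",
    re.IGNORECASE,
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a dict with an 'event' key ('theft' or 'excluded') or None for unrelated lines."""
    m = THEFT_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["event"] = "theft"
        return rec
    m = EXCLUDE_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["event"] = "excluded"
        return rec
    return None


def correlate(log_text: str) -> List[Dict[str, object]]:
    """Pair each theft detection with its exclusion; 'excluded' is False when none was logged."""
    thefts: Dict[tuple, Dict[str, str]] = {}
    exclusions: Dict[tuple, Dict[str, str]] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["thief"].lower(), rec["ip"])
        (thefts if rec["event"] == "theft" else exclusions)[key] = rec
    results = []
    for key, t in thefts.items():
        e = exclusions.get(key)
        results.append({
            "thief": t["thief"], "legit": t["legit"], "ip": t["ip"], "vlan": t["vlan"],
            "excluded": e is not None, "reason": e["reason"] if e else "",
        })
    return results


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        status = "EXCLUDED" if r["excluded"] else "NOT EXCLUDED"
        print(f"{status}: thief={r['thief']} legit={r['legit']} ip={r['ip']} vlan={r['vlan']}")
```

A theft record with `excluded` still False after the controller's normal processing window is worth an alert of its own: it usually means the exclusion policy is disabled on that policy profile, which is the setting checked earlier under Client Exclusion Policies.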

:::success
- IP Theft really does improve network security!
- If an external DHCP server or a wired device is involved, I currently have no information on how the system collects the relevant details! If you know, please let me know, thanks.
- I no longer understand these network configurations; the gap could be measured in **light-years**!
:::
## References
- [Cisco Catalyst 9800 Series Wireless Controller Programmability Guide](https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/programmability-guide/b_c9800_programmability_cg/cisco-catalyst-9800-series-wireless-controller-programmability-guide.html)
- [Deploying Cisco C9800 WLC on ESXi](https://rowelldionicio.com/deploying-cisco-catalyst-9800-controller-on-vmware-esxi/)
- [Configuring Netconf Cisco C9800 WLC](https://rowelldionicio.com/configuring-netconf-cisco-c9800-wlc/)
- [Catalyst 9800 Programmability and Telemetry Deployment Guide](https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/catalyst-9800-programmability-telemetry-deployment-guide.html)