Configure DHCP snooping on S series switch

Created: Apr 11, 2017 08:40:28 | Latest reply: Apr 11, 2017 18:17:08
Configure DHCP snooping on S series switch.

user_2790689     Created Apr 11, 2017 15:59:41     Helpful(0)

ding

ms.america     Created Apr 11, 2017 18:17:08     Helpful(0)

S series switches (except S1700 switches) support DHCP Snooping. DHCP Snooping provides the trust function and the binding table checking function. The DHCP Snooping trust function ensures that clients obtain IP addresses from authorized DHCP servers. The DHCP Snooping binding table checking function prevents DHCP attacks, such as DHCP flood attacks, bogus DHCP server attacks, and DHCP server DoS attacks. As shown in the networking diagram on the right, the DHCP Client and Server are connected through the Switch. The configuration procedure is as follows:

1. Enable global DHCP Snooping.
[Huawei] dhcp enable
[Huawei] dhcp snooping enable

2. Enable DHCP Snooping on the user-side interface GE0/0/2.
[Huawei] interface gigabitethernet 0/0/2
[Huawei-GigabitEthernet0/0/2] dhcp snooping enable

3. Configure the interface (GE0/0/1) connected to the DHCP Server as the trusted interface to prevent bogus DHCP server attacks.
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] dhcp snooping trusted

4. Set the maximum rate at which DHCP messages are sent to the DHCP message processing unit, and enable the alarm function for discarding packets to prevent DHCP flood attacks.
# Set the maximum rate at which DHCP messages are sent to the DHCP message processing unit to 90 pps.
[Huawei] dhcp snooping check dhcp-rate enable
[Huawei] dhcp snooping check dhcp-rate 90
# Enable the alarm function for discarding packets and set the alarm threshold for packet rate limiting.
[Huawei] dhcp snooping alarm dhcp-rate enable
[Huawei] dhcp snooping alarm dhcp-rate threshold 500

5. Configure the switch to check DHCP messages against the binding table, and enable the switch to generate an alarm when the number of packets discarded in binding table checking reaches the alarm threshold. This configuration prevents bogus DHCP server attacks.
[Huawei] interface gigabitethernet 0/0/2
[Huawei-GigabitEthernet0/0/2] dhcp snooping check dhcp-request enable
[Huawei-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-request enable
[Huawei-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-request threshold 120

6. Set the maximum number of access users on an interface, enable the switch to check whether the MAC address in a DHCP Request frame header is the same as the CHADDR value in the data field, and enable the switch to generate an alarm when the number of packets discarded in CHADDR field check reaches the alarm threshold. This configuration prevents DHCP Server DoS attacks.
[Huawei-GigabitEthernet0/0/2] dhcp snooping max-user-number 20
[Huawei-GigabitEthernet0/0/2] dhcp snooping check dhcp-chaddr enable
[Huawei-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-chaddr enable
[Huawei-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-chaddr threshold 120
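As an added example (not from the post, and not Huawei's code), here is a small Python model of the checks that steps 3, 5 and 6 configure, run over constructed frames: server messages accepted only on the trusted port, the CHADDR-versus-source-MAC check, the binding-table check for REQUEST/RELEASE, and an alarm when a check's discard count reaches its threshold. The Frame and Snooping classes, the message-type constants and the "drop:<check>" results are this example's own names; the port names follow the answer.

```python
from dataclasses import dataclass, field

# DHCP message types (option 53); only OFFER and ACK originate from servers
OFFER, REQUEST, ACK, RELEASE = 2, 3, 5, 7

@dataclass
class Frame:                     # one constructed DHCP frame as seen by the switch
    port: str                    # ingress interface, e.g. "GE0/0/2" as in the answer
    src_mac: str                 # Ethernet source address
    chaddr: str                  # client hardware address inside the DHCP payload
    msg_type: int
    ciaddr: str = "0.0.0.0"      # address the client claims (REQUEST/RELEASE)
    yiaddr: str = "0.0.0.0"      # address the server assigns (ACK)

@dataclass
class Snooping:                  # model of the per-port checks (this example's names)
    trusted: set                 # ports with "dhcp snooping trusted"
    chaddr_ports: set            # ports with "check dhcp-chaddr enable"
    request_ports: set           # ports with "check dhcp-request enable"
    alarm_threshold: int = 120   # "alarm dhcp-chaddr/dhcp-request threshold 120"
    bindings: dict = field(default_factory=dict)  # (mac, ip) -> client port
    pending: dict = field(default_factory=dict)   # mac -> port of its last REQUEST
    drops: dict = field(default_factory=dict)     # discard counters per check
    alarms: list = field(default_factory=list)    # checks whose threshold was hit

    def _drop(self, reason: str) -> str:
        self.drops[reason] = self.drops.get(reason, 0) + 1
        if self.drops[reason] == self.alarm_threshold:  # alarm once, at threshold
            self.alarms.append(reason)
        return "drop:" + reason

    def inspect(self, f: Frame) -> str:
        """Return 'forward' or 'drop:<check>' for one frame."""
        mac, chaddr = f.src_mac.lower(), f.chaddr.lower()
        if f.msg_type in (OFFER, ACK):
            # Server messages are accepted only from trusted interfaces (bogus-server defence)
            if f.port not in self.trusted:
                return self._drop("untrusted-server")
            if f.msg_type == ACK and chaddr in self.pending:  # learn the binding
                self.bindings[(chaddr, f.yiaddr)] = self.pending.pop(chaddr)
            return "forward"
        # CHADDR check: payload hardware address must equal the frame source MAC
        if f.port in self.chaddr_ports and mac != chaddr:
            return self._drop("dhcp-chaddr")
        # Binding-table check: a claimed address must be bound to this MAC on this port
        if f.port in self.request_ports and f.ciaddr != "0.0.0.0":
            if self.bindings.get((chaddr, f.ciaddr)) != f.port:
                return self._drop("dhcp-request")
        if f.msg_type == REQUEST:
            self.pending[chaddr] = f.port
        return "forward"
```

The rate limit of step 4 is not modelled; the threshold here is lowered in the checks below only to show the alarm firing.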
