DHCP snooping introduction

0

DHCP snooping is a DHCP security feature. Features such as MAC address limitation, DHCP snooping security binding, binding of IP addresses and MAC addresses, and Option82 can be used to filter untrusted DHCP messages. In this way, DHCP DoS attacks, DHCP server forgery, ARP man-in-the-middle attacks, and IP address/MAC address spoofing can be prevented for devices that use DHCP. DHCP snooping is similar to a firewall between a client and a DHCP server.

Other related questions:
Configure DHCP snooping on S series switch
S series switches (except S1700 switches) support DHCP Snooping. DHCP Snooping provides the trust function and DHCP Snooping binding table checking functions. DHCP Snooping trust function ensures that clients obtain IP addresses from authorized DHCP servers. The DHCP Snooping binding table checking function prevents DHCP attacks, such as DHCP flood attacks, bogus DHCP server attacks, and DHCP server DoS attacks. As shown in the networking diagram on the right, the DHCP Client and Server are connected through the Switch. The configuration procedure is as follows: 1. Enable global DHCP Snooping. [Huawei] dhcp enable [Huawei] dhcp snooping enable 2. Enable DHCP Snooping on the user-side interface GE0/0/2. [Huawei] interface gigabitethernet 0/0/2 [Huawei-GigabitEthernet0/0/2] dhcp snooping enable 3. Configure the interface (GE0/0/1) connected to the DHCP Server as the trusted interface to prevent bogus DHCP server attacks. [Huawei] interface gigabitethernet 0/0/1 [Huawei-GigabitEthernet0/0/1] dhcp snooping trusted 4. Set the maximum rate at which DHCP messages are sent to the DHCP message processing unit, and enable the alarm function for discarding packets to prevent DHCP flood attacks. # Set the maximum rate at which DHCP messages are sent to the DHCP message processing unit to 90 pps. [Huawei] dhcp snooping check dhcp-rate enable [Huawei] dhcp snooping check dhcp-rate 90 # Enable the alarm function for discarding packets and set the alarm threshold for packet rate limiting. [Huawei] dhcp snooping alarm dhcp-rate enable [Huawei] dhcp snooping alarm dhcp-rate threshold 500 5. Configure the switch to check DHCP messages against the binding table, and enable the switch to generate an alarm when the number of packets discarded in binding table checking reaches the alarm threshold. This configuration prevents bogus DHCP server attacks. [Huawei] interface gigabitethernet 0/0/2 [Huawei-GigabitEthernet0/0/2] dhcp snooping check dhcp-request enable [Huawei-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-request enable [Huawei-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-request threshold 120 6. Set the maximum number of access users on an interface, enable the switch to check whether the MAC address in a DHCP Request frame header is the same as the CHADDR value in the data field, and enable the switch to generate an alarm when the number of packets discarded in CHADDR field check reaches the alarm threshold. This configuration prevents DHCP Server DoS attacks. [Huawei-GigabitEthernet0/0/2] dhcp snooping max-user-number 20 [Huawei-GigabitEthernet0/0/2] dhcp snooping check dhcp-chaddr enable [Huawei-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-chaddr enable [Huawei-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-chaddr threshold 120

How to enable DHCP snooping on a WLAN device
DHCP snooping is a DHCP security feature. To configure DHCP snooping security functions, enable DHCP snooping first. For ACs, you must enable DHCP snooping in the system view and then on an interface or in a VLAN. The operations are as follows: 1. Run the dhcp snooping enable [ ipv4 | ipv6 ] command in the system view to enable DHCP snooping globally. 2. Enable DHCP snooping in the system view, interface view, or VLAN view. - Run the dhcp snooping enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> command to enable DHCP snooping. - Run the vlan vlan-id command to enter the VLAN view, or run the interface interface-type interface-number command to enter the interface view. - Run the dhcp snooping enable command to enable DHCP snooping on the interface or in the VLAN. DHCP snooping is enabled on Fat APs by default.

DHCP snooping configuration on USG firewalls
You can configure the DHCP snooping on USG firewalls as follows: The DHCP snooping is a DHCP security feature. It can protect devices against DHCP DoS attack, DHCP server spoofing, ARP man-in-the-middle attack, and IP/MAC spoofing attack when using the DHCP. The most commonly used function of the DHCP server snooping is to protect devices against the DHCP DoS attack. It can prevent users from obtaining IP addresses from other DHCP servers (such as private routers) except for the firewall. However, the firewall does not restrict private routers. The key configuration is as follows: 1. Enable the global and interface DHCP snooping. [USG] dhcp snooping enable [USG] interface GigabitEthernet 0/0/1 [USG-GigabitEthernet0/0/1] dhcp snooping enable [USG-GigabitEthernet0/0/1] quit [USG] interface GigabitEthernet 0/0/2 [USG-GigabitEthernet0/0/2] dhcp snooping enable [USG-GigabitEthernet0/0/2] quit 2. Configure the Trusted interface to prevent DHCP server spoofing. Set the interface connected to the DHCP server to the Trusted mode and the interface connected to the DHCP client to the Untrusted mode (after the DHCP snooping is enabled for the interfaces, the interfaces are in Untrusted mode by default). [USG] interface GigabitEthernet 0/0/2 [USG-GigabitEthernet0/0/2] dhcp snooping trusted [USG-GigabitEthernet0/0/2] quit Note: The DHCP snooping takes effect only when the firewall serves as the DHCP server or the upper-level device of the firewall is the DHCP server. If the lower-level switch interconnected to the USG firewall serves as the DHCP server, DHCP packets do not pass through the firewall. This configuration is invalid. Therefore, the DHCP snooping must be configured on the switch. For specific configurations, click DHCP Snooping Configuration on USG Firewalls.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top