Can DHCP snooping be configured in multiple VLANs at a time

In V100R006 and later versions, you can configure DHCP snooping in multiple VLANs at a time.
When performing the DHCP snooping configuration, pay attention to the following points:
--You can specify a range of VLAN IDs when running the dhcp snooping enable command in the system view, but the configuration is saved in the configuration file under the VLAN view rather than the system view.
--Ensure that all the specified VLANs exist on the device.
--If you specify a super-VLAN in the dhcp snooping enable command, DHCP snooping takes effect in all the sub-VLANs of the super-VLAN.
--The DHCP snooping configuration commands used in the VLAN view cannot specify multiple interfaces in a batch. For example, when you run the dhcp snooping trusted interface interface-type interface-number command in the VLAN view, you can specify only one interface each time.

Other related questions:
Support for batch configuration of dhcp snooping in VLAN view on S series switch
S series switches (except S1700 switches) in V100R006 and later versions allow you to configure DHCP snooping in multiple VLANs at a time. When performing the DHCP snooping configuration, pay attention to the following points:
--You can specify a range of VLAN IDs when running the dhcp snooping enable command in the system view, but the configuration is saved in the configuration file under the VLAN view rather than the system view.
--Ensure that all the specified VLANs exist on the device.
--If you specify a super-VLAN in the dhcp snooping enable command, DHCP snooping takes effect in all the sub-VLANs of the super-VLAN.
--The DHCP snooping configuration commands used in the VLAN view cannot specify multiple interfaces in a batch. For example, when you run the dhcp snooping trusted interface interface-type interface-number command in the VLAN view, you can specify only one interface each time.

Configure DHCP snooping on S series switch
S series switches (except S1700 switches) support DHCP Snooping. DHCP Snooping provides two functions: the trust function and DHCP Snooping binding table checking. The trust function ensures that clients obtain IP addresses only from authorized DHCP servers. The binding table checking function prevents DHCP attacks such as DHCP flood attacks, bogus DHCP server attacks, and DHCP server DoS attacks. In the networking diagram that accompanies this answer (not reproduced here), the DHCP client and the DHCP server are connected through the switch. The configuration procedure is as follows:
1. Enable global DHCP Snooping.
[Huawei] dhcp enable
[Huawei] dhcp snooping enable
2. Enable DHCP Snooping on the user-side interface GE0/0/2.
[Huawei] interface gigabitethernet 0/0/2
[Huawei-GigabitEthernet0/0/2] dhcp snooping enable
3. Configure the interface connected to the DHCP server (GE0/0/1) as the trusted interface to prevent bogus DHCP server attacks.
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] dhcp snooping trusted
4. Set the maximum rate at which DHCP messages are sent to the DHCP message processing unit, and enable the alarm function for discarded packets, to prevent DHCP flood attacks.
# Set the maximum rate at which DHCP messages are sent to the DHCP message processing unit to 90 pps.
[Huawei] dhcp snooping check dhcp-rate enable
[Huawei] dhcp snooping check dhcp-rate 90
# Enable the alarm function for discarded packets and set the alarm threshold for packet rate limiting.
[Huawei] dhcp snooping alarm dhcp-rate enable
[Huawei] dhcp snooping alarm dhcp-rate threshold 500
5. Configure the switch to check DHCP messages against the binding table, and enable the switch to generate an alarm when the number of packets discarded by the binding table check reaches the alarm threshold. This configuration prevents bogus DHCP server attacks.
[Huawei] interface gigabitethernet 0/0/2
[Huawei-GigabitEthernet0/0/2] dhcp snooping check dhcp-request enable
[Huawei-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-request enable
[Huawei-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-request threshold 120
6. Set the maximum number of access users on the interface, enable the switch to check whether the source MAC address in the frame header of a DHCP Request is the same as the CHADDR value in the DHCP data field, and enable the switch to generate an alarm when the number of packets discarded by the CHADDR check reaches the alarm threshold. This configuration prevents DHCP server DoS attacks.
[Huawei-GigabitEthernet0/0/2] dhcp snooping max-user-number 20
[Huawei-GigabitEthernet0/0/2] dhcp snooping check dhcp-chaddr enable
[Huawei-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-chaddr enable
[Huawei-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-chaddr threshold 120
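The checks that steps 2 to 6 above turn on (trusted-port filtering of server replies, the dhcp-rate limit, the CHADDR check, the binding table check and max-user-number) modelled as an added Python example; this is illustrative code written for this page, not Huawei's implementation, and the message format, port names, abbreviated MAC strings and per-second rate window are assumptions made for the model.

```python
from collections import Counter, namedtuple

DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # DHCP option 53 message types (RFC 2132)
# Msg: arrival second, ingress port, frame source MAC, payload CHADDR, type, ciaddr, yiaddr
Msg = namedtuple("Msg", "sec port src_mac chaddr mtype ciaddr yiaddr", defaults=("", ""))

class Snooper:
    def __init__(self, trusted, max_users, rate_limit=90):
        self.trusted = set(trusted)    # ports under 'dhcp snooping trusted'
        self.max_users = max_users     # port -> 'dhcp snooping max-user-number'
        self.rate_limit = rate_limit   # 'dhcp snooping check dhcp-rate <pps>'
        self.per_sec = Counter()       # DHCP messages seen per second
        self.client_port = {}          # client MAC -> untrusted port it was seen on
        self.bindings = set()          # (port, mac, ip) entries learned from server ACKs

    def check(self, m):  # returns None (forward) or the drop reason
        self.per_sec[m.sec] += 1
        if self.per_sec[m.sec] > self.rate_limit:
            return "dhcp-rate"         # flood: beyond the per-second limit
        if m.mtype in (OFFER, ACK) and m.port not in self.trusted:
            return "bogus-server"      # server reply arriving on an untrusted port
        if m.mtype == ACK and m.chaddr in self.client_port:
            self.bindings.add((self.client_port[m.chaddr], m.chaddr, m.yiaddr))
        if m.mtype in (OFFER, ACK) or m.port in self.trusted:
            return None                # the client checks below are for untrusted ports
        if m.chaddr != m.src_mac:
            return "dhcp-chaddr"       # CHADDR does not match the frame source MAC
        if m.ciaddr and (m.port, m.chaddr, m.ciaddr) not in self.bindings:
            return "dhcp-request"      # renew/release with no matching binding entry
        on_port = list(self.client_port.values()).count(m.port)
        if m.chaddr not in self.client_port and on_port >= self.max_users.get(m.port, 10**9):
            return "max-user"          # too many clients behind this port
        self.client_port[m.chaddr] = m.port
        return None

    def run(self, msgs):  # verdict per message plus per-reason drop counts for alarms
        verdicts = [self.check(m) for m in msgs]
        return verdicts, Counter(v for v in verdicts if v)

# Constructed sample: GE0/0/1 faces the server (trusted), GE0/0/2 faces clients; MACs abbreviated
SAMPLE = [
    Msg(0, "GE0/0/2", "c1", "c1", DISCOVER),
    Msg(0, "GE0/0/1", "srv", "c1", OFFER, yiaddr="10.1.1.10"),
    Msg(0, "GE0/0/1", "srv", "c1", ACK, yiaddr="10.1.1.10"),       # binding learned
    Msg(1, "GE0/0/2", "c1", "c1", REQUEST, ciaddr="10.1.1.10"),    # legitimate renew
    Msg(1, "GE0/0/2", "rogue", "c1", OFFER, yiaddr="10.1.1.99"),   # bogus server
    Msg(1, "GE0/0/2", "c2", "zz", DISCOVER),                       # spoofed CHADDR
    Msg(1, "GE0/0/2", "c2", "c2", REQUEST, ciaddr="10.1.1.10"),    # no such binding
    Msg(1, "GE0/0/2", "c2", "c2", DISCOVER),                       # over max-user-number 1
]
```

Running `Snooper(["GE0/0/1"], {"GE0/0/2": 1}).run(SAMPLE)` forwards the first four messages and drops the last four, one for each reason; the per-reason counts are what the alarm thresholds in steps 4 to 6 would be compared against.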

DHCP snooping configuration on USG firewalls
You can configure DHCP snooping on USG firewalls as follows. DHCP snooping is a DHCP security feature. It protects devices against DHCP DoS attacks, DHCP server spoofing, ARP man-in-the-middle attacks, and IP/MAC spoofing attacks when DHCP is in use. The most commonly used function of DHCP snooping is protection against DHCP DoS attacks: it prevents users from obtaining IP addresses from any DHCP server other than the firewall (for example, a private router). However, the firewall does not restrict the private routers themselves. The key configuration is as follows:
1. Enable DHCP snooping globally and on the interfaces.
[USG] dhcp snooping enable
[USG] interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1] dhcp snooping enable
[USG-GigabitEthernet0/0/1] quit
[USG] interface GigabitEthernet 0/0/2
[USG-GigabitEthernet0/0/2] dhcp snooping enable
[USG-GigabitEthernet0/0/2] quit
2. Configure the trusted interface to prevent DHCP server spoofing. Set the interface connected to the DHCP server to the Trusted mode and the interface connected to the DHCP clients to the Untrusted mode (after DHCP snooping is enabled on an interface, the interface is in Untrusted mode by default).
[USG] interface GigabitEthernet 0/0/2
[USG-GigabitEthernet0/0/2] dhcp snooping trusted
[USG-GigabitEthernet0/0/2] quit
Note: DHCP snooping takes effect only when the firewall serves as the DHCP server or the upstream device of the firewall is the DHCP server. If the downstream switch connected to the USG firewall serves as the DHCP server, DHCP packets do not pass through the firewall and this configuration has no effect; in that case DHCP snooping must be configured on the switch. For the specific configuration, see DHCP Snooping Configuration on USG Firewalls.
