Example for Configuring DHCP Snooping Attack Defense

Latest reply: Aug 29, 2020 18:44:10

Hello everyone,

This section describes the principles and configuration methods of DHCP snooping and provides configuration examples.

Example for configuring DHCP snooping attack defense.


Networking Requirements

As shown in the preceding figure, Switch A and Switch B are access devices, and Switch C is a DHCP relay agent. Client 1 and Client 2 are connected to Switch A through GE0/0/1 and GE0/0/2, respectively. Client 3 is connected to Switch B through GE0/0/1. Client 1 and Client 3 obtain IPv4 addresses through DHCP, and Client 2 uses static IPv4 addresses.

The network is attacked by unauthorized users. As a result, authorized users cannot obtain IP addresses. The administrator wants to prevent DHCP attacks on the network and provide better services for DHCP users.


Networking diagram for configuring DHCP snooping attack defense


Configuration Roadmap

The configuration roadmap is as follows:

1. DHCP snooping is enabled and the device is configured to process only DHCPv4 packets.

2. Configure the trust status of the interface to ensure that the client obtains an IP address from a valid server.

3. Enable association between ARP and DHCP snooping so that the DHCP snooping binding table is updated in real time when DHCP users go offline abnormally.

4. Enable the function of generating static MAC entries based on the DHCP snooping binding table to prevent attacks from non-DHCP users.

5. Enable DHCP packets to match the binding table to prevent bogus DHCP packet attacks.

6. Set the maximum rate at which DHCP packets are sent to the DHCP packet processing unit to prevent DHCP packet flood attacks.

7. Set the maximum number of users allowed to access the DHCP server and enable the function of checking whether the MAC address in the frame header of a DHCP Request packet is the same as the CHADDR field in the DHCP data field, to prevent DoS attacks on the DHCP server.


Procedure

1. DHCP snooping is enabled.

# Enable DHCP snooping globally and configure the device to process only DHCPv4 packets.

<HUAWEI> system-view

[HUAWEI] sysname SwitchC

[SwitchC] dhcp enable

[SwitchC] dhcp snooping enable ipv4

# Enable DHCP snooping on the user-side interface. The following uses GE0/0/1 as an example. The configurations on GE0/0/2 are the same and are not mentioned here.

[SwitchC] interface gigabitethernet 0/0/1

[SwitchC-GigabitEthernet0/0/1] dhcp snooping enable

[SwitchC-GigabitEthernet0/0/1] quit

2. Configure the trusted status of the interface. Set the status of the interface connected to the DHCP server to Trusted.

[SwitchC] interface gigabitethernet 0/0/3

[SwitchC-GigabitEthernet0/0/3] dhcp snooping trusted

[SwitchC-GigabitEthernet0/0/3] quit

3. Association between ARP and DHCP snooping is enabled.

[SwitchC] arp dhcp-snooping-detect enable

4. The device is enabled to generate static MAC address entries based on DHCP snooping binding entries.

# Configure a user-side interface. The following uses GE0/0/1 as an example. The configurations on GE0/0/2 are the same and are not mentioned here.

[SwitchC] interface gigabitethernet 0/0/1

[SwitchC-GigabitEthernet0/0/1] dhcp snooping sticky-mac

[SwitchC-GigabitEthernet0/0/1] quit

5. The device is enabled to check DHCP packets against the binding table.

# Configure a user-side interface. The following uses GE0/0/1 as an example. The configurations on GE0/0/2 are the same and are not mentioned here.

[SwitchC] interface gigabitethernet 0/0/1

[SwitchC-GigabitEthernet0/0/1] dhcp snooping check dhcp-request enable

[SwitchC-GigabitEthernet0/0/1] quit

6. Set the maximum rate at which DHCP packets are sent to the DHCP processing unit to 90 pps.

[SwitchC] dhcp snooping check dhcp-rate enable

[SwitchC] dhcp snooping check dhcp-rate 90

7. Set the maximum number of access users and enable the device to check whether the MAC address in the frame header of a DHCP Request packet matches the CHADDR field.

# Configure a user-side interface. The following uses GE0/0/1 as an example. The configurations on GE0/0/2 are the same and are not mentioned here.

[SwitchC] interface gigabitethernet 0/0/1

[SwitchC-GigabitEthernet0/0/1] dhcp snooping max-user-number 20

[SwitchC-GigabitEthernet0/0/1] dhcp snooping check dhcp-chaddr enable

[SwitchC-GigabitEthernet0/0/1] quit

8. Configure the alarm function for discarded packets and rate-limited packets.

# Enable the alarm function for discarded packets and set the alarm threshold for discarded packets. The following uses GE0/0/1 as an example. The configurations on GE0/0/2 are the same and are not mentioned here.

[SwitchC] interface gigabitethernet 0/0/1

[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr enable

[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request enable

[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply enable

[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr threshold 120

[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request threshold 120

[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply threshold 120

[SwitchC-GigabitEthernet0/0/1] quit

# Enable the alarm function for the rate limit and set the alarm threshold for the rate limit.

[SwitchC] dhcp snooping alarm dhcp-rate enable

[SwitchC] dhcp snooping alarm dhcp-rate threshold 500
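To make the effect of the checks above concrete, here is an added example (not from the original post or Huawei's code) that models the decisions a snooping switch makes with this configuration: replies from untrusted ports, CHADDR mismatches, unbound Release packets, the 20-user limit, the 90 pps limit and the alarm thresholds. The packet fields, port names and binding-on-DISCOVER simplification are assumptions for the model.

```python
from collections import Counter
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # legitimate only from the trusted server-side port
RATE_LIMIT = 90                         # dhcp snooping check dhcp-rate 90 (packets per second)
MAX_USERS = 20                          # dhcp snooping max-user-number 20
ALARM_THRESHOLD = {"dhcp-rate": 500}    # alarm dhcp-rate threshold 500; every other alarm 120

@dataclass
class Snooper:
    trusted: set                                     # ports with "dhcp snooping trusted"
    bindings: dict = field(default_factory=dict)     # port -> client MACs in the binding table
    pps: Counter = field(default_factory=Counter)    # second -> DHCP packets sent to the CPU
    drops: Counter = field(default_factory=Counter)  # (port, reason) -> dropped packets
    alarms: set = field(default_factory=set)         # (port, reason) that reached the threshold

    def _drop(self, port, reason):
        self.drops[(port, reason)] += 1
        if self.drops[(port, reason)] >= ALARM_THRESHOLD.get(reason, 120):
            self.alarms.add((port, reason))
        return "drop:" + reason

    def process(self, port, src_mac, msg, chaddr, ts=0.0):
        """msg: DHCP message type; chaddr: client MAC in the DHCP payload; ts: arrival (s)."""
        self.pps[int(ts)] += 1
        if self.pps[int(ts)] > RATE_LIMIT:                 # flood protection for the CPU
            return self._drop("global", "dhcp-rate")
        if port in self.trusted:
            return "forward"                               # server-side port: no client checks
        if msg in SERVER_MSGS:
            return self._drop(port, "dhcp-reply")          # bogus server behind a user port
        if src_mac != chaddr:
            return self._drop(port, "dhcp-chaddr")         # check dhcp-chaddr enable
        bound = self.bindings.setdefault(port, set())
        if msg == "RELEASE" and src_mac not in bound:
            return self._drop(port, "dhcp-request")        # check dhcp-request enable
        if src_mac not in bound and len(bound) >= MAX_USERS:
            return self._drop(port, "max-user")            # max-user-number exceeded
        if msg == "DISCOVER":
            bound.add(src_mac)   # simplified: a real switch binds on the server's ACK
        return "forward"

def run_sample():
    """Constructed traffic: a normal exchange followed by three spoofed packets."""
    s = Snooper(trusted={"GE0/0/3"})
    return s, [s.process("GE0/0/1", "00:11:22:33:44:01", "DISCOVER", "00:11:22:33:44:01"),
               s.process("GE0/0/3", "aa:bb:cc:dd:ee:ff", "OFFER", "00:11:22:33:44:01"),
               s.process("GE0/0/2", "00:11:22:33:44:99", "OFFER", "00:11:22:33:44:01"),
               s.process("GE0/0/1", "00:11:22:33:44:01", "REQUEST", "de:ad:be:ef:00:01"),
               s.process("GE0/0/1", "00:11:22:33:44:05", "RELEASE", "00:11:22:33:44:05")]
```

The `drops` counter per (port, reason) is what the threshold commands in step 8 act on; `alarms` is the set the switch would report once a counter reaches its threshold.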


Verifying the Configuration

Run the display dhcp snooping configuration command to check the DHCP snooping configuration.

Run the display dhcp snooping interface command to check DHCP snooping running information on an interface.


That is all I want to share with you! Thank you!

IndianKid
Moderator Author Created Aug 29, 2020 09:52:09

Helpful.

Well note

Thank you for sharing!

important