
USG6000V DHCP Snooping

Created: Nov 25, 2018 00:45:18 | Latest reply: Dec 22, 2018 05:44:44
Rewarded HiCoins: 0 (problem resolved)
I'm trying to configure the DHCP snooping function in USG6000V (V500R003). I reproduced the same example in the user manual for L3 interfaces and I can't get it to work. After the full configuration in the example is done, DHCP still works as it should (I can get DHCP leases from the DHCP server), but no traffic is forwarded besides DHCP. Is there a known bug about it? Thank you.

Featured Answers
lizhi94
Created Dec 11, 2018 02:31:42

To prevent bogus DHCP server attacks, configure DHCP snooping, which works in either trusted or untrusted mode.

You can configure a trusted or untrusted physical or VLAN interface. DHCPRESPONSE messages (Offer, ACK, or NAK messages) received by an untrusted interface are directly discarded to prevent bogus DHCP server attacks. Figure 2 shows DHCP snooping that works in trusted or untrusted mode.

A DHCP snooping binding table can be used to prevent IP/MAC spoofing and middleman attacks.

When an interface receives an ARP or IP packet, the interface matches the source IP and MAC addresses of the packet with entries in a local DHCP snooping binding table. Packets that match the entries are forwarded, whereas unmatched packets are discarded. Figure 5 shows data transmission based on a DHCP snooping binding table.

ARP packets or IP packets sent by clients with static IP addresses are discarded. This is because these clients do not obtain IP addresses by sending DHCPREQUEST messages, and no DHCP snooping binding entry exists for them. As a result, these clients are prevented from accessing the network illegally. To allow the users with statically allocated IP addresses to access the network, configuring a static DHCP snooping binding table is mandatory.

Similarly, packets from a client that embezzles a legal IP address of another client are discarded. The client does not obtain IP addresses by sending DHCPREQUEST messages. Hence, the MAC address and interface information in the DHCP snooping binding table corresponding to the IP address are inconsistent with those of the embezzler. In this way, these clients are prevented from accessing the network illegally.
http://support.huawei.com/hedex/pages/EDOC1000177283AEG11207/02/EDOC1000177283AEG11207/02/resources/admin/sec_admin_network_dhcpsp_0002.html?ft=0&fe=10&hib=5.5.9.2&id=sec_admin_network_dhcpsp_0002&text=Mechanism&docid=EDOC1000177283

Example for Configuring DHCP Snooping
http://support.huawei.com/hedex/pages/EDOC1000177283AEG11207/02/EDOC1000177283AEG11207/02/resources/admin/sec_admin_network_dhcpsp_0019.html?ft=0&fe=10&hib=5.5.9.9&id=sec_admin_network_dhcpsp_0019&text=CLI%3A%20Example%20for%20Configuring%20DHCP%20Snooping&docid=EDOC1000177283
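The mechanism lizhi94 describes above (DHCP responses dropped on untrusted interfaces, a binding table learned from DHCP ACKs, ARP/IP packets checked against that table, static entries for hosts with fixed addresses) as a small Python simulation. This is an added example, not code from the thread or from Huawei's documentation; the interface names, MAC and IP addresses are constructed, and it assumes the binding check is applied only to packets arriving on untrusted interfaces. Step 4 of the scenario shows why a host with no binding entry can still complete DHCP yet have every other packet dropped, which is the symptom the question describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed interface names (not from the thread).
TRUSTED = "GE0/0/1"   # uplink towards the legitimate DHCP server
ACCESS_A = "GE0/0/2"  # untrusted client port
ACCESS_B = "GE0/0/3"  # untrusted client port

DHCP_RESPONSES = {"DHCP_OFFER", "DHCP_ACK", "DHCP_NAK"}
DHCP_CLIENT_MSGS = {"DHCP_DISCOVER", "DHCP_REQUEST"}


@dataclass(frozen=True)
class Packet:
    kind: str                     # DHCP_* message type, or "IP" / "ARP"
    ingress: str                  # interface the packet arrived on
    src_mac: str                  # source MAC of the frame
    src_ip: Optional[str] = None  # sender IP of an IP/ARP packet
    yiaddr: Optional[str] = None  # address assigned in a DHCP_ACK
    chaddr: Optional[str] = None  # client hardware address in a DHCP_ACK


class DhcpSnooping:
    """Per-device snooping state: trusted ports plus the binding table."""

    def __init__(self, trusted: List[str]):
        self.trusted = set(trusted)
        # binding table: ip -> (mac, interface)
        self.bindings: Dict[str, Tuple[str, str]] = {}
        # client MAC -> interface it last sent a DHCP client message from
        self._pending: Dict[str, str] = {}

    def add_static_binding(self, ip: str, mac: str, interface: str) -> None:
        """Static entry for a host that never sends DHCPREQUEST."""
        self.bindings[ip] = (mac, interface)

    def process(self, p: Packet) -> Tuple[str, str]:
        """Return ("forward" | "drop", reason) for one packet."""
        if p.kind in DHCP_RESPONSES:
            # Server replies are only accepted from trusted interfaces.
            if p.ingress not in self.trusted:
                return ("drop", "DHCP response on untrusted interface")
            # A trusted ACK creates the dynamic binding for the client.
            if p.kind == "DHCP_ACK" and p.chaddr in self._pending and p.yiaddr:
                self.bindings[p.yiaddr] = (p.chaddr, self._pending.pop(p.chaddr))
            return ("forward", "DHCP response from trusted interface")
        if p.kind in DHCP_CLIENT_MSGS:
            # Remember where the client lives so the ACK can be bound to it.
            self._pending[p.src_mac] = p.ingress
            return ("forward", "DHCP client message")
        # IP / ARP: assumption of this example, trusted ports are not checked.
        if p.ingress in self.trusted:
            return ("forward", "trusted interface, binding check skipped")
        entry = self.bindings.get(p.src_ip or "")
        if entry == (p.src_mac, p.ingress):
            return ("forward", "matches binding entry")
        if entry is None:
            return ("drop", "no binding entry for source IP")
        return ("drop", "binding entry mismatch for source IP")


def run_scenario() -> List[Tuple[str, str]]:
    """Constructed traffic sequence exercising each rule once."""
    snoop = DhcpSnooping(trusted=[TRUSTED])
    mac_a, mac_b, mac_srv = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "00:11:22:33:44:55"
    steps = [
        # 1. client A requests a lease, 2. server ACKs through the trusted uplink
        Packet("DHCP_DISCOVER", ACCESS_A, mac_a),
        Packet("DHCP_ACK", TRUSTED, mac_srv, yiaddr="10.0.0.10", chaddr=mac_a),
        # 3. client A's normal traffic matches its binding
        Packet("IP", ACCESS_A, mac_a, src_ip="10.0.0.10"),
        # 4. host B uses a static address: no binding entry, so it is dropped
        Packet("ARP", ACCESS_B, mac_b, src_ip="10.0.0.50"),
        # 5. host B claims client A's address: entry mismatch, dropped
        Packet("IP", ACCESS_B, mac_b, src_ip="10.0.0.10"),
        # 6. host B acts as a DHCP server on an untrusted port: dropped
        Packet("DHCP_OFFER", ACCESS_B, mac_b),
    ]
    results = [snoop.process(p) for p in steps]
    # 7. a static binding is what lets the fixed-address host through
    snoop.add_static_binding("10.0.0.50", mac_b, ACCESS_B)
    results.append(snoop.process(Packet("ARP", ACCESS_B, mac_b, src_ip="10.0.0.50")))
    return results


if __name__ == "__main__":
    for i, (action, reason) in enumerate(run_scenario(), 1):
        print(f"{i}. {action:7} {reason}")
```

Run it directly to see the seven decisions; step 4 is the case the thread is about, and step 7 is the static binding entry the answer says is mandatory for such hosts.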

All Answers
What is the example you followed?

I followed the example: "CLI: Example for Configuring DHCP Snooping"
Under: "Administrator Guide / Network / DHCP Snooping"
From this document: "USG6000V V500R003C00 Product Documentation(chm)"
URL: https://support.huawei.com/enterprise/en/doc/EDOC1000177282
Thanks for your help.

The author has solved the problem by himself. Please refer to "CLI: Example for Configuring DHCP Snooping" under "Administrator Guide / Network / DHCP Snooping".

I haven't solved this yet. I was just replying to Mysterious.color's question (sorry for not clicking on the reply button, I'm just realizing it right now). I'm just trying to say that I followed the example step by step and it simply doesn't work. Can somebody help me? Thanks in advance.

Posted by cWX611640 at 2018-12-03 03:39 the author has solved the problem by himself. please refer to CLI: Example for Configuring DHCP Sno ...
Sorry, but I haven't solved it yet. Just realizing right now that I didn't click the reply button. I was just replying to Mysterious.color's question. I'm just trying to say that I followed the example step by step and it simply doesn't work. Can somebody help me? Please? Thanks in advance.

Posted by ed.thin at 2018-12-03 04:35 Sorry, but I haven't solved it yet. Just realizing right now that I didn't click the reply button. ...
Sorry for misunderstanding your meaning. Please describe your topology and configuration so that we could check where the problem is. By the way, please erase your private information when uploading your configuration. @ed.thin

Posted by cWX611640 at 2018-12-07 00:43 sorry for misunderstanding your meaning, please describe your topology and configuration s ...
Thanks for your reply. My configuration and topology are exactly the same as those in the administrator guide, the one that I mentioned before. It simply doesn't work. The DHCP snooping binding table doesn't get filled; any traffic but DHCP is dropped. Again, I really appreciate your help. Thank you.

The Dynamic Host Configuration Protocol (DHCP) snooping, a DHCP security feature, filters untrusted DHCP messages by creating and maintaining a binding table. This binding table contains the following items:

