Example for Applying DHCP Snooping on a Layer 2 Network; Figure 3-7 Networking Diagram for Configuring DHCP Snooping - Huawei Quidway S9300 Configuration Manual

3 DHCP Snooping Configuration

3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network

Networking Requirements
As shown in Figure 3-7, DHCP clients are connected to the S9300 through VLAN 10. DHCP
client1 uses the dynamically allocated IP address and DHCP client2 uses the statically configured
IP address. It is required that DHCP snooping be configured on user-side interfaces GE 1/0/0
and GE 1/0/1 of the S9300 to prevent the following types of attacks:
- Bogus DHCP server attack
- DoS attack by changing the value of the CHADDR field
- Attack by sending bogus messages to extend IP address leases
- Attack by sending a large number of DHCP Request messages

Figure 3-7 Networking diagram for configuring DHCP snooping
[Figure labels: DHCP server; DHCP relay; S9300 with interfaces GE2/0/0, GE1/0/0 and GE1/0/1; DHCP client1; DHCP client2 (IP:10.1.1.1/24, MAC:0001-0002-0003)]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the interface view.
2. Configure interfaces to be trusted or untrusted to prevent bogus DHCP server attacks.
3. Configure the DHCP snooping binding table and check DHCP Request messages by
   matching them with entries in the binding table to prevent attackers from sending bogus
   DHCP messages for extending IP address leases.
4. Configure the checking of the CHADDR field in DHCP Request messages to prevent
   attackers from changing the CHADDR field in DHCP Request messages.
5. Set the rate of sending DHCP Request messages to the protocol stack to prevent attackers
   from sending a large number of DHCP Request messages.
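
The four checks in the roadmap can be modelled as a per-message decision, shown here as an added Python example that is not from the Huawei manual. Assumptions: GE2/0/0 is the trusted interface, client2's static binding sits on GE1/0/1, the rate cap is 3 messages per interval, and the names `Msg`, `snoop` and `run` are hypothetical; dynamic binding entries learnt from server replies are not modelled.

```python
from collections import namedtuple

# Constructed model of a DHCP message as the switch sees it (field names are hypothetical).
Msg = namedtuple("Msg", "port vlan src_mac chaddr kind ciaddr")

TRUSTED = {"GE2/0/0"}                   # assumed trusted: interface toward the DHCP relay
SERVER_KINDS = {"OFFER", "ACK", "NAK"}  # messages only a DHCP server should send
RATE_LIMIT = 3                          # assumed cap on client messages per interval

# Static binding for DHCP client2 (IP and MAC from Figure 3-7); port GE1/0/1 is an assumption.
BINDINGS = {("10.1.1.1", "0001-0002-0003"): ("GE1/0/1", 10)}


def snoop(msg, counters):
    """Return (verdict, reason) for one message; check order is a modelling choice."""
    if msg.port in TRUSTED:
        return "forward", "trusted interface"
    if msg.kind in SERVER_KINDS:
        return "drop", "server reply on untrusted interface"
    counters[msg.port] = counters.get(msg.port, 0) + 1
    if counters[msg.port] > RATE_LIMIT:
        return "drop", "rate limit exceeded"
    if msg.chaddr != msg.src_mac:
        return "drop", "CHADDR differs from frame source MAC"
    # Renewals and releases refer to an existing lease, so they must match a binding.
    if msg.ciaddr is not None or msg.kind == "RELEASE":
        if BINDINGS.get((msg.ciaddr, msg.chaddr)) != (msg.port, msg.vlan):
            return "drop", "no matching binding entry"
    return "forward", "passed all checks"


def run(messages):
    """Apply snoop() to a sequence sharing one rate-limit interval; return the reasons."""
    counters = {}
    return [snoop(m, counters)[1] for m in messages]


# Constructed sample traffic (all MACs except client2's are made up).
SAMPLE = [
    Msg("GE2/0/0", 10, "00e0-fc00-0001", "0001-0002-0099", "ACK", None),
    Msg("GE1/0/0", 10, "0001-0002-0066", "0001-0002-0066", "OFFER", None),
    Msg("GE1/0/0", 10, "0001-0002-0066", "0001-0002-0077", "DISCOVER", None),
    Msg("GE1/0/0", 10, "0001-0002-0003", "0001-0002-0003", "REQUEST", "10.1.1.1"),
    Msg("GE1/0/1", 10, "0001-0002-0003", "0001-0002-0003", "REQUEST", "10.1.1.1"),
]

if __name__ == "__main__":
    for m, reason in zip(SAMPLE, run(SAMPLE)):
        print(m.port, m.kind, "->", reason)
```

The fourth sample message carries client2's IP and MAC but arrives on GE1/0/0, so it passes the CHADDR check and is stopped only by the binding-table match.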
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
Issue 06 (2010–01–08)
