Configuration Examples; Example For Preventing The Bogus Dhcp Server Attack - Huawei Quidway S9300 Configuration Manual

Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
Procedure
l
----End

3.10 Configuration Examples

This section provides several configuration examples of DHCP snooping.

3.10.1 Example for Preventing the Bogus DHCP Server Attack

3.10.2 Example for Preventing the DoS Attack by Changing the CHADDR Field
3.10.3 Example for Preventing the Attacker from Sending Bogus DHCP Messages for Extending
IP Address Leases
3.10.4 Example for Limiting the Rate of Sending DHCP Messages
3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network
3.10.6 Example for Enabling DHCP Snooping on the DHCP Relay Agent
3.10.7 Example for Configuring DHCP Snooping on a VPLS Network
3.10.1 Example for Preventing the Bogus DHCP Server Attack
Networking Requirements
As shown in
network of the ISP. To prevent the bogus DHCP server attack, it is required that DHCP snooping
be configured on the S9300, the user-side interface be configured as untrusted, the network-side
interface be configured as trusted, and the packet discarding alarm function be configured.
Issue 06 (2010–01–08)
Run the dhcp snooping user-bind autosave file-name command to back up the DHCP
snooping binding table.
If the binding table is backed up, the system automatically backs up the binding table
–
to a specified path every one hour or after 300 dynamic binding entries are generated.
If the binding table is not backed up, the dynamic DHCP snooping binding table is lost
–
after the S9300 restarts. As a result, users that obtain IP addresses dynamically from
the DHCP server cannot communicate normally. Then, the users need to log in again.
Figure 3-3, the S9300 is deployed between the user network and the Layer 2
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
3 DHCP Snooping Configuration
3-31