Huawei Quidway S9300 Configuration Manual page 167

Terabit routing switch
Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
3 DHCP Snooping Configuration

4. Set the maximum number of DHCP snooping users on the interfaces at the DHCP client side. This prevents malicious IP address requests while still allowing authorized users to obtain IP addresses.
    [PE1] interface gigabitethernet 1/0/0
    [PE1-GigabitEthernet1/0/0] dhcp snooping max-user-number 3000
    [PE1-GigabitEthernet1/0/0] quit
5. Configure static binding entries. If users have static IP addresses, you need to configure static DHCP snooping entries manually.
    [PE1] user-bind static ip-address 10.1.1.1 mac-address 0001-0002-0003 interface gigabitethernet 1/0/0 vlan 20
6. Configure the checking of specific packets.
    # Configure PE1.
    # Check DHCP Request messages on the interfaces at the DHCP client side to prevent attackers from extending IP address leases by sending bogus DHCP messages.
    [PE1] interface gigabitethernet 1/0/0
    [PE1-GigabitEthernet1/0/0] dhcp snooping check user-bind enable
    # Check the CHADDR field on the interfaces at the DHCP client side to prevent attacks that forge the value of the CHADDR field.
    [PE1-GigabitEthernet1/0/0] dhcp snooping check mac-address enable
    [PE1-GigabitEthernet1/0/0] quit
7. Configure Option 82.
    # Configure PE1.
    # Configure DHCP messages to carry interface information so that the binding table records more accurate interface information.
    [PE1] interface gigabitethernet 1/0/0
    [PE1-GigabitEthernet1/0/0] dhcp option82 insert enable
    [PE1-GigabitEthernet1/0/0] quit
8. Configure the alarm function.
    # Configure PE1.
    # Enable the alarm for discarded packets and set the alarm threshold for discarded packets.
    [PE1] interface gigabitethernet 1/0/0
    [PE1-GigabitEthernet1/0/0] dhcp snooping alarm user-bind enable
    [PE1-GigabitEthernet1/0/0] dhcp snooping alarm mac-address enable
    [PE1-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply enable
    [PE1-GigabitEthernet1/0/0] dhcp snooping alarm user-bind threshold 120
    [PE1-GigabitEthernet1/0/0] dhcp snooping alarm mac-address threshold 120
    [PE1-GigabitEthernet1/0/0] dhcp snooping alarm untrust-reply threshold 120
    [PE1-GigabitEthernet1/0/0] quit
    # Enable the alarm for DHCP packet rate limiting and set the alarm threshold for rate limiting.
    [PE1] dhcp snooping check dhcp-rate enable
    [PE1] dhcp snooping check dhcp-rate alarm enable
    [PE1] dhcp snooping check dhcp-rate alarm threshold 80

Step 3 Verify the configuration.
After the configuration, users can dynamically obtain IP addresses.

Issue 06 (2010-01-08)    Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.    3-57
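The steps above each switch on one filter of the DHCP snooping engine. To make the combined effect concrete, the following is an added example (not Huawei's code, and not taken from this manual): a small Python model of the binding table and of the checks PE1 is configured with, fed constructed traffic. The packet field names, the trusted uplink GE2/0/0, the assumed default rate limit of 100 packets per second and every sample MAC address and packet are assumptions made for the illustration; the thresholds (3000 users, 120 discards, 80 rate-limit drops) and the static entry 10.1.1.1 / 0001-0002-0003 are the values from the procedure.

```python
# Added example, not Huawei's code: a model of the DHCP snooping checks the PE1 steps
# above configure. Packet field names, the uplink GE2/0/0, the 100 pps default rate
# limit and every sample packet are assumptions made for this illustration.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    kind: str        # DISCOVER/REQUEST/RELEASE from clients, OFFER/ACK from servers
    src_mac: str     # Ethernet source address
    chaddr: str      # CHADDR field in the DHCP payload
    ip: str          # ciaddr of client messages, yiaddr of server replies
    interface: str   # ingress interface
    vlan: int
    second: int = 0  # arrival second, used as the rate-limit bucket

@dataclass
class Interface:
    trusted: bool = False                   # dhcp snooping trusted
    max_user_number: Optional[int] = None   # dhcp snooping max-user-number
    check_user_bind: bool = False           # dhcp snooping check user-bind enable
    check_mac_address: bool = False         # dhcp snooping check mac-address enable
    thresholds: dict = field(default_factory=dict)  # alarm threshold per check

class DhcpSnooping:
    def __init__(self, rate_limit: int = 100, rate_alarm_threshold: Optional[int] = None):
        self.ifaces: dict = {}
        self.bindings: dict = {}   # (ip, vlan) -> (mac, port): the binding table
        self.pending: dict = {}    # chaddr -> (port, vlan): DISCOVERs awaiting an ACK
        self.discards: dict = {}   # check name -> packets discarded by that check
        self.alarms: list = []
        self.rate_limit, self.rate_alarm_threshold = rate_limit, rate_alarm_threshold
        self._bucket = (-1, 0)     # (second, DHCP packets seen in that second)

    def iface(self, name: str) -> Interface:
        return self.ifaces.setdefault(name, Interface())

    def add_static(self, ip: str, mac: str, interface: str, vlan: int) -> None:
        self.bindings[(ip, vlan)] = (mac.lower(), interface)  # user-bind static ...

    def users_on(self, name: str) -> int:
        return sum(port == name for _, port in self.bindings.values())

    def _drop(self, reason: str, threshold: Optional[int]) -> str:
        n = self.discards[reason] = self.discards.get(reason, 0) + 1
        if threshold is not None and n == threshold:  # alarm once the threshold is reached
            self.alarms.append(f"{reason}: {n} packets discarded")
        return "drop:" + reason

    def process(self, p: Packet) -> str:
        # 1. global DHCP rate limit (dhcp snooping check dhcp-rate)
        sec, count = self._bucket
        self._bucket = (p.second, count + 1 if sec == p.second else 1)
        if self._bucket[1] > self.rate_limit:
            return self._drop("dhcp-rate", self.rate_alarm_threshold)
        i = self.iface(p.interface)
        if p.kind not in ("DISCOVER", "REQUEST", "RELEASE"):
            # 2. server replies are accepted on trusted interfaces only
            if not i.trusted:
                return self._drop("untrust-reply", i.thresholds.get("untrust-reply"))
            if p.kind == "ACK" and p.chaddr in self.pending:  # learn a dynamic entry
                port, vlan = self.pending.pop(p.chaddr)
                self.bindings[(p.ip, vlan)] = (p.chaddr.lower(), port)
            return "forward"
        # 3. CHADDR must equal the frame source MAC (dhcp snooping check mac-address)
        if i.check_mac_address and p.chaddr.lower() != p.src_mac.lower():
            return self._drop("mac-address", i.thresholds.get("mac-address"))
        # 4. renewals and releases must match a binding entry (dhcp snooping check user-bind)
        if i.check_user_bind and p.kind in ("REQUEST", "RELEASE") and p.ip != "0.0.0.0":
            if self.bindings.get((p.ip, p.vlan)) != (p.chaddr.lower(), p.interface):
                return self._drop("user-bind", i.thresholds.get("user-bind"))
        # 5. max-user-number caps the users learned on an untrusted interface
        if p.kind == "DISCOVER":
            if i.max_user_number is not None and self.users_on(p.interface) >= i.max_user_number:
                return self._drop("max-user-number", None)
            self.pending[p.chaddr] = (p.interface, p.vlan)
        return "forward"

def run_demo() -> dict:
    s = DhcpSnooping(rate_limit=100, rate_alarm_threshold=80)
    s.iface("GE2/0/0").trusted = True  # assumed uplink towards the DHCP server
    ge = s.iface("GE1/0/0")
    ge.max_user_number, ge.check_user_bind, ge.check_mac_address = 3000, True, True
    ge.thresholds = {"user-bind": 120, "mac-address": 120, "untrust-reply": 120}
    s.add_static("10.1.1.1", "0001-0002-0003", "GE1/0/0", 20)
    def client(kind, mac, ip, chaddr=None, sec=0):  # constructed packet on the client port
        return s.process(Packet(kind, mac, chaddr or mac, ip, "GE1/0/0", 20, sec))
    r = {"renew": client("REQUEST", "0001-0002-0003", "10.1.1.1"),  # legitimate renewal
         "chaddr": client("REQUEST", "aaaa-bbbb-cccc", "10.1.1.1", chaddr="0001-0002-0003"),
         "release": client("RELEASE", "aaaa-bbbb-cccc", "10.1.1.1"),  # not the lease owner
         "rogue": s.process(Packet("OFFER", "dead-beef-0001", "0001-0002-0005", "10.1.1.5", "GE1/0/0", 20))}
    client("DISCOVER", "0001-0002-0005", "0.0.0.0")  # normal DORA, answered from the uplink
    r["ack"] = s.process(Packet("ACK", "0000-5e00-0001", "0001-0002-0005", "10.1.1.5", "GE2/0/0", 20))
    r["users"] = s.users_on("GE1/0/0")
    for n in range(180):  # 180 DISCOVERs in one second against the 100 pps limit
        client("DISCOVER", f"0002-0000-{n:04x}", "0.0.0.0", sec=9)
    r["rate_drops"], r["alarms"] = s.discards["dhcp-rate"], list(s.alarms)
    return r
```

Running `run_demo()` shows the division of labour between the checks: the CHADDR check catches a client that forges only the DHCP payload, the user-bind check catches a renewal or release whose MAC and port do not match the binding entry for that IP and VLAN, replies on an untrusted port are discarded regardless of content, and the rate limit drops everything beyond 100 packets in a second, raising its alarm at the 80th discard as configured. Real hardware also ages dynamic entries with the lease and consults Option 82 when it learns the port; the model leaves those out.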