Huawei Quidway S9300 Configuration Manual page 7

Terabit routing switch
Table of Contents

Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
3.8.5 Checking the Configuration
3.9 Maintaining DHCP Snooping
3.9.1 Clearing DHCP Snooping Statistics
3.9.2 Resetting the DHCP Snooping Binding Table
3.9.3 Backing Up the DHCP Snooping Binding Table
3.10 Configuration Examples
3.10.1 Example for Preventing the Bogus DHCP Server Attack
Leases
3.10.4 Example for Limiting the Rate of Sending DHCP Messages
3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network
3.10.6 Example for Enabling DHCP Snooping on the DHCP Relay Agent
3.10.7 Example for Configuring DHCP Snooping on a VPLS Network
4 ARP Security Configuration
4.1 Introduction to ARP Security
4.2 ARP Security Supported by the S9300
4.3 Limiting ARP Entry Learning
4.3.1 Establishing the Configuration Task
4.3.2 Enabling Strict ARP Entry Learning
4.3.3 Configuring Interface-based ARP Entry Limitation
4.3.4 Checking the Configuration
4.4 Configuring ARP Anti-Attack
4.4.1 Establishing the Configuration Task
4.4.2 Preventing the ARP Address Spoofing Attack
4.4.3 Preventing the ARP Gateway Duplicate Attack
4.4.4 Preventing the Man-in-the-Middle Attack
4.4.5 Configuring ARP Proxy on a VPLS Network
4.4.6 Configuring DHCP to Trigger ARP Learning
4.4.7 (Optional) Configuring the S9300 to Discard Gratuitous ARP Packets
4.4.8 Enabling Log and Alarm Functions for Potential Attacks
4.4.9 Checking the Configuration
4.5 Suppressing Transmission Rate of ARP Packets
4.5.1 Establishing the Configuration Task
4.5.2 Configuring Source-based ARP Suppression
4.5.3 Configuring Source-based ARP Miss Suppression
4.5.4 Setting the Suppression Time of ARP Miss Messages
4.5.5 Suppressing Transmission Rate of ARP Packets
4.5.6 Checking the Configuration
4.6 Maintaining ARP Security
4.6.1 Displaying the Statistics About ARP Packets
4.6.2 Clearing the Statistics on ARP Packets
Issue 06 (2010-01-08)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.