Configuration Examples; Example For Preventing Bogus Dhcp Server Attacks - Huawei Quidway S2700 Series Configuration Manual

Quidway S2700 Series Ethernet Switches
Configuration Guide - Security
Context
To clear entries in the DHCP snooping binding table, run the following command in the user
view or system view.
Procedure
l
----End

3.10 Configuration Examples

This section provides several configuration examples of DHCP snooping.

3.10.1 Example for Preventing Bogus DHCP Server Attacks

This section describes the configuration of preventing bogus DHCP server attacks, including
the configuration of the trusted interface and the alarm function for discarded DHCP Reply
packets.
Networking Requirements
As shown in
network of the ISP. To prevent bogus DHCP server attacks, it is required that DHCP snooping
be configured on the Switch, the user-side interface be configured as an untrusted interface, the
network-side interface be configured as the trusted interface, and the alarm function for discarded
DHCP Reply packets be configured.
Issue 01 (2011-07-15)
NOTE
After the networking environment changes, DHCP snooping binding entries do not age immediately.
However, the following information in DHCP snooping binding entries may change, causing packet
forwarding failure:
l VLAN ID in packets
l Interface information
Before changing the networking environment, clear all DHCP snooping binding entries manually so that
a device generates a new DHCP snooping binding table according to the new networking environment.
Run the reset dhcp snooping user-bind [ [ vlan vlan-id | interface interface-type interface-
*
number ] | ip-address ip-address | ipv6-address ipv6-address ] command to reset the
DHCP snooping binding table.
Figure 3-2, the Switch is deployed between the user network and the Layer 2
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
3 DHCP Snooping Configuration
104