Huawei Quidway S2700 Series Configuration Manual page 127


Quidway S2700 Series Ethernet Switches
Configuration Guide - Security
Issue 01 (2011-07-15)

5. Set the rate of sending DHCP Request messages to the protocol stack to prevent attackers from sending a large number of DHCP Request messages.
6. Configure the Option 82 function.
7. Configure the alarm function for discarded packets.

Data Preparation
To complete the configuration, you need the following data:
- VLAN that the interface belongs to: 10
- Untrusted interfaces: Ethernet 0/0/1 and Ethernet 0/0/2; trusted interface: GE 0/0/1
- Static IP address from which packets are forwarded: 10.1.1.1/24; corresponding MAC address: 0001-0002-0003
- Rate of sending DHCP messages to the protocol stack: 90
- Mode of the Option 82 function: insert
- Alarm threshold of the number of discarded packets: 120

NOTE
This configuration example provides only the commands related to the DHCP snooping configuration.

Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally.
<Quidway> system-view
[Quidway] dhcp enable
[Quidway] dhcp snooping enable
# Enable DHCP snooping on the user-side interface. The configuration procedure for Ethernet 0/0/2 is the same as that for Ethernet 0/0/1 and is not repeated here.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] dhcp snooping enable
[Quidway-Ethernet0/0/1] quit
Step 2 Configure the interface as trusted.
# Configure the interface connected to the DHCP server as the trusted interface, and enable DHCP snooping on all interfaces connected to DHCP clients. A client-side interface that is not configured as trusted defaults to untrusted once DHCP snooping is enabled on it. This prevents bogus DHCP server attacks.
[Quidway] interface gigabitethernet 0/0/1
[Quidway-GigabitEthernet0/0/1] dhcp snooping trusted
[Quidway-GigabitEthernet0/0/1] quit
Step 3 Configure the checking of certain types of packets and the alarm function.
# Enable the checking of DHCP Request messages and the alarm function on the interfaces on the DHCP client side to prevent attackers from sending bogus DHCP messages to extend IP address leases. The configuration of Ethernet 0/0/2 is the same as that of Ethernet 0/0/1 and is not repeated here.
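The following Python check is an added example, not part of the Huawei manual. It audits a saved configuration against the trust model of Steps 1 and 2: DHCP snooping enabled globally and on every user-side interface, and dhcp snooping trusted present only on the server-facing interface. The dump layout, the sample configuration, and the names parse, audit and trusted_uplinks are assumptions made for the illustration.

```python
# Constructed sample; assumed dump layout: "#" between stanzas, sub-commands indented.
SAMPLE_CONFIG = """\
dhcp enable
dhcp snooping enable
#
interface Ethernet0/0/1
 dhcp snooping enable
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
 dhcp snooping enable
 dhcp snooping trusted
#
interface GigabitEthernet0/0/1
 dhcp snooping trusted
"""

def parse(config):
    """Return (global commands, {interface name: set of its commands})."""
    global_cmds, interfaces, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None                      # stanza separator
        elif line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], set())
        elif current is not None and raw[:1].isspace():
            current.add(line)                   # command inside an interface stanza
        else:
            current = None
            global_cmds.add(line)
    return global_cmds, interfaces

def audit(config, trusted_uplinks):
    """List deviations; only ports named in trusted_uplinks may be trusted."""
    global_cmds, interfaces = parse(config)
    findings = [f"global: '{c}' missing"
                for c in ("dhcp enable", "dhcp snooping enable") if c not in global_cmds]
    for name, cmds in sorted(interfaces.items()):
        trusted = "dhcp snooping trusted" in cmds
        if name in trusted_uplinks:
            ok, why = trusted, "server-facing port is not trusted"
        elif trusted:
            ok, why = False, "user-side port is trusted"
        else:
            ok, why = "dhcp snooping enable" in cmds, "DHCP snooping not enabled"
        if not ok:
            findings.append(f"{name}: {why}")
    return findings
```

Calling audit(SAMPLE_CONFIG, {"GigabitEthernet0/0/1"}) flags Ethernet0/0/2, which has no snooping, and Ethernet0/0/3, a user-side port that would accept DHCP server replies.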
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
3 DHCP Snooping Configuration
116
