Enabling DHCP Snooping - Huawei Quidway S2700 Series Configuration Manual


Quidway S2700 Series Ethernet Switches
Configuration Guide - Security
Applicable Environment
An attacker may change the client hardware address (CHADDR) field carried in DHCP messages, rather than the source MAC address in the frame header, to apply for IP addresses continuously. The S2700, however, checks the validity of packets only against the source MAC address in the frame header, so the attack packets are still forwarded normally and the MAC address limit has no effect on this attack.

To defend against an attacker who changes the CHADDR field, you can configure DHCP snooping on the S2700 to check the CHADDR field carried in DHCP Request messages. If the CHADDR field matches the source MAC address in the frame header, the message is forwarded. Otherwise, the message is discarded.
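The check described above, written out as an added example (it is not Huawei's code and not part of the manual): a Python function that applies the CHADDR-versus-source-MAC comparison to one raw Ethernet frame. The frame builder, the MAC addresses and the verdict strings are constructed for illustration; IP fragments and checksums are not examined.

```python
import struct

NOT_DHCP, FORWARD, DISCARD = "not-dhcp-request", "forward", "discard"

def chaddr_check(frame: bytes) -> str:
    """Compare the BOOTP chaddr field with the Ethernet source MAC of one frame."""
    if len(frame) < 14:
        return NOT_DHCP
    src_mac, off = frame[6:12], 12
    if frame[off:off + 2] == b"\x81\x00":        # skip a single 802.1Q tag
        off += 4
    if frame[off:off + 2] != b"\x08\x00":        # IPv4 only
        return NOT_DHCP
    ip = frame[off + 2:]
    ihl = (ip[0] & 0x0F) * 4 if ip else 0
    if ihl < 20 or len(ip) < ihl + 8 or ip[0] >> 4 != 4 or ip[9] != 17:
        return NOT_DHCP                          # not a complete IPv4/UDP packet
    udp = ip[ihl:]
    if struct.unpack("!H", udp[2:4])[0] != 67:   # not sent to the DHCP server port
        return NOT_DHCP
    bootp = udp[8:]
    if len(bootp) >= 1 and bootp[0] != 1:        # op 1 = BOOTREQUEST (client message)
        return NOT_DHCP
    if len(bootp) < 44 or bootp[1] != 1 or bootp[2] != 6:
        return DISCARD                           # truncated or non-Ethernet hlen: cannot validate
    return FORWARD if bootp[28:34] == src_mac else DISCARD

def build_frame(src_mac: bytes, chaddr: bytes, tag: bytes = b"") -> bytes:
    """Constructed sample: Ethernet + IPv4 + UDP + BOOTREQUEST carrying chaddr."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, 0x1234, 0, 0,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, chaddr)
    bootp += b"\0" * 192 + b"\x63\x82\x53\x63" + b"\x35\x01\x03\xff"  # sname/file, cookie, option 53
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0" * 4, b"\xff" * 4) + udp   # checksum left at 0 in this sample
    return b"\xff" * 6 + src_mac + tag + b"\x08\x00" + ip

CLIENT = bytes.fromhex("0200000000aa")    # constructed locally administered MACs
SPOOFED = bytes.fromhex("0200000000bb")

if __name__ == "__main__":
    print(chaddr_check(build_frame(CLIENT, CLIENT)))     # chaddr equals frame source MAC
    print(chaddr_check(build_frame(CLIENT, SPOOFED)))    # chaddr altered by the sender
```

A relayed DHCP message legitimately carries the client's CHADDR behind the relay's source MAC, so this comparison is meaningful only for frames received directly from clients.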
Pre-configuration Tasks
Before configuring protection against the DoS attack that changes the CHADDR field, complete the following tasks:
- Configuring the DHCP server
Data Preparation
To configure protection against the DoS attack that changes the CHADDR field, you need the following data.
No.  Data
1    Type and number of the interface enabled with the check function

3.4.2 Enabling DHCP Snooping

After DHCP snooping is enabled globally, it must be enabled on an interface or in a VLAN.
Otherwise, DHCP snooping does not take effect.
Context
To enable DHCP snooping, perform the following steps in sequence:
- Enable DHCP globally.
- Enable DHCP snooping globally.
- Enable DHCP snooping on an interface or in a VLAN.
Procedure
- Enabling DHCP snooping in the VLAN view
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     dhcp enable
     DHCP is enabled globally.

3 DHCP Snooping Configuration
Issue 01 (2011-07-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
