Establishing The Configuration Task - Huawei Quidway S9300 Configuration Manual

Terabit routing switch v100r001c03

Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
2.5.4 Enabling the Checking of DHCP Request Messages
2.5.5 (Optional) Configuring the Option 82 Function
2.5.6 Checking the Configuration

2.5.1 Establishing the Configuration Task

Applicable Environment
An attacker can pose as a valid user and continuously send DHCP Request messages
to extend an IP address lease. As a result, certain expired IP addresses cannot be
reused.
To prevent the attacker from sending bogus DHCP messages to extend IP address leases, you
can create the DHCP snooping binding table on the S9300 to check DHCP Request messages.
If the source IP address, source MAC address, VLAN, and interface of the DHCP Request
messages match entries in the binding table, the DHCP Request messages are then forwarded.
Otherwise, the DHCP Request messages are discarded.
The S9300 checks DHCP Request messages as follows:
• The S9300 checks whether the VLAN and CIADDR field of the DHCP Request messages
  match the VLAN and IP address of entries in the binding table. If they do not match, the
  S9300 considers that the user logs in for the first time and allows the DHCP Request
  messages to pass through.
• If they match, it indicates that the user has logged in before and the DHCP Request messages
  may be bogus messages used to extend IP address leases. The S9300 then checks whether
  the CIADDR field and interface of the DHCP Request messages match the MAC address
  and interface of entries in the binding table. If yes, the S9300 forwards the DHCP Request
  messages. Otherwise, the S9300 discards the DHCP Request messages.

Pre-configuration Tasks
Before preventing the attacker from sending bogus DHCP messages for extending IP address
leases, complete the following tasks:
• Configuring the DHCP server
• Configuring the DHCP relay agent

Data Preparation
To prevent the attacker from sending bogus DHCP messages for extending IP address leases,
you need the following data.

No.   Data
1     Type and number of the interface enabled with detection of bogus DHCP servers
2     Static IP addresses from which packets are forwarded

Issue 01 (2009-07-28)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
2 DHCP Snooping Configuration
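The two-stage DHCP Request check described in this section, modelled in Python as an added example (not Huawei's implementation and not code from the manual). The class and function names, interface names and table entries are constructed; comparing the frame's source MAC address in the second stage is an assumption based on the four-field match (source IP address, source MAC address, VLAN, interface) the section describes.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:            # one DHCP snooping binding-table entry
    ip: str
    mac: str
    vlan: int
    interface: str

@dataclass(frozen=True)
class Request:            # fields of a received DHCP Request used by the check
    ciaddr: str           # client IP address field of the message
    src_mac: str          # assumption: stage 2 compares the frame's source MAC
    vlan: int
    interface: str        # ingress interface

def norm_mac(mac: str) -> str:
    """Reduce 00e0-fc12-3456 / 00:E0:FC:12:34:56 style MACs to 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def check_request(req: Request, table: list) -> tuple:
    """Return (action, reason) for one DHCP Request."""
    # Stage 1: VLAN and CIADDR against the VLAN and IP address of the entries.
    hits = [b for b in table if b.vlan == req.vlan and b.ip == req.ciaddr]
    if not hits:
        # First login: forwarded. Initial requests (CIADDR 0.0.0.0, RFC 2131) land here.
        return "forward", "no binding for VLAN/CIADDR (first login)"
    # Stage 2: the address is already bound, so the sender must be its owner.
    for b in hits:
        if norm_mac(b.mac) == norm_mac(req.src_mac) and b.interface == req.interface:
            return "forward", "matches binding"
    return "discard", "bound address requested from another MAC or interface"

# Constructed sample data (not from the manual).
TABLE = [Binding("10.1.1.20", "00e0-fc12-3456", 10, "GigabitEthernet1/0/1")]
SAMPLES = {
    "renewal by owner": Request("10.1.1.20", "00:E0:FC:12:34:56", 10, "GigabitEthernet1/0/1"),
    "renewal from other MAC": Request("10.1.1.20", "00e0-fc99-0001", 10, "GigabitEthernet1/0/1"),
    "renewal from other port": Request("10.1.1.20", "00e0-fc12-3456", 10, "GigabitEthernet1/0/2"),
    "initial request": Request("0.0.0.0", "00e0-fc99-0001", 10, "GigabitEthernet1/0/2"),
    "same IP, other VLAN": Request("10.1.1.20", "00e0-fc99-0001", 20, "GigabitEthernet1/0/2"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:24} -> {check_request(req, TABLE)}")
```

The last two samples show that a request whose VLAN and CIADDR match no entry is forwarded without any MAC or interface comparison, which is the first-login path the section describes.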
