Enabling DHCP Snooping - Huawei Quidway S9300 Configuration Manual

Terabit routing switch v100r001c03

Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
2 DHCP Snooping Configuration

Applicable Environment
With DHCP snooping configured, the S9300 discards packets sent from an attacker. Table 2-2 shows the relation between the type of attacks and the type of discarded packets.

Table 2-2 Relation between the type of attacks and the type of discarded packets

| Type of Attacks | Type of Discarded Packets |
|---|---|
| Bogus attack | DHCP Reply messages received from untrusted interfaces |
| DoS attack by changing the CHADDR field | DHCP Request messages whose CHADDR field does not match the source MAC address in the frame header |
| Attack by sending bogus messages to extend IP address leases | DHCP Request messages that do not match entries in the binding table |
| Attack by sending a large number of DHCP Request messages and ARP packets | Messages exceeding the rate limit |

After the packet discarding alarm function is enabled, an alarm is generated when the number of discarded packets on the S9300 reaches the alarm threshold.

Pre-configuration Tasks
Before configuring the packet discarding alarm function, complete the following tasks:
- Configuring the DHCP server
- Configuring the DHCP relay agent
- Configuring the S9300 to discard DHCP Reply messages on the untrusted interface at the user side
- Configuring the checking of DHCP messages
- Configuring the checking of the CHADDR field in DHCP Request messages
- Configuring the checking of the rate of sending DHCP messages

Data Preparation
To configure the packet discarding alarm function, you need the following data.

| No. | Data |
|---|---|
| 1 | Alarm threshold for the number of discarded packets |

2.7.2 Enabling DHCP Snooping

Issue 01 (2009-07-28)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
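The discard rules of Table 2-2 and the packet discarding alarm, modelled in Python as an added example; this is not Huawei code or S9300 configuration. Interface names, MAC and IP values, the rate limit of 4 and the alarm threshold of 3 are constructed, and the model assumes that trusted interfaces bypass all checks and that the rate limit is counted per interface.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    kind: str       # "request" or "reply"
    iface: str      # ingress interface
    src_mac: str    # source MAC address in the frame header
    chaddr: str     # CHADDR field inside the DHCP message
    ip: str = ""    # client IP, set on lease-renewal requests

class SnoopingModel:
    def __init__(self, trusted, bindings, rate_limit, alarm_threshold):
        self.trusted = set(trusted)      # interfaces toward the DHCP server
        self.bindings = set(bindings)    # (mac, ip, iface) binding table entries
        self.rate_limit, self.alarm_threshold = rate_limit, alarm_threshold
        self.seen, self.discarded, self.alarms = {}, 0, []

    def check(self, p):  # discard reason per Table 2-2, or None to forward
        if p.iface in self.trusted:
            return None
        self.seen[p.iface] = self.seen.get(p.iface, 0) + 1
        if self.seen[p.iface] > self.rate_limit:
            return "rate limit exceeded"
        if p.kind == "reply":
            return "reply on untrusted interface"
        if p.chaddr != p.src_mac:
            return "CHADDR mismatch"
        if p.ip and (p.chaddr, p.ip, p.iface) not in self.bindings:
            return "no binding table match"
        return None

    def process(self, p):
        reason = self.check(p)
        if reason:
            self.discarded += 1
            if self.discarded == self.alarm_threshold:  # count reaches threshold
                self.alarms.append(f"{self.discarded} packets discarded")
        return reason

def run_demo():
    m = SnoopingModel({"GE1/0/24"}, {("aa:aa", "10.0.0.5", "GE1/0/1")}, 4, 3)
    pkts = [  # constructed sample traffic, not captured from a device
        Packet("reply", "GE1/0/24", "ee:ee", "aa:aa"),               # server reply, trusted
        Packet("reply", "GE1/0/1", "bb:bb", "aa:aa"),                # reply from user side
        Packet("request", "GE1/0/1", "aa:aa", "cc:cc"),              # changed CHADDR
        Packet("request", "GE1/0/1", "dd:dd", "dd:dd", "10.0.0.9"),  # bogus lease renewal
        Packet("request", "GE1/0/1", "aa:aa", "aa:aa", "10.0.0.5"),  # valid renewal
        Packet("request", "GE1/0/1", "aa:aa", "aa:aa"),              # fifth message: over rate
    ]
    return [m.process(p) for p in pkts], m
```

Each discard reason maps to one row of Table 2-2, and the single alarm fires on the third discard, which is why the alarm threshold is the only item listed under Data Preparation.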
