Figure 2-3 Networking Diagram For Preventing The Bogus DHCP Server Attack - Huawei Quidway S9300 Configuration Manual

Terabit routing switch v100r001c03

Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
2 DHCP Snooping Configuration
Issue 01 (2009-07-28). Huawei Proprietary and Confidential. Copyright © Huawei Technologies Co., Ltd. Page 2-25

Networking Requirements
As shown in Figure 2-3, the S9300 is deployed between the user network and the Layer 2 network of the ISP. To prevent the bogus DHCP server attack, configure DHCP snooping on the S9300, configure the user-side interface as untrusted and the network-side interface as trusted, and configure the packet discarding alarm function.

Figure 2-3 Networking diagram for preventing the bogus DHCP server attack
[Figure labels: User network, GE2/0/0, S9300, GE1/0/0, L2 network, DHCP relay, L3 network, DHCP server, ISP network]

Configuration Roadmap
The configuration roadmap is as follows (assuming that the DHCP server has been configured):
1. Enable DHCP snooping globally and on the interface.
2. Configure the interface connected to the DHCP server as a trusted interface.
3. Configure the user-side interface as an untrusted interface. DHCP reply messages (Offer, ACK, and NAK) received from the untrusted interface are discarded.
4. Configure the packet discarding alarm function.

Data Preparation
To complete the configuration, you need the following data:
- GE 1/0/0 as the trusted interface and GE 2/0/0 as the untrusted interface
- An alarm threshold of 120

NOTE
This configuration example provides only the commands related to the DHCP snooping configuration.
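
The trusted/untrusted rule and the discard alarm from the roadmap, modelled in Python as an added example (not code from the Huawei manual and not S9300 commands). It assumes the alarm is raised once the number of discarded packets reaches the threshold; the function and class names and the sample packets are constructed for illustration.

```python
DHCP_MAGIC = b"\x63\x82\x53\x63"                  # RFC 2131 magic cookie, precedes the options
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}   # option 53 values only a DHCP server sends

def dhcp_message_type(payload):
    """Return the DHCP message type (option 53) of a BOOTP payload, or None."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None                                # not a DHCP payload
    i = 240
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:                        # 0 = pad option, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                            # truncated option header
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                            # truncated option body
        if code == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None

class SnoopingSwitch:
    """Hypothetical model of the per-interface decision described in the roadmap."""
    def __init__(self, trusted, alarm_threshold):
        self.trusted = set(trusted)
        self.alarm_threshold = alarm_threshold
        self.discarded = 0
        self.alarm = False

    def receive(self, port, payload):
        """Return 'discard' for server replies on an untrusted port, else 'forward'."""
        if port not in self.trusted and dhcp_message_type(payload) in SERVER_TYPES:
            self.discarded += 1
            # Assumption: the alarm fires when the discard count reaches the threshold.
            self.alarm = self.discarded >= self.alarm_threshold
            return "discard"
        return "forward"

def build_dhcp(mtype):
    """Constructed sample: zeroed BOOTP header, magic cookie, option 53, end option."""
    return bytes(236) + DHCP_MAGIC + bytes([53, 1, mtype, 255])

if __name__ == "__main__":
    sw = SnoopingSwitch(trusted={"GE1/0/0"}, alarm_threshold=120)
    print(sw.receive("GE1/0/0", build_dhcp(2)), sw.receive("GE2/0/0", build_dhcp(2)))
```
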
