Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
mac-address&src mac total                0
untrust-reply total                      60
----End
Configuration Files
#
sysname Quidway
#
dhcp snooping enable
#
interface GigabitEthernet1/0/0
 dhcp snooping enable
 dhcp snooping trusted
#
interface GigabitEthernet2/0/0
 dhcp snooping enable
 dhcp snooping alarm untrust-reply enable
 dhcp snooping alarm untrust-reply threshold 120
#
return
2.9.2 Example for Preventing the DoS Attack by Changing the CHADDR Field
Networking Requirements
As shown in Figure 2-4, the S9300 is deployed between the user network and the ISP Layer 2
network. To prevent DoS attacks that change the CHADDR field, DHCP snooping must be
configured on the S9300 so that the CHADDR field of DHCP Request messages is checked. If the
CHADDR field of a DHCP Request message matches the source MAC address in the frame header,
the message is forwarded. Otherwise, the message is discarded. The packet discarding alarm
function is also configured.
Figure 2-4 Networking diagram for preventing the DoS attack by changing the CHADDR field
[Figure 2-4 not reproduced. Labels in the diagram: User network, S9300, GE1/0/0, GE2/0/0, ISP network, L2 network, L3 network, DHCP relay, DHCP server]
Issue 01 (2009-07-28)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
2 DHCP Snooping Configuration
2-27
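The CHADDR check stated in the networking requirements of 2.9.2 can be modeled as follows. This is an added example, not Huawei code or anything taken from this guide: build_frame, chaddr_matches_src_mac, SnoopingPort, the sample MAC addresses and the alarm semantics (alarm once the discard count reaches the threshold) are assumptions, and only untagged Ethernet II frames are handled.

```python
import struct

def build_frame(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed sample: untagged Ethernet II / IPv4 / UDP / DHCP Request, checksums zeroed."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4), chaddr, b"", b"")
    bootp += bytes([99, 130, 83, 99, 53, 1, 3, 255])  # magic cookie, option 53 = Request, end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4)
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip + udp

def chaddr_matches_src_mac(frame: bytes):
    """True/False for a DHCP client message; None if the frame is not one (not checked)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # needs Ethernet + minimal IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 17:  # IPv4 carrying UDP only
        return None
    udp = 14 + ihl
    if len(frame) < udp + 8 or struct.unpack_from("!HH", frame, udp) != (68, 67):
        return None
    bootp = udp + 8
    if len(frame) < bootp + 44:          # truncated before the end of CHADDR
        return False
    op, htype, hlen = frame[bootp], frame[bootp + 1], frame[bootp + 2]
    if (op, htype, hlen) != (1, 1, 6):   # expect BOOTREQUEST with a 6-byte Ethernet address
        return False
    return frame[bootp + 28:bootp + 34] == frame[6:12]   # CHADDR vs. frame source MAC

class SnoopingPort:
    """Hypothetical model of a user-side port: discard on mismatch, count, raise an alarm."""
    def __init__(self, alarm_threshold: int):
        self.alarm_threshold = alarm_threshold
        self.discarded = 0
        self.alarm = False

    def receive(self, frame: bytes) -> bool:
        """Return True to forward the frame, False to discard it."""
        if chaddr_matches_src_mac(frame) is False:
            self.discarded += 1
            # Assumed semantics: alarm once the discard count reaches the threshold.
            self.alarm = self.discarded >= self.alarm_threshold
            return False
        return True
```

Frames that are not DHCP client messages return None from the check and are forwarded untouched, so the discard counter reflects only CHADDR mismatches.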