Figure 2-7 Networking Diagram for Configuring DHCP Snooping - Huawei Quidway S9300 Configuration Manual

Terabit routing switch v100r001c03

Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
2 DHCP Snooping Configuration

IP address. It is required that DHCP snooping be configured on user-side interfaces GE 1/0/0 and GE 1/0/1 of the S9300 to prevent the following types of attacks:
- Bogus DHCP server attack
- DoS attack by changing the value of the CHADDR field
- Attack by sending bogus messages to extend IP address leases
- Attack by sending a large number of DHCP Request messages

Figure 2-7 Networking diagram for configuring DHCP snooping

[Figure labels: DHCP client1; DHCP client2; IP:10.1.1.1/24; MAC:0001-0002-0003; S9300; GE1/0/0; GE1/0/1; GE2/0/0; DHCP relay; DHCP server]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the interface view.
2. Configure interfaces to be trusted or untrusted to prevent bogus DHCP server attacks.
3. Configure the DHCP snooping binding table and check DHCP Request messages by matching them with entries in the binding table to prevent attackers from sending bogus DHCP messages for extending IP address leases.
4. Configure the checking of the CHADDR field in DHCP Request messages to prevent attackers from changing the CHADDR field in DHCP Request messages.
5. Set the rate of sending DHCP Request messages to the protocol stack to prevent attackers from sending a large number of DHCP Request messages.
6. Configure the Option 82 function and create the binding table that contains information about the interface.
7. Configure the packet discarding alarm function and the alarm function for checking the rate of sending packets.

Data Preparation
To complete the configuration, you need the following data:

Issue 01 (2009-07-28)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
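The per-message checks in the configuration roadmap (trusted/untrusted interfaces, binding-table match on lease renewal, CHADDR check, rate limit), modelled in Python as an added example; it is not Huawei code and not S9300 CLI. The class and field names, the comparison of CHADDR with the Ethernet source MAC, the one-second rate window and the interface given to the static entry are assumptions, and the sample messages are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

SERVER_TYPES = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these

@dataclass
class Msg:
    port: str         # ingress interface
    src_mac: str      # Ethernet source MAC
    chaddr: str       # client hardware address in the DHCP payload
    mtype: str        # DISCOVER, REQUEST, OFFER, ACK or NAK
    ciaddr: str = ""  # filled in when a client renews a lease
    yiaddr: str = ""  # address assigned by the server
    t: float = 0.0    # arrival time in seconds

class Snooper:
    def __init__(self, trusted, rate_limit, static=None):
        self.trusted, self.rate_limit = set(trusted), rate_limit
        self.bindings = dict(static or {})  # MAC -> (IP, interface)
        self.pending = {}                   # MAC -> interface of its last Request
        self.seen = defaultdict(list)       # interface -> arrivals in the last second

    def check(self, m):
        if m.port in self.trusted:
            if m.mtype == "ACK" and m.chaddr in self.pending:  # learn a binding
                self.bindings[m.chaddr] = (m.yiaddr, self.pending.pop(m.chaddr))
            return "forward"
        if m.mtype in SERVER_TYPES:
            return "drop: server message on untrusted interface"
        recent = [x for x in self.seen[m.port] if m.t - x < 1.0]
        self.seen[m.port] = recent + [m.t]
        if len(recent) >= self.rate_limit:
            return "drop: rate limit exceeded"
        if m.chaddr != m.src_mac:
            return "drop: CHADDR differs from source MAC"
        if m.mtype == "REQUEST":
            if m.ciaddr and self.bindings.get(m.chaddr) != (m.ciaddr, m.port):
                return "drop: no matching binding entry"
            self.pending[m.chaddr] = m.port
        return "forward"

def demo():
    # Constructed sample: static entry uses the figure's IP/MAC; its interface is assumed.
    a, v = "00aa-00aa-00aa", "0001-0002-0003"
    s = Snooper({"GE2/0/0"}, 3, {v: ("10.1.1.1", "GE1/0/1")})
    msgs = [Msg("GE1/0/0", a, a, "OFFER"), Msg("GE1/0/0", a, v, "DISCOVER", t=2),
            Msg("GE1/0/0", a, a, "REQUEST", ciaddr="10.1.1.1", t=4),
            Msg("GE1/0/1", v, v, "REQUEST", ciaddr="10.1.1.1", t=4)]
    return [s.check(m) for m in msgs]
```

`demo()` returns one verdict per constructed message: the first three are dropped by the trust, CHADDR and binding checks in turn, and the renewal from the bound client is forwarded.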
