Example for Enabling DHCP Snooping on the DHCP Relay Agent; Figure 2-8 Networking Diagram for Enabling DHCP Snooping on the DHCP Relay Agent - Huawei Quidway S9300 Configuration Manual

Terabit routing switch v100r001c03

Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
dhcp snooping alarm untrust-reply enable
dhcp snooping alarm untrust-reply threshold 120
dhcp snooping check mac-address enable
dhcp snooping alarm mac-address enable
dhcp snooping alarm mac-address threshold 120
dhcp snooping check user-bind enable
dhcp snooping alarm user-bind enable
dhcp snooping alarm user-bind threshold 120
dhcp option82 insert enable
#
interface GigabitEthernet2/0/0
dhcp snooping enable
dhcp snooping trusted
#
return
2.9.6 Example for Enabling DHCP Snooping on the DHCP Relay Agent
Networking Requirements
As shown in Figure 2-8, the S9300 is connected to the DHCP server and DHCP client; the DHCP relay function is enabled; DHCP client1 uses the dynamically allocated IP address and DHCP client2 uses the statically configured IP address. It is required that DHCP snooping be configured on the S9300 to prevent the following types of attacks:
- Bogus DHCP server attack
- DoS attack by changing the value of the CHADDR field
- Attack by sending bogus messages for extending IP address leases
- Attack by sending a large number of DHCP Request messages
When users log out abnormally after requesting IP addresses, the system detects this failure automatically, deletes the binding in the DHCP binding table, and notifies the DHCP server to release the IP addresses.

Figure 2-8 Networking diagram for enabling DHCP snooping on the DHCP relay agent
[Diagram labels: DHCP client1; DHCP client2 (IP: 10.1.1.1/24, MAC: 0001-0002-0003); S9300 (DHCP relay) with interfaces GE1/0/0 and GE2/0/0; DHCP server]

Issue 01 (2009-07-28)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
2 DHCP Snooping Configuration
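The four attack types in the requirements above map to four per-message checks, modeled here in Python as an added example that is not Huawei code or part of the manual. Assumptions: GE2/0/0 is the trusted server-facing port and the clients sit behind GE1/0/0, the limit of 3 client messages per port per second is arbitrary, and every name and frame other than client2's IP and MAC address is constructed.

```python
from dataclasses import dataclass
SERVER_REPLIES = {"OFFER", "ACK", "NAK"}

@dataclass
class Frame:                  # constructed view of one DHCP message
    port: str                 # ingress interface
    src_mac: str              # Ethernet source MAC
    chaddr: str               # client hardware address in the DHCP payload
    msg_type: str             # DISCOVER, REQUEST, RELEASE, OFFER, ACK or NAK
    ciaddr: str = "0.0.0.0"   # client IP, non-zero when renewing or releasing
    now: float = 0.0          # arrival time in seconds

class Snooper:
    def __init__(self, trusted, bindings, rate_limit):
        self.trusted = set(trusted)     # ports facing the legitimate DHCP server
        self.bindings = dict(bindings)  # binding table: ip -> (mac, port)
        self.rate_limit = rate_limit    # client messages allowed per port per second
        self.seen = {}                  # port -> arrival times inside the window

    def check(self, f):  # returns "forward" or the reason the message is dropped
        if f.msg_type in SERVER_REPLIES:
            # Bogus DHCP server: replies are accepted on trusted ports only.
            return "forward" if f.port in self.trusted else "drop: untrusted reply"
        if f.port in self.trusted:
            return "forward"
        # Message flood: count arrivals on this port over the last second.
        window = self.seen[f.port] = [
            t for t in self.seen.get(f.port, []) if f.now - t < 1.0] + [f.now]
        if len(window) > self.rate_limit:
            return "drop: rate limit"
        # CHADDR DoS: the payload address must equal the frame's source MAC.
        if f.chaddr != f.src_mac:
            return "drop: chaddr mismatch"
        # Bogus renewal or release: ciaddr must match the binding table entry.
        if f.ciaddr != "0.0.0.0" and self.bindings.get(f.ciaddr) != (f.chaddr, f.port):
            return "drop: binding mismatch"
        return "forward"

def demo():
    # Assumed layout: GE2/0/0 faces the server, clients sit behind GE1/0/0.
    s = Snooper({"GE2/0/0"}, {"10.1.1.1": ("0001-0002-0003", "GE1/0/0")}, rate_limit=3)
    c2, bad = "0001-0002-0003", "0009-0009-0009"   # bad is a constructed MAC
    return [s.check(f) for f in (
        Frame("GE1/0/0", bad, bad, "OFFER", now=0.0),                  # rogue server
        Frame("GE2/0/0", "00aa-00bb-00cc", c2, "ACK", now=0.1),        # real server
        Frame("GE1/0/0", bad, "0009-0009-0001", "DISCOVER", now=0.2),  # forged CHADDR
        Frame("GE1/0/0", bad, bad, "REQUEST", "10.1.1.1", now=0.3),    # forged renewal
        Frame("GE1/0/0", c2, c2, "REQUEST", "10.1.1.1", now=0.4),      # valid renewal
        Frame("GE1/0/0", c2, c2, "REQUEST", "10.1.1.1", now=0.5),      # 4th in window
    )]
```

The first three checks correspond to the untrust-reply, mac-address and user-bind options in the configuration file above; the rate limit stands in for whatever flood control the device applies.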
