Huawei Quidway S3700 Series Configuration Manual page 104

Quidway S3700 Series Ethernet Switches
Configuration Guide - Security
3 DHCP Snooping Configuration
Issue 01 (2011-07-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.

Figure 3-2 Networking diagram for applying DHCP snooping on the S3700 that functions as the DHCP relay agent
[Figure omitted; diagram labels: User network, L2 network, Untrusted, Trusted, Switch, DHCP relay, L3 network, DHCP server]

DHCPv6 Snooping
The S3700 supports DHCPv6 snooping. That is, after DHCP snooping is enabled, binding entries are also created for the users using IPv6 addresses. A DHCPv6 snooping binding entry consists of the IPv6 address, MAC address, interface number, and VLAN ID of a user.

Type of Attacks Defended Against by DHCP Snooping
DHCP snooping provides different operation modes according to the type of attack, as shown in Table 3-1.

Table 3-1 Matching table between type of attacks and DHCP snooping operation modes
| Type of Attacks | DHCP Snooping Operation Mode |
|---|---|
| Bogus DHCP server attack | Setting an interface to trusted or untrusted |
| DoS attack by changing the value of the CHADDR field | Checking the CHADDR field in DHCP messages |

NOTE
When the S3700 is deployed on a Layer 2 network or functions as the DHCP relay agent, DHCP snooping is enabled. In this manner, the S3700 can defend against the attacks shown in Table 3-1.
The difference is that when the S3700 functions as the DHCP relay agent, it supports the association function between ARP and DHCP snooping. The S3700, however, does not support the association function when it is deployed on a Layer 2 network.
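
The two rows of Table 3-1 modelled as a small Python filter, as an added example that is not code from the manual or from Huawei. It assumes the CHADDR check compares the CHADDR field with the source MAC address of the frame that carried the message, and that messages on trusted interfaces skip both checks; the names snoop, dhcp_msg_type and build and the MAC addresses are constructed for illustration.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"             # DHCP magic cookie after the BOOTP header
SERVER_TYPES = {2, 5, 6}                # OFFER, ACK, NAK (option 53 values)

def dhcp_msg_type(bootp):
    """Return the option-53 message type of a BOOTP/DHCP payload, or None."""
    if len(bootp) < 240 or bootp[236:240] != MAGIC:
        return None
    i = 240
    while i < len(bootp) and bootp[i] != 255:    # 255 = end option
        if bootp[i] == 0:                        # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(bootp):
            return None                          # truncated option header
        length = bootp[i + 1]
        if bootp[i] == 53 and length == 1 and i + 2 < len(bootp):
            return bootp[i + 2]
        i += 2 + length
    return None

def snoop(src_mac, bootp, trusted):
    """Return 'forward' or a drop reason for one DHCP message on an interface."""
    mtype = dhcp_msg_type(bootp)
    if mtype is None:
        return "drop: not a valid DHCP message"
    if trusted:                                  # assumption: trusted ports skip checks
        return "forward"
    if mtype in SERVER_TYPES:                    # bogus DHCP server defence
        return "drop: server reply on untrusted interface"
    hlen = min(bootp[2], 16)                     # chaddr is 16 bytes at offset 28
    if bootp[28:28 + hlen] != src_mac:           # assumption: compare with frame source MAC
        return "drop: CHADDR does not match source MAC"
    return "forward"

def build(op, mtype, chaddr):
    """Constructed sample: minimal BOOTP header plus option 53 and end option."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0,
                      b"", b"", b"", b"", chaddr, b"", b"")
    return hdr + MAGIC + bytes([53, 1, mtype, 255])

if __name__ == "__main__":
    mac, forged = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd99")
    print(snoop(mac, build(1, 1, mac), False))      # DISCOVER, CHADDR matches
    print(snoop(mac, build(1, 1, forged), False))   # DISCOVER, forged CHADDR
    print(snoop(mac, build(2, 2, mac), False))      # OFFER on untrusted port
    print(snoop(mac, build(2, 2, mac), True))       # OFFER on trusted port
```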
