Quidway S3700 Series Ethernet Switches
Configuration Guide - Security
3.5.7 Checking the Configuration
Checking the Configuration of Preventing the Attacker from Sending Bogus DHCP Messages
for Extending IP Address Leases.
Prerequisite
The configuration that prevents attackers from sending bogus DHCP messages to extend
IP address leases is complete.
Procedure
- Run the display dhcp snooping global command to check information about global DHCP
  snooping.
- Run the display dhcp snooping interface interface-type interface-number command to
  check information about DHCP snooping on the interface.
- Run the display dhcp { snooping | static } user-bind { dai-status | interface
  interface-type interface-number | ip-address ip-address | ipsg-status | mac-address
  mac-address | vlan vlan-id [ interface interface-type interface-number ] | all
  [ verbose ] } command to check information about the DHCP binding table.
- Run the display dhcpv6 { snooping | static } user-bind { interface interface-type
  interface-number | ipv6-address ipv6-address | ipsg-status | mac-address mac-address |
  vlan vlan-id [ interface interface-type interface-number ] | all [ verbose ] } command
  to check information about the DHCPv6 binding table.
- Run the display dhcp option82 { interface interface-type interface-number | vlan
  vlan-id } command to check the status of the Option 82 field.
----End
3.6 Setting the Maximum Number of DHCP Snooping Users
This section describes how to set the maximum number of DHCP snooping users. The limit is
needed because authorized users cannot access the network when an attacker applies for IP
addresses continuously.
3.6.1 Establishing the Configuration Task
This section describes how to establish the configuration task of setting the maximum
number of DHCP snooping users.
Applicable Environment
To prevent malicious users from applying for IP addresses, you can set the maximum number
of DHCP snooping users.
When the number of DHCP snooping users reaches the maximum value, users cannot
successfully apply for IP addresses.
Pre-configuration Tasks
Before setting the maximum number of DHCP snooping users, complete the following tasks:
Issue 01 (2011-07-15)
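The effect of the user limit described in section 3.6 can be seen in a small model. This is an added example, not code from the guide or from the switch software; the per-port scope of the limit, the pool size, the port names, the MAC addresses and the 192.0.2.0/24 range are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class SnoopingSwitch:
    """Toy model of a DHCP pool behind a switch that counts snooping users."""
    pool_size: int                      # addresses the DHCP server can lease
    max_users_per_port: Optional[int]   # None = no limit (per-port scope is assumed)
    bindings: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (port, mac) -> ip

    def users_on(self, port: str) -> int:
        return sum(1 for p, _ in self.bindings if p == port)

    def request(self, port: str, mac: str) -> Optional[str]:
        """Return the leased address, or None when the request does not succeed."""
        key = (port, mac)
        if key in self.bindings:
            return self.bindings[key]           # existing user renewing its lease
        limit = self.max_users_per_port
        if limit is not None and self.users_on(port) >= limit:
            return None                         # user limit reached on this port
        if len(self.bindings) >= self.pool_size:
            return None                         # server pool exhausted
        ip = f"192.0.2.{len(self.bindings) + 1}"
        self.bindings[key] = ip
        return ip


def run_scenario(limit: Optional[int]):
    """Flood port1 with constructed MACs, then let two authorized hosts ask."""
    sw = SnoopingSwitch(pool_size=50, max_users_per_port=limit)
    for i in range(200):                        # constructed client MACs
        sw.request("port1", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
    other_port = sw.request("port2", "02:aa:bb:cc:dd:01")  # authorized, other port
    same_port = sw.request("port1", "02:aa:bb:cc:dd:02")   # authorized, flooded port
    return sw.users_on("port1"), other_port, same_port


if __name__ == "__main__":
    for limit in (None, 5):
        print(f"limit={limit}: {run_scenario(limit)}")
```

With no limit the flood consumes all 50 addresses and both authorized hosts fail. With a limit of 5 the host on port2 obtains a lease, while the host sharing the flooded port is still refused, which matches the guide's statement that users cannot apply once the maximum is reached.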
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
3 DHCP Snooping Configuration