
CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of the various services supported by the CX11x&CX31x&CX91x series switch modules. The description covers configuration examples and function configurations.
Configuration Examples

This section provides several DHCP snooping configuration examples, including network requirements, configuration roadmap, and configuration procedure.

Example for Configuring DHCP Snooping Attack Defense

Networking Requirements

In Figure 12-51, Switch ModuleA and Switch ModuleB are access devices, and Switch ModuleC is a DHCP relay agent. Client1 and Client2 are connected to Switch ModuleA through 10GE1/17/1 and 10GE1/17/2 respectively. Client3 is connected to Switch ModuleB through 10GE1/17/1. Client1 and Client3 obtain IP addresses using DHCP, while Client2 uses a static IP address. Attacks from unauthorized users prevent authorized users from obtaining IP addresses. The administrator needs to enable the device to defend against DHCP attacks on the network and provide better service to DHCP clients.

Figure 12-51 Networking diagram for configuring DHCP snooping attack defense

Configuration Roadmap

The configuration roadmap is as follows:

  1. Enable DHCP snooping.
  2. Configure an interface as the trusted interface to ensure that DHCP clients obtain IP addresses from the authorized server.
  3. Enable association between ARP and DHCP snooping to enable the device to update the binding entries when a DHCP user is disconnected.
  4. Enable the device to check DHCP messages against the binding table to prevent bogus DHCP message attacks.
  5. Set the maximum rate of sending DHCP messages to the processing unit to prevent DHCP flood attacks.
  6. Set the maximum number of access DHCP clients and enable the device to check whether the MAC address in the Ethernet frame header matches the CHADDR field in the DHCP message to prevent DHCP server DoS attacks.
  7. Configure the trap function for the number of discarded messages and the rate limit.

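The following Python model shows what the checks in the roadmap above actually decide for individual frames. It is an added illustration, not Huawei code: the frame is reduced to the fields the checks consult, the interface names and settings mirror Figure 12-51, and the MAC addresses, IP addresses and traffic are constructed. Which client messages the real "check binding" consults is an assumption of this model (RELEASE messages and any client message that carries a current address in ciaddr).

```python
from collections import Counter, deque
from dataclasses import dataclass, field
from typing import Optional

SERVER_REPLIES = {"OFFER", "ACK", "NAK"}

@dataclass
class Frame:
    in_port: str
    src_mac: str              # source MAC in the Ethernet header
    msg_type: str             # DISCOVER, REQUEST, RELEASE, OFFER, ACK, NAK
    chaddr: str               # client hardware address inside the DHCP payload
    ciaddr: str = "0.0.0.0"   # client's current address (renewal / RELEASE)
    yiaddr: str = "0.0.0.0"   # address the server assigns (OFFER / ACK)

@dataclass
class Interface:
    trusted: bool = False        # dhcp snooping trusted
    max_users: int = 32768       # dhcp snooping user-bind max-number
    check_mac: bool = False      # dhcp snooping check mac-address enable
    check_binding: bool = False  # dhcp snooping check binding enable
    users: int = 0

@dataclass
class Snooper:
    interfaces: dict
    rate_limit_pps: Optional[int] = None          # dhcp snooping rate-limit <pps>
    bindings: dict = field(default_factory=dict)  # (mac, ip) -> port the lease belongs to
    pending: dict = field(default_factory=dict)   # chaddr -> port awaiting the server's ACK
    recent: deque = field(default_factory=deque)  # timestamps of messages sent to the CPU
    discards: Counter = field(default_factory=Counter)

    def _drop(self, reason: str) -> str:
        self.discards[reason] += 1
        return "drop:" + reason

    def inspect(self, f: Frame, now: float) -> str:
        # Flood defence: cap DHCP messages handed to the processing unit per second.
        if self.rate_limit_pps is not None:
            while self.recent and now - self.recent[0] >= 1.0:
                self.recent.popleft()
            if len(self.recent) >= self.rate_limit_pps:
                return self._drop("rate-limit")
            self.recent.append(now)
        port = self.interfaces[f.in_port]
        # Server replies are accepted only on the trusted, server-facing interface.
        if f.msg_type in SERVER_REPLIES:
            if not port.trusted:
                return self._drop("untrust-reply")
            if f.msg_type == "ACK" and f.chaddr in self.pending:
                client_port = self.pending.pop(f.chaddr)
                self.bindings[(f.chaddr, f.yiaddr)] = client_port
                self.interfaces[client_port].users += 1
            return "forward"
        # CHADDR check: the DHCP client address must equal the Ethernet source MAC.
        if port.check_mac and f.src_mac.lower() != f.chaddr.lower():
            return self._drop("mac-address")
        # Binding check (model assumption: RELEASE and any message carrying ciaddr).
        names_lease = f.msg_type == "RELEASE" or f.ciaddr != "0.0.0.0"
        if port.check_binding and names_lease:
            if self.bindings.get((f.chaddr, f.ciaddr)) != f.in_port:
                return self._drop("binding")
        if f.msg_type == "DISCOVER" and port.users >= port.max_users:
            return self._drop("max-user")
        if f.msg_type in ("DISCOVER", "REQUEST"):
            self.pending[f.chaddr] = f.in_port
        elif f.msg_type == "RELEASE" and self.bindings.pop((f.chaddr, f.ciaddr), None):
            port.users -= 1
        return "forward"

def build_switch(rate_limit: Optional[int] = 90) -> Snooper:
    # Same roles as the example: two user ports with all checks, one trusted uplink.
    user = dict(check_mac=True, check_binding=True, max_users=20)
    return Snooper({"10GE1/17/1": Interface(**user), "10GE1/17/2": Interface(**user),
                    "10GE2/17/1": Interface(trusted=True)}, rate_limit_pps=rate_limit)

def demo() -> list:
    """Constructed traffic: Client1 leases 192.168.1.10, a host on 10GE1/17/2 interferes."""
    c1, rogue = "00aa-0000-0001", "00aa-0000-0002"   # placeholder MACs
    sw = build_switch()
    traffic = [
        Frame("10GE1/17/1", c1, "DISCOVER", c1),
        Frame("10GE1/17/2", rogue, "OFFER", c1, yiaddr="192.168.1.99"),    # reply from user port
        Frame("10GE2/17/1", "00bb-0000-0001", "ACK", c1, yiaddr="192.168.1.10"),
        Frame("10GE1/17/2", rogue, "RELEASE", c1, ciaddr="192.168.1.10"),  # CHADDR != source MAC
        Frame("10GE1/17/2", c1, "RELEASE", c1, ciaddr="192.168.1.10"),     # right MAC, wrong port
        Frame("10GE1/17/1", c1, "RELEASE", c1, ciaddr="192.168.1.10"),     # genuine release
    ]
    return [sw.inspect(fr, now=float(i)) for i, fr in enumerate(traffic)]

def rate_limit_demo() -> list:
    """Four DISCOVERs in the same second against a limit of 3 pps."""
    sw = build_switch(rate_limit=3)
    fr = Frame("10GE1/17/1", "00aa-0000-0003", "DISCOVER", "00aa-0000-0003")
    return [sw.inspect(fr, now=0.0) for _ in range(4)]
```

Each drop reason corresponds to one of the "Discarded packets for ..." counters in the display output of step 8, which is what makes the per-interface alarm thresholds of step 7 meaningful: a counter that climbs on a user port points at the host behind that port rather than at the switch.
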
Procedure

  1. Enable DHCP snooping.

    # Enable DHCP snooping globally.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch ModuleC
    [*HUAWEI] commit
    [~Switch ModuleC] dhcp enable
    [*Switch ModuleC] dhcp snooping enable

    # Enable DHCP snooping on the user-side interface. 10GE1/17/1 is used as an example. The configuration on 10GE1/17/2 is the same as the configuration on 10GE1/17/1 and is not mentioned here.

    [*Switch ModuleC] interface 10ge 1/17/1
    [*Switch ModuleC-10GE1/17/1] dhcp snooping enable
    [*Switch ModuleC-10GE1/17/1] quit

  2. Configure the interface connected to the DHCP server as the trusted interface.

    [*Switch ModuleC] interface 10ge 2/17/1
    [*Switch ModuleC-10GE2/17/1] dhcp snooping trusted
    [*Switch ModuleC-10GE2/17/1] quit

  3. Enable association between ARP and DHCP snooping.

    [*Switch ModuleC] dhcp snooping user-bind arp-detect enable

  4. Enable the device to check DHCP messages against the DHCP snooping binding table.

    # Configure the user-side interface. 10GE1/17/1 is used as an example. The configuration on 10GE1/17/2 is the same as the configuration on 10GE1/17/1 and is not mentioned here.

    [*Switch ModuleC] interface 10ge 1/17/1
    [*Switch ModuleC-10GE1/17/1] dhcp snooping check binding enable
    [*Switch ModuleC-10GE1/17/1] quit

  5. Set the maximum rate of sending DHCP messages to the processing unit to 90 pps.

    [*Switch ModuleC] dhcp snooping rate-limit enable
    [*Switch ModuleC] dhcp snooping rate-limit 90

  6. Set the maximum number of access users allowed on the interface and enable the device to check the CHADDR field.

    # Configure the user-side interface. 10GE1/17/1 is used as an example. The configuration on 10GE1/17/2 is the same as the configuration on 10GE1/17/1 and is not mentioned here.

    [*Switch ModuleC] interface 10ge 1/17/1
    [*Switch ModuleC-10GE1/17/1] dhcp snooping user-bind max-number 20
    [*Switch ModuleC-10GE1/17/1] dhcp snooping check mac-address enable
    [*Switch ModuleC-10GE1/17/1] quit

  7. Configure the trap function for the number of discarded messages and the rate limit.

    # Enable the trap function for discarding messages and set the alarm threshold. 10GE1/17/1 is used as an example. The configuration on 10GE1/17/2 is the same as the configuration on 10GE1/17/1 and is not mentioned here.

    [*Switch ModuleC] interface 10ge 1/17/1
    [*Switch ModuleC-10GE1/17/1] dhcp snooping alarm mac-address enable
    [*Switch ModuleC-10GE1/17/1] dhcp snooping alarm binding enable
    [*Switch ModuleC-10GE1/17/1] dhcp snooping alarm untrust-reply enable
    [*Switch ModuleC-10GE1/17/1] dhcp snooping alarm mac-address threshold 120
    [*Switch ModuleC-10GE1/17/1] dhcp snooping alarm binding threshold 120
    [*Switch ModuleC-10GE1/17/1] dhcp snooping alarm untrust-reply threshold 120
    [*Switch ModuleC-10GE1/17/1] quit

    # Enable the trap function for the rate limit and set the alarm threshold.

    [*Switch ModuleC] dhcp snooping alarm rate-limit enable
    [*Switch ModuleC] dhcp snooping alarm rate-limit threshold 500
    [*Switch ModuleC] commit

  8. Verify the configuration.

    # Run the display dhcp snooping interface command to view DHCP snooping information on an interface.

    [~Switch ModuleC] display dhcp snooping interface 10ge 1/17/1
     DHCP snooping                            : Enable                              
     Trusted interface                        : No                                  
     DHCP user max number                     : 20                                  
     Current DHCP user number                 : 0                                   
     Check MAC-address                        : Enable                              
     Alarm MAC-address                        : Enable                              
     Alarm MAC-address threshold              : 120                                 
     Discarded packets for check MAC-address  : 0                                   
     Check binding                            : Enable                              
     Alarm binding                            : Enable                              
     Alarm binding threshold                  : 120                                 
     Discarded packets for check binding      : 0                                   
     Rate-limit                               : Disable  (default)                  
     Alarm rate-limit                         : Disable  (default)                  
     Alarm rate-limit threshold               : 500                                 
     Discarded packets for rate-limit         : 0                                   
     Alarm untrust-reply                      : Enable                              
     Alarm untrust-reply threshold            : 120                                 
     Discarded packets for check untrust-reply: 0                                   
    [~Switch ModuleC] display dhcp snooping interface 10ge 2/17/1
     DHCP snooping                            : Disable  (default)                               
     Trusted interface                        : Yes                                  
     DHCP user max number                     : 32768    (default)                  
     Current DHCP user number                 : 0                                   
     Check MAC-address                        : Disable  (default)                  
     Alarm MAC-address                        : Disable  (default)                  
     Check binding                            : Disable  (default)                  
     Alarm binding                            : Disable  (default)                  
     Rate-limit                               : Disable  (default)                  
     Alarm rate-limit                         : Disable  (default)                  
     Alarm rate-limit threshold               : 500                                 
     Discarded packets for rate-limit         : 0                                   
     Alarm untrust-reply                      : Disable  (default) 

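Reading the display output by eye works for two interfaces but not for a chassis full of access ports. The script below, an added example rather than Huawei tooling, parses the "Field : Value" rows of the display dhcp snooping interface output shown above, separates the per-interface blocks by their prompt line, and compares each interface against the role it is supposed to play. The role table (user ports untrusted with binding and CHADDR checks, the server-facing port trusted) is an assumption for this topology, and the second sample transcript is constructed to show a port that has drifted.

```python
import re
from typing import Dict, List, Set, Tuple

# Prompt line that starts each interface's output block
PROMPT = re.compile(r"^\s*\[[~*]?[^\]]*\]\s*display dhcp snooping interface\s+(?P<iface>.+?)\s*$")
# "Field name : value" rows; values may carry a trailing "(default)" marker
FIELD = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>\S.*?)\s*$")

# Settings each role must show (assumption for this topology, not a Huawei rule)
EXPECTED = {
    "user": {"DHCP snooping": "Enable", "Trusted interface": "No",
             "Check MAC-address": "Enable", "Check binding": "Enable"},
    "uplink": {"Trusted interface": "Yes"},
}

def parse_transcript(text: str) -> Dict[str, Tuple[Dict[str, str], Set[str]]]:
    """Return {interface: (fields, names of fields still at their default)}."""
    result = {}
    current = None
    for line in text.splitlines():
        p = PROMPT.match(line)
        if p:
            current = p.group("iface")
            result[current] = ({}, set())
            continue
        f = FIELD.match(line)
        if current is None or not f:
            continue
        fields, defaults = result[current]
        key, value = f.group("key"), f.group("value")
        if "(default)" in value:
            value = value.replace("(default)", "").strip()
            defaults.add(key)
        fields[key] = value
    return result

def audit(fields: Dict[str, str], defaults: Set[str], role: str) -> List[str]:
    findings = []
    for key, want in EXPECTED[role].items():
        got = fields.get(key)
        if got != want:
            findings.append(f"{key}: expected {want}, got {got}")
    if role == "user" and "DHCP user max number" in defaults:
        findings.append("DHCP user max number: left at the default, no per-port client cap")
    # A non-zero discard counter means a check fired; the attached host needs a look
    for key, value in fields.items():
        if key.startswith("Discarded packets") and value.isdigit() and int(value) > 0:
            findings.append(f"{key}: {value} dropped, inspect the host behind this port")
    return findings

def run_audit(text: str, roles: Dict[str, str]) -> Dict[str, List[str]]:
    parsed = parse_transcript(text)
    report = {}
    for iface, role in roles.items():
        if iface not in parsed:
            report[iface] = ["no output captured for this interface"]
        else:
            report[iface] = audit(*parsed[iface], role)
    return report

# Abbreviated copy of the command output shown above
PAGE_OUTPUT = """\
[~Switch ModuleC] display dhcp snooping interface 10ge 1/17/1
 DHCP snooping                            : Enable
 Trusted interface                        : No
 DHCP user max number                     : 20
 Check MAC-address                        : Enable
 Discarded packets for check MAC-address  : 0
 Check binding                            : Enable
 Discarded packets for check binding      : 0
 Rate-limit                               : Disable  (default)
 Discarded packets for rate-limit         : 0
 Discarded packets for check untrust-reply: 0
[~Switch ModuleC] display dhcp snooping interface 10ge 2/17/1
 DHCP snooping                            : Disable  (default)
 Trusted interface                        : Yes
 DHCP user max number                     : 32768    (default)
 Check MAC-address                        : Disable  (default)
 Check binding                            : Disable  (default)
 Discarded packets for rate-limit         : 0
"""

# Constructed output for a user port whose settings have drifted
DRIFTED_OUTPUT = """\
[~Switch ModuleC] display dhcp snooping interface 10ge 1/17/2
 DHCP snooping                            : Enable
 Trusted interface                        : Yes
 DHCP user max number                     : 32768    (default)
 Check MAC-address                        : Enable
 Discarded packets for check MAC-address  : 37
 Check binding                            : Enable
"""

ROLES = {"10ge 1/17/1": "user", "10ge 2/17/1": "uplink"}
```

Running run_audit(PAGE_OUTPUT, ROLES) returns an empty finding list for both interfaces, while the drifted transcript reports the user port as trusted, the client cap at its default, and 37 frames dropped by the CHADDR check. Feeding the script from a scheduled collection of the display output turns the verification step into a repeatable check rather than a one-off.
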
Configuration Files

# Configuration file of Switch ModuleC

#                                                                               
sysname Switch ModuleC
#                                                                               
dhcp enable                                                                     
#                                                                               
dhcp snooping enable                                                            
dhcp snooping rate-limit enable                                            
dhcp snooping rate-limit 90                                                
dhcp snooping alarm rate-limit enable                                            
dhcp snooping alarm rate-limit threshold 500                                      
dhcp snooping user-bind arp-detect enable
#
interface 10GE1/17/1
 dhcp snooping enable                                                           
 dhcp snooping check binding enable                                           
 dhcp snooping alarm binding enable                                           
 dhcp snooping alarm binding threshold 120                                    
 dhcp snooping check mac-address enable                                         
 dhcp snooping alarm mac-address enable                                         
 dhcp snooping alarm mac-address threshold 120                                  
 dhcp snooping alarm untrust-reply enable                                       
 dhcp snooping alarm untrust-reply threshold 120                                
 dhcp snooping user-bind max-number 20   
#
interface 10GE1/17/2
 dhcp snooping enable                                                           
 dhcp snooping check binding enable                                           
 dhcp snooping alarm binding enable                                           
 dhcp snooping alarm binding threshold 120                                    
 dhcp snooping check mac-address enable                                         
 dhcp snooping alarm mac-address enable                                         
 dhcp snooping alarm mac-address threshold 120                                  
 dhcp snooping alarm untrust-reply enable                                       
 dhcp snooping alarm untrust-reply threshold 120                                
 dhcp snooping user-bind max-number 20   
#
interface 10GE2/17/1
 dhcp snooping trusted
#
return
Updated: 2019-08-09

Document ID: EDOC1000041694