No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 13

The documents describe the configuration of various services supported by the CX11x&CX31x&CX91x series switch modules The description covers configuration examples and function configurations.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).


Defense Against Bogus DHCP Server Attacks


Due to lack of authentication mechanisms between DHCP servers and DHCP clients, each DHCP server newly configured on a network assigns IP addresses and other network parameters to DHCP clients. If the assigned IP addresses and other network parameters are incorrect, errors may occur on the network.

In Figure 12-46, authorized and unauthorized DHCP servers can receive DHCP Discover messages broadcast by DHCP clients.

Figure 12-46 DHCP client sending DHCP Discover messages

If a bogus DHCP server sends a bogus DHCP Reply message with the incorrect gateway address, Domain Name System (DNS) server address, and IP address to a DHCP client, as shown in Figure 12-47, the DHCP client cannot obtain the correct IP address and required information. The authorized user then fails to access the network and user information security is affected.

Figure 12-47 Bogus DHCP server attack


To prevent attacks from a bogus DHCP server, configure the trusted interface and untrusted interfaces on the device.

You can configure the interface directly or indirectly connected to the authorized DHCP server as the trusted interface and other interfaces as untrusted interfaces. The device then discards DHCP Reply messages received on untrusted interfaces, preventing bogus DHCP server attacks, as shown in Figure 12-48.

Figure 12-48 Trusted interface and untrusted interfaces

Attacks from Non-DHCP Users


On a DHCP network, users with static IP addresses may initiate attacks such as bogus DHCP server attacks and bogus DHCP Request message attacks. This brings security risks for authorized DHCP users.


To prevent attacks from non-DHCP users, you can enable the device to generate static MAC address entries based on the DHCP snooping binding table, and disable the interface from learning dynamic MAC address entries. Only the messages whose source MAC addresses match the static MAC address entries can pass through the user-side interface on the device, and other messages are discarded. To allow messages from non-DHCP users to pass through the interface, the administrator needs to manually configure static MAC address entries for them.

Dynamic MAC address entries are learned and generated by the device, and static MAC address entries are configured by command lines. A MAC address entry includes the MAC address, VLAN ID, and interface number of the DHCP client. The device implements Layer 2 forwarding based on MAC address entries.

Defense Against DHCP Flood Attacks


On a DHCP network, if an attacker sends a large number of DHCP messages to the device within a short time, device performance may deteriorate and the device may fail to work properly. This attack is called DHCP flood attack.


To prevent DHCP flood attacks, you can enable DHCP snooping and enable the device to check the rate of sending DHCP messages to the processing unit. The device then sends only DHCP messages within a specified rate to the processing unit and discards those that exceed the rate.

Defense Against Bogus DHCP Message Attacks


An authorized DHCP client that has obtained an IP address sends a DHCP Request message or Release message to extend the lease or to release the IP address. If attackers continuously send DHCP Request messages to the DHCP server to extend the lease, the IP addresses cannot be reclaimed or obtained by authorized users. If attackers forge DHCP Release messages of authorized users to the DHCP server, the authorized users may be disconnected.


To prevent bogus DHCP message attacks, you can use the DHCP snooping binding table. The device checks DHCP Request messages and Release messages against binding entries to determine whether the messages are valid. If a message matches a binding entry, the device forwards the message; if a message matches no binding entry, the device discards the message.

Defense Against DHCP Server DoS Attacks


In Figure 12-49, if a large number of attackers request IP addresses on Interface1, IP addresses in the IP address pool are exhausted, which leaves no IP addresses for authorized users.

A DHCP server identifies the MAC address of a client based on the client hardware address (CHADDR) field in the DHCP Request message. If an attacker continuously applies for IP addresses by changing the CHADDR field, IP addresses in the address pool on the DHCP server may be exhausted. As a result, authorized users cannot obtain IP addresses.

Figure 12-49 Defense against DHCP server DoS attacks


To prevent the DHCP server DoSattack, you can set the maximum number of access DHCP clients allowed on the device or an interface after enabling DHCP snooping on the device. When the number of DHCP clients reaches the maximum value, no DHCP client can obtain the IP address through the device or interface.

You can enable the device to check whether the MAC address in the Ethernet frame header matches the CHADDR field in the DHCP message. If the two values match, the message is forwarded; otherwise, the message is discarded.

Typical Application of the Option 82 Field

The DHCP Relay Agent Information Option (Option 82) field records the location of a DHCP client. A DHCP snooping-enabled device or a DHCP relay agent inserts the Option 82 field to a DHCP Request message to notify the DHCP server of the DHCP client location. Based on the Option 82 field, the DHCP server can properly assign an IP address and other configurations to the DHCP client, ensuring DHCP client security.

Option 82 Networking

Figure 12-50 Networking diagram of the Option 82 field

In Figure 12-50, the clients obtain IP addresses using DHCP. To improve network security, the administrator configures the device to control network access of clients connected to Interface1.

The DHCP server cannot detect the DHCP client location only based on the DHCP Request message. As a result, users in the same VLAN have the same right to access network resources.

To address this problem, the administrator can enable the Option 82 field after DHCP snooping is enabled on Switch ModuleA. Upon receiving a DHCP Request message to apply for an IP address, Switch ModuleA inserts the Option 82 field to the message to notify the DHCP server of the DHCP client location, including the MAC address, VLAN ID, and interface number of the client. The DHCP server can properly assign an IP address and other configurations to the client based on the IP address assignment or security policies on the server.

The Option 82 field records the location of a DHCP client and is encapsulated in a DHCP Request message sent to the DHCP server. To deploy different IP addresses or security policies for different clients, the DHCP server must support the Option 82 field and be configured with IP address assignment or security policies.

Updated: 2019-12-13

Document ID: EDOC1000041694

Views: 60776

Downloads: 3623

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next