CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x&CX31x&CX91x series switch modules. The description covers configuration examples and function configurations.
Configuring DHCP Snooping

This chapter describes DHCP snooping configuration methods.

Configure Basic Functions of DHCP Snooping

DHCP snooping enables DHCP clients to obtain IP addresses from authorized servers and records mappings between IP addresses and MAC addresses of DHCP clients to generate the binding table.

Enabling DHCP Snooping

Context

Before configuring DHCP snooping security functions, you need to enable DHCP snooping.

You must enable DHCP snooping in the system view, and then on an interface or in a VLAN (Virtual Local Area Network).

NOTE:

Enable DHCP globally using the dhcp enable command before enabling DHCP snooping.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    dhcp snooping enable

    DHCP snooping is globally enabled.

    By default, DHCP snooping is globally disabled on the device.

  3. Enable DHCP snooping on an interface or in a VLAN.
    1. Run:

      vlan vlan-id

      The VLAN view is displayed.

      Or run:

      interface interface-type interface-number

      The interface view is displayed.

    2. Run:

      dhcp snooping enable

      DHCP snooping is enabled on the interface or in a VLAN.

      If you run this command in the VLAN view, the command takes effect on all the DHCP messages in the specified VLAN received by all the interfaces on the device.

      By default, DHCP snooping is disabled on the device.

      NOTE:

      Running the dhcp snooping enable vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command in the system view is equivalent to running the dhcp snooping enable command in the VLAN view.

  4. Run:

    commit

    The configuration is committed.

Configuring an Interface as the Trusted Interface

Context

To enable DHCP clients to obtain IP addresses from authorized DHCP servers, you need to configure the interface directly or indirectly connected to a DHCP server trusted by the administrator as the trusted interface, and other interfaces as untrusted interfaces.
  • DHCP Reply messages are forwarded on the trusted interface.
  • The device discards DHCP ACK messages, NAK messages, and Offer messages on untrusted interfaces.
This prevents bogus DHCP servers from assigning IP addresses to DHCP clients.

After enabling DHCP snooping on the interface or in the VLAN connected to the user, configure the interface connected to the DHCP server as the trusted interface, so that the dynamic DHCP snooping binding table is generated.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Configure the interface as the trusted interface in the interface view or VLAN view.

    • In the interface view:

    1. Run:

      interface interface-type interface-number

      The interface view is displayed.

    2. Run:

      dhcp snooping trusted

      The interface is configured as the trusted interface.

      By default, an interface is an untrusted interface.

    • In the VLAN view:

    1. Run:

      vlan vlan-id

      The VLAN view is displayed.

    2. Run:

      dhcp snooping trusted interface interface-type interface-number

      The interface is configured as the trusted interface.

      By default, an interface is an untrusted interface.

      NOTE:

      If you run the dhcp snooping trusted command in the VLAN view, the command takes effect only on DHCP messages in this VLAN received from interfaces that belong to this VLAN. If you run the dhcp snooping trusted command in the interface view, the command takes effect for all the DHCP messages received on the specified interface.

  3. Run:

    commit

    The configuration is committed.

(Optional) Disabling Location Fixation for DHCP Snooping Users

Context

In mobile applications, if a user goes online from interface A and then switches to interface B, you need to disable location fixation for DHCP snooping users.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    undo dhcp snooping fixed-port enable

    Location fixation is disabled for DHCP snooping users.

    By default, location fixation is disabled for DHCP snooping users.

  3. Run:

    commit

    The configuration is committed.

(Optional) Configuring Association Between ARP and DHCP Snooping

Context

When a DHCP snooping-enabled device receives a DHCP Release message sent from a DHCP client, the device deletes the binding entry of the DHCP client. However, if a client is disconnected and cannot send a DHCP Release message, the device cannot immediately delete the binding entry of the DHCP client.

After association between ARP and DHCP snooping is enabled, when the ARP entry mapping an IP address ages, the DHCP snooping-enabled device detects the IP address by performing ARP probe. If the DHCP client is not detected after a specified number of probes, the device deletes the ARP entry. The device then detects the IP address again by performing ARP probe. If the DHCP client still cannot be detected after a specified number of probes, the device deletes the binding entry of the DHCP client.

NOTE:

The device supports association between ARP and DHCP snooping only when the device functions as a DHCP relay agent.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    dhcp snooping user-bind arp-detect enable

    Association between ARP and DHCP snooping is enabled.

    By default, association between ARP and DHCP snooping is disabled.

  3. Run:

    commit

    The configuration is committed.

(Optional) Configuring the Device to Clear the MAC Address Entry Immediately When the User Is Disconnected

Context

If a DHCP client is disconnected but its MAC address entry is not aged, the device forwards the message whose destination address is the IP address of the DHCP client based on the dynamic MAC address entries. This deteriorates device performance.

The DHCP client sends a DHCP Release message when it is disconnected. Upon receiving the message, the device immediately deletes the DHCP snooping binding entry of the DHCP client. You can enable the device to delete the mapping MAC address entry when a dynamic DHCP snooping binding entry is deleted.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    dhcp snooping user-offline remove mac-address

    The device deletes the MAC address entry of a DHCP client when the dynamic binding entry is deleted.

    By default, the device does not delete the MAC address entry of a DHCP client when the dynamic binding entry is deleted.

  3. Run:

    commit

    The configuration is committed.

Checking the Configuration

Context

You can check the DHCP snooping configuration after the configuration is complete.

Procedure

  • Run the display dhcp snooping [ interface interface-type interface-number | vlan vlan-id ] command to view DHCP snooping running information.
  • Run the display user-bind dhcp snooping { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id } * | all } [ verbose ] command to check the binding table.

Configuring DHCP Snooping Attack Defense

After basic DHCP snooping functions are configured, DHCP clients can obtain IP addresses from the authorized DHCP server, preventing bogus DHCP server attacks on the network. However, many other DHCP attacks exist on the network. The administrator can configure DHCP snooping attack defense on the device as required.

Prerequisites

Basic DHCP snooping functions have been completely configured.

Configuring Defense Against Bogus DHCP Server Attacks

Context

After DHCP snooping is enabled and an interface is configured as the trusted interface, the device enables DHCP clients to obtain IP addresses from the authorized DHCP server, preventing bogus DHCP server attacks. However, the location of the bogus DHCP server cannot be detected, which brings security risks on the network.

After detection of DHCP servers is enabled, the DHCP snooping-enabled device checks DHCP Reply messages and records information about the DHCP server that sent them, such as its IP address and port number, in the log. The network administrator then uses the logs to identify whether bogus DHCP servers exist on the network.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    dhcp snooping server record

    Detection of DHCP servers is enabled.

    By default, detection of DHCP servers is disabled.

  3. Run:

    commit

    The configuration is committed.

Configuring Defense Against Attacks from Non-DHCP Users

Context

On a DHCP network, users with static IP addresses may initiate attacks such as bogus DHCP server attacks and bogus DHCP Request message attacks. This brings security risks for authorized DHCP users.

Dynamic MAC address entries are learned and generated by the device, and static MAC address entries are configured by command lines. A MAC address entry includes the MAC address, VLAN ID, and port number of a DHCP client. The device implements Layer 2 forwarding based on MAC address entries.

After static MAC address entry generation is enabled on the user-side interface of the device, the device generates static MAC address entries based on dynamic DHCP snooping binding entries for all DHCP users connected to the interface, clears all the dynamic MAC address entries on the interface, disables the interface from learning dynamic MAC address entries, and enables the interface to match the source MAC address against the MAC address entries. Only messages whose source MAC addresses match the static MAC address entries can pass through the interface; other messages are discarded. Therefore, the administrator needs to manually configure static MAC address entries for non-DHCP users on the interface so that messages sent from non-DHCP users can pass through; otherwise, those messages are discarded. This prevents attacks from non-DHCP users.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

  3. Run:

    dhcp snooping sticky-mac

    The device is enabled to generate static MAC address entries based on the dynamic DHCP snooping binding table.

    By default, the device is disabled from generating static MAC address entries based on the DHCP snooping binding table.

    NOTE:

    The dhcp snooping sticky-mac command cannot be used simultaneously with commands of some other features. For details, see Precautions in dhcp snooping sticky-mac.

  4. Run:

    commit

    The configuration is committed.

Configuring Defense Against DHCP Flood Attacks

Context

On a DHCP network, if an attacker sends a large number of DHCP messages to the device within a short time, the device performance may be affected and the device may not work normally. To prevent DHCP Flood attacks, you can enable the device to check the rate of sending DHCP messages to the processing unit.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. You can limit the rate of sending DHCP messages in the system view, VLAN view, or the interface view.
    1. Run:

      vlan vlan-id

      The VLAN view is displayed.

      Or run:

      interface interface-type interface-number

      The interface view is displayed.

      Or perform the following configurations directly in the system view.

    2. Run:

      dhcp snooping rate-limit enable

      The device is enabled to check the rate of sending DHCP messages to the processing unit.

      By default, the device does not check the rate of sending DHCP messages to the processing unit.

      NOTE:

      If you run this command in the VLAN view, the command takes effect on all the DHCP messages in the specified VLAN received by all the interfaces on the device.

      Running the dhcp snooping rate-limit enable vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command in the system view is equivalent to running the dhcp snooping rate-limit enable command in the VLAN view.

    3. Run:

      dhcp snooping rate-limit rate

      The maximum rate of sending DHCP messages to the processing unit is set.

      By default, the maximum rate of sending DHCP messages to the processing unit is 100 pps.

      NOTE:

      Running the dhcp snooping rate-limit vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command in the system view is equivalent to running the dhcp snooping rate-limit rate command in the VLAN view.

  3. (Optional) Configure the trap function in the system view or interface view.
    1. Run:

      interface interface-type interface-number

      The interface view is displayed.

      Or perform the following configurations directly in the system view.

    2. Run:

      dhcp snooping alarm rate-limit enable

      The device is enabled to generate an alarm when the number of discarded DHCP messages reaches the threshold.

      If you run this command in the system view, the command takes effect on all the interfaces of the device.

      By default, the device does not generate an alarm when the number of discarded DHCP messages reaches the threshold.

    3. Run:

      dhcp snooping alarm rate-limit threshold threshold

      The alarm threshold for the number of discarded DHCP messages is set on the interface.

      By default, the global alarm threshold for discarded DHCP packets is 100 packets, and the alarm threshold on an interface is the same as the value configured in the system view.

  4. Run:

    commit

    The configuration is committed.
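The following Python model, added here as an example and not Huawei's code, shows how the rate limit and the discard alarm described in this section interact: messages beyond the configured rate are discarded, and an alarm is raised once the discard count on an interface reaches the threshold, with an interface-level threshold taking precedence over the system-view one. The one-second counting window, the interface names and the traffic are assumptions of this model.

```python
"""Model of the DHCP message rate limit and discard alarm from this section.
Added example, not Huawei code. A fixed one-second window per interface is
this model's assumption; the 100 pps rate and the 100-packet alarm threshold
are the chapter's defaults. Interface names and traffic are constructed."""
from typing import Dict, List, Tuple


class DhcpRateLimiter:
    def __init__(self, rate_pps: int = 100, alarm_threshold: int = 100) -> None:
        self.rate = rate_pps                      # dhcp snooping rate-limit rate (default 100 pps)
        self.global_threshold = alarm_threshold   # dhcp snooping alarm rate-limit threshold (system view)
        self.iface_threshold: Dict[str, int] = {}  # same command run in the interface view
        self.window: Dict[str, Tuple[int, int]] = {}  # iface -> (second, messages sent to CPU)
        self.dropped: Dict[str, int] = {}         # iface -> discarded messages
        self.alarms: List[str] = []

    def set_interface_threshold(self, iface: str, threshold: int) -> None:
        self.iface_threshold[iface] = threshold

    def threshold(self, iface: str) -> int:
        # Interface-level value overrides the global one, as the chapter states.
        return self.iface_threshold.get(iface, self.global_threshold)

    def offer(self, iface: str, ts: float) -> bool:
        """True if the message is sent to the processing unit, False if discarded."""
        sec = int(ts)
        start, n = self.window.get(iface, (sec, 0))
        if start != sec:                          # a new one-second window starts
            start, n = sec, 0
        if n < self.rate:
            self.window[iface] = (start, n + 1)
            return True
        self.window[iface] = (start, n)
        self.dropped[iface] = self.dropped.get(iface, 0) + 1
        if self.dropped[iface] == self.threshold(iface):   # alarm once, on reaching the threshold
            self.alarms.append(f"{iface}: {self.dropped[iface]} DHCP messages discarded by rate limit")
        return False


def demo() -> Dict[str, object]:
    lim = DhcpRateLimiter()                       # chapter defaults: 100 pps, threshold 100
    lim.set_interface_threshold("acc2", 50)       # stricter alarm on one access port
    # Constructed flood: 300 messages within one second on acc1 and acc2, 80 on acc3.
    sent: Dict[str, int] = {}
    for iface, count in (("acc1", 300), ("acc2", 300), ("acc3", 80)):
        sent[iface] = sum(lim.offer(iface, 1000.0 + k / count) for k in range(count))
    next_sec = lim.offer("acc1", 1001.0)          # next second: window resets, accepted again
    return {"sent": sent, "dropped": dict(lim.dropped), "alarms": list(lim.alarms), "next_sec": next_sec}
```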

Configuring Defense Against Bogus DHCP Message Attacks

Context

If an attacker sends a bogus DHCP Request message to the DHCP server to extend the lease, the IP address cannot be released after the lease expires and authorized users cannot use the IP address. If the attacker forges a DHCP Release message of an authorized user and sends it to the DHCP server, the authorized user may be disconnected.

After a DHCP snooping binding table is generated, the device checks DHCP Request and Release messages against the binding table. Only DHCP messages that match entries are forwarded. This prevents unauthorized users from sending bogus DHCP Request messages or Release messages to extend the lease or to release IP addresses.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. You can enable the device to check the DHCP messages against the binding table in the system view, VLAN view, or interface view.

    • In the system view:

    1. Run:

      dhcp snooping check binding enable vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>

      The device is enabled to check DHCP messages in specified VLANs against the DHCP snooping binding table.

      By default, the device does not check DHCP messages against the DHCP snooping binding table.

    • In the VLAN view or interface view:

    1. Run:

      vlan vlan-id

      The VLAN view is displayed.

      Or run:

      interface interface-type interface-number

      The interface view is displayed.

    2. Run:

      dhcp snooping check binding enable

      The device is enabled to check DHCP messages against the DHCP snooping binding table.

      By default, the device does not check DHCP messages against the DHCP snooping binding table.

      NOTE:

      If you run this command in the VLAN view, the command takes effect on all the DHCP messages in the specified VLAN received by all the interfaces on the device.

    3. Run:

      quit

      Return to the system view.

  3. Enable the trap function for DHCP snooping in the interface view.
    1. Run:

      interface interface-type interface-number

      The interface view is displayed.

    2. Run:

      dhcp snooping alarm binding enable

      An alarm is generated when the number of DHCP messages discarded because they do not match DHCP snooping binding entries reaches the threshold.

      By default, the trap function for discarded DHCP messages is disabled.

    3. Run:

      quit

      Return to the system view.

  4. (Optional) Set the alarm threshold for the number of messages discarded by DHCP snooping in the system view or interface view.

    • In the system view:

    1. Run:

      dhcp snooping alarm threshold threshold

      The alarm threshold for the number of discarded messages by DHCP snooping is set.

      If you run this command in the system view, the command takes effect on all the interfaces of the device.

      By default, the alarm threshold for the number of messages discarded by DHCP snooping is 100.

    • In the interface view:

    1. Run:

      interface interface-type interface-number

      The interface view is displayed.

    2. Run:

      dhcp snooping alarm binding threshold threshold

      The alarm threshold for the number of messages discarded because they do not match the DHCP snooping binding entries is set.

      By default, an alarm is generated in the system when at least 100 DHCP snooping messages are discarded, and the alarm threshold on an interface is set using the dhcp snooping alarm threshold command in the system view.

  5. Run:

    commit

    The configuration is committed.

Configuring Defense Against DHCP Server DoS Attacks

Context

Malicious use of IP addresses exhausts IP addresses in the IP address pool, which leaves no IP address for authorized users. The DHCP server generally identifies the MAC address of a DHCP client based on the CHADDR (client hardware address) field in the DHCP Request message. If attackers continuously apply for IP addresses by changing the CHADDR field, IP addresses in the address pool on the DHCP server may be exhausted. As a result, authorized users cannot obtain IP addresses.

To prevent malicious IP address application, you can set the maximum number of DHCP snooping binding entries to be learned on an interface. When the number of DHCP snooping binding entries reaches the maximum value, no DHCP client can obtain an IP address through the interface. To prevent attackers from continuously changing the CHADDR field in the DHCP Request message, you can enable the device to check whether the MAC address in the Ethernet frame header matches the CHADDR field in the DHCP message. If the two values match, the message is forwarded; if the two values do not match, the message is discarded.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Set the maximum number of DHCP snooping binding entries to be learned by an interface in the system view, VLAN view, or interface view.
    1. Run:

      vlan vlan-id

      The VLAN view is displayed.

      Or run:

      interface interface-type interface-number

      The interface view is displayed.

      Or perform the following configurations in the system view.

    2. Run:

      dhcp snooping user-bind max-number max-number

      The maximum number of DHCP snooping binding entries is set on the interface.

      If you run this command in the system view, the value specified in this command is the total number of DHCP snooping binding entries learned by all interfaces on the device.

      If you run this command in the VLAN view, the command takes effect for all the interfaces in the VLAN.

      By default, a maximum of 32768 DHCP snooping binding entries can be learned on an interface.

      NOTE:

      Running the dhcp snooping user-bind max-number max-number vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command in the system view is equivalent to running the dhcp snooping user-bind max-number max-number command in the VLAN view.

      If you run this command in the system view, VLAN view, and the interface view, the smallest value takes effect.

  3. Enable the device to check the CHADDR field in the message in the system view, VLAN view, or interface view.

    • In the system view:

    1. Run:

      dhcp snooping check mac-address enable vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>

      The device is enabled to check whether the MAC address in the Ethernet frame header matches the CHADDR field in the DHCP message.

      By default, the device does not check whether the MAC address in the Ethernet frame header matches the CHADDR field in the DHCP message.

    • In the VLAN view or interface view:

    1. Run:

      vlan vlan-id

      The VLAN view is displayed.

      Or run:

      interface interface-type interface-number

      The interface view is displayed.

    2. Run:

      dhcp snooping check mac-address enable

      The device is enabled to check whether the MAC address in the Ethernet frame header matches the CHADDR field in the DHCP message.

      By default, the device does not check whether the MAC address in the Ethernet frame header matches the CHADDR field in the DHCP message.

      NOTE:

      If you run the dhcp snooping check mac-address enable command in the VLAN view, the command takes effect on all the DHCP messages in the specified VLAN received by all the interfaces on the device. If you run the dhcp snooping check mac-address enable command in the interface view, the command takes effect for all the DHCP messages received on the interface.

    3. Run:

      quit

      Return to the system view.

  4. (Optional) Set the alarm threshold for the number of messages discarded by DHCP snooping in the system view or interface view.

    • In the system view:

    1. Run:

      dhcp snooping alarm threshold threshold

      The global alarm threshold for the number of discarded messages by DHCP snooping is set.

      If you run this command in the system view, the command takes effect for all the interfaces on the device.

      By default, the global alarm threshold for the number of messages discarded by DHCP snooping is 100.

    • In the interface view:

    1. Run:

      interface interface-type interface-number

      The interface view is displayed.

    2. Run:

      dhcp snooping alarm mac-address threshold threshold

      The alarm threshold for the number of DHCP messages discarded because the CHADDR field in the DHCP messages does not match the source MAC address in the Ethernet frame header is set.

      By default, an alarm is generated in the system when at least 100 DHCP snooping messages are discarded, and the alarm threshold on an interface is set using the dhcp snooping alarm threshold command in the system view.

  5. Run:

    commit

    The configuration is committed.
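The following Python model is an added example, not Huawei's code and not part of this guide. It encodes the checks described in the trusted-interface, bogus DHCP message and DHCP server DoS sections (server replies accepted only on the trusted interface, binding-table learning and checking of Request/Release messages, the per-interface max-number limit and the CHADDR check) and runs constructed traffic through them. Interface names, MAC and IP addresses are constructed; exempting initial DISCOVER/REQUEST messages, which carry no client IP yet, from the binding-table check is an assumption of this model.

```python
"""Behavioural model of the DHCP snooping checks this chapter configures. Added
example, not Huawei code. Interface names, MAC and IP addresses are constructed;
exempting initial DISCOVER/REQUEST messages (no client IP yet) from the
binding-table check is an assumption of this model, not a statement of the chapter."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

SERVER_REPLIES = {"OFFER", "ACK", "NAK"}   # accepted only on a trusted interface
CLIENT_CHECKED = {"REQUEST", "RELEASE"}    # checked against the binding table

@dataclass
class Frame:
    in_iface: str             # interface the frame arrived on
    vlan: int
    src_mac: str              # source MAC in the Ethernet frame header
    chaddr: str               # client hardware address field of the DHCP message
    msg_type: str             # DISCOVER, OFFER, REQUEST, ACK, NAK or RELEASE
    ip: Optional[str] = None  # yiaddr in an ACK; ciaddr in a renew REQUEST or RELEASE

@dataclass
class Snooper:
    trusted: Set[str] = field(default_factory=set)   # dhcp snooping trusted
    check_binding: bool = False   # dhcp snooping check binding enable
    check_mac: bool = False       # dhcp snooping check mac-address enable
    max_bindings: int = 32768     # dhcp snooping user-bind max-number (default)
    # binding table: (client MAC, VLAN) -> (IP address, client-side interface)
    bindings: Dict[Tuple[str, int], Tuple[str, str]] = field(default_factory=dict)
    pending: Dict[Tuple[str, int], str] = field(default_factory=dict)  # awaiting ACK
    discards: Dict[str, int] = field(default_factory=dict)             # reason -> count

    def _drop(self, reason: str) -> Tuple[str, str]:
        self.discards[reason] = self.discards.get(reason, 0) + 1
        return ("DROP", reason)

    def process(self, f: Frame) -> Tuple[str, str]:
        key = (f.chaddr, f.vlan)
        if f.msg_type in SERVER_REPLIES:
            # Offer/ACK/NAK arriving on an untrusted interface comes from a bogus server.
            if f.in_iface not in self.trusted:
                return self._drop("server-reply-on-untrusted")
            if f.msg_type == "ACK" and f.ip and key in self.pending:
                self.bindings[key] = (f.ip, self.pending.pop(key))  # learn the binding
            return ("FORWARD", "trusted-reply")
        # CHADDR must match the frame source MAC (defence against address exhaustion).
        if self.check_mac and f.src_mac != f.chaddr:
            return self._drop("chaddr-mismatch")
        # Renew REQUEST / RELEASE must match an existing binding (MAC, VLAN, IP, interface).
        if self.check_binding and f.msg_type in CLIENT_CHECKED and f.ip:
            if self.bindings.get(key) != (f.ip, f.in_iface):
                return self._drop("binding-mismatch")
        if f.msg_type == "RELEASE":
            self.bindings.pop(key, None)   # client offline: delete its binding entry
            return ("FORWARD", "release")
        if key not in self.bindings:
            # max-number: once the interface is full, no new client can get an address.
            if sum(i == f.in_iface for _, i in self.bindings.values()) >= self.max_bindings:
                return self._drop("max-number-reached")
            self.pending[key] = f.in_iface
        return ("FORWARD", "client-message")

def demo() -> Dict[str, object]:
    """Constructed traffic: 'up0' faces the authorized server, 'acc1'/'acc2' face clients."""
    s = Snooper(trusted={"up0"}, check_binding=True, check_mac=True, max_bindings=2)
    srv, c1 = "00:00:5e:00:53:aa", "00:00:5e:00:53:01"
    out: Dict[str, object] = {}
    out["discover"] = s.process(Frame("acc1", 10, c1, c1, "DISCOVER"))
    # A bogus server on an access port answers the client: discarded.
    out["rogue_offer"] = s.process(Frame("acc2", 10, "00:00:5e:00:53:ee", c1, "OFFER", "192.0.2.99"))
    out["ack"] = s.process(Frame("up0", 10, srv, c1, "ACK", "192.0.2.10"))
    out["binding"] = s.bindings.get((c1, 10))
    # Forged RELEASE for the client's IP sent from another port with spoofed MAC/CHADDR.
    out["forged_release"] = s.process(Frame("acc2", 10, c1, c1, "RELEASE", "192.0.2.10"))
    # DISCOVER whose CHADDR differs from the frame source MAC.
    out["chaddr"] = s.process(Frame("acc2", 10, "00:00:5e:00:53:02", "00:00:5e:00:53:03", "DISCOVER"))
    # Two legitimate clients fill acc2 (max_bindings=2); a third is refused.
    for i, ip in enumerate(["192.0.2.21", "192.0.2.22"]):
        m = f"00:00:5e:00:53:2{i}"
        s.process(Frame("acc2", 10, m, m, "DISCOVER"))
        s.process(Frame("up0", 10, srv, m, "ACK", ip))
    m3 = "00:00:5e:00:53:23"
    out["third"] = s.process(Frame("acc2", 10, m3, m3, "DISCOVER"))
    out["discards"] = dict(s.discards)
    return out
```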

Checking the Configuration

Context

After DHCP snooping attack defense is completely configured, you can check configured parameters.

Procedure

  • Run the display dhcp snooping [ interface interface-type interface-number | vlan vlan-id ] command to view DHCP snooping running information.
  • Run the display mac-address snooping [ interface-type interface-number | vlan vlan-id ] * command to view static MAC address entries generated from the DHCP snooping binding table.

Inserting the Option 82 Field to a DHCP Message

You can configure a device to insert the Option 82 field to a DHCP message to notify the DHCP server of the DHCP client location.

Context

The Option 82 field records the location of a DHCP client. A device inserts the Option 82 field to a DHCP Request message to notify the DHCP server of the DHCP client location. The DHCP server can assign an IP address and other configurations to the DHCP client, ensuring DHCP client security.

NOTE:

DHCP Option 82 must be configured on the user side of the device; otherwise, the DHCP message sent to the DHCP server will not carry Option 82.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. You can configure the device to insert the Option 82 field to a DHCP message in the interface view or VLAN view. If the configuration is performed in the VLAN view, the configuration takes effect for all the DHCP messages from this VLAN received by the interface. If the configuration is performed in the interface view, the configuration takes effect only for the specified interface.

    • In the VLAN view:

    1. Run the vlan vlan-id command to enter the VLAN view.

    2. Run the dhcp option82 { insert | rebuild } enable command to enable the device to insert the Option 82 field to a DHCP message.

      By default, the device is disabled from inserting the Option 82 field to a DHCP message.

    3. Run the quit command to return to the system view.

    • In the interface view:

    1. Run the interface interface-type interface-number command to enter the interface view.

    2. Run the dhcp option82 { insert | rebuild } enable command to enable the device to insert the Option 82 field to a DHCP message.

      By default, the device is disabled from inserting the Option 82 field to a DHCP message.

    3. Run the quit command to return to the system view.

  3. (Optional) You can configure the format of the Option 82 field in the system view or interface view. If the configuration is performed in the system view, the configuration takes effect for all interfaces on the device. If the configuration is performed in the interface view, the configuration takes effect only for the specified interface.

    • In the system view:

    1. Run the dhcp option82 [ circuit-id | remote-id ] format { default | common | extend | user-defined text } command to configure the format of the Option 82 field in a DHCP message.

      By default, the format of the Option 82 field in a DHCP message is default.

    • In the interface view:

    1. Run the interface interface-type interface-number command to enter the interface view.

    2. Run the dhcp option82 [ vlan vlan-id ] [ circuit-id | remote-id ] format { default | common | extend | user-defined text } command to configure the format of the Option 82 field in a DHCP message.

      By default, the format of the Option 82 field in a DHCP message is default.

      NOTE:

      Layer 3 Ethernet interfaces do not support the vlan parameter.

  4. Run:

    commit

    The configuration is committed.

Checking the Configuration
  • Run the display dhcp option82 configuration [ vlan vlan-id | interface interface-type interface-number ] command to view the DHCP Option 82 configuration.
Updated: 2019-08-09

Document ID: EDOC1000041694
