
S1720GFR, S2700, S5700, and S6720 V200R010C00 Web-based Configuration Guide

This document describes the configuration and maintenance of the device through the web network management system. The web network management system provides the functions of viewing device information and managing the entire system, interfaces, services, ACL, QoS, routes, security, and tools.

DHCP Snooping

The Dynamic Host Configuration Protocol (DHCP) snooping function ensures that DHCP clients can obtain IP addresses from authorized DHCP servers.

Context

The DHCP snooping function ensures that DHCP clients obtain IP addresses from authorized DHCP servers and records mappings between IP addresses and MAC addresses of DHCP clients, preventing DHCP attacks on the network.

Global Parameter Configuration

Before setting DHCP snooping parameters, you must enable the DHCP snooping function globally.

Context

The DHCP snooping function ensures that DHCP clients obtain IP addresses from authorized DHCP servers and records mappings between IP addresses and MAC addresses of DHCP clients, preventing DHCP attacks on the network.

Procedure

  1. Choose Security > DHCP Snooping > Global Parameter Configuration in the navigation tree to open the Global Parameter Configuration page, as shown in Figure 2-228.

    Figure 2-228  Global Parameter Configuration

  2. Enable the DHCP snooping function and click Apply.

Interface Status Configuration

Before setting DHCP snooping parameters on an interface, you must enable the DHCP snooping function on the interface.

Context

The DHCP snooping function ensures that DHCP clients obtain IP addresses from authorized DHCP servers and records mappings between IP addresses and MAC addresses of DHCP clients, preventing DHCP attacks on the network.

Procedure

  • Enable DHCP snooping on an interface.
    1. Choose Security > DHCP Snooping > Interface Status Configuration in the navigation tree to open the Interface Status Configuration page, as shown in Figure 2-229.

      Figure 2-229  Interface Status Configuration

      Table 2-134 describes the parameters on the page.

      Table 2-134  Interface Status Configuration

      | Parameter | Description |
      | --- | --- |
      | Interface Name | Indicates the name of the interface. |
      | Status | Indicates whether DHCP snooping is enabled on the interface. |

    2. Select interfaces and click Configure to open the Interface Status Configuration page, as shown in Figure 2-230.

      Figure 2-230  Interface Status Configuration on Specified Interface

      Table 2-135 describes the parameters on the page.

      Table 2-135  Interface Status Configuration on Specified Interface

      | Parameter | Description |
      | --- | --- |
      | Interface name | Indicates the interface where the DHCP snooping function will be configured. |
      | DHCP snooping status | Indicates the DHCP snooping status on the interface, including enabled and disabled. |

    3. Enable the DHCP snooping function and click OK.
  • Update the DHCP snooping status on the interface.
    1. Choose Security > DHCP Snooping > Interface Status Configuration in the navigation tree to open the Interface Status Configuration page.
    2. Click Refresh.
  • Query the DHCP snooping status on the interface.
    1. Choose Security > DHCP Snooping > Interface Status Configuration in the navigation tree to open the Interface Status Configuration page.
    2. In the Query area, select an interface type and enter the interface number, and click Query.

Interface Trust Configuration

After DHCP snooping is enabled, set the interface connected to the authorized DHCP server as a trusted interface.

Context

On a network with DHCP snooping configured, the interfaces directly or indirectly connected to a valid DHCP server are generally configured as trusted interfaces.

Procedure

  • Configure the interface as a trusted interface.
    1. Choose Security > DHCP Snooping > Interface Trust Configuration in the navigation tree to open the Interface Trust Configuration page, as shown in Figure 2-231.

      Figure 2-231  Interface Trust Configuration

      Table 2-136 describes the parameters on the page.

      Table 2-136  Interface Trust Configuration

      | Parameter | Description |
      | --- | --- |
      | Interface Name | Indicates the name of the interface. |
      | Status | Indicates whether the interface is a trusted interface. |

    2. Select an interface and click Configure to open the Interface Trust Configuration page, as shown in Figure 2-232.

      Figure 2-232  Interface Trust Configuration on Specified Interface

      Table 2-137 describes the parameters on the page.

      Table 2-137  Interface Trust Configuration on Specified Interface

      | Parameter | Description |
      | --- | --- |
      | Interface name | Indicates the interface where the DHCP snooping function will be configured. |
      | Status | Indicates the interface status, including trusted and untrusted. |

    3. Enable the DHCP snooping function and click OK.
  • Update interface status.
    1. Choose Security > DHCP Snooping > Interface Trust Configuration in the navigation tree to open the Interface Trust Configuration page.
    2. Click Refresh.
  • Query interface status.
    1. Choose Security > DHCP Snooping > Interface Trust Configuration in the navigation tree to open the Interface Trust Configuration page.
    2. In the Query area, select an interface type and enter the interface number, and click Query.

Interface Parameter Settings

On a network with DHCP configured, attackers can use many methods to attack the network. You can configure DHCP snooping to prevent DHCP attacks.

Context

After the DHCP snooping basic function is configured on a switch, the switch ensures that DHCP clients obtain IP addresses from authorized DHCP servers. This function effectively prevents bogus DHCP server attacks. On a network with DHCP configured, attackers can use many methods to attack the network. You can configure DHCP snooping to prevent DHCP attacks.

Procedure

  • Set interface parameters.
    1. Choose Security > DHCP Snooping > Interface Parameter Settings in the navigation tree to open the Interface Parameter Settings page, as shown in Figure 2-233.

      Figure 2-233  Interface Parameter Settings

      Table 2-138 describes the parameters on the page.

      Table 2-138  Interface Parameter Settings

      | Parameter | Description |
      | --- | --- |
      | Interface Name | Indicates the name of the interface. |
      | Packet Rate Limiting | Indicates whether the function of detecting the rate of DHCP packets sent to the DHCP module is enabled. |
      | Packet Rate Alarm | Indicates that an alarm is sent when the number of discarded DHCP packets reaches the limit. |
      | Alarm Threshold (packets) | Indicates the alarm threshold for DHCP packet discarding. When the number of discarded DHCP packets reaches this threshold, an alarm is reported. |
      | Lease Extending Check | Indicates whether the function of checking DHCP packets against the binding table is enabled. |
      | Lease Extending Alarm | Indicates whether the alarm function for DHCP packets discarded in the binding table check is enabled. |
      | Alarm Threshold (packets) | Indicates the alarm threshold for DHCP packet discarding. When the number of discarded DHCP packets reaches this threshold, an alarm is reported. |
      | CHADDR Check | Indicates the function of comparing the source MAC address in the DHCP Request packet header with the CHADDR field. |
      | CHADDR Alarm | A CHADDR alarm is reported when the number of packets discarded in the CHADDR field check reaches the alarm threshold. |
      | Alarm Threshold (packets) | When the number of packets discarded in the CHADDR field check reaches this alarm threshold, the device generates a CHADDR alarm. |

    2. Select interfaces and click Configure to open the Interface Parameter Settings page, as shown in Figure 2-234.

      Figure 2-234  Interface Parameter Settings on Specified Interface

      Table 2-139 describes the parameters on the page.

      Table 2-139  Interface Parameter Settings on Specified Interface

      | Parameter | Description |
      | --- | --- |
      | Interface name | Indicates the interface where the DHCP snooping function will be configured. |
      | Packet rate limiting | Indicates the packet rate limiting function on the interface, including enabled and disabled. |
      | Packet rate alarm | Indicates the packet rate limiting alarm on the interface, including enabled and disabled. |
      | Alarm threshold | Indicates the packet rate alarm threshold. |
      | Lease extending check | Indicates the status of the lease extending check function, including enabled and disabled. |
      | Lease extending alarm | Indicates the status of the lease extending check alarm, including enabled and disabled. |
      | Alarm threshold | Indicates the lease extending alarm threshold. |
      | CHADDR check | Indicates the status of the CHADDR check function, including enabled and disabled. |
      | CHADDR alarm | Indicates the status of the CHADDR alarm function, including enabled and disabled. |
      | Alarm threshold | Indicates the CHADDR alarm threshold. |

    3. Set the required parameters.
    4. Click OK.
  • Update interface parameters.
    1. Choose Security > DHCP Snooping > Interface Parameter Settings in the navigation tree to open the Interface Parameter Settings page.
    2. Click Refresh.
  • Query interface parameters.
    1. Choose Security > DHCP Snooping > Interface Parameter Settings in the navigation tree to open the Interface Parameter Settings page.
    2. In the Query area, select an interface type and enter the interface number, and click Query.

Binding Table Information

DHCP snooping tables include dynamic and static binding tables. Dynamic binding entries are generated through DHCP packets, and static binding entries are manually configured.

Context

The DHCP snooping-enabled device forwards DHCP Request packets of users (DHCP clients) to a valid DHCP server through the trusted interface, and then generates DHCP snooping binding entries according to the DHCP ACK messages received from the DHCP server. When receiving DHCP messages from users through the DHCP snooping-enabled interfaces, the device checks the messages against the binding table, to prevent attacks initiated by unauthorized users.

DHCP snooping tables include dynamic and static binding tables. Dynamic binding entries are generated through DHCP packets, and static binding entries are manually configured. When many static binding entries need to be configured, use a profile to import the entries.
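
The decisions described here and under Interface Parameter Settings (trusted interfaces, binding entries learned from DHCP ACK, the CHADDR check, the lease extending check and alarm thresholds), modeled in Python as an added example that is not Huawei's code. Class, field and reason names are hypothetical, one alarm threshold stands in for the per-check thresholds, and packet rate limiting is not modeled.

```python
# Added example: simplified model of DHCP snooping decisions (hypothetical names).
from dataclasses import dataclass, field

SERVER_TYPES = {"OFFER", "ACK", "NAK"}

@dataclass(frozen=True)
class DhcpMsg:
    msg_type: str   # DISCOVER, OFFER, REQUEST, ACK, NAK or RELEASE
    src_mac: str    # source MAC in the Ethernet frame header
    chaddr: str     # client hardware address field in the DHCP payload
    ip: str = ""    # ciaddr for client messages, yiaddr for server replies
    vlan: int = 1

@dataclass
class SnoopingSwitch:
    trusted: set                  # interfaces facing the authorized DHCP server
    chaddr_check: bool = True
    lease_check: bool = True
    alarm_threshold: int = 100    # one threshold for all checks (simplification)
    bindings: dict = field(default_factory=dict)  # (mac, vlan) -> (ip, interface)
    pending: dict = field(default_factory=dict)   # (mac, vlan) -> client interface
    drops: dict = field(default_factory=dict)     # (interface, reason) -> count

    def _drop(self, ifname, reason):
        key = (ifname, reason)
        self.drops[key] = self.drops.get(key, 0) + 1
        # The alarm flag is set once the discard count reaches the threshold.
        return ("drop", reason, self.drops[key] >= self.alarm_threshold)

    def handle(self, ifname, m):
        key = (m.chaddr, m.vlan)
        if m.msg_type in SERVER_TYPES:
            # Server replies are accepted only on trusted interfaces.
            if ifname not in self.trusted:
                return self._drop(ifname, "untrusted-server")
            if m.msg_type == "ACK" and key in self.pending:
                # Dynamic binding entry learned from the server's ACK.
                self.bindings[key] = (m.ip, self.pending.pop(key))
            return ("forward", "server-reply", False)
        if ifname not in self.trusted:
            # CHADDR check: frame source MAC must equal the CHADDR field.
            if self.chaddr_check and m.src_mac != m.chaddr:
                return self._drop(ifname, "chaddr-mismatch")
            # Lease check: renewals and releases must match a binding entry.
            bound = m.msg_type in ("REQUEST", "RELEASE") and m.ip != ""
            if self.lease_check and bound and self.bindings.get(key) != (m.ip, ifname):
                return self._drop(ifname, "binding-mismatch")
            if m.msg_type == "RELEASE":
                self.bindings.pop(key, None)
            else:
                self.pending[key] = ifname
        return ("forward", "client-request", False)
```

With `lease_check=False`, a RELEASE arriving on the wrong interface removes the victim's binding entry in this model, which is the failure the lease extending check exists to prevent.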

Procedure

  • Import static binding entries.
    1. Choose Security > DHCP Snooping > Binding Table Information in the navigation tree to open the Binding Table Information page, as shown in Figure 2-235.

      Figure 2-235  Binding Table

      Table 2-140 describes the parameters on the page.

      Table 2-140  Binding Table

      | Parameter | Description |
      | --- | --- |
      | Interface Name | Indicates the name of the interface where DHCP snooping binding tables are configured. |
      | VLAN ID | Indicates the ID of the VLAN where DHCP snooping binding tables are configured. |
      | IP | Indicates the IP address in a DHCP snooping binding entry. |
      | MAC | Indicates the MAC address in a DHCP snooping binding entry. |
      | Type | Indicates the type of a DHCP snooping binding table, including dynamic and static. |

    2. Click Download profile and fill in the static binding table information.
    3. Click Browse to set the path where the profile is stored.
    4. Click Import.
  • Export static binding entries.
    1. Choose Security > DHCP Snooping > Binding Table Information in the navigation tree to open the Binding Table Information page.
    2. Click Export.
  • Query binding table information.
    1. Choose Security > DHCP Snooping > Binding Table Information in the navigation tree to open the Binding Table Information page.
    2. In the Query area, enter one or more of the following conditions:

      • Interface type and interface number
      • VLAN ID
      • IP address
      • MAC address

    3. Click Query.
  • Update binding table information.
    1. Choose Security > DHCP Snooping > Binding Table Information in the navigation tree to open the Binding Table Information page.
    2. Click Refresh.
  • Delete binding entries.
    1. Choose Security > DHCP Snooping > Binding Table Information in the navigation tree to open the Binding Table Information page.
    2. Select binding entries and click Delete. Click OK in the displayed dialog box.
Updated: 2019-08-21

Document ID: EDOC1000114003