Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Configuring DHCP Snooping

Configuring Basic Functions of DHCP Snooping

DHCP snooping allows DHCP clients to obtain IP addresses from authorized DHCP servers, and records mappings between IP addresses and MAC addresses of DHCP clients to a binding table.

Pre-configuration Tasks

Before configuring DHCP snooping, configure the DHCP function. (For the DHCP configuration, see DHCP Configuration.)

The procedures in Enabling DHCP Snooping and Configuring an Interface as a Trusted Interface also apply to DHCPv6 snooping.

NOTE:
DHCPv4 snooping can be configured on a Layer 2 access device and the first-hop DHCPv4 relay agent. DHCPv6 snooping can be configured on a Layer 2 access device, but cannot be configured on the first-hop DHCPv6 relay agent.
Configuration Procedure

Configure the basic functions of DHCP snooping on a Layer 2 access device or on the first-hop DHCP relay agent.

Enabling DHCP Snooping

Context

DHCP snooping ensures security of the DHCP service. Before configuring DHCP snooping functions, you need to enable DHCP snooping.

You must enable DHCP snooping first in the system view, and then on an interface or in a VLAN.

NOTE:

Use the dhcp enable command to enable DHCP globally before enabling DHCP snooping.

NOTE:

DHCP snooping does not support the BOOTP protocol, which is used by diskless workstations. Therefore, DHCP snooping binding entries cannot be generated for diskless workstations. IPSG and DAI are implemented based on binding entries. For this reason, to use them on a diskless workstation, you must configure static binding entries by running the user-bind static command.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dhcp snooping enable

    DHCP snooping is globally enabled.

    By default, DHCP snooping is globally disabled on the device.

    NOTE:

    The dhcp snooping enable command in the system view is the prerequisite for DHCP snooping-related functions. After the undo dhcp snooping enable command is run, all DHCP snooping-related configurations of the device are deleted. After DHCP snooping is enabled again using the dhcp snooping enable command, all DHCP snooping-related configurations of the device are restored to the default configurations.

  3. Enable DHCP snooping in the system, VLAN, or interface view.

    • In the system view:

    1. Run dhcp snooping enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

      DHCP snooping is enabled on the device.

      By default, DHCP snooping is disabled on the device.

    • In the VLAN view or interface view:

    1. Run vlan vlan-id

      The VLAN view is displayed.

      Or run interface interface-type interface-number

      The interface view is displayed.

    2. Run dhcp snooping enable

      DHCP snooping is enabled on the interface or in a VLAN.

      By default, DHCP snooping is disabled on the device.

    If you run this command in the VLAN view, the command takes effect on all the DHCP messages received by all interfaces from the specified VLAN. If you run this command in the interface view, the command takes effect on all the DHCP messages received by the specified interface.

Configuring an Interface as a Trusted Interface

Context

To enable DHCP clients to obtain IP addresses only from authorized DHCP servers, configure the interfaces directly or indirectly connected to the DHCP servers trusted by the administrator as the trusted interfaces, and other interfaces as untrusted interfaces. This prevents bogus DHCP servers from assigning IP addresses to DHCP clients.

After enabling DHCP snooping on the interface connected to the user, configure the interface connected to the DHCP server as the trusted interface, so that the dynamic DHCP snooping binding table is generated.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure the interface as the trusted interface in the interface view.

    • In the interface view:

    1. Run interface interface-type interface-number

      The interface view is displayed.

    2. Run dhcp trust port

      The interface is configured as the trusted interface.

      By default, an interface is an untrusted interface.

    If you run the dhcp trust port command in the interface view, the command takes effect for all the DHCP messages received on the specified interface.

(Optional) Enabling Location Transition for DHCP Snooping Users

Context

In mobile applications, if a user goes online from interface A and then switches to interface B, you need to enable location transition for DHCP snooping users.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dhcp snooping user-transfer enable

    Location transition is enabled for DHCP snooping users.

    By default, location transition is enabled for DHCP snooping users.

(Optional) Configuring Association Between ARP and DHCP Snooping

Context

When a DHCP snooping-enabled device receives a DHCP Release message sent from a DHCP client, the device deletes the binding entry of the DHCP client. However, if a client is unexpectedly disconnected and cannot send a DHCP Release message, the device cannot immediately delete the binding entry of the DHCP client.

After association between ARP and DHCP snooping is enabled, the DHCP snooping-enabled device performs an ARP probe to detect the IP address when the ARP entry mapping an IP address ages. If the DHCP client is not detected after a specified number of probes, the device deletes the ARP entry. The device then performs an ARP probe again to detect the IP address. If the DHCP client still cannot be detected after a specified number of probes, the device deletes the binding entry of the DHCP client.

NOTE:

A device supports association between ARP and DHCP snooping only when the device functions as a DHCP relay agent.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run arp dhcp-snooping-detect enable

    Association between ARP and DHCP snooping is enabled.

    By default, association between ARP and DHCP snooping is disabled.

(Optional) Configuring the Device to Discard DHCP Request Messages When GIADDR Field Is Not 0

Context

The gateway IP address (GIADDR) field in a DHCP Request message records the IP address of the first DHCP relay agent through which the DHCP Request message passes. When a DHCP client sends a DHCP Request message, if the DHCP server and client are on different network segments, the first DHCP relay agent fills its own IP address in the GIADDR field before forwarding the DHCP Request message. The DHCP server then uses the IP address in this field to locate the DHCP client and select an appropriate address pool from which to assign an IP address to the client.

To ensure that the device obtains parameters such as MAC addresses for generating a binding table, enable DHCP snooping on Layer 2 access devices or the first DHCP relay agent. This ensures that the GIADDR field in the DHCP Request messages received by the DHCP snooping-enabled device is 0. If the GIADDR field is not 0, the message is considered to be invalid and discarded.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Enable the device to check whether the GIADDR field in the DHCP Request message is 0 in the system view, VLAN view, or interface view.

    • In the system view:

    1. Run dhcp snooping check dhcp-giaddr enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

      The device is enabled to check whether the GIADDR field in a DHCP Request message is 0.

      By default, the device does not check whether the GIADDR field in a DHCP Request message is 0.

    • In the VLAN view or interface view:

    1. Run vlan vlan-id

      The VLAN view is displayed.

      Or run interface interface-type interface-number

      The interface view is displayed.

    2. Run dhcp snooping check dhcp-giaddr enable

      The device is enabled to check whether the GIADDR field in a DHCP Request message is 0.

      By default, the device does not check whether the GIADDR field in a DHCP Request message is 0.

    If you run this command in the VLAN view, the command takes effect on all the DHCP messages in the specified VLAN received by all the interfaces on the device. If you run this command in the interface view, the command takes effect on all the DHCP messages received by the specified interface.

Verifying the DHCP Snooping Configuration

Context

You can verify the DHCP snooping configuration after the configuration is complete.

Procedure

  • Run the display dhcp snooping [ interface interface-type interface-number | vlan vlan-id ] command to view DHCP snooping running information.
  • Run the display dhcp snooping configuration [ vlan vlan-id | interface interface-type interface-number ] command to view the DHCP snooping configuration.
  • Run the display dhcp snooping user-bind { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id } * | all } [ verbose ] command to check the DHCP snooping binding table.
  • Run the display dhcp snooping statistics command to check statistics on the received DHCP messages.

Configuring DHCP Snooping Attack Mitigation

After basic DHCP snooping functions are configured, DHCP clients can obtain IP addresses from the authorized DHCP server, preventing attacks on the network from bogus DHCP servers. However, many other DHCP attacks exist on the network. To mitigate these attacks, configure DHCP snooping attack mitigation functions on the device as required.

NOTE:

In this chapter, the function in Configuring Defense Against Bogus DHCP Message Attacks and the function in step 2 of Configuring Defense Against DHCP Server DoS Attacks are also applicable to DHCPv6 snooping.

Prerequisites

Basic DHCP snooping functions have been configured.

Configuring Defense Against Bogus DHCP Server Attacks

Context

After DHCP snooping is enabled and a trusted interface is configured, the device ensures DHCP clients obtain IP addresses from the authorized DHCP server, preventing attacks from bogus DHCP servers. However, the location of the bogus DHCP server cannot be detected, meaning the network security is still at risk.

After DHCP server detection is enabled, the DHCP snooping-enabled device checks information about the DHCP server, such as its IP address and connecting port number, in the DHCP Reply messages and records the information in the log. You can refer to these logs to check whether bogus DHCP servers exist on the network.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dhcp server detect

    DHCP server detection is enabled.

    By default, detection of DHCP servers is disabled.

Configuring Defense Against Bogus DHCP Message Attacks

Context

If an attacker pretends to be an authorized user and sends a bogus DHCP message to the DHCP server, the authorized user cannot use the IP address or goes offline unexpectedly. After the DHCP snooping binding table is generated, the device can check DHCP messages against the binding table. Only messages that match the binding table are forwarded; all other messages are discarded. This prevents unauthorized users from sending bogus DHCP messages to renew or release IP addresses.

Procedure

  1. Enable a device to check DHCP messages against the DHCP snooping binding table.

    If the function is configured in the VLAN view, it takes effect on all the interfaces in the VLAN; if the function is configured in the interface view, it takes effect only on the interface.

    • In the system view:

    1. Run system-view

      The system view is displayed.

    2. Run dhcp snooping check dhcp-request enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

      The device is enabled to check DHCP messages sent from a specified VLAN against the DHCP snooping binding table.

      By default, a device is not enabled to check DHCP Request messages against the DHCP snooping binding table.

    3. Run dhcp snooping check dhcp-chaddr enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

      The function of checking whether the CHADDR field is the same as the source MAC address of the header of a DHCP Request message is enabled.

      By default, the function of checking whether the CHADDR field is the same as the source MAC address of the header of a DHCP Request message is disabled.

    • In the VLAN view or interface view:

    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id or interface interface-type interface-number

      The VLAN or interface view is displayed, respectively.

    3. Run dhcp snooping check dhcp-request enable

      The device is enabled to check DHCP messages against the DHCP snooping binding table.

      By default, a device is not enabled to check DHCP messages against the DHCP snooping binding table.

    4. Run dhcp snooping check dhcp-chaddr enable

      The function of checking whether the CHADDR field is the same as the source MAC address of the header of a DHCP Request message is enabled.

      By default, the function of checking whether the CHADDR field is the same as the source MAC address of the header of a DHCP Request message is disabled.

  2. (Optional) Enable the DHCP snooping alarm function.

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run dhcp snooping alarm { dhcp-request | dhcp-chaddr | dhcp-reply } enable

      The DHCP snooping alarm function is enabled.

      By default, the DHCP snooping alarm function is disabled.

  3. (Optional) Configure the alarm threshold.

    The alarm threshold can be set both in the system view and interface view. If the alarm threshold is configured in the system view and interface view, the smaller value takes effect.

    • In the system view:

    1. Run system-view

      The system view is displayed.

    2. Run dhcp snooping alarm threshold threshold

      The alarm threshold for the number of DHCP snooping-discarded messages is configured.

      If this command is run in the system view, it takes effect on all the interfaces of the device.

      By default, the alarm threshold for the number of DHCP snooping-discarded messages is 100.

    • In the interface view:

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run dhcp snooping alarm { dhcp-request | dhcp-chaddr | dhcp-reply } threshold threshold

      The alarm threshold for the number of DHCP snooping-discarded messages is configured.

      By default, the global alarm threshold for the number of DHCP snooping-discarded messages is 100, and the alarm threshold for the number of DHCP snooping-discarded messages on an interface is the value configured using the dhcp snooping alarm threshold command in the system view.

Configuring Defense Against DHCP Server DoS Attacks

Context

If attackers maliciously apply for IP addresses from the DHCP server, the IP address pool becomes exhausted, preventing authorized users from obtaining IP addresses. This can happen if attackers continuously apply for IP addresses by changing the client hardware address (CHADDR) field, which is the field that DHCP servers generally use to identify the MAC address of a DHCP client.

To prevent DHCP users on some interfaces from maliciously applying for IP addresses, you can limit the number of DHCP snooping binding entries that can be learned by an interface. When the number of DHCP snooping binding entries reaches the maximum value, no DHCP client can obtain an IP address through the interface. To prevent attacks carried out by continuously changing the CHADDR field in the DHCP Request message, enable the device to check whether the MAC address in the Ethernet frame header matches the CHADDR field in the DHCP message. With this function enabled, the message is only forwarded if the two values match.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Set the maximum number of DHCP snooping binding entries to be learned by an interface in the system, VLAN, or interface view.

    • In the system view:

    1. Run dhcp snooping max-user-number max-user-number vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

      The maximum number of DHCP snooping binding entries is set on the device.

      After running this command, the value specified in this command is the total number of DHCP snooping binding entries learned by all interfaces on the device.

    2. (Optional) Run dhcp snooping user-alarm percentage percent-lower-value percent-upper-value

      The alarm thresholds for the percentage of DHCP snooping binding entries are configured.

      By default, the lower alarm threshold for the percentage of DHCP snooping binding entries is 50, and the upper alarm threshold for the percentage of DHCP snooping binding entries is 100.

    • In the VLAN view or interface view:

    1. Run vlan vlan-id

      The VLAN view is displayed.

      Or run interface interface-type interface-number

      The interface view is displayed.

    2. Run dhcp snooping max-user-number max-user-number

      The maximum number of DHCP snooping binding entries is set on the interface.

      If you run this command in the VLAN view, the command takes effect on all the DHCP messages in the specified VLAN received by all the interfaces on the device. If you run this command in the interface view, the command takes effect on all the DHCP messages received by the specified interface.

      If you run this command in the system view, VLAN view, and interface view, the smallest value takes effect.

  3. Enable the device to check the CHADDR field in the message in the system view, VLAN view, or interface view.

    • In the system view:

    1. Run dhcp snooping check dhcp-chaddr enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

      The device is enabled to check whether the MAC address in the Ethernet frame header matches the CHADDR field in the DHCP message.

      By default, the device does not check whether the MAC address in the Ethernet frame header matches the CHADDR field in the DHCP message.

    • In the VLAN view or interface view:

    1. Run vlan vlan-id

      The VLAN view is displayed.

      Or run interface interface-type interface-number

      The interface view is displayed.

    2. Run dhcp snooping check dhcp-chaddr enable

      The device is enabled to check whether the MAC address in the Ethernet frame header matches the CHADDR field in the DHCP message.

      By default, the device does not check whether the MAC address in the Ethernet frame header matches the CHADDR field in the DHCP message.

      If you run the dhcp snooping check dhcp-chaddr enable command in the VLAN view, the command takes effect on all the DHCP messages in the specified VLAN received by all the interfaces on the device. If you run the dhcp snooping check dhcp-chaddr enable command in the interface view, the command takes effect for all the DHCP messages received on the interface.

    3. Run quit

      Return to the system view.

  4. (Optional) Set the alarm threshold for the number of messages discarded by DHCP snooping in the system view or interface view.

    • In the system view:

    1. Run dhcp snooping alarm threshold threshold

      The global alarm threshold for the number of messages discarded by DHCP snooping is set.

      If you run this command in the system view, the command takes effect for all the interfaces on the device.

      By default, the global alarm threshold for the number of messages discarded by DHCP snooping is 100.

    • In the interface view:

    1. Run interface interface-type interface-number

      The interface view is displayed.

    2. Run dhcp snooping alarm dhcp-chaddr threshold threshold

      The alarm threshold for the number of DHCP messages discarded because the CHADDR field in the DHCP messages does not match the source MAC address in the Ethernet frame header is set.

      By default, an alarm is generated in the system when at least 100 DHCP snooping messages are discarded, and the alarm threshold on an interface is set using the dhcp snooping alarm threshold command in the system view.

      NOTE:

      If the alarm threshold is set in the system view and interface view, the smaller value takes effect.
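The checks described in the Context sections above (trusted interfaces, the GIADDR check, checking DHCP messages against the binding table, the CHADDR check, max-user-number and the alarm threshold) can be modelled end to end. The following Python program is an added example, not Huawei code and not the device's implementation: it constructs DHCPv4 packets, parses the fields snooping inspects, and applies the checks in the order the guide describes. Interface names such as GE0/0/2, the MAC addresses, the 10.0.0.10 lease and the threshold values are constructed for the demo; the model omits VLANs, the ARP probe aging and hardware details.

```python
# Added example, not Huawei code: a minimal DHCPv4 snooping model of the checks this
# guide configures (trusted ports, binding learning, GIADDR/CHADDR checks, binding
# check on renew/release, max-user-number, and the drop-count alarm threshold).
import struct
from collections import Counter

MAGIC = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE = 1, 2, 3, 5, 6, 7
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed 236-byte BOOTP header layout
ZERO_IP = bytes(4)


def build_dhcp(msg_type, chaddr, ciaddr=ZERO_IP, yiaddr=ZERO_IP, giaddr=ZERO_IP):
    """Constructed DHCPv4 packet for the demo (not a capture)."""
    op = 2 if msg_type in (OFFER, ACK, NAK) else 1        # BOOTREPLY / BOOTREQUEST
    hdr = struct.pack(HDR, op, 1, 6, 0, 0x1234, 0, 0, ciaddr, yiaddr, ZERO_IP,
                      giaddr, chaddr.ljust(16, b"\0"), b"", b"")
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])    # option 53 + END


def parse_dhcp(data):
    """Return the header fields snooping inspects plus the DHCP message type."""
    if len(data) < 240 or data[236:240] != MAGIC:
        raise ValueError("not a DHCPv4 packet")
    f = struct.unpack(HDR, data[:236])
    msg_type, i = None, 240
    while i < len(data) and data[i] != 255:               # walk the option TLVs
        if data[i] == 0:                                    # pad byte
            i += 1
            continue
        if data[i] == 53:
            msg_type = data[i + 2]
        i += 2 + data[i + 1]
    return {"ciaddr": f[7], "yiaddr": f[8], "giaddr": f[10],
            "chaddr": f[11][:f[2]], "type": msg_type}


class DhcpSnooper:
    def __init__(self, trusted, max_user=None, alarm_threshold=100):
        self.trusted = set(trusted)               # ports facing the real servers
        self.max_user = max_user or {}            # interface -> binding-entry limit
        self.global_threshold = alarm_threshold   # dhcp snooping alarm threshold
        self.iface_threshold = {}                 # per-interface threshold override
        self.bindings, self.pending = {}, {}      # chaddr -> (ip, iface); chaddr -> iface
        self.drops, self.alarms = Counter(), []

    def threshold(self, iface):
        # Per the guide: if set in both views, the smaller value takes effect.
        return min(self.global_threshold,
                   self.iface_threshold.get(iface, self.global_threshold))

    def _drop(self, iface, reason):
        self.drops[iface] += 1
        if self.drops[iface] == self.threshold(iface):
            self.alarms.append((iface, self.drops[iface]))
        return "drop:" + reason

    def process(self, iface, src_mac, data):
        """Return 'forward' or 'drop:<reason>' for one DHCP frame."""
        pkt = parse_dhcp(data)
        if pkt["type"] in (OFFER, ACK, NAK):
            if iface not in self.trusted:         # server reply on an untrusted port
                return self._drop(iface, "server-msg-on-untrusted")
            if pkt["type"] == ACK and pkt["chaddr"] in self.pending:
                self.bindings[pkt["chaddr"]] = (pkt["yiaddr"], self.pending.pop(pkt["chaddr"]))
            return "forward"
        if pkt["giaddr"] != ZERO_IP:              # dhcp snooping check dhcp-giaddr
            return self._drop(iface, "giaddr-nonzero")
        if pkt["chaddr"] != src_mac:              # dhcp snooping check dhcp-chaddr
            return self._drop(iface, "chaddr-mismatch")
        if pkt["type"] == RELEASE or pkt["ciaddr"] != ZERO_IP:   # check dhcp-request
            if self.bindings.get(pkt["chaddr"]) != (pkt["ciaddr"], iface):
                return self._drop(iface, "binding-mismatch")
            if pkt["type"] == RELEASE:
                del self.bindings[pkt["chaddr"]]
            return "forward"
        learned = sum(1 for _, i in self.bindings.values() if i == iface)
        limit = self.max_user.get(iface)          # dhcp snooping max-user-number
        if limit is not None and learned >= limit and pkt["chaddr"] not in self.bindings:
            return self._drop(iface, "max-user-number")
        self.pending[pkt["chaddr"]] = iface
        return "forward"


def demo():
    # Walk one legitimate client and one rogue host through the checks.
    s = DhcpSnooper(trusted={"GE0/0/1"}, max_user={"GE0/0/2": 1})
    s.iface_threshold["GE0/0/2"] = 2                          # below the global 100
    client, rogue = b"\x00\x11\x22\x33\x44\x55", b"\x00\xaa\xbb\xcc\xdd\xee"
    server, ip = b"\x00\x00\x5e\x00\x53\x01", bytes([10, 0, 0, 10])
    frames = [
        ("GE0/0/2", client, build_dhcp(DISCOVER, client)),
        ("GE0/0/2", client, build_dhcp(REQUEST, client)),
        ("GE0/0/1", server, build_dhcp(ACK, client, yiaddr=ip)),     # binding learned
        ("GE0/0/3", rogue, build_dhcp(OFFER, client, yiaddr=ip)),    # untrusted port
        ("GE0/0/2", rogue, build_dhcp(RELEASE, client, ciaddr=ip)),  # CHADDR != source MAC
        ("GE0/0/2", rogue, build_dhcp(RELEASE, rogue, ciaddr=ip)),   # no binding; 2nd drop -> alarm
        ("GE0/0/2", client, build_dhcp(REQUEST, client, giaddr=bytes([192, 0, 2, 1]))),
        ("GE0/0/2", rogue, build_dhcp(DISCOVER, rogue)),             # interface limit reached
        ("GE0/0/2", client, build_dhcp(RELEASE, client, ciaddr=ip)), # genuine release
    ]
    return [s.process(*f) for f in frames], s
```

`demo()` returns one verdict per frame and the snooper state. The alarm fires after the second drop on GE0/0/2 because the interface threshold (2) is smaller than the global one (100), which is the rule the guide states for thresholds set in both views; the genuine RELEASE at the end is forwarded only because its CHADDR, source MAC, ciaddr and ingress interface all match the learned binding, and it removes that binding, mirroring what the device does when a client releases its address.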

Verifying the DHCP Snooping Attack Defense Configuration

Context

After DHCP snooping attack defense is completely configured, check the configured parameters.

Procedure

  • Run the display dhcp snooping [ interface interface-type interface-number | vlan vlan-id ] command to view DHCP snooping running information.
  • Run the display dhcp snooping configuration [ vlan vlan-id | interface interface-type interface-number ] command to view the DHCP snooping configuration.
  • Run the display dhcp snooping statistics command to check statistics on the received DHCP messages.

Inserting the Option 82 Field in a DHCP Message

Context

The Option 82 field records the location of a DHCP client, and is inserted into a DHCP Request message before being sent to the DHCP server. This allows the DHCP server to assign an IP address and other configurations to the DHCP client, facilitating DHCP client security.

NOTE:
  • DHCP Option 82 must be configured on the user side of a device; otherwise, the DHCP message sent to the DHCP server will not carry Option 82.
  • The total length of all Option 82 fields must be between 1 and 255 bytes. If the total length exceeds 255 bytes, some Option 82 information will be lost.
  • There is no limit on the number of Option 82 fields configured on a device. However, a large number of Option 82 fields occupies a lot of memory and slows down device processing. To ensure device performance, take the service requirements and device memory size into account when configuring Option 82 fields.

Procedure

  1. Run system-view

    The system view is displayed.

  2. You can configure the device to insert the Option 82 field in a DHCP message in the interface view or VLAN view.

    • In the VLAN view:

    1. Run the vlan vlan-id command to enter the VLAN view.

    2. Run the dhcp option82 { insert | rebuild } enable interface interface-type interface-number1 [ to interface-number2 ] command to enable the device to insert the Option 82 field in a DHCP message.

      By default, the device is disabled from inserting the Option 82 field in a DHCP message.

    3. Run the quit command to return to the system view.

    • In the interface view:

    1. Run the interface interface-type interface-number command to enter the interface view.

    2. Run the dhcp option82 { insert | rebuild } enable command to enable the device to insert the Option 82 field in a DHCP message.

      By default, the device is disabled from inserting the Option 82 field in a DHCP message.

    3. Run the quit command to return to the system view.

  3. (Optional) You can configure the format of the Option 82 field in the system or interface view. If the configuration is performed in the system view, the configuration takes effect for all interfaces on the device. If the configuration is performed in the interface view, the configuration takes effect only for the specified interface.

    • In the system view:

    1. Run the dhcp option82 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] [ circuit-id | remote-id ] format { default | common | extend | user-defined text } command to configure the format of the Option 82 field in a DHCP message.

      By default, the format of the Option 82 field in a DHCP message is default.

    • In the interface view:

    1. Run the interface interface-type interface-number command to enter the interface view.

    2. Run the dhcp option82 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] [ circuit-id | remote-id ] format { default | common | extend | user-defined text } command to configure the format of the Option 82 field in a DHCP message.

      By default, the format of the Option 82 field in a DHCP message is default.

    3. Run the quit command to return to the system view.

  4. (Optional) Run dhcp option82 subscriber-id format { ascii ascii-text | hex hex-text }

    The Sub6 suboption is inserted into the Option 82 field of DHCP messages and the format of the Sub6 suboption is configured.

    By default, the Sub6 suboption is not inserted into the Option 82 field of DHCP messages.

  5. (Optional) Run dhcp option82 vendor-specific format vendor-sub-option sub-option-num { ascii ascii-text | hex hex-text | ip-address ip-address &<1-8> | sysname }

    The Sub9 suboption is inserted into the Option 82 field of DHCP messages.

    By default, Sub9 suboption is not inserted into the Option 82 field of DHCP messages.

  6. (Optional) Configure suboptions inserted into the DHCP Option 82 field in the system view, VLAN view, or interface view. If the configuration is performed in the system view, the configuration takes effect for all interfaces on the device. If the configuration is performed in the VLAN view, the configuration takes effect for all DHCP messages from this VLAN that are received by all interfaces. If the configuration is performed in the interface view, the configuration takes effect only for the specified interface.

    • In the system view:

    1. Run the dhcp option82 encapsulation { circuit-id | remote-id | subscriber-id | vendor-specific-id } * command to configure suboptions inserted into the DHCP Option 82 field.

      By default, the circuit-id (CID) and remote-id (RID) suboptions are inserted into the DHCP Option 82 field.

    • In the VLAN view:

    1. Run the vlan vlan-id command to enter the VLAN view.

    2. Run the dhcp option82 encapsulation { circuit-id | remote-id | subscriber-id | vendor-specific-id } * command to configure suboptions inserted into the DHCP Option 82 field.

      By default, the circuit-id (CID) and remote-id (RID) suboptions are inserted into the DHCP Option 82 field.

    3. Run the quit command to return to the system view.

    • In the interface view:

    1. Run the interface interface-type interface-number command to enter the interface view.

    2. Run the dhcp option82 encapsulation { circuit-id | remote-id | subscriber-id | vendor-specific-id } * command to configure suboptions inserted into the DHCP Option 82 field.

      By default, the circuit-id (CID) and remote-id (RID) suboptions are inserted into the DHCP Option 82 field.

    3. Run the quit command to return to the system view.

  7. (Optional) Disable the interface from generating DHCP snooping binding entries after the DHCP snooping function has been enabled.

    When this configuration is performed in the VLAN view, the configuration takes effect for all DHCP users belonging to this VLAN on all interfaces. When this configuration is performed in the interface view, the configuration takes effect for all DHCP users connecting to this interface.

    By default, an interface generates DHCP snooping binding entries after DHCP snooping is enabled.

    • For a batch of VLANs in the system view:

    1. Run the dhcp snooping enable no-user-binding vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> command to disable the interfaces from generating DHCP snooping binding entries after DHCP snooping is enabled.

    • For a single VLAN in the VLAN view:

    1. Run the vlan vlan-id command to enter the VLAN view.

    2. Run the dhcp snooping enable no-user-binding command to disable the interfaces from generating DHCP snooping binding entries after DHCP snooping is enabled.

    3. Run the quit command to return to the system view.

    • In the interface view:

    1. Run the interface interface-type interface-number command to enter the interface view.

    2. Run the dhcp snooping enable no-user-binding command to disable the interface from generating DHCP snooping binding entries after DHCP snooping is enabled.

    3. Run the quit command to return to the system view.
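To make the Option 82 structure of this section concrete (the suboptions selected with dhcp option82 encapsulation, the Sub6 subscriber-id and Sub9 vendor-specific suboptions, and the 1 to 255 byte total-length limit from the note above), the following Python program is an added example, not Huawei code: it encodes an Option 82 field from suboptions, inserts it into a DHCP options field, parses it back, and rejects a payload over 255 bytes. Assumptions: the suboption codes are the RFC 3046/3993/4243 values (1 circuit-id, 2 remote-id, 6 subscriber-id, 9 vendor-specific); the circuit-id byte layout and the client options are constructed for the demo and are not the device's default format; and the insert/rebuild behaviour (keep versus replace an existing Option 82) is an assumed reading of the command keywords, not a statement from this guide.

```python
# Added example, not Huawei code: build, insert and parse the DHCP Option 82
# (Relay Agent Information) field, enforcing the 1..255-byte total-length limit.
import struct

OPT_PAD, OPT_END, OPT_RELAY_AGENT = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID, SUB_SUBSCRIBER_ID, SUB_VENDOR_SPECIFIC = 1, 2, 6, 9


def tlvs(buf, stop_at_end=True):
    """Yield (code, value) pairs from a TLV run; DHCP options stop at END (255)."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if stop_at_end and code == OPT_END:
            return
        if code == OPT_PAD:                      # single-byte pad, no length
            i += 1
            continue
        length = buf[i + 1]
        yield code, buf[i + 2:i + 2 + length]
        i += 2 + length


def encode(pairs):
    """Serialise (code, value) pairs as code, length, value."""
    return b"".join(bytes([c, len(v)]) + v for c, v in pairs)


def build_option82(suboptions):
    """Return the Option 82 payload for a list of (suboption_code, bytes)."""
    body = encode(suboptions)
    if not 1 <= len(body) <= 255:                # limit from the guide's note
        raise ValueError(f"Option 82 payload is {len(body)} bytes, must be 1..255")
    return body


def insert_option82(options, opt82_body, mode="insert"):
    """Assumed semantics (not from the guide): 'insert' leaves an existing
    Option 82 untouched, 'rebuild' replaces it with the one built here."""
    pairs = list(tlvs(options))
    if mode == "insert" and any(c == OPT_RELAY_AGENT for c, _ in pairs):
        return options
    kept = [(c, v) for c, v in pairs if c != OPT_RELAY_AGENT]
    return encode(kept + [(OPT_RELAY_AGENT, opt82_body)]) + bytes([OPT_END])


def circuit_id(vlan, slot, port):
    """Constructed circuit-id layout (VLAN, slot, port); not the device's format."""
    return struct.pack("!HBB", vlan, slot, port)


def relay_info(options):
    """Return the Option 82 suboptions as {code: value}, or None if absent."""
    for code, value in tlvs(options):
        if code == OPT_RELAY_AGENT:
            return dict(tlvs(value, stop_at_end=False))
    return None


def demo():
    # Constructed client options: DHCPDISCOVER (53) plus a client identifier (61).
    client_options = bytes([53, 1, 1, 61, 7, 1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, OPT_END])
    body = build_option82([(SUB_CIRCUIT_ID, circuit_id(100, 0, 2)),
                           (SUB_REMOTE_ID, b"\x00\x11\x22\x33\x44\x55"),
                           (SUB_SUBSCRIBER_ID, b"user-0002")])
    with82 = insert_option82(client_options, body)
    return with82, relay_info(with82)
```

`demo()` returns the options field after insertion and the parsed suboptions. The same `tlvs` walker parses both the outer DHCP options and the nested Option 82 suboptions; the only difference is that suboption runs have no END marker, which is why `relay_info` passes `stop_at_end=False`. A server that selects address pools by circuit-id depends on the untrusted user-side port being the one that inserts this field, which is the point of the note that Option 82 must be configured on the user side.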

Verifying the Configuration

  • Run the display dhcp option82 configuration [ vlan vlan-id | interface interface-type interface-number ] command to view the DHCP Option 82 configuration.
Updated: 2019-01-11

Document ID: EDOC1000176006