Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
Example for Configuring DHCP Snooping on a VPLS Network

Networking Requirements

In Figure 9-14, PE1 and PE2 are connected over a VPLS network. The DHCP client obtains an IPv4 address using DHCP. Attacks from unauthorized users can prevent authorized users from obtaining IP addresses. The administrator needs the device to defend against DHCP attacks on the network so that DHCP clients are served reliably.

Figure 9-14  Networking diagram for configuring DHCP snooping on a VPLS network
NOTE:

Only the S5720HI supports this example.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Enable DHCP snooping globally and configure the device to process only DHCPv4 messages.
  2. Enable DHCP snooping over VPLS so that the DHCP snooping configuration takes effect on the VPLS network.
  3. Enable DHCP snooping on the interface.
  4. Configure an interface as the trusted interface to ensure that DHCP clients obtain IP addresses from the authorized server.
  5. Enable the device to check DHCP messages against the binding table to prevent bogus DHCP message attacks.
  6. Set the maximum rate at which DHCP messages are sent to the processing unit, to prevent DHCP flood attacks.
  7. Enable the device to check whether the GIADDR field in DHCP Request messages is 0 and to discard DHCP Request messages whose GIADDR field is non-zero.
  8. Set the maximum number of DHCP clients that can access the interface, and enable the device to check whether the source MAC address in the frame header of a DHCP Request message matches the CHADDR field, to prevent DHCP server DoS attacks.
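The checks in steps 4 to 8 of the roadmap, as an added Python model that is not part of the Huawei guide: it parses constructed DHCPv4 headers and applies the trusted-port, GIADDR, CHADDR, binding-table and rate-limit rules to decide whether a message is forwarded or dropped. Port names, the binding-table shape and the one-second rate window are assumptions; the per-interface user limit is not modelled.

```python
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
HDR = "!BBBBIHH4s4s4s4s16s"   # RFC 2131 fixed header (44 bytes); options are omitted here

def _ip(s):  return bytes(int(x) for x in s.split("."))
def _mac(s): return bytes.fromhex(s.replace(":", ""))

def build_dhcp(op, chaddr, giaddr="0.0.0.0", ciaddr="0.0.0.0"):
    """Constructed test packet: a minimal BOOTP/DHCP header, Ethernet hardware type."""
    return struct.pack(HDR, op, 1, 6, 0, 0x1234, 0, 0, _ip(ciaddr), b"\0" * 4,
                       b"\0" * 4, _ip(giaddr), _mac(chaddr).ljust(16, b"\0"))

def parse_dhcp(pkt):
    op, _, hlen, _, _, _, _, ciaddr, _, _, giaddr, chaddr = struct.unpack(HDR, pkt[:44])
    dotted = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "ciaddr": dotted(ciaddr), "giaddr": dotted(giaddr),
            "chaddr": ":".join(f"{x:02x}" for x in chaddr[:hlen])}

class RateLimiter:
    """Per-second cap on DHCP messages punted to the CPU (the page sets 90 pps)."""
    def __init__(self, pps): self.pps, self.win, self.n = pps, None, 0
    def allow(self, now):
        if self.win != int(now): self.win, self.n = int(now), 0
        self.n += 1
        return self.n <= self.pps

def snoop_check(port, trusted, src_mac, pkt, bindings, limiter, now=0.0):
    """Return 'forward' or a drop reason for one DHCP message received on `port`.
    bindings maps client IP -> (MAC, port), as learned from earlier DHCP ACKs (assumed shape)."""
    if not limiter.allow(now):
        return "drop: dhcp-rate"                # flood protection; feeds the dhcp-rate alarm
    d = parse_dhcp(pkt)
    if trusted:
        return "forward"                        # server-facing port: replies are expected
    if d["op"] == BOOTREPLY:
        return "drop: reply on untrusted port"  # a rogue server behind a client port
    if d["giaddr"] != "0.0.0.0":
        return "drop: dhcp-giaddr"              # clients never fill GIADDR themselves
    if d["chaddr"] != src_mac.lower():
        return "drop: dhcp-chaddr"              # CHADDR does not match the frame source MAC
    if d["ciaddr"] != "0.0.0.0" and bindings.get(d["ciaddr"]) != (d["chaddr"], port):
        return "drop: dhcp-request"             # renew/release for an address not bound here
    return "forward"
```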

Procedure

  1. Enable DHCP snooping.

    # Enable DHCP snooping globally and configure the device to process only DHCPv4 messages.

    <HUAWEI> system-view
    [HUAWEI] sysname PE1
    [PE1] dhcp enable
    [PE1] dhcp snooping enable ipv4

  2. Enable DHCP snooping over VPLS.

    [PE1] dhcp snooping over-vpls enable

  3. Enable DHCP snooping on the interface.

    # Enable DHCP snooping on the user-side interface. GE0/0/1 is used as an example; the configuration on GE0/0/2 is the same and is not shown here.

    [PE1] interface gigabitethernet 0/0/1
    [PE1-GigabitEthernet0/0/1] dhcp snooping enable
    [PE1-GigabitEthernet0/0/1] quit

  4. Configure the interface connected to the DHCP server as the trusted interface.

    [PE1] interface gigabitethernet 0/0/3
    [PE1-GigabitEthernet0/0/3] dhcp snooping trusted
    [PE1-GigabitEthernet0/0/3] quit

  5. Enable the device to check DHCP messages against the DHCP snooping binding table.

    # Configure the user-side interface. GE0/0/1 is used as an example; the configuration on GE0/0/2 is the same and is not shown here.

    [PE1] interface gigabitethernet 0/0/1
    [PE1-GigabitEthernet0/0/1] dhcp snooping check dhcp-request enable
    [PE1-GigabitEthernet0/0/1] quit

  6. Set the maximum rate of sending DHCP messages to the processing unit to 90 pps.

    [PE1] dhcp snooping check dhcp-rate enable
    [PE1] dhcp snooping check dhcp-rate 90

  7. Enable the device to check whether the GIADDR field in a DHCP Request message is 0.

    # Configure the user-side interface. GE0/0/1 is used as an example; the configuration on GE0/0/2 is the same and is not shown here.

    [PE1] interface gigabitethernet 0/0/1
    [PE1-GigabitEthernet0/0/1] dhcp snooping check dhcp-giaddr enable
    [PE1-GigabitEthernet0/0/1] quit

  8. Set the maximum number of access users allowed on the interface and enable the device to check the CHADDR field.

    # Configure the user-side interface. GE0/0/1 is used as an example; the configuration on GE0/0/2 is the same and is not shown here.

    [PE1] interface gigabitethernet 0/0/1
    [PE1-GigabitEthernet0/0/1] dhcp snooping max-user-number 20
    [PE1-GigabitEthernet0/0/1] dhcp snooping check dhcp-chaddr enable
    [PE1-GigabitEthernet0/0/1] quit

  9. Configure the trap function for the number of discarded messages and for the rate limit.

    # Enable the trap function for discarded messages and set the alarm thresholds. GE0/0/1 is used as an example; the configuration on GE0/0/2 is the same and is not shown here.

    [PE1] interface gigabitethernet 0/0/1
    [PE1-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr enable
    [PE1-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request enable
    [PE1-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply enable
    [PE1-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr threshold 120
    [PE1-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request threshold 120
    [PE1-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply threshold 120
    [PE1-GigabitEthernet0/0/1] quit

    # Enable the trap function for the rate limit and set the alarm threshold.

    [PE1] dhcp snooping alarm dhcp-rate enable
    [PE1] dhcp snooping alarm dhcp-rate threshold 80

  10. Verify the configuration.

    # Run the display dhcp snooping configuration command to view the DHCP snooping configuration.

    [PE1] display dhcp snooping configuration
    #
    dhcp snooping enable ipv4
    dhcp snooping check dhcp-rate enable
    dhcp snooping check dhcp-rate 90
    dhcp snooping alarm dhcp-rate enable
    dhcp snooping alarm dhcp-rate threshold 80
    dhcp snooping over-vpls enable
    #
    interface GigabitEthernet0/0/1
     dhcp snooping enable
     dhcp snooping check dhcp-giaddr enable
     dhcp snooping check dhcp-request enable
     dhcp snooping alarm dhcp-request enable
     dhcp snooping alarm dhcp-request threshold 120
     dhcp snooping check dhcp-chaddr enable
     dhcp snooping alarm dhcp-chaddr enable
     dhcp snooping alarm dhcp-chaddr threshold 120
     dhcp snooping alarm dhcp-reply enable
     dhcp snooping alarm dhcp-reply threshold 120
     dhcp snooping max-user-number 20
    #
    interface GigabitEthernet0/0/2
     dhcp snooping enable
     dhcp snooping check dhcp-giaddr enable
     dhcp snooping check dhcp-request enable
     dhcp snooping alarm dhcp-request enable
     dhcp snooping alarm dhcp-request threshold 120
     dhcp snooping check dhcp-chaddr enable
     dhcp snooping alarm dhcp-chaddr enable
     dhcp snooping alarm dhcp-chaddr threshold 120
     dhcp snooping alarm dhcp-reply enable
     dhcp snooping alarm dhcp-reply threshold 120
     dhcp snooping max-user-number 20
    #
    interface GigabitEthernet0/0/3
     dhcp snooping trusted
    #

    # Run the display dhcp snooping interface command to view DHCP snooping information on an interface.

    [PE1] display dhcp snooping interface gigabitethernet 0/0/1
     DHCP snooping running information for interface GigabitEthernet0/0/1 :
     DHCP snooping                            : Enable
     Trusted interface                        : No
     Dhcp user max number                     : 20
     Current dhcp and nd user number          : 0
     Check dhcp-giaddr                        : Enable
     Check dhcp-chaddr                        : Enable
     Alarm dhcp-chaddr                        : Enable
     Alarm dhcp-chaddr threshold              : 120
     Discarded dhcp packets for check chaddr  : 0
     Check dhcp-request                       : Enable
     Alarm dhcp-request                       : Enable
     Alarm dhcp-request threshold             : 120
     Discarded dhcp packets for check request : 0
     Check dhcp-rate                          : Disable  (default)
     Alarm dhcp-rate                          : Disable  (default)
     Alarm dhcp-rate threshold                : 80
     Discarded dhcp packets for rate limit    : 0
     Alarm dhcp-reply                         : Enable
     Alarm dhcp-reply threshold               : 120
     Discarded dhcp packets for check reply   : 0

    [PE1] display dhcp snooping interface gigabitethernet 0/0/3
     DHCP snooping running information for interface GigabitEthernet0/0/3 :
     DHCP snooping                            : Disable  (default)
     Trusted interface                        : Yes
     Dhcp user max number                     : 1024    (default)
     Current dhcp and nd user number          : 0
     Check dhcp-giaddr                        : Disable  (default)
     Check dhcp-chaddr                        : Disable  (default)
     Alarm dhcp-chaddr                        : Disable  (default)
     Check dhcp-request                       : Disable  (default)
     Alarm dhcp-request                       : Disable  (default)
     Check dhcp-rate                          : Disable  (default)
     Alarm dhcp-rate                          : Disable  (default)
     Alarm dhcp-rate threshold                : 80
     Discarded dhcp packets for rate limit    : 0
     Alarm dhcp-reply                         : Disable  (default)

Configuration Files

# Configuration file of PE1

#
sysname PE1
#
dhcp enable
#
dhcp snooping enable ipv4
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
dhcp snooping alarm dhcp-rate enable
dhcp snooping alarm dhcp-rate threshold 80
dhcp snooping over-vpls enable
#
interface GigabitEthernet0/0/1
 dhcp snooping enable
 dhcp snooping check dhcp-giaddr enable
 dhcp snooping check dhcp-request enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 120
 dhcp snooping check dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 120
 dhcp snooping alarm dhcp-reply enable
 dhcp snooping alarm dhcp-reply threshold 120
 dhcp snooping max-user-number 20
#
interface GigabitEthernet0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-giaddr enable
 dhcp snooping check dhcp-request enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 120
 dhcp snooping check dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 120
 dhcp snooping alarm dhcp-reply enable
 dhcp snooping alarm dhcp-reply threshold 120
 dhcp snooping max-user-number 20
#
interface GigabitEthernet0/0/3
 dhcp snooping trusted
#
return
Updated: 2019-09-23

Document ID: EDOC1000178177
