No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Defense Against Attacks from Non-DHCP Users

Defense Against Attacks from Non-DHCP Users

Mechanism

On a DHCP network, users with static IP addresses may initiate attacks such as bogus DHCP server attacks and bogus DHCP Request message attacks. This brings security risks for authorized DHCP users.

Solution

To prevent attacks from non-DHCP users, enable the device to generate static MAC address entries based on the DHCP snooping binding table, and disable the interface from learning dynamic MAC address entries. Only the messages whose source MAC addresses match the static MAC address entries can pass through the user-side interface on the device, and other messages are discarded. To allow messages from non-DHCP users to pass through the interface, manually configure static MAC address entries for these users.

The device learns and generates dynamic MAC address entries, whereas static MAC address entries are configured using the CLI. A MAC address entry includes the MAC address, VLAN ID, and interface number of the DHCP client. The device implements Layer 2 forwarding based on MAC address entries.

Translation
Download
Updated: 2019-04-01

Document ID: EDOC1000178319

Views: 142036

Downloads: 78

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next