
Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
DHCP Snooping Fundamentals

DHCP snooping has two modes: DHCPv4 snooping and DHCPv6 snooping. Both modes function in a similar manner. This section uses DHCPv4 snooping as an example.

A DHCP snooping-enabled device forwards DHCP Request messages of users (DHCP clients) to an authorized DHCP server through the trusted interface. The device then generates DHCP snooping binding entries according to the DHCP ACK messages it receives from the DHCP server. To prevent attacks from unauthorized users, the device checks DHCP messages it receives through DHCP snooping-enabled interfaces against the binding table.

DHCP Snooping Trust Function

If a bogus DHCP server exists on a network, as shown in Figure 9-1, DHCP clients may obtain incorrect IP addresses and network configuration parameters from it, leading to communication failures. The trust function controls the source of DHCP Reply messages to prevent bogus DHCP servers from assigning IP addresses and other configurations to DHCP clients.

DHCP snooping involves two interface roles: trusted interface and untrusted interface. The interface roles ensure that DHCP clients obtain IP addresses from an authorized DHCP server.

Trusted and untrusted interfaces are used as follows:
  • DHCP ACK, NAK, and Offer messages are accepted only on the trusted interface. In addition, the device forwards DHCP Request messages from DHCP clients to the authorized DHCP server only through the trusted interface.
  • DHCP ACK, NAK, and Offer messages received on untrusted interfaces are discarded.

When DHCP snooping is enabled on a Layer 2 access device, as shown in Figure 9-1, the interface directly or indirectly connected to the authorized DHCP server is generally configured as a trusted interface (for example, if1). Other interfaces are configured as untrusted interfaces (for example, if2). To ensure that DHCP clients can obtain IP addresses only from the authorized DHCP server, the DHCP Request messages from DHCP clients are forwarded only through the trusted interface. Bogus DHCP servers cannot assign IP addresses to the DHCP clients.

Figure 9-1  DHCP snooping trust

DHCP Snooping Binding Table

In Figure 9-2, each PC connects to a Layer 2 access device and obtains an IP address automatically. The process is as follows:
  1. A PC, functioning as a DHCP client, broadcasts a DHCP Request message.
  2. The DHCP snooping-enabled Layer 2 access device forwards the message to the DHCP server through the trusted interface.
  3. The DHCP server unicasts the DHCP ACK message carrying an IP address to the PC.
  4. The Layer 2 access device obtains required information, such as the PC's MAC address, IP address, and lease time of the IP address, from the DHCP ACK messages. It learns information (interface number and VLAN ID) about the DHCP snooping-enabled interface connected to the PC and generates a DHCP snooping binding entry for the PC.

For example, the Layer 2 access device in Figure 9-2 obtains IP address 192.168.1.253, MAC address MACA, and interface if3 connected to PC1 upon receiving a DHCP ACK message for PC1, and then generates a DHCP snooping binding entry for PC1.

Figure 9-2  DHCP snooping binding table

A DHCP snooping binding entry is aged out when the IP address lease time expires. Alternatively, the entry is deleted when the client sends a DHCP Release message to release its IP address.

The DHCP snooping binding table records the mappings between IP addresses and MAC addresses of DHCP clients. The device can check DHCP messages against the DHCP snooping binding table to prevent attacks initiated by unauthorized users.

Configure DHCP snooping on the Layer 2 access devices or the first DHCP relay agent to ensure that the device obtains parameters such as MAC addresses for generating DHCP snooping binding entries.

If DHCP snooping is enabled on a DHCP relay agent, a trusted interface does not need to be configured on the DHCP relay agent. After receiving DHCP Request messages from clients, the DHCP relay agent modifies the source/destination IP addresses and MAC addresses, and unicasts the messages to the authorized DHCP server. Therefore, the DHCP ACK messages received by the DHCP relay agent are valid, and the DHCP snooping binding entries generated by the DHCP relay agent are correct.
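The following model ties together the trust function and the binding table described above. It is an added example written for this page, not Huawei's code and not the switch's actual implementation: a small DHCPv4 snooping device that discards Offer/ACK/NAK messages arriving on untrusted interfaces, remembers which interface and VLAN each client's Request came from, builds a binding entry when the ACK arrives through the trusted interface, deletes the entry on a matching Release, and ages entries out when the lease expires. The interface names (if1, if2, if3), the MAC name MACA and the address 192.168.1.253 are taken from the figures on this page; the timestamps, lease values and the bogus-server address are constructed. The exact check applied to a Release message (its address, VLAN and ingress interface must match the existing entry for that MAC) is an assumption about what "checking against the binding table" involves, not something the page specifies.

```python
"""Toy model of DHCPv4 snooping on a Layer 2 access device (added example).

Models the trusted/untrusted interface roles and the DHCP snooping binding
table. All message values below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}           # only legitimate via a trusted interface
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE"}


@dataclass
class DhcpMsg:
    kind: str                      # DISCOVER / REQUEST / OFFER / ACK / NAK / RELEASE
    ingress: str                   # interface the switch received the message on
    vlan: int
    client_mac: str                # chaddr field of the DHCP message
    yiaddr: Optional[str] = None   # address assigned in OFFER/ACK
    ciaddr: Optional[str] = None   # address the client is releasing
    lease: int = 0                 # lease time in seconds (ACK)


@dataclass
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str
    expires_at: int                # absolute time in seconds


class SnoopingSwitch:
    def __init__(self, trusted: Set[str]):
        self.trusted = set(trusted)
        self.bindings: Dict[str, Binding] = {}              # keyed by client MAC
        self._pending: Dict[str, Tuple[str, int]] = {}      # MAC -> (interface, vlan) of last Request
        self.log: List[str] = []

    def process(self, m: DhcpMsg, now: int) -> str:
        """Return 'forward' or 'drop' and update the binding table."""
        self.expire(now)
        if m.kind in SERVER_MSGS:
            return self._server_msg(m, now)
        return self._client_msg(m)

    def _server_msg(self, m: DhcpMsg, now: int) -> str:
        # Trust function: server messages on untrusted interfaces are discarded,
        # so a bogus server behind if2 can never hand out addresses.
        if m.ingress not in self.trusted:
            self.log.append(f"drop {m.kind} from untrusted {m.ingress}")
            return "drop"
        if m.kind == "ACK" and m.yiaddr:
            # The ACK carries IP and lease; the client's interface/VLAN were
            # learned when its Request passed through the switch.
            port, vlan = self._pending.pop(m.client_mac, (None, None))
            if port is None:
                self.log.append(f"ACK for unknown client {m.client_mac}, no binding")
                return "forward"
            self.bindings[m.client_mac] = Binding(m.yiaddr, m.client_mac, vlan, port, now + m.lease)
            self.log.append(f"bind {m.yiaddr} {m.client_mac} vlan {vlan} {port}")
        return "forward"

    def _client_msg(self, m: DhcpMsg) -> str:
        if m.kind == "RELEASE":
            # Assumed check: a Release must match the existing entry for that MAC
            # (address, VLAN and ingress interface), otherwise it is dropped.
            b = self.bindings.get(m.client_mac)
            if b is None or (b.ip, b.vlan, b.interface) != (m.ciaddr, m.vlan, m.ingress):
                self.log.append(f"drop RELEASE for {m.client_mac} on {m.ingress}: no matching binding")
                return "drop"
            del self.bindings[m.client_mac]
            return "forward"
        # DISCOVER/REQUEST: remember where the client sits; the switch forwards
        # these only through the trusted interface.
        self._pending[m.client_mac] = (m.ingress, m.vlan)
        return "forward"

    def expire(self, now: int) -> None:
        """Age out entries whose lease has expired."""
        for mac in [mac for mac, b in self.bindings.items() if b.expires_at <= now]:
            del self.bindings[mac]


def demo() -> Tuple[List[str], int, int]:
    """Run the Figure 9-1/9-2 scenario; returns decisions and binding counts before/after aging."""
    sw = SnoopingSwitch(trusted={"if1"})
    d = []
    d.append(sw.process(DhcpMsg("REQUEST", "if3", 10, "MACA"), now=100))
    d.append(sw.process(DhcpMsg("OFFER", "if2", 10, "MACA", yiaddr="10.0.0.9"), now=101))      # bogus server
    d.append(sw.process(DhcpMsg("ACK", "if1", 10, "MACA", yiaddr="192.168.1.253", lease=3600), now=102))
    d.append(sw.process(DhcpMsg("RELEASE", "if2", 10, "MACA", ciaddr="192.168.1.253"), now=103))  # wrong port
    d.append(sw.process(DhcpMsg("RELEASE", "if3", 10, "MACA", ciaddr="192.168.1.253"), now=104))  # genuine
    sw.process(DhcpMsg("REQUEST", "if3", 10, "MACA"), now=200)
    sw.process(DhcpMsg("ACK", "if1", 10, "MACA", yiaddr="192.168.1.253", lease=3600), now=201)
    before = len(sw.bindings)
    sw.expire(now=201 + 3600)
    return d, before, len(sw.bindings)


if __name__ == "__main__":
    decisions, before, after = demo()
    print(decisions, before, after)
```

Running `demo()` shows the Offer from the bogus server on if2 being dropped, the ACK through if1 producing an entry for 192.168.1.253/MACA on if3, the Release from the wrong interface being rejected, and the entry disappearing once the lease has run out. The model deliberately keys entries on the client MAC only; a real binding table also carries the VLAN and interface as part of the lookup, which is why the page recommends enabling snooping on the access switch or the first relay agent, where those values are known.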

Updated: 2019-04-01

Document ID: EDOC1000178319