CLI-based Configuration Guide - Security

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the security features supported by the device.
Example for Configuring DHCP Snooping Attack Defense

Networking Requirements

In Figure 12-3, RouterA and RouterB are access devices, and RouterC is a DHCP relay agent. Client1 and Client2 are connected to RouterA through Eth2/0/0 and Eth2/0/1 respectively, and Client3 is connected to RouterB through Eth2/0/0. Client1 and Client3 obtain IP addresses using DHCP, while Client2 uses a static IP address. Unauthorized users on the network send bogus DHCP messages and flood the DHCP server with requests, which prevents authorized users from obtaining IP addresses. The administrator needs to enable DHCP attack defense on the device so that authorized DHCP clients continue to be served.

Figure 12-3  Networking diagram for configuring DHCP snooping attack defense

Configuration Roadmap

The configuration roadmap is as follows:

  1. Enable DHCP snooping globally and on the user-side interfaces.
  2. Enable association between ARP and DHCP snooping so that the device deletes the binding entry of a DHCP user that has gone offline.
  3. Enable the device to check DHCP messages against the binding table, so that bogus DHCP messages (for example, a forged Request or Release that matches no existing binding) are discarded.
  4. Enable the device to check the GIADDR field, so that messages received on a user-side interface that claim to come from a relay agent are discarded.
  5. Set the maximum number of access DHCP clients on each interface and enable the device to check whether the source MAC address in the Ethernet frame header matches the CHADDR field in the DHCP message, to prevent DHCP server DoS (address pool exhaustion) attacks.
  6. Enable alarms for discarded DHCP messages so that the administrator is notified when a discard counter reaches the configured threshold.

Procedure

  1. Enable DHCP snooping.

    # Enable DHCP snooping globally.

    <Huawei> system-view
    [Huawei] sysname RouterC
    [RouterC] dhcp enable
    [RouterC] dhcp snooping enable

    # Enable DHCP snooping on the user-side interface. Eth2/0/0 is used as an example; the configuration on Eth2/0/1 is the same and is not shown here.

    [RouterC] interface ethernet 2/0/0
    [RouterC-Ethernet2/0/0] dhcp snooping enable
    [RouterC-Ethernet2/0/0] quit

  2. Enable association between ARP and DHCP snooping.

    [RouterC] arp dhcp-snooping-detect enable

  3. Enable the device to check DHCP messages against the DHCP snooping binding table.

    # Configure the user-side interface. Eth2/0/0 is used as an example. The configuration on Eth2/0/1 is the same as the configuration on Eth2/0/0 and is not mentioned here.

    [RouterC] interface ethernet 2/0/0
    [RouterC-Ethernet2/0/0] dhcp snooping check user-bind enable
    [RouterC-Ethernet2/0/0] quit

  4. Enable the device to check whether the GIADDR field in DHCP messages received on the user-side interface is 0.

    # Configure the user-side interface. Eth2/0/0 is used as an example. The configuration on Eth2/0/1 is the same as the configuration on Eth2/0/0 and is not mentioned here.

    [RouterC] interface ethernet 2/0/0
    [RouterC-Ethernet2/0/0] dhcp snooping check dhcp-giaddr enable
    [RouterC-Ethernet2/0/0] quit

  5. Set the maximum number of access users allowed on the interface and enable the device to check the CHADDR field.

    # Configure the user-side interface. Eth2/0/0 is used as an example. The configuration on Eth2/0/1 is the same as the configuration on Eth2/0/0 and is not mentioned here.

    [RouterC] interface ethernet 2/0/0
    [RouterC-Ethernet2/0/0] dhcp snooping max-user-number 20
    [RouterC-Ethernet2/0/0] dhcp snooping check mac-address enable
    [RouterC-Ethernet2/0/0] quit

  6. Configure the alarm (trap) function for discarded DHCP messages.

    # Enable alarms for the three discard counters (CHADDR check, binding-table check, and DHCP replies received on the untrusted interface) and set the alarm threshold. Eth2/0/0 is used as an example; the configuration on Eth2/0/1 is the same and is not shown here.

    [RouterC] interface ethernet 2/0/0
    [RouterC-Ethernet2/0/0] dhcp snooping alarm mac-address enable
    [RouterC-Ethernet2/0/0] dhcp snooping alarm user-bind enable
    [RouterC-Ethernet2/0/0] dhcp snooping alarm untrust-reply enable
    [RouterC-Ethernet2/0/0] dhcp snooping alarm mac-address threshold 120
    [RouterC-Ethernet2/0/0] dhcp snooping alarm user-bind threshold 120
    [RouterC-Ethernet2/0/0] dhcp snooping alarm untrust-reply threshold 120
    [RouterC-Ethernet2/0/0] quit

  7. Verify the configuration.

    # Run the display dhcp snooping configuration command to view the DHCP snooping configuration.

    [RouterC] display dhcp snooping configuration
    #                                                                               
    dhcp snooping enable                                                            
    arp dhcp-snooping-detect enable                                                 
    #                                                                               
    interface Ethernet2/0/0                                        
     dhcp snooping enable                                                          
     dhcp snooping check dhcp-giaddr enable  
     dhcp snooping check user-bind enable                                           
     dhcp snooping alarm user-bind enable                                           
     dhcp snooping alarm user-bind threshold 120                                    
     dhcp snooping check mac-address enable                                         
     dhcp snooping alarm mac-address enable                                         
     dhcp snooping alarm mac-address threshold 120                                  
     dhcp snooping alarm untrust-reply enable                                       
     dhcp snooping alarm untrust-reply threshold 120                                
     dhcp snooping max-user-number 20
    #                                                                               
    interface Ethernet2/0/1                                        
     dhcp snooping enable                                                          
     dhcp snooping check dhcp-giaddr enable  
     dhcp snooping check user-bind enable                                           
     dhcp snooping alarm user-bind enable                                           
     dhcp snooping alarm user-bind threshold 120                                    
     dhcp snooping check mac-address enable                                         
     dhcp snooping alarm mac-address enable                                         
     dhcp snooping alarm mac-address threshold 120                                  
     dhcp snooping alarm untrust-reply enable                                       
     dhcp snooping alarm untrust-reply threshold 120                                
     dhcp snooping max-user-number 20
    #                                                           

    # Run the display dhcp snooping interface command to view DHCP snooping information on an interface.

    [RouterC] display dhcp snooping interface ethernet 2/0/0
     DHCP snooping running information for interface Ethernet2/0/0 :        
     DHCP snooping                            : Enable                              
     Trusted interface                        : No                                  
     Dhcp user max number                     : 20                                  
     Current dhcp user number                 : 0                                   
     Check dhcp-giaddr                        : Enable                              
     Check dhcp-chaddr                        : Enable                              
     Alarm dhcp-chaddr                        : Enable                              
     Alarm dhcp-chaddr threshold              : 120                                 
     Discarded dhcp packets for check chaddr  : 0                                   
     Check dhcp-request                       : Enable                              
     Alarm dhcp-request                       : Enable                              
     Alarm dhcp-request threshold             : 120                                 
     Discarded dhcp packets for check request : 0                                   
     Alarm dhcp-reply                         : Enable                              
     Alarm dhcp-reply threshold               : 120                                 
     Discarded dhcp packets for check reply   : 0                                   
    [RouterC] display dhcp snooping interface ethernet 2/0/1
     DHCP snooping running information for interface Ethernet2/0/1 :
     DHCP snooping                            : Enable                              
     Trusted interface                        : No                                  
     Dhcp user max number                     : 20                                  
     Current dhcp user number                 : 0                                   
     Check dhcp-giaddr                        : Enable                              
     Check dhcp-chaddr                        : Enable                              
     Alarm dhcp-chaddr                        : Enable                              
     Alarm dhcp-chaddr threshold              : 120                                 
     Discarded dhcp packets for check chaddr  : 0                                   
     Check dhcp-request                       : Enable                              
     Alarm dhcp-request                       : Enable                              
     Alarm dhcp-request threshold             : 120                                 
     Discarded dhcp packets for check request : 0                                   
     Alarm dhcp-reply                         : Enable                              
     Alarm dhcp-reply threshold               : 120                                 
     Discarded dhcp packets for check reply   : 0                                   
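The checks enabled in steps 2 to 6 can be followed in software. The Python model below is an added example, not Huawei device code and not part of this guide: it applies the CHADDR, GIADDR, binding-table and untrusted-reply checks to constructed DHCP frames on one user-side interface, enforces max-user-number 20, removes a binding when the ARP probe of the ARP/DHCP snooping association fails, and raises an alarm when a discard counter reaches the threshold of 120 configured above. All class and method names, MAC addresses and IP addresses in it are this example's own.

```python
"""Software model of the DHCP snooping checks enabled on RouterC in this example.

Added illustration, not Huawei device code: it reproduces the per-interface
logic the procedure configures (CHADDR check, GIADDR check, user-bind check,
untrusted-reply drop, max-user-number, ARP/DHCP snooping association and the
discard alarm threshold). Message type codes are those of RFC 2132 option 53;
all class, field and method names are this example's own.
"""
from dataclasses import dataclass, field

DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE = 1, 2, 3, 5, 6, 7  # option 53 values
ZERO_IP = "0.0.0.0"


@dataclass
class DhcpFrame:
    """Only the fields DHCP snooping inspects (constructed for this model)."""
    src_mac: str            # Ethernet source MAC of the frame
    chaddr: str             # client hardware address in the DHCP header
    msg_type: int           # DHCP message type (option 53)
    giaddr: str = ZERO_IP   # relay agent address; a client leaves this at 0
    ciaddr: str = ZERO_IP   # client address in a renewing REQUEST or a RELEASE
    vlan: int = 1


@dataclass
class SnoopingInterface:
    """One untrusted user-side interface, as shown by 'display dhcp snooping interface'."""
    name: str
    max_user_number: int = 20   # dhcp snooping max-user-number 20
    alarm_threshold: int = 120  # dhcp snooping alarm ... threshold 120
    bindings: dict = field(default_factory=dict)  # (mac, vlan) -> ip
    discards: dict = field(default_factory=lambda: {"chaddr": 0, "giaddr": 0, "request": 0, "reply": 0})
    alarms: list = field(default_factory=list)

    def _discard(self, counter: str) -> bool:
        """Count a dropped packet; the configured alarms fire when a counter reaches the threshold."""
        self.discards[counter] += 1
        if counter in ("chaddr", "request", "reply") and self.discards[counter] == self.alarm_threshold:
            self.alarms.append(f"{self.name}: {counter} discards reached {self.alarm_threshold}")
        return False

    def inspect_client_message(self, f: DhcpFrame) -> bool:
        """Apply the user-side checks: True = forward towards the DHCP server, False = drop."""
        # check mac-address: CHADDR must equal the frame's source MAC, so one NIC cannot
        # request leases under many forged CHADDRs and exhaust the address pool.
        if f.chaddr.lower() != f.src_mac.lower():
            return self._discard("chaddr")
        # check dhcp-giaddr: a client never fills GIADDR; a non-zero value on a
        # user-side port means the sender is posing as a relay agent.
        if f.giaddr != ZERO_IP:
            return self._discard("giaddr")
        # check user-bind: a message that refers to an existing lease must match a binding.
        # DISCOVER and an initial REQUEST carry ciaddr 0 and have no binding yet, so they
        # pass; a forged RELEASE or renewal for someone else's address does not.
        if f.msg_type in (REQUEST, RELEASE) and f.ciaddr != ZERO_IP:
            if self.bindings.get((f.chaddr.lower(), f.vlan)) != f.ciaddr:
                return self._discard("request")
        return True

    def reply_on_untrusted(self, msg_type: int) -> bool:
        """A server reply (OFFER/ACK/NAK) arriving on an untrusted port comes from a bogus server."""
        if msg_type in (OFFER, ACK, NAK):
            return self._discard("reply")
        return True

    def learn_from_server_reply(self, mac: str, vlan: int, ip: str, msg_type: int) -> bool:
        """Create a binding from an ACK snooped on the trusted side, within max-user-number."""
        if msg_type != ACK:
            return False
        key = (mac.lower(), vlan)
        if key not in self.bindings and len(self.bindings) >= self.max_user_number:
            return False  # the interface already holds its maximum number of DHCP users
        self.bindings[key] = ip
        return True

    def arp_probe_failed(self, mac: str, vlan: int) -> bool:
        """arp dhcp-snooping-detect: drop the binding of a user that no longer answers ARP."""
        return self.bindings.pop((mac.lower(), vlan), None) is not None


def demo() -> SnoopingInterface:
    """Replay a constructed traffic sequence on Eth2/0/0 with this example's values."""
    port = SnoopingInterface("Ethernet2/0/0")
    client1, attacker = "00:e0:fc:00:00:01", "00:e0:fc:00:00:99"  # constructed MACs
    # Client1 obtains a lease: DISCOVER passes, the server's ACK creates the binding.
    port.inspect_client_message(DhcpFrame(client1, client1, DISCOVER))
    port.learn_from_server_reply(client1, 1, "10.1.1.10", ACK)
    # Client1 renews its own lease: consistent with the binding table, forwarded.
    port.inspect_client_message(DhcpFrame(client1, client1, REQUEST, ciaddr="10.1.1.10"))
    # Attacker sends a RELEASE for Client1's address from its own MAC: user-bind check drops it.
    port.inspect_client_message(DhcpFrame(attacker, attacker, RELEASE, ciaddr="10.1.1.10"))
    # Attacker answers as a DHCP server on the user-side port: the reply is dropped.
    port.reply_on_untrusted(OFFER)
    # Pool-exhaustion attempt: one NIC, 120 forged CHADDRs. All are dropped and the
    # chaddr alarm fires exactly when the configured threshold (120) is reached.
    for i in range(120):
        port.inspect_client_message(DhcpFrame(attacker, f"02:00:00:00:00:{i:02x}", DISCOVER))
    return port


if __name__ == "__main__":
    p = demo()
    print(p.discards, p.alarms, p.bindings)
```

Running the block replays a normal lease for Client1, a forged Release for its address, a bogus server Offer and a 120-frame CHADDR flood; the counters it prints correspond to the "Discarded dhcp packets for check chaddr/request/reply" fields of display dhcp snooping interface, and the single alarm corresponds to the mac-address threshold of 120.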

Configuration Files

# Configuration file of RouterC

#                                                                               
sysname RouterC
#                                                                               
dhcp enable                                                                     
#                                                                               
dhcp snooping enable                                                        
arp dhcp-snooping-detect enable   
#
interface Ethernet2/0/0
 dhcp snooping enable                                                           
 dhcp snooping check dhcp-giaddr enable                                         
 dhcp snooping check user-bind enable                                           
 dhcp snooping alarm user-bind enable                                           
 dhcp snooping alarm user-bind threshold 120                                    
 dhcp snooping check mac-address enable                                         
 dhcp snooping alarm mac-address enable                                         
 dhcp snooping alarm mac-address threshold 120                                  
 dhcp snooping alarm untrust-reply enable                                       
 dhcp snooping alarm untrust-reply threshold 120                                
 dhcp snooping max-user-number 20 
#
interface Ethernet2/0/1
 dhcp snooping enable
 dhcp snooping check dhcp-giaddr enable
 dhcp snooping check user-bind enable
 dhcp snooping alarm user-bind enable                                           
 dhcp snooping alarm user-bind threshold 120                                    
 dhcp snooping check mac-address enable                                         
 dhcp snooping alarm mac-address enable                                         
 dhcp snooping alarm mac-address threshold 120                                  
 dhcp snooping alarm untrust-reply enable                                       
 dhcp snooping alarm untrust-reply threshold 120
 dhcp snooping max-user-number 20 
#
return
Updated: 2019-08-09

Document ID: EDOC1100034236
