NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring Defense Against Bogus DHCP Server Attacks

This section describes how to configure defense against bogus Dynamic Host Configuration Protocol (DHCP) server attacks.

Applicable Environment

A bogus DHCP server on the network may send a DHCP offer packet to a DHCP client. Such an offer carries incorrect information, for example a wrong gateway address, a wrong Domain Name Server (DNS) server address, or a wrong IP address. As a result, the DHCP client cannot connect to the network, or connects to the wrong network.

To prevent a bogus DHCP server attack, configure DHCP snooping on the device, configure the network-side interface to be trusted and the user-side interface to be untrusted, and configure the device to discard DHCP reply packets received from untrusted interfaces.

Enable bogus DHCP server detection on the device. The device obtains relevant information about the DHCP server and logs the information, which helps you maintain the network.

Pre-configuration Tasks

Before you configure defense against bogus DHCP server attacks, configure the DHCP server.

Configuration Process

Figure 4-1 Flowchart of configuring defense against bogus DHCP server attacks

Enabling DHCP Snooping

To configure Dynamic Host Configuration Protocol (DHCP) snooping functions, enable DHCP snooping first.

Context

Enable DHCP snooping in the following sequence:
  1. Enable DHCP globally.
  2. Enable DHCP snooping globally.
  3. Enable DHCP snooping in an interface, BD, or VLAN view.

Procedure

  • Enable DHCP snooping globally and in a VLAN to protect Layer 2 devices against bogus DHCP server attacks.
    1. Run system-view

      The system view is displayed.

    2. Run dhcp enable

      DHCP is enabled globally.

    3. Run dhcp snooping enable

      DHCP snooping is enabled globally.

    4. Run vlan vlan-id

      The VLAN view is displayed.

    5. Run dhcp snooping enable

      DHCP snooping is enabled for the VLAN.

    6. Run quit

      Return to the system view.

    7. Run commit

      The configuration is committed.

  • Enable DHCP snooping in the BD view.
    1. Run system-view

      The system view is displayed.

    2. Run dhcp enable

      DHCP is enabled globally.

    3. Run dhcp snooping enable

      DHCP snooping is enabled globally.

    4. Run bridge-domain bd-id

      The BD view is displayed.

    5. Run dhcp snooping enable

      DHCP snooping is enabled.

    6. Run commit

      The configuration is committed.

  • Enable DHCP snooping globally and on an interface to protect Layer 3 devices against bogus DHCP server attacks.
    1. Run system-view

      The system view is displayed.

    2. Run dhcp enable

      DHCP is enabled globally.

    3. Run dhcp snooping enable

      DHCP snooping is enabled globally.

    4. Run interface interface-type interface-number

      The interface view is displayed.

    5. Run dhcp snooping enable

      DHCP snooping is enabled for the interface.

    6. Run commit

      The configuration is committed.

Configuring an Interface as a Trusted Interface

After Dynamic Host Configuration Protocol (DHCP) snooping is enabled, trusted interfaces must be configured so that DHCP replies arriving through those interfaces are forwarded and clients can go online.

Context

After DHCP snooping is enabled on a device, you can configure interfaces of the device as trusted or untrusted.
  • After receiving DHCP reply packets from a trusted interface, the device forwards the packets so that DHCP clients can obtain correct IP addresses.
  • After receiving DHCP reply packets from an untrusted interface, the device discards the packets to prevent DHCP clients from obtaining incorrect IP addresses.

Generally, the interfaces connected to legitimate DHCP servers are configured as trusted and all other interfaces are configured as untrusted.

NOTE:
After DHCP snooping is enabled, trusted interfaces must be configured and server-side interfaces and user-side interfaces must be in the same virtual local area network (VLAN). By default, server-side interfaces and user-side interfaces are in the same VLAN. DHCP clients cannot go online if server-side interfaces and user-side interfaces are in different VLANs.

Procedure

  • Configure an interface as a trusted interface in a VLAN to protect Layer 2 devices against bogus DHCP server attacks.
    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run dhcp snooping trusted [ interface interface-type interface-number ]

      An interface is configured as a trusted interface in the VLAN.

      NOTE:

      Before you configure an interface as a trusted interface in the VLAN view, make sure that the interface is in the VLAN.

    4. Run commit

      The configuration is committed.

  • Configure interfaces as trusted interfaces in the BD view.
    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run dhcp snooping trusted

      Interfaces are configured as trusted interfaces.

    4. Run commit

      The configuration is committed.

  • Configure an interface as a trusted interface in the interface view to protect Layer 3 devices against bogus DHCP server attacks.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run dhcp snooping trusted

      The interface is configured as a trusted interface.

      The dhcp snooping trusted command can be configured on the NNI in a VSI scenario. If multiple VSIs share the same NNI, the dhcp snooping trusted command takes effect on all of them, which may cause the following problems:
      • VSIs cannot be identified when the NNI sends DHCP reply messages to the host. As a result, DHCP snooping does not take effect, but users can go online.
      • The NNI sends DHCP reply messages to the host even for VSIs on which DHCP snooping is not enabled, which increases the device load.
      To prevent these problems, do not run the dhcp snooping trusted command on the NNI; run the dhcp snooping nni server enable command in the VSI view instead.

    4. Run commit

      The configuration is committed.

(Optional) Enabling Bogus DHCP Server Detection

After bogus Dynamic Host Configuration Protocol (DHCP) server detection is enabled, the system generates logs about DHCP servers.

Context

Before enabling bogus DHCP server detection, ensure that DHCP snooping is enabled (globally and on the interface). Otherwise, the detection function does not take effect.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run dhcp snooping server record

    Bogus DHCP server detection is enabled.

  3. Run commit

    The configuration is committed.

(Optional) Configuring the Alarm Function for Discarded DHCP Reply Packets

By configuring the function described in this section, you can have an alarm generated when a specified number of Dynamic Host Configuration Protocol (DHCP) reply packets have been discarded.

Context

After trusted and untrusted interfaces are configured, the device discards all DHCP reply packets received from untrusted interfaces. You can set a threshold for the number of discarded packets. When the number of discarded packets reaches the threshold, an alarm is generated.

For a Layer 2 device, configure the alarm function for discarded DHCP reply packets in a VLAN view. For a Layer 3 device, configure the alarm function for discarded DHCP reply packets in an interface view or in a BD view.

Procedure

  • Configure the alarm function for discarded DHCP reply packets in a VLAN view.
    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run dhcp snooping alarm dhcp-reply enable [ interface interface-type interface-number ]

      The alarm function for discarded DHCP reply packets is enabled for the VLAN.

    4. Run dhcp snooping alarm dhcp-reply threshold threshold [ interface interface-type interface-number ]

      The alarm threshold for the number of discarded packets is configured for the VLAN.

    5. Run commit

      The configuration is committed.

  • Configure the alarm function for discarded DHCP reply packets in a BD view.
    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run dhcp snooping alarm dhcp-reply enable

      The alarm function for discarded DHCP reply packets is enabled.

    4. Run dhcp snooping alarm threshold threshold-value

      The alarm threshold for the number of discarded packets is configured in a BD.

    5. Run commit

      The configuration is committed.

  • Configure the alarm function for discarded DHCP reply packets in an interface view.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run dhcp snooping alarm dhcp-reply enable

      The alarm function for discarded DHCP reply packets is enabled for the interface.

    4. Run dhcp snooping alarm dhcp-reply threshold threshold-value

      The alarm threshold for the number of discarded packets is configured for the interface.

    5. Run commit

      The configuration is committed.
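The three preceding sections (trusted versus untrusted interfaces, bogus DHCP server detection, and the alarm for discarded DHCP reply packets) describe a single forwarding decision: a DHCP reply is forwarded only if it arrives on a trusted interface, otherwise it is dropped and counted, and once the count reaches the threshold an alarm is raised. The following Python model is an added example, not Huawei's code and not the NE20E implementation; it parses real DHCP payload bytes (BOOTP op field and options 53/54) and applies that decision. The interface names, the VLAN object, the way the alarm fires exactly once at the threshold, and keying the server record on option 54 are assumptions made for the demo; the page does not describe those details of the device.

```python
# Added example (not Huawei's code): a small model of the DHCP snooping
# behaviour this page configures. Interface names, the VLAN object and the
# alarm/record bookkeeping are assumptions for the demo; real NE20E behaviour
# (for example how the alarm re-arms after firing) is not described on the page.
from dataclasses import dataclass, field
from typing import Optional

BOOTREQUEST, BOOTREPLY = 1, 2                    # BOOTP 'op' field values
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_dhcp(op: int, msg_type: int, server_id: Optional[str] = None) -> bytes:
    """Construct a minimal DHCP payload (constructed sample input, not a capture)."""
    # op, htype=1 (Ethernet), hlen=6, hops=0, then zeroed xid..file fields (232 bytes)
    header = bytes([op, 1, 6, 0]) + b"\x00" * 232 + MAGIC_COOKIE   # 240 bytes
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        options += bytes([OPT_SERVER_ID, 4]) + bytes(int(o) for o in server_id.split("."))
    return header + options + bytes([OPT_END])


def parse_dhcp(payload: bytes) -> dict:
    """Return the BOOTP op, DHCP message type (option 53) and server identifier (option 54)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:                      # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    server_id = ".".join(str(b) for b in opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None
    return {"op": payload[0], "msg_type": msg_type, "server_id": server_id}


@dataclass
class SnoopingVlan:
    """DHCP snooping state for one VLAN: trusted ports, reply-drop alarm, server record."""
    trusted: set = field(default_factory=set)          # 'dhcp snooping trusted interface ...'
    alarm_threshold: int = 0                            # 'dhcp snooping alarm dhcp-reply threshold'; 0 = off
    server_record: bool = False                         # 'dhcp snooping server record'
    dropped_replies: int = 0                            # the 'dhcp-reply total' drop counter
    alarms: list = field(default_factory=list)
    servers_seen: dict = field(default_factory=dict)    # server identifier -> ingress interface

    def process(self, ingress: str, payload: bytes) -> str:
        pkt = parse_dhcp(payload)
        name = MSG_NAMES.get(pkt["msg_type"], str(pkt["msg_type"]))
        if pkt["op"] != BOOTREPLY:
            return "forward"                            # client requests are not filtered here
        if ingress not in self.trusted:
            # Reply on an untrusted (user-side) port: the bogus-server case. Drop and count.
            self.dropped_replies += 1
            if self.alarm_threshold and self.dropped_replies == self.alarm_threshold:
                self.alarms.append(f"{self.dropped_replies} DHCP replies discarded; last was {name} on {ingress}")
            return "drop"
        if self.server_record and pkt["server_id"]:
            # Bogus server detection: log which server answered and through which port.
            self.servers_seen[pkt["server_id"]] = ingress
        return "forward"


def run_demo() -> SnoopingVlan:
    """Replay a constructed exchange: legitimate server behind the NNI, rogue server on a UNI."""
    vlan = SnoopingVlan(trusted={"GE0/1/0"}, alarm_threshold=2, server_record=True)
    vlan.process("GE0/1/5", build_dhcp(BOOTREQUEST, 1))                   # client DISCOVER, forwarded
    vlan.process("GE0/1/0", build_dhcp(BOOTREPLY, 2, "10.1.1.1"))         # OFFER via trusted NNI, forwarded
    vlan.process("GE0/1/7", build_dhcp(BOOTREPLY, 2, "192.168.0.254"))    # OFFER from untrusted UNI, dropped
    vlan.process("GE0/1/7", build_dhcp(BOOTREPLY, 5, "192.168.0.254"))    # ACK from untrusted UNI, dropped, alarm
    return vlan


if __name__ == "__main__":
    v = run_demo()
    print("dropped:", v.dropped_replies, "alarms:", v.alarms, "servers:", v.servers_seen)
```

Running the demo drops both replies from GE0/1/7, raises one alarm when the second drop reaches the threshold of 2, and records only 10.1.1.1 (seen on the trusted NNI) as a server. On the real device the equivalent evidence is the dhcp-reply total counter and the alarm, which is why the threshold should be low enough to be noticed before many clients have been misdirected.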

Verifying the Configuration of Defense Against Bogus DHCP Server Attacks

This section describes how to check the configuration of defense against bogus Dynamic Host Configuration Protocol (DHCP) server attacks.

Prerequisites

The configurations of defense against bogus DHCP server attacks are complete.

Procedure

  • Run the display dhcp snooping { interface interface-type interface-number | vlan vlan-id [ interface interface-type interface-number ] | bridge-domain bd-id } command to check the DHCP snooping configuration.

Example

Run the display dhcp snooping command to check the configuration of defense against bogus DHCP server attacks.
<HUAWEI> display dhcp snooping vlan 10
 dhcp snooping enable
 dhcp snooping check arp enable
 dhcp snooping check ip enable
 dhcp snooping alarm ip enable
 dhcp snooping alarm ip threshold 205
 dhcp snooping alarm dhcp-reply enable
 dhcp snooping alarm dhcp-reply threshold 200
 dhcp check chaddr enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 300
 dhcp snooping max-user-number 100
 arp total                  0
 ip total                   0
 dhcp-request total         0
 chaddr&src mac total       0
 dhcp-reply total           0    
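When this output is collected from many devices, the settings worth checking for bogus-server defense are whether snooping is enabled in the view, whether the dhcp-reply alarm is enabled with a threshold, and whether the dhcp-reply total counter is already non-zero (replies have been dropped on untrusted interfaces). The following Python audit is an added example, not Huawei's code; the embedded text is the page's own display dhcp snooping output, while the parsing rules and the finding messages are assumptions. Note that this output does not list trusted interfaces, so the audit cannot confirm them.

```python
# Added example (not Huawei's code): parse 'display dhcp snooping' output and
# check the settings relevant to bogus DHCP server defense. SAMPLE_OUTPUT is the
# page's own output; the parsing rules and findings below are assumptions.
SAMPLE_OUTPUT = """\
<HUAWEI> display dhcp snooping vlan 10
 dhcp snooping enable
 dhcp snooping check arp enable
 dhcp snooping check ip enable
 dhcp snooping alarm ip enable
 dhcp snooping alarm ip threshold 205
 dhcp snooping alarm dhcp-reply enable
 dhcp snooping alarm dhcp-reply threshold 200
 dhcp check chaddr enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 300
 dhcp snooping max-user-number 100
 arp total                  0
 ip total                   0
 dhcp-request total         0
 chaddr&src mac total       0
 dhcp-reply total           0
"""


def parse_display_dhcp_snooping(text: str) -> tuple:
    """Split the output into (settings, counters).

    settings maps an 'enable' line to True and a threshold/limit line to its integer;
    counters maps the '... total' drop counters to their integer value.
    """
    settings, counters = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):           # skip blank lines and the CLI prompt
            continue
        words = line.split()
        if words[-1] == "enable":
            settings[line] = True
        elif words[-1].isdigit() and words[-2] == "total":
            counters[" ".join(words[:-1])] = int(words[-1])
        elif words[-1].isdigit():                       # thresholds, max-user-number
            settings[" ".join(words[:-1])] = int(words[-1])
    return settings, counters


def audit_bogus_server_defense(settings: dict, counters: dict) -> list:
    """Return findings about the reply-drop protection; an empty list means nothing to report."""
    findings = []
    if not settings.get("dhcp snooping enable"):
        findings.append("DHCP snooping is not enabled in this view")
    if not settings.get("dhcp snooping alarm dhcp-reply enable"):
        findings.append("alarm for discarded DHCP reply packets is not enabled")
    elif "dhcp snooping alarm dhcp-reply threshold" not in settings:
        findings.append("DHCP reply alarm is enabled but no threshold is set")
    dropped = counters.get("dhcp-reply total", 0)
    if dropped:
        findings.append(f"{dropped} DHCP reply packet(s) discarded on untrusted interfaces: "
                        "a DHCP server may be answering from the user side")
    return findings


def audit_sample() -> list:
    """Audit the page's sample output; returns [] because everything is enabled and no drops occurred."""
    settings, counters = parse_display_dhcp_snooping(SAMPLE_OUTPUT)
    return audit_bogus_server_defense(settings, counters)


if __name__ == "__main__":
    print(audit_sample() or "no findings")
```

The audit is deliberately tolerant of the column alignment in the counter lines, since that spacing varies between views and releases; it keys only on the trailing 'total' keyword and the final integer.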
Updated: 2019-01-02

Document ID: EDOC1100055397