No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring Defense Against Attacks from Non-DHCP Users

Configuring Defense Against Attacks from Non-DHCP Users


On a DHCP network, users with static IP addresses may initiate attacks such as bogus DHCP server attacks and bogus DHCP Request message attacks. This brings security risks for authorized DHCP users.

Dynamic MAC address entries are learned and generated by the device, and static MAC address entries are configured by command lines. A MAC address entry includes the MAC address, VLAN ID, and port number of a DHCP client. The device implements Layer 2 forwarding based on MAC address entries.

After a static MAC address entry is configured on the user-side interface of the device, the device generates static MAC address entries based on dynamic DHCP snooping binding entries for all DHCP users connected to the interface, clears all the dynamic MAC address entries on the interface, disables the interface from learning dynamic MAC address entries, and enables the interface to match the source MAC address based on the MAC address entries. Only messages whose source MAC addresses match the static MAC address entries can pass through the interface; other messages are discarded. Therefore, the administrator needs to manually configure static MAC address entries for non-DHCP users on the interface so that messages sent from non-DHCP users can pass through; otherwise, DHCP messages are discarded. This prevents attacks from non-DHCP users.


  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run dhcp snooping sticky-mac

    The device is enabled to generate static MAC address entries based on the dynamic DHCP snooping binding table.

    By default, the device is disabled from generating static MAC address entries based on the DHCP snooping binding table.


    The dhcp snooping sticky-mac command cannot be used simultaneously with commands of some other features. For details, see Precautions in dhcp snooping sticky-mac.

  4. Run commit

    The configuration is committed.

Updated: 2019-04-20

Document ID: EDOC1100074765

Views: 23494

Downloads: 93

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next