Configuration ideas
1. Enable DHCP snooping.
2. Configure the trust status of the interfaces so that clients can obtain IP addresses only from the legitimate DHCP server.
3. Enable the association between ARP and DHCP snooping so that the binding table is updated in real time when a DHCP user goes offline abnormally.
4. Enable generation of static MAC address entries on the interface from the DHCP snooping binding table, to prevent attacks from non-DHCP users.
5. Enable the binding-table matching check for DHCP packets, to prevent forged DHCP packet attacks.
6. Configure the maximum rate at which DHCP packets are sent to the DHCP packet processing unit, to prevent DHCP packet flood attacks.
7. Configure the maximum number of users allowed to access each interface and enable DHCP Request checking.
Procedure
1. Enable DHCP snooping globally.
[SwitchC] dhcp enable
[SwitchC] dhcp snooping enable
2. Enable DHCP snooping on the user-side VLANs or interfaces.
[SwitchC] dhcp snooping enable vlan 1 to 100
(Or enable it directly on each user-side interface:)
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping enable
3. Configure the interface trust status: set the interface connected to the DHCP server to trusted. Both the port facing the DHCP server and the cascade (uplink) port to the next switch must be trusted. Every other interface stays untrusted, which is the default, so DHCP Offer/ACK/NAK packets arriving on it are discarded and a rogue server on a client port cannot answer clients.
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] dhcp snooping trusted
4. Enable the association between ARP and DHCP snooping.
[SwitchC] arp dhcp-snooping-detect enable
5. Enable the binding-table matching check for DHCP Request packets on the user-side interface.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping check dhcp-request enable
6. Set the maximum rate at which DHCP packets are sent to the DHCP packet processing unit to 10 pps.
[SwitchC] dhcp snooping check dhcp-rate enable
[SwitchC] dhcp snooping check dhcp-rate 10
7. Configure the maximum number of DHCP users allowed to access the interface.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping max-user-number 2
8. Configure the discarded-packet alarm and the rate-limit alarm functions.
# Enable the rate-limit alarm and set its threshold. These commands are entered in the system view and apply to all interfaces; the per-interface discarded-packet alarms are configured in the interface view, with GE0/0/1 as the example and GE0/0/2 configured the same way.
[SwitchC] dhcp snooping alarm dhcp-rate enable
[SwitchC] dhcp snooping alarm dhcp-rate threshold 10
# Check DHCP packets against the binding table, and check that the CHADDR field in the DHCP Request packet header matches the source MAC address of the frame. A client that forges a different CHADDR in every Discover is how one attacker exhausts the address pool.
[SwitchC] dhcp snooping check user-bind enable
[SwitchC] dhcp snooping check mac-address enable
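To make the effect of steps 3, 5, 6, 7 and 8 concrete, the following Python script is an added example, not part of the original note and not Huawei VRP code. It builds raw BOOTP/DHCP payloads with the standard library and runs them through a toy switch model that applies the same decisions in a simplified order: server replies only through trusted ports, the CHADDR/source-MAC check, the binding-table check on Request/Release/Decline, max-user-number, and the 10 pps rate limit with its alarm. The class and function names, the binding-table layout, the port names GE0/0/1 to GE0/0/3, the MAC addresses and the VLAN are this example's own constructed values; the real switch's internal order of checks is an assumption here.

```python
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that starts the options field
ZERO_IP = b"\0" * 4

def mac(text):
    """'0001-0002-0003' (Huawei notation) or '00:01:00:02:00:03' -> 6 raw bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))

def build_dhcp(msg_type, chaddr, ciaddr=ZERO_IP):
    """Minimal BOOTP payload carrying option 53; op follows the message direction."""
    op = BOOTREPLY if msg_type in (OFFER, ACK, NAK) else BOOTREQUEST
    header = struct.pack("!BBBBIHH4s4s4s4s16s192s", op, 1, 6, 0, 0x1A2B3C4D, 0, 0,
                         ciaddr, ZERO_IP, ZERO_IP, ZERO_IP, chaddr.ljust(16, b"\0"),
                         b"\0" * 192)   # sname + file, unused here
    return header + MAGIC + bytes([53, 1, msg_type, 255])

def parse_dhcp(payload):
    """Return (op, chaddr, ciaddr, message type) from a BOOTP/DHCP payload."""
    op, _htype, hlen = struct.unpack_from("!BBB", payload)
    ciaddr, chaddr = payload[12:16], payload[28:28 + hlen]
    opts, msg_type, i = payload[240:], None, 0
    while i < len(opts) and opts[i] != 255:
        code, length = opts[i], opts[i + 1]
        if code == 53:
            msg_type = opts[i + 2]
        i += 2 + length
    return op, chaddr, ciaddr, msg_type

class SnoopingSwitch:
    """Toy model of the per-packet decisions; class and method names are this example's."""

    def __init__(self, dhcp_rate=10):
        self.trusted = set()        # dhcp snooping trusted
        self.max_users = {}         # dhcp snooping max-user-number, per port
        self.bindings = {}          # (vlan, mac) -> (ip, port): the binding table
        self.dhcp_rate = dhcp_rate  # dhcp snooping check dhcp-rate
        self.pps = 0                # DHCP packets seen in the current second
        self.alarms = []            # dhcp snooping alarm dhcp-rate

    def learn(self, port, vlan, client_mac, ip):
        """Binding entry created when the trusted server's ACK completes a lease."""
        self.bindings[(vlan, client_mac)] = (ip, port)

    def handle(self, port, vlan, src_mac, payload):
        """Return 'forward' or a 'drop: ...' reason, one per configured check."""
        op, chaddr, ciaddr, msg_type = parse_dhcp(payload)
        self.pps += 1
        if self.pps > self.dhcp_rate:                       # check dhcp-rate 10
            self.alarms.append(("dhcp-rate", port))
            return "drop: rate limit exceeded"
        if op == BOOTREPLY and port not in self.trusted:   # Offer/ACK/NAK only via trusted
            return "drop: server reply on untrusted port"
        if op == BOOTREQUEST and chaddr != src_mac:        # check mac-address
            return "drop: CHADDR does not match source MAC"
        if msg_type in (REQUEST, DECLINE, RELEASE) and ciaddr != ZERO_IP:
            key = (vlan, src_mac)                          # check dhcp-request
            if self.bindings.get(key) != (ciaddr, port):
                return "drop: no matching binding-table entry"
            if msg_type == RELEASE:
                del self.bindings[key]
        limit = self.max_users.get(port)                   # max-user-number
        if msg_type == DISCOVER and limit is not None:
            if sum(1 for _ip, p in self.bindings.values() if p == port) >= limit:
                return "drop: max-user-number reached"
        return "forward"

def demo():
    """Walk the attacks each check stops; returns the decisions for inspection."""
    sw = SnoopingSwitch(dhcp_rate=10)
    sw.trusted.add("GE0/0/3")           # the port toward the real DHCP server
    sw.max_users["GE0/0/1"] = 2
    client, rogue = mac("0001-0002-0003"), mac("00aa-00bb-00cc")
    ip, r = bytes([192, 168, 10, 20]), {}
    offer = build_dhcp(OFFER, client)   # a server answering the client
    r["rogue_offer"] = sw.handle("GE0/0/1", 10, rogue, offer)   # from a client port
    r["server_offer"] = sw.handle("GE0/0/3", 10, rogue, offer)  # from the trusted port
    r["chaddr_spoof"] = sw.handle("GE0/0/1", 10, rogue, build_dhcp(DISCOVER, client))
    r["bogus_release"] = sw.handle("GE0/0/1", 10, rogue, build_dhcp(RELEASE, rogue, ip))
    sw.learn("GE0/0/1", 10, rogue, ip)  # now the lease really exists
    r["valid_release"] = sw.handle("GE0/0/1", 10, rogue, build_dhcp(RELEASE, rogue, ip))
    for m in ("0001-0002-0004", "0001-0002-0005"):
        sw.learn("GE0/0/1", 10, mac(m), ip)
    third = mac("0001-0002-0006")
    r["third_user"] = sw.handle("GE0/0/1", 10, third, build_dhcp(DISCOVER, third))
    sw.pps = 0                          # a new second starts
    flood = [sw.handle("GE0/0/2", 10, client, build_dhcp(DISCOVER, client))
             for _ in range(12)]
    r["flood_dropped"] = flood.count("drop: rate limit exceeded")
    r["alarms"] = len(sw.alarms)
    return r

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:15} {decision}")
```

Running the script prints one decision per scenario: the rogue Offer on GE0/0/1 is dropped while the same Offer on trusted GE0/0/3 is forwarded, the spoofed CHADDR and the Release for a lease the port never held are dropped, the third client on a port limited to two users is refused, and of twelve Discovers in one second only ten reach the "processing unit" while two raise the rate alarm. The same binding table is what the ARP and IP source checks listed at the end of this page consult.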
Verify configuration results
display dhcp snooping configuration    View the DHCP snooping configuration.
display dhcp snooping interface interface-type interface-number    View the DHCP snooping running information on the interface.
reset dhcp snooping user-bind [ vlan vlan-id | interface interface-type interface-number ] *    Clear the DHCP snooping binding table (all entries, or only those of a VLAN or an interface).
dhcp snooping user-bind autosave file-name    Back up the DHCP snooping binding table to a file so that it survives a restart.
Binding-table-based ARP and IP packet checks
arp anti-attack check user-bind enable    Check ARP packets against the DHCP snooping binding table (dynamic ARP inspection).
arp anti-attack check user-bind alarm enable    Enable the alarm for ARP packets discarded by the check.
arp anti-attack check user-bind alarm threshold 10    Set the alarm threshold for discarded ARP packets.
arp anti-attack check user-bind check-item mac-address    Set the item that is checked; here only the MAC address.
ip source check user-bind enable    Check IP packets against the binding table (IP source guard).
ip source check user-bind check-item { ip-address | mac-address | vlan } *    Configure the items checked in IP packets.
ip source check user-bind alarm enable    Enable the alarm for IP packets discarded by the check.
ip source check user-bind alarm threshold    Configure the alarm threshold for discarded IP packets; the default is 100.