This section describes how to use the rpc method to configure defense against bogus DHCP message attacks: DHCP snooping is enabled globally and in VLAN 10, DHCP messages in that VLAN are checked against the DHCP snooping binding table and the CHADDR field, and an alarm is generated when the number of DHCP Request messages discarded on GE0/0/1 reaches a threshold.
Operation | XPATH
---|---
rpc | 
Item | Data | Description
---|---|---
VLAN | VLAN10 | In VLAN 10, enable checking of DHCP messages against the DHCP snooping binding table and checking that the source MAC address in the DHCP Request frame header matches the CHADDR field. Configure the device to generate an alarm when the number of DHCPv4 Request messages discarded on GE0/0/1 because they do not match the DHCP snooping binding table reaches the threshold (200).
Checking DHCP messages against the DHCP snooping binding table | true | 
Checking whether the source MAC address in a DHCP Request packet header is the same as the CHADDR field | true | 
Interface | GE0/0/1 | 
DHCP snooping alarm type | dhcp-request | 
DHCP snooping alarm function | true | 
Alarm threshold for the number of discarded DHCP snooping messages | 200 | 
<rpc message-id="123" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <vlans xmlns="urn:huawei:params:xml:ns:yang:huawei-vlan" xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
        <vlan>
          <id>10</id>
        </vlan>
      </vlans>
      <interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
        <interface>
          <name>GigabitEthernet0/0/1</name>
          <description>savi</description>
          <type xmlns:iana-if-type="urn:ietf:params:xml:ns:yang:iana-if-type">iana-if-type:ethernetCsmacd</type>
          <enabled>true</enabled>
        </interface>
      </interfaces>
      <dhcp-config xmlns="urn:huawei:params:xml:ns:yang:huawei-dhcp">
        <dhcpv4-config>
          <enable>true</enable>
        </dhcpv4-config>
      </dhcp-config>
      <hw-savi:savi xmlns:hw-savi="urn:huawei:params:xml:ns:yang:huawei-savi">
        <hw-savi:dhcp-snooping xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
          <hw-savi:snooping-global-enable>
            <hw-savi:ipv4-enable>true</hw-savi:ipv4-enable>
          </hw-savi:snooping-global-enable>
          <hw-savi:snooping>
            <hw-savi:vlan>
              <hw-savi:start-vlan-id>10</hw-savi:start-vlan-id>
              <hw-savi:check-dhcp-request>true</hw-savi:check-dhcp-request>
              <hw-savi:check-dhcp-chaddr>true</hw-savi:check-dhcp-chaddr>
            </hw-savi:vlan>
            <hw-savi:interface>
              <hw-savi:interface-name>GigabitEthernet0/0/1</hw-savi:interface-name>
              <hw-savi:alarm>
                <hw-savi:type>dhcp-request</hw-savi:type>
                <hw-savi:enable>true</hw-savi:enable>
                <hw-savi:threshold>200</hw-savi:threshold>
              </hw-savi:alarm>
            </hw-savi:interface>
          </hw-savi:snooping>
        </hw-savi:dhcp-snooping>
      </hw-savi:savi>
    </config>
  </edit-config>
</rpc>
Sample of successful response
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <ok/>
</rpc-reply>
Sample of failed response (returned when the per-VLAN checks are requested while DHCP snooping is not yet enabled in the global view; the error-info node path identifies the leaf that was rejected)
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message> Please enable DHCP snooping in the global view first.</error-message>
    <error-info>Error on node /huawei-savi:savi/dhcp-snooping/snooping/vlan/check-dhcp-request</error-info>
  </rpc-error>
</rpc-reply>
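The following script is an added example, not Huawei's code or part of this page's original content. It builds the edit-config above with the standard library only (so every prefix is actually bound to its namespace), checks the request locally for the condition the failed reply reports (per-VLAN checks without the global IPv4 enable), and parses an rpc-reply into a result an automation job can act on. The namespace URIs, leaf names and the two replies are taken from this page; the prefix names used on output (such as `hw-dhcp`) are assumed and cosmetic to a NETCONF server, and the `global_enable` parameter exists only to reproduce the failure case.

```python
"""Added example (not Huawei's code): build, sanity-check and parse the
DHCP snooping edit-config exchange shown on this page. Standard library only."""
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
VLAN_NS = "urn:huawei:params:xml:ns:yang:huawei-vlan"
IF_NS = "urn:ietf:params:xml:ns:yang:ietf-interfaces"
IANA_NS = "urn:ietf:params:xml:ns:yang:iana-if-type"
DHCP_NS = "urn:huawei:params:xml:ns:yang:huawei-dhcp"
SAVI_NS = "urn:huawei:params:xml:ns:yang:huawei-savi"

# Output prefixes; "hw-dhcp"/"hw-vlan" are assumed names, any bound prefix works.
for prefix, uri in (("nc", NC), ("hw-vlan", VLAN_NS), ("if", IF_NS),
                    ("hw-dhcp", DHCP_NS), ("hw-savi", SAVI_NS)):
    ET.register_namespace(prefix, uri)


def q(ns, name):
    """Clark-notation qualified name as ElementTree expects it."""
    return "{%s}%s" % (ns, name)


def sub(parent, ns, name, text=None, attrs=None):
    el = ET.SubElement(parent, q(ns, name), attrs or {})
    if text is not None:
        el.text = text
    return el


def build_edit_config(vlan_id=10, ifname="GigabitEthernet0/0/1", threshold=200,
                      global_enable=True, message_id="123"):
    """Serialize the page's request. global_enable=False omits the global
    IPv4 enable, the condition behind the page's failed reply."""
    merge = {q(NC, "operation"): "merge"}
    rpc = ET.Element(q(NC, "rpc"), {"message-id": message_id})
    edit = sub(rpc, NC, "edit-config")
    sub(sub(edit, NC, "target"), NC, "running")
    config = sub(edit, NC, "config")
    vlans = sub(config, VLAN_NS, "vlans", attrs=merge)
    sub(sub(vlans, VLAN_NS, "vlan"), VLAN_NS, "id", str(vlan_id))
    intf = sub(sub(config, IF_NS, "interfaces"), IF_NS, "interface")
    sub(intf, IF_NS, "name", ifname)
    sub(intf, IF_NS, "description", "savi")
    # The identityref value carries a prefix inside text, so its binding must be
    # written by hand: ElementTree only declares namespaces it uses in names.
    sub(intf, IF_NS, "type", "iana-if-type:ethernetCsmacd",
        attrs={"xmlns:iana-if-type": IANA_NS})
    sub(intf, IF_NS, "enabled", "true")
    dhcp = sub(config, DHCP_NS, "dhcp-config")
    sub(sub(dhcp, DHCP_NS, "dhcpv4-config"), DHCP_NS, "enable", "true")
    snooping = sub(sub(config, SAVI_NS, "savi"), SAVI_NS, "dhcp-snooping", attrs=merge)
    if global_enable:
        glob = sub(snooping, SAVI_NS, "snooping-global-enable")
        sub(glob, SAVI_NS, "ipv4-enable", "true")
    snoop = sub(snooping, SAVI_NS, "snooping")
    vlan = sub(snoop, SAVI_NS, "vlan")
    sub(vlan, SAVI_NS, "start-vlan-id", str(vlan_id))
    sub(vlan, SAVI_NS, "check-dhcp-request", "true")
    sub(vlan, SAVI_NS, "check-dhcp-chaddr", "true")
    iface = sub(snoop, SAVI_NS, "interface")
    sub(iface, SAVI_NS, "interface-name", ifname)
    alarm = sub(iface, SAVI_NS, "alarm")
    sub(alarm, SAVI_NS, "type", "dhcp-request")
    sub(alarm, SAVI_NS, "enable", "true")
    sub(alarm, SAVI_NS, "threshold", str(threshold))
    return ET.tostring(rpc, encoding="unicode")


def summarize_request(rpc_xml):
    """Read the operationally relevant leaves back out of a serialized request."""
    root = ET.fromstring(rpc_xml)

    def text(*names):
        return (root.findtext(".//" + "/".join(q(SAVI_NS, n) for n in names)) or "").strip()

    return {
        "vlan": text("start-vlan-id"),
        "check-request": text("check-dhcp-request") == "true",
        "check-chaddr": text("check-dhcp-chaddr") == "true",
        "interface": text("interface-name"),
        "threshold": text("threshold"),
        "global-enable": text("snooping-global-enable", "ipv4-enable") == "true",
    }


def missing_global_enable(rpc_xml):
    """True when per-VLAN checks are requested without the global IPv4 enable."""
    s = summarize_request(rpc_xml)
    return (s["check-request"] or s["check-chaddr"]) and not s["global-enable"]


def parse_reply(reply_xml):
    """Map an <rpc-reply> to {"ok": bool, "message-id": str, "errors": [...]}."""
    root = ET.fromstring(reply_xml)
    if root.tag != q(NC, "rpc-reply"):
        raise ValueError("not an rpc-reply: %s" % root.tag)
    errors = [{"app-tag": (e.findtext(q(NC, "error-app-tag")) or "").strip(),
               "message": (e.findtext(q(NC, "error-message")) or "").strip(),
               "info": (e.findtext(q(NC, "error-info")) or "").strip()}
              for e in root.findall(q(NC, "rpc-error"))]
    ok = root.find(q(NC, "ok")) is not None and not errors
    return {"ok": ok, "message-id": root.get("message-id"), "errors": errors}


# Replies copied from this page; constructed test input, not live device output.
OK_REPLY = ('<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" '
            'message-id="123"><ok/></rpc-reply>')
FAIL_REPLY = (
    '<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="123">'
    '<rpc-error><error-app-tag>-1</error-app-tag>'
    '<error-message> Please enable DHCP snooping in the global view first.</error-message>'
    '<error-info>Error on node /huawei-savi:savi/dhcp-snooping/snooping/vlan/'
    'check-dhcp-request</error-info></rpc-error></rpc-reply>')

if __name__ == "__main__":
    req = build_edit_config()
    print(req)
    print(summarize_request(req), "missing global enable:", missing_global_enable(req))
    for reply in (OK_REPLY, FAIL_REPLY):
        print(parse_reply(reply))
```

Run `missing_global_enable` before sending when the per-VLAN checks are pushed in a separate edit-config from the global enable, since the device rejects them unless snooping is already enabled globally; and treat any `rpc-error` as a failed change rather than inspecting only for `<ok/>`, because a reply can carry both.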