In Figure 1, PE1 and PE2 are connected over a VPLS network. The DHCP client obtains an IPv4 address using DHCP. Attacks from unauthorized users prevent authorized users from obtaining IP addresses. The administrator needs to enable the device to defend against DHCP attacks on the network and provide better service to DHCP clients.
Only the S5720-HI, S5731-H, S5731S-H, S5732-H, S6730-H, S6730S-H, S5730-HI, and S6720-HI support this example.
The configuration roadmap is as follows:
# Enable DHCP snooping globally and configure the device to process only DHCPv4 messages.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] dhcp enable
[PE1] dhcp snooping enable ipv4
# Enable DHCP snooping over VPLS.
[PE1] dhcp snooping over-vpls enable
# Enable DHCP snooping on the user-side interface. GE0/0/1 is used as an example; the configuration on GE0/0/2 is the same as that on GE0/0/1 and is not shown here.
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] dhcp snooping enable
[PE1-GigabitEthernet0/0/1] quit
# Configure the network-side interface GE0/0/3 as a trusted interface.
[PE1] interface gigabitethernet 0/0/3
[PE1-GigabitEthernet0/0/3] dhcp snooping trusted
[PE1-GigabitEthernet0/0/3] quit
# Enable DHCP Request message check on the user-side interface. GE0/0/1 is used as an example; the configuration on GE0/0/2 is the same as that on GE0/0/1 and is not shown here.
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] dhcp snooping check dhcp-request enable
[PE1-GigabitEthernet0/0/1] quit
# Enable DHCP message rate check globally and set the maximum rate to 90.
[PE1] dhcp snooping check dhcp-rate enable
[PE1] dhcp snooping check dhcp-rate 90
# Enable check of the GIADDR field in DHCP messages on the user-side interface. GE0/0/1 is used as an example; the configuration on GE0/0/2 is the same as that on GE0/0/1 and is not shown here.
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] dhcp snooping check dhcp-giaddr enable
[PE1-GigabitEthernet0/0/1] quit
# Set the maximum number of DHCP snooping users on the user-side interface to 20 and enable check of the CHADDR field in DHCP messages. GE0/0/1 is used as an example; the configuration on GE0/0/2 is the same as that on GE0/0/1 and is not shown here.
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] dhcp snooping max-user-number 20
[PE1-GigabitEthernet0/0/1] dhcp snooping check dhcp-chaddr enable
[PE1-GigabitEthernet0/0/1] quit
# Enable the trap function for discarded DHCP messages and set the alarm thresholds. GE0/0/1 is used as an example; the configuration on GE0/0/2 is the same as that on GE0/0/1 and is not shown here.
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr enable
[PE1-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request enable
[PE1-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply enable
[PE1-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr threshold 120
[PE1-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request threshold 120
[PE1-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply threshold 120
[PE1-GigabitEthernet0/0/1] quit
# Enable the trap function for the DHCP message rate limit and set the alarm threshold.
[PE1] dhcp snooping alarm dhcp-rate enable
[PE1] dhcp snooping alarm dhcp-rate threshold 80
# Run the display dhcp snooping configuration command to view the DHCP snooping configuration.
[PE1] display dhcp snooping configuration
#
 dhcp snooping enable ipv4
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate 90
 dhcp snooping alarm dhcp-rate enable
 dhcp snooping alarm dhcp-rate threshold 80
 dhcp snooping over-vpls enable
#
interface GigabitEthernet0/0/1
 dhcp snooping enable
 dhcp snooping check dhcp-giaddr enable
 dhcp snooping check dhcp-request enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 120
 dhcp snooping check dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 120
 dhcp snooping alarm dhcp-reply enable
 dhcp snooping alarm dhcp-reply threshold 120
 dhcp snooping max-user-number 20
#
interface GigabitEthernet0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-giaddr enable
 dhcp snooping check dhcp-request enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 120
 dhcp snooping check dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 120
 dhcp snooping alarm dhcp-reply enable
 dhcp snooping alarm dhcp-reply threshold 120
 dhcp snooping max-user-number 20
#
interface GigabitEthernet0/0/3
 dhcp snooping trusted
#
# Run the display dhcp snooping interface command to view DHCP snooping information on an interface.
[PE1] display dhcp snooping interface gigabitethernet 0/0/1
 DHCP snooping running information for interface GigabitEthernet0/0/1 :
 DHCP snooping                               : Enable
 Trusted interface                           : No
 Dhcp user max number                        : 20
 Current dhcp and nd user number             : 0
 Check dhcp-giaddr                           : Enable
 Check dhcp-chaddr                           : Enable
 Alarm dhcp-chaddr                           : Enable
 Alarm dhcp-chaddr threshold                 : 120
 Discarded dhcp packets for check chaddr     : 0
 Check dhcp-request                          : Enable
 Alarm dhcp-request                          : Enable
 Alarm dhcp-request threshold                : 120
 Discarded dhcp packets for check request    : 0
 Check dhcp-rate                             : Disable (default)
 Alarm dhcp-rate                             : Disable (default)
 Alarm dhcp-rate threshold                   : 80
 Discarded dhcp packets for rate limit       : 0
 Alarm dhcp-reply                            : Enable
 Alarm dhcp-reply threshold                  : 120
 Discarded dhcp packets for check reply      : 0
[PE1] display dhcp snooping interface gigabitethernet 0/0/3
 DHCP snooping running information for interface GigabitEthernet0/0/3 :
 DHCP snooping                               : Disable (default)
 Trusted interface                           : Yes
 Dhcp user max number                        : 1024 (default)
 Current dhcp and nd user number             : 0
 Check dhcp-giaddr                           : Disable (default)
 Check dhcp-chaddr                           : Disable (default)
 Alarm dhcp-chaddr                           : Disable (default)
 Check dhcp-request                          : Disable (default)
 Alarm dhcp-request                          : Disable (default)
 Check dhcp-rate                             : Disable (default)
 Alarm dhcp-rate                             : Disable (default)
 Alarm dhcp-rate threshold                   : 80
 Discarded dhcp packets for rate limit       : 0
 Alarm dhcp-reply                            : Disable (default)
# Configuration file of PE1
#
 sysname PE1
#
 dhcp enable
#
 dhcp snooping enable ipv4
 dhcp snooping check dhcp-rate enable
 dhcp snooping check dhcp-rate 90
 dhcp snooping alarm dhcp-rate enable
 dhcp snooping alarm dhcp-rate threshold 80
 dhcp snooping over-vpls enable
#
interface GigabitEthernet0/0/1
 dhcp snooping enable
 dhcp snooping check dhcp-giaddr enable
 dhcp snooping check dhcp-request enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 120
 dhcp snooping check dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 120
 dhcp snooping alarm dhcp-reply enable
 dhcp snooping alarm dhcp-reply threshold 120
 dhcp snooping max-user-number 20
#
interface GigabitEthernet0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-giaddr enable
 dhcp snooping check dhcp-request enable
 dhcp snooping alarm dhcp-request enable
 dhcp snooping alarm dhcp-request threshold 120
 dhcp snooping check dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr enable
 dhcp snooping alarm dhcp-chaddr threshold 120
 dhcp snooping alarm dhcp-reply enable
 dhcp snooping alarm dhcp-reply threshold 120
 dhcp snooping max-user-number 20
#
interface GigabitEthernet0/0/3
 dhcp snooping trusted
#
return
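As an added example (not Huawei's code and not part of the original page), the following Python audit parses a configuration file in the format shown above and reports any user-side interface that lacks the DHCP snooping checks this example configures, while skipping the trusted network-side port. The sample configuration and the sets of required commands are constructed assumptions; parse_config() splits the file into global and per-interface command sets and audit() returns the list of findings.

```python
# Constructed sample in the page's config-file format; GE0/0/2 deliberately lacks two settings.
SAMPLE_CONFIG = """\
 dhcp snooping enable ipv4
 dhcp snooping check dhcp-rate enable
 dhcp snooping over-vpls enable
#
interface GigabitEthernet0/0/1
 dhcp snooping enable
 dhcp snooping check dhcp-giaddr enable
 dhcp snooping check dhcp-request enable
 dhcp snooping check dhcp-chaddr enable
 dhcp snooping max-user-number 20
#
interface GigabitEthernet0/0/2
 dhcp snooping enable
 dhcp snooping check dhcp-giaddr enable
 dhcp snooping check dhcp-request enable
#
interface GigabitEthernet0/0/3
 dhcp snooping trusted
#
"""
# Assumed baseline: the global and per-port commands used in this configuration example.
REQUIRED_GLOBAL = {"dhcp snooping enable ipv4", "dhcp snooping over-vpls enable",
                   "dhcp snooping check dhcp-rate enable"}
REQUIRED_USER_SIDE = {"dhcp snooping enable", "dhcp snooping check dhcp-giaddr enable",
    "dhcp snooping check dhcp-request enable", "dhcp snooping check dhcp-chaddr enable"}

def parse_config(text):
    global_cmds, ifaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            current = None                  # '#' closes the current interface view
        elif line.startswith("interface "):
            current = line.split(" ", 1)[1]
            ifaces[current] = set()
        else:
            (ifaces[current] if current else global_cmds).add(line)
    return global_cmds, ifaces

def audit(text):
    global_cmds, ifaces = parse_config(text)
    findings = [f"global: missing '{c}'" for c in sorted(REQUIRED_GLOBAL - global_cmds)]
    for name, cmds in ifaces.items():
        if "dhcp snooping trusted" in cmds:
            continue                        # network-side port: client checks not expected
        findings += [f"{name}: missing '{c}'" for c in sorted(REQUIRED_USER_SIDE - cmds)]
        if not any(c.startswith("dhcp snooping max-user-number ") for c in cmds):
            findings.append(f"{name}: no max-user-number (default 1024 applies)")
    return findings
```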