Application Scenarios for DHCP Snooping

A Dynamic Host Configuration Protocol (DHCP) server dynamically assigns IP addresses to DHCP clients. Attacks, such as a bogus DHCP server attack and a DHCP denial of service (DoS) attack, may occur during IP allocation. To address this problem, deploy DHCP snooping. DHCP snooping can be deployed on Layer 2 or Layer 3 devices. The DHCP relay is required when DHCP snooping is deployed on Layer 3 devices.

Figure 1 Networking diagram for configuring DHCP snooping on a Layer 2 device
Figure 2 Networking diagram for configuring DHCP snooping on a Layer 3 device
You can configure the following functions on Layer 2 or Layer 3 devices:
  • Configure a static DHCP snooping binding table to enable clients with static IP addresses to access the network.

  • Configure interfaces as trusted or untrusted to protect against bogus DHCP server attacks.

  • Configure the detection of DHCP request packets to protect against DHCP exhaustion attacks.

  • Configure the detection of Address Resolution Protocol (ARP) packets to protect against man-in-the-middle attacks.

  • Configure the detection of IP packets to protect against IP or media access control (MAC) spoofing attacks.

  • Configure the detection of MAC addresses to protect against DHCP DoS attacks.
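
The sketch below is an added example, not Huawei code or device configuration: a simplified Python model of how trusted/untrusted interfaces, the dynamic and static binding table, and the ARP/IP checks listed above fit together. Port names, addresses and function names are constructed, and matching senders on (IP, MAC, port) is an assumption of this model.

```python
# Simplified model of DHCP snooping decisions (added example, not vendor code).
# Port names, MAC/IP values and all function names are constructed.

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}

class DhcpSnooping:
    def __init__(self, trusted_ports, static_bindings=()):
        self.trusted = set(trusted_ports)
        # Binding table entries are (ip, mac, port); static entries cover
        # clients that never talk to the DHCP server.
        self.bindings = set(static_bindings)
        self.pending = {}  # client MAC -> port its REQUEST arrived on

    def handle_dhcp(self, port, msg_type, client_mac, offered_ip=None):
        """Return 'forward' or 'drop' for one DHCP message."""
        if msg_type in SERVER_MESSAGES:
            if port not in self.trusted:
                return "drop"  # server reply from an untrusted port
            if msg_type == "ACK" and client_mac in self.pending:
                # Learn the lease on the port the client asked from.
                client_port = self.pending.pop(client_mac)
                self.bindings.add((offered_ip, client_mac, client_port))
            return "forward"
        if msg_type == "REQUEST":
            self.pending[client_mac] = port
        return "forward"

    def permit(self, port, src_ip, src_mac):
        """ARP/IP check: the sender must match a binding table entry."""
        return (src_ip, src_mac, port) in self.bindings

def demo():
    sw = DhcpSnooping(
        trusted_ports={"uplink"},
        static_bindings={("10.0.0.50", "00:00:5e:00:53:50", "port3")},
    )
    results = []
    # A client on port1 asks for an address; a reply then arrives on untrusted port2.
    results.append(sw.handle_dhcp("port1", "REQUEST", "00:00:5e:00:53:01"))
    results.append(sw.handle_dhcp("port2", "ACK", "00:00:5e:00:53:01", "192.168.66.10"))
    results.append(sw.handle_dhcp("uplink", "ACK", "00:00:5e:00:53:01", "10.0.0.10"))
    # Binding table checks applied to later ARP/IP traffic.
    results.append(sw.permit("port1", "10.0.0.10", "00:00:5e:00:53:01"))  # leased
    results.append(sw.permit("port2", "10.0.0.10", "00:00:5e:00:53:02"))  # no entry
    results.append(sw.permit("port3", "10.0.0.50", "00:00:5e:00:53:50"))  # static
    return results

if __name__ == "__main__":
    print(demo())
```

The reply on the untrusted port is dropped before it can create a binding, so only the lease learned through the trusted uplink and the static entry pass the later checks.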

Copyright © Huawei Technologies Co., Ltd.