DHCP Snooping

This section describes concepts and the configuration procedure of Dynamic Host Configuration Protocol (DHCP) snooping, as well as provides configuration examples.

Overview of DHCP Snooping: DHCP snooping defends against the attacks launched using DHCP messages.

Understanding DHCP Snooping: This section describes the mechanism of Dynamic Host Configuration Protocol (DHCP) snooping.

Limitations and Precautions for DHCP Snooping

Configuring Defense Against Attacks Initiated by a Bogus DHCP Server: A bogus DHCP server attack means that an attacker forges itself as a DHCP server to prevent a target from accessing a network.

Configuring Defense Against Man-in-the-Middle and IP/MAC Spoofing Attacks: A man-in-the-middle attack means that an attacker pretends to be the server and client at the same time, transmits packets between the real server and client, and obtains user data.

Configuring Defense Against Attacks Launched by Changing the CHADDR Value: The attacker continuously applies for the IP address from the DHCP server by changing the CHADDR value.

Configuring Defense Against Attacks by Sending Bogus Packets for Extending IP Leases: The attacker continuously sends DHCP request packets to pretend to be a user for leasing the IP address again. As a result, the expired IP addresses cannot be reclaimed properly.

Configuring Alarms Used to Discard Packets: This section describes how to notify the NMS of attacks.

Maintaining DHCP Snooping: This section describes how to maintain DHCP snooping.

CLI: Example for Configuring DHCP Snooping: This example describes how to adopt DHCP snooping to defend against DHCP packet attacks launched by the attacker connected to the Layer-3 interface.

Parent Topic: Network

Copyright © Huawei Technologies Co., Ltd.

Copyright © Huawei Technologies Co., Ltd.

< Previous topic Next topic >