DHCP Snooping


16/02/2018 HedEx Startpage

S1720&S2700&S5700&S6720 V200R010C00 Product Documentation


Product Version: V200R010C00
Library Version: 05
Date: 2017-11-30

For any question, please contact us.


Copyright © Huawei Technologies Co., Ltd. 2017. All rights reserved.

DHCP Snooping Configuration


Contents
1 DHCP Snooping Configuration
1.1 Overview
1.2 Principles
1.2.1 DHCP Snooping Basics
1.2.2 Option 82 Supported by DHCP Snooping
1.2.3 LDRA Supported by DHCPv6 Snooping
1.2.4 Option 18 and Option 37 Fields Supported by DHCPv6 Snooping
1.3 Application
1.3.1 Defense Against Bogus DHCP Server Attacks
1.3.2 Attacks from Non-DHCP Users
1.3.3 Defense Against DHCP Flood Attacks
1.3.4 Defense Against Bogus DHCP Message Attacks
1.3.5 Defense Against DHCP Server DoS Attacks
1.3.6 Typical Application of the Option 82 Field
1.3.7 Detecting Client Locations Through the LDRA
1.4 Configuration Notes
1.5 Default Configuration
1.6 Configuring Basic Functions of DHCP Snooping
1.6.1 Enabling DHCP Snooping
1.6.2 Configuring an Interface as the Trusted Interface
1.6.3 (Optional) Disabling Location Transition for DHCP Snooping Users
1.6.4 (Optional) Configuring an Association Between ARP and DHCP Snooping
1.6.5 (Optional) Configuring the Device to Clear the MAC Address Entry Immediately When a User Is Disconnected
1.6.6 (Optional) Configuring the Device to Discard DHCP Request Messages with Non-0 GIADDR Field
1.6.7 Checking the Configuration
1.7 Configuring DHCP Snooping Attack Defense
1.7.1 Enabling DHCP Server Detection
1.7.2 Configuring Defense Against DHCP Flood Attacks
1.7.3 Configuring Defense Against Bogus DHCP Message Attacks
1.7.4 Configuring Defense Against DHCP Server DoS Attacks
1.7.5 Checking the Configuration
1.8 Inserting the Option 82 Field in a DHCP Message
1.9 Configuring the LDRA to Detect Client Locations
1.10 Inserting the Option 18 or Option 37 Field in a DHCPv6 Message
1.11 Maintaining DHCP Snooping
1.11.1 Clearing DHCP Snooping Statistics
1.11.2 Clearing DHCP Snooping Binding Entries
1.11.3 Backing Up DHCP Snooping Binding Entries
1.11.4 Restoring DHCP Snooping Binding Entries
1.12 Configuration Examples
1.12.1 Example for Configuring DHCP Snooping Attack Defense
1.12.2 Example for Configuring DHCP Snooping on a VPLS Network
1.12.3 Example for Configuring the LDRA to Detect Client Locations
1.13 Common Misconfigurations
1.13.1 Some Users Cannot Obtain IP Addresses after DHCP Snooping Is Enabled
1.13.2 Users Cannot Obtain IP Address after DHCP Snooping Is Enabled
1.14 FAQ
1.14.1 Which Devices Support DHCP Snooping?
1.14.2 Why Can't Users Obtain IP Addresses after DHCP Snooping Is Configured?
1.14.3 Why Can't a PC Access the Internet after Obtaining an IP Address Through DHCP
1.15 References


1 DHCP Snooping Configuration


This chapter describes how to configure DHCP snooping on devices.
Overview

Principles

Application

Configuration Notes

Default Configuration

Configuring Basic Functions of DHCP Snooping

DHCP snooping allows DHCP clients to obtain IP addresses from authorized DHCP servers, and records mappings between IP addresses and
MAC addresses of DHCP clients to a binding table.
Configuring DHCP Snooping Attack Defense

After basic DHCP snooping functions are configured, DHCP clients can obtain IP addresses from the authorized DHCP server, preventing
bogus DHCP server attacks on the network. However, many other DHCP attacks exist on the network. The administrator can configure
DHCP snooping attack defense on the device as required.
Inserting the Option 82 Field in a DHCP Message

You can configure a device to insert the Option 82 field in a DHCP message to notify the DHCP server of the DHCP client location.
Configuring the LDRA to Detect Client Locations

You can configure the LDRA to notify the DHCP server of the DHCPv6 client location.
Inserting the Option 18 or Option 37 Field in a DHCPv6 Message

You can configure a device to insert the Option 18 or Option 37 field in a DHCPv6 message to notify the DHCP server of the DHCPv6 client
location.
Maintaining DHCP Snooping

Configuration Examples

Common Misconfigurations

FAQ

References

Parent Topic: Security Configuration Guide


Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

1.1 Overview
Definition
The Dynamic Host Configuration Protocol (DHCP) snooping feature ensures that DHCP clients obtain IP addresses from authorized DHCP servers and
records mappings between IP addresses and MAC addresses of DHCP clients, preventing DHCP attacks on the network.

Purpose
Some attacks are launched on DHCP (RFC 2131). These attacks include the bogus DHCP server attack, DHCP server DoS attack, and bogus DHCP
message attack.
DHCP snooping is equivalent to a firewall between DHCP clients and the DHCP server to prevent DHCP attacks on the network, ensuring security for
communication services.

Benefits

The device can defend against DHCP attacks on the network. The DHCP attack defense capability enhances device reliability and ensures stable
network operation.
Users are provided with more stable services on a more secure network.


1.2 Principles
DHCP Snooping Basics

Option 82 Supported by DHCP Snooping

LDRA Supported by DHCPv6 Snooping

Option 18 and Option 37 Fields Supported by DHCPv6 Snooping


1.2.1 DHCP Snooping Basics


DHCP snooping has two modes: DHCPv4 snooping and DHCPv6 snooping, which have similar principles. This section uses DHCPv4 snooping as an
example.
The DHCP snooping-enabled device forwards DHCP Request packets of users (DHCP clients) to a valid DHCP server through the trusted interface, and
then generates DHCP snooping binding entries according to the DHCP ACK messages received from the DHCP server. When receiving DHCP messages
from users through the DHCP snooping-enabled interfaces, the device checks the messages against the binding table, to prevent attacks initiated by
unauthorized users.

DHCP Snooping Trust Function


If a bogus DHCP server exists on a network, as shown in Figure 1, DHCP clients may obtain incorrect IP addresses and network configuration parameters
from it, leading to communication failures. The trust function controls the source of DHCP Reply messages to prevent bogus DHCP servers from
assigning IP addresses and other configurations to DHCP clients.
DHCP snooping involves two interface roles: trusted interface and untrusted interface. The interface roles ensure that DHCP clients obtain IP addresses
from a valid DHCP server.

The trusted interface and untrusted interfaces are used as follows:

The device receives DHCP ACK messages, NAK messages, and Offer messages through the trusted interface. In addition, the device forwards
the DHCP Request messages from DHCP clients to the valid DHCP server through the trusted interface.
The device discards DHCP ACK messages, NAK messages, and Offer messages on untrusted interfaces.

When DHCP snooping is enabled on a Layer 2 access device, as shown in Figure 1, the interface directly or indirectly connected to the valid DHCP server
is generally configured as a trusted interface, such as if1, and other interfaces are configured as untrusted interfaces, such as if2. The DHCP Request
messages from DHCP clients are forwarded through the trusted interface, so DHCP clients can only obtain IP addresses from the valid DHCP server.
Bogus DHCP servers cannot assign IP addresses to DHCP clients.
Figure 1 DHCP Snooping trust

DHCP Snooping Binding Table

In Figure 2, a PC connecting to a Layer 2 access device obtains an IP address automatically. The process is as follows:

1. The PC functions as a DHCP client and broadcasts DHCP Request messages.
2. The DHCP snooping-enabled Layer 2 access device forwards the messages to the DHCP server through the trusted interface.
3. The DHCP server sends DHCP ACK messages carrying IP addresses to the PC in unicast mode.
4. The Layer 2 access device obtains the required information, such as the PC's MAC address, IP address, and address lease, from the DHCP ACK
messages, learns the interface number and VLAN ID of the DHCP snooping-enabled interface connected to the PC, and generates a DHCP snooping
binding entry for the PC.

For example, when receiving a DHCP ACK message for PC1 in Figure 2, the Layer 2 access device obtains IP address 192.168.1.253, MAC address
MACA, and interface if3 connected to PC1, and then generates a DHCP snooping binding entry for PC1.
Figure 2 DHCP Snooping binding table

DHCP snooping binding entries are aged out when the DHCP lease expires, or are deleted when users send DHCP Release messages to release their
IP addresses.
The DHCP snooping binding table records the mapping between IP addresses and MAC addresses of DHCP clients. The device can check DHCP
messages against the DHCP snooping binding table to prevent attacks initiated by unauthorized users.
To ensure that the device obtains parameters such as MAC addresses for generating a DHCP snooping binding table, configure DHCP snooping on the
Layer 2 access devices or the first DHCP relay agent from the device to the DHCP server.

When DHCP snooping is enabled on a DHCP relay agent, a trusted interface does not need to be configured on the DHCP relay agent. After receiving
DHCP Request messages from users, the DHCP relay agent converts the source/destination IP addresses and MAC addresses, and forwards the messages
to the valid DHCP server in unicast mode. Therefore, the DHCP ACK messages received by the DHCP relay agent are valid, and the DHCP snooping
binding entries generated by the DHCP relay agent are correct.
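The trust rule and binding-table behaviour described in this section, as an added Python illustration that is not Huawei code: a small model of a Layer 2 access device on which if1 is the trusted interface. Message construction follows the RFC 2131 layout; the MAC address, interface names and lease values are constructed test inputs, and the "pending request" lookup used to learn the client's interface and VLAN is our own assumption about how the device ties a DHCP ACK back to the client that requested the address.

```python
# Added illustration of the DHCPv4 snooping trust rule and binding table.
# Not Huawei code: the packet layout follows RFC 2131, the switch model is ours.
import struct
from dataclasses import dataclass

MAGIC = b"\x63\x82\x53\x63"             # DHCP magic cookie that follows the BOOTP header
OPT_MSG_TYPE, OPT_LEASE, OPT_END = 53, 51, 255
DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE = 1, 2, 3, 5, 6, 7
SERVER_MSGS = {OFFER, ACK, NAK}          # only legitimate when they arrive on the trusted interface


def build_dhcp(msg_type, chaddr, yiaddr="0.0.0.0", lease=None):
    """Construct a minimal DHCP message (test input built here, not a capture)."""
    op = 1 if msg_type in (DISCOVER, REQUEST, RELEASE) else 2   # BOOTREQUEST / BOOTREPLY
    mac = bytes.fromhex(chaddr.replace(":", ""))
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), bytes(int(x) for x in yiaddr.split(".")),
                      bytes(4), bytes(4), mac, bytes(64), bytes(128))
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if lease is not None:
        opts += bytes([OPT_LEASE, 4]) + struct.pack("!I", lease)
    return hdr + MAGIC + opts + bytes([OPT_END])


def parse_dhcp(payload):
    """Return (msg_type, yiaddr, chaddr, options) from a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    yiaddr = ".".join(str(b) for b in payload[16:20])
    chaddr = payload[28:28 + hlen].hex(":")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == 0:                        # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts[OPT_MSG_TYPE][0], yiaddr, chaddr, opts


@dataclass
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str
    expires: float        # absolute time at which the lease ends


class SnoopingSwitch:
    """Layer 2 access device with DHCP snooping: trust rule plus binding table."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}     # chaddr -> (port, vlan) of the interface the client sits on
        self.bindings = {}    # ip -> Binding

    def handle(self, port, vlan, payload, now=0.0):
        """Decide 'forward' or 'drop' for one DHCP message and update the table."""
        msg_type, yiaddr, chaddr, opts = parse_dhcp(payload)
        if msg_type in SERVER_MSGS:
            if port not in self.trusted:
                return "drop"             # Offer/ACK/NAK on an untrusted port: bogus server
            if msg_type == ACK and chaddr in self.pending:
                cport, cvlan = self.pending.pop(chaddr)
                lease = struct.unpack("!I", opts[OPT_LEASE])[0]
                self.bindings[yiaddr] = Binding(yiaddr, chaddr, cvlan, cport, now + lease)
            return "forward"
        if msg_type in (DISCOVER, REQUEST):
            self.pending[chaddr] = (port, vlan)   # remember where the request came in
        elif msg_type == RELEASE:
            self.bindings = {ip: b for ip, b in self.bindings.items() if b.mac != chaddr}
        return "forward"                          # client messages go out the trusted port

    def age_out(self, now):
        """Delete bindings whose lease has expired; return how many were removed."""
        expired = [ip for ip, b in self.bindings.items() if b.expires <= now]
        for ip in expired:
            del self.bindings[ip]
        return len(expired)


def demo():
    """Replay the Figure 2 exchange: PC1 on if3, valid server behind if1, bogus server on if2."""
    sw = SnoopingSwitch(trusted_ports={"if1"})
    mac = "00:11:22:33:44:55"                                   # constructed MAC for PC1
    r1 = sw.handle("if3", 10, build_dhcp(REQUEST, mac), now=0)
    r2 = sw.handle("if2", 10, build_dhcp(ACK, mac, "10.0.0.9", lease=3600), now=1)
    r3 = sw.handle("if1", 10, build_dhcp(ACK, mac, "192.168.1.253", lease=3600), now=1)
    return r1, r2, r3, sw


if __name__ == "__main__":
    r1, r2, r3, sw = demo()
    print(r1, r2, r3, sw.bindings)
```

Running the block replays the Figure 2 exchange: the Request from if3 is forwarded, an ACK arriving on the untrusted if2 is dropped without touching the table, and the ACK from if1 produces the 192.168.1.253 binding tied to if3 and VLAN 10, which a later Release from the same MAC or lease expiry removes.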


1.2.2 Option 82 Supported by DHCP Snooping


Overview
During traditional dynamic IP address allocation, a DHCP server cannot detect the DHCP client location based on the received DHCP Request message.
As a result, DHCP clients in the same VLAN have the same rights to access network resources. The network administrator cannot control network access
of clients in the same VLAN, which brings challenges to security control.
RFC 3046 defines the DHCP Relay Agent Information Option, that is, the Option 82 field, which records the location of a DHCP client. A DHCP
snooping-enabled device or a DHCP relay agent inserts the Option 82 field to a DHCP Request message to notify the DHCP server of the DHCP client
location. In addition to an IP address, the DHCP server also assigns other configurations to the DHCP client, ensuring DHCP client security.
The Option 82 field contains two commonly used suboptions: circuit ID and remote ID. The circuit ID identifies the VLAN ID and interface number of a
client, and the remote ID identifies the MAC address of the device to which the client connects.
As a DHCP relay agent, the device supports the Option 82 field regardless of whether DHCP snooping is enabled on the device. However, as an access
device on a Layer 2 network, the device supports the Option 82 field only after DHCP snooping is enabled.
The Option 82 field records the location of a DHCP client and is encapsulated in a DHCP Request message that is sent to the DHCP server. To deploy
different IP addresses or security policies for different clients, the DHCP server must support the Option 82 field and be configured with IP address
assignment or security policies.
The Option 82 field is different from parameters recorded in a DHCP snooping binding table. The device adds the Option 82 field to the DHCP Request
message when the DHCP client requests an IP address. At this time, the client does not have an IP address. A DHCP snooping binding table is generated
based on the DHCP ACK messages received from the DHCP server. At this time, an IP address has been assigned to the client.

Implementation

As a DHCP relay agent or an access device on the Layer 2 network, the device supports the Option 82 field after DHCP snooping is enabled. The device
inserts the Option 82 field to a DHCP Request message in two modes:

Insert mode: Upon receiving a DHCP Request message without the Option 82 field, the device inserts the Option 82 field. If the DHCP Request
message contains the Option 82 field, the device checks whether the Option 82 field contains a remote ID. If so, the device retains the Option 82
field; if not, the device inserts a remote ID.
Rebuild mode: Upon receiving a DHCP Request message without the Option 82 field, the device inserts the Option 82 field. If the DHCP
Request message contains the Option 82 field, the device deletes the original Option 82 field and inserts the Option 82 field set by the
administrator.

The device handles the reply packets from the DHCP server in the same way regardless of whether the Insert or Rebuild method is used.

If the DHCP reply packets contain the Option 82 field:

    If the DHCP request packets received by the device did not contain the Option 82 field, the device deletes the Option 82 field from the
    DHCP reply packets and forwards the reply packets to the DHCP client.
    If the DHCP request packets contained the Option 82 field, the device changes the Option 82 format in the DHCP reply packets to the
    Option 82 format in the DHCP request packets, and then forwards the reply packets to the DHCP client.

If the DHCP reply packets do not contain the Option 82 field, the device forwards the packets directly.
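The insert and rebuild modes and the reply-side handling above, as an added Python illustration that is not Huawei code. Options are modelled as a dict from option code to value; the suboption layout follows RFC 3046, and the way the device's own circuit ID (VLAN ID plus interface name) and remote ID (device MAC address) are encoded is an assumption, as are the interface names and MAC addresses used as inputs.

```python
# Added illustration of the two Option 82 modes and the reply-side handling.
# Not Huawei code; suboption layout follows RFC 3046, the VLAN/port/MAC encoding
# of the device's own Option 82 is an assumption.
import struct

OPT82 = 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def encode_opt82(circuit_id=None, remote_id=None):
    """Serialize Option 82 suboptions as nested TLVs."""
    body = b""
    if circuit_id is not None:
        body += bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id is not None:
        body += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    return body


def decode_opt82(body):
    """Parse Option 82 suboptions into {suboption code: value}."""
    subs, i = {}, 0
    while i + 2 <= len(body):
        code, length = body[i], body[i + 1]
        subs[code] = body[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def local_opt82(vlan, port, device_mac):
    """The device's own location data: circuit ID = VLAN + port, remote ID = device MAC."""
    circuit = struct.pack("!H", vlan) + port.encode()
    remote = bytes.fromhex(device_mac.replace(":", ""))
    return circuit, remote


def process_request(opts, mode, vlan, port, device_mac):
    """Apply insert or rebuild mode to a client request's {option code: value} dict."""
    circuit, remote = local_opt82(vlan, port, device_mac)
    out = dict(opts)
    if OPT82 not in opts or mode == "rebuild":
        out[OPT82] = encode_opt82(circuit, remote)    # no Option 82, or rebuild: use ours
    else:                                             # insert mode with Option 82 present
        subs = decode_opt82(opts[OPT82])
        if SUB_REMOTE_ID not in subs:                 # keep the circuit ID, add a remote ID
            out[OPT82] = encode_opt82(subs.get(SUB_CIRCUIT_ID), remote)
    return out


def process_reply(reply_opts, client_request_opts):
    """Reply handling is the same in both modes: hide Option 82 from a client that did
    not send it, and restore the client's own Option 82 format if it did."""
    out = dict(reply_opts)
    if OPT82 not in out:
        return out                                    # nothing to do: forward as is
    if OPT82 in client_request_opts:
        out[OPT82] = client_request_opts[OPT82]
    else:
        del out[OPT82]
    return out


if __name__ == "__main__":
    request = {53: b"\x03"}                           # constructed client Request without Option 82
    relayed = process_request(request, "insert", 10, "if3", "00:e0:fc:00:00:01")
    print(decode_opt82(relayed[OPT82]))
    print(process_reply({53: b"\x05", OPT82: relayed[OPT82]}, request))
```

The second argument of process_reply is the request as the client originally sent it, not the version the device forwarded: that is what decides whether the client ever sees an Option 82 field in the reply.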


1.2.3 LDRA Supported by DHCPv6 Snooping


Overview
The Lightweight DHCPv6 Relay Agent (LDRA), defined in RFC 6221, is used to insert relay agent options in DHCPv6 message exchanges to identify
user locations.
Similar to Option 82 in DHCPv4, the LDRA provides specific locations of users in DHCPv6. Generally, the LDRA is configured on the client-side access
devices with DHCP snooping enabled.

Implementation
The working mechanism of the LDRA is similar to the working mechanism of DHCPv6 relay. When receiving a DHCPv6 request from a client, the
LDRA-enabled device encapsulates the client location information (such as the network-side interface on the client) in a Relay-Forward message, and
forwards the message to the DHCPv6 server. The DHCPv6 server obtains the location information of the client, and accordingly assigns an IP address,
QoS policy, and access control policy for the client.
Figure 1 shows the LDRA interaction process.

Figure 1 LDRA interaction process

1. A DHCPv6 client sends a DHCPv6 request message to the LDRA-enabled device.
2. The LDRA-enabled device encapsulates the request message into the relay agent option in a Relay-Forward message, encapsulates the location
information of the client into the interface-id or remote-id option in the Relay-Forward message, and forwards the Relay-Forward message to
the DHCPv6 server.
3. The DHCPv6 server obtains the request message and location information of the client from the Relay-Forward message, selects an IPv6
address and other parameters for the client, encapsulates the reply into a Relay-Reply message, and returns the Relay-Reply message to the
LDRA-enabled device.
4. The LDRA-enabled device obtains the reply from the Relay-Reply message, and forwards the reply to the DHCPv6 client. The client obtains
the address of the DHCPv6 server, and obtains an IPv6 address and other parameters from the server.

For details about the Relay-Forward and Relay-Reply messages, see DHCPv6 Packets in "DHCPv6 Configuration" in the S1720&S2700&S5700&S6720
V200R010C00 Configuration Guide-IP Service.


1.2.4 Option 18 and Option 37 Fields Supported by DHCPv6 Snooping


The function of the Option 18 and Option 37 fields is similar to that of the Option 82 field. The device inserts the Option 82 field to a DHCPv4 message,
and inserts the Option 18 and Option 37 fields to a DHCPv6 message to record the DHCPv6 client location.

NOTE:
The device supports the Option 18 and Option 37 fields only after DHCPv6 snooping is enabled. For details, see Inserting the Option 18 or Option 37 Field in a DHCPv6 Message.
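The four-step LDRA exchange of 1.2.3 and the Option 18 (Interface-Id) and Option 37 (Remote-Id) fields of this section, as one added Python illustration that is not Huawei code. The message layouts follow RFC 3315 for DHCPv6 and the relay options, RFC 4649 for Remote-Id, and RFC 6221 for the LDRA (hop count 0 and an unspecified link-address, because the lightweight relay has no IPv6 address of its own); the interface identifier, enterprise number, remote ID and client link-local address are constructed placeholders.

```python
# Added illustration of the LDRA exchange and the Option 18/37 fields.
# Not Huawei code: layouts follow RFC 3315 / RFC 4649 / RFC 6221; all values are constructed.
import ipaddress
import struct

SOLICIT, ADVERTISE, RELAY_FORW, RELAY_REPL = 1, 2, 12, 13
OPT_RELAY_MSG, OPT_INTERFACE_ID, OPT_REMOTE_ID = 9, 18, 37


def encode_option(code, data):
    """DHCPv6 option: 2-byte code, 2-byte length, value."""
    return struct.pack("!HH", code, len(data)) + data


def decode_options(buf):
    """Parse a run of DHCPv6 options into {code: value}."""
    opts, i = {}, 0
    while i + 4 <= len(buf):
        code, length = struct.unpack("!HH", buf[i:i + 4])
        opts[code] = buf[i + 4:i + 4 + length]
        i += 4 + length
    return opts


def client_message(msg_type, xid):
    """Minimal client/server DHCPv6 message: 1-byte type, 3-byte transaction id."""
    return bytes([msg_type]) + xid.to_bytes(3, "big")


def ldra_relay_forward(client_msg, client_linklocal, interface_id, enterprise, remote_id):
    """Step 2: wrap the client message in a Relay-Forward that carries its location."""
    hdr = (struct.pack("!BB", RELAY_FORW, 0)                   # hop-count 0 for an LDRA
           + bytes(16)                                          # link-address :: (RFC 6221)
           + ipaddress.IPv6Address(client_linklocal).packed)    # peer-address = client
    return (hdr
            + encode_option(OPT_INTERFACE_ID, interface_id)                           # Option 18
            + encode_option(OPT_REMOTE_ID, struct.pack("!I", enterprise) + remote_id)  # Option 37
            + encode_option(OPT_RELAY_MSG, client_msg))


def parse_relay(msg):
    """Split a relay message into (type, hop-count, link-address, peer-address, options)."""
    if msg[0] not in (RELAY_FORW, RELAY_REPL):
        raise ValueError("not a relay message")
    link = ipaddress.IPv6Address(msg[2:18])
    peer = ipaddress.IPv6Address(msg[18:34])
    return msg[0], msg[1], link, peer, decode_options(msg[34:])


def server_location(relay_forw):
    """Step 3 (server side): read the client location from Option 18/37 and the inner request."""
    _, _, _, peer, opts = parse_relay(relay_forw)
    enterprise = struct.unpack("!I", opts[OPT_REMOTE_ID][:4])[0]
    return {"interface_id": opts[OPT_INTERFACE_ID].decode(), "enterprise": enterprise,
            "remote_id": opts[OPT_REMOTE_ID][4:], "peer": str(peer),
            "request_type": opts[OPT_RELAY_MSG][0]}


def server_relay_reply(relay_forw, reply_msg):
    """Step 3 (server side): the Relay-Reply echoes hop count, addresses and Interface-Id."""
    _, hop, link, peer, opts = parse_relay(relay_forw)
    hdr = struct.pack("!BB", RELAY_REPL, hop) + link.packed + peer.packed
    return (hdr + encode_option(OPT_INTERFACE_ID, opts[OPT_INTERFACE_ID])
            + encode_option(OPT_RELAY_MSG, reply_msg))


def ldra_unwrap(relay_repl):
    """Step 4: extract the client reply; peer address and Interface-Id say where to send it."""
    mtype, _, _, peer, opts = parse_relay(relay_repl)
    if mtype != RELAY_REPL:
        raise ValueError("expected Relay-Reply")
    return opts[OPT_RELAY_MSG], str(peer), opts[OPT_INTERFACE_ID].decode()


def demo():
    """Walk a Solicit/Advertise pair through the LDRA and back (constructed values)."""
    solicit = client_message(SOLICIT, 0xABCDEF)
    fwd = ldra_relay_forward(solicit, "fe80::1", b"vlan10/if3", 4242, b"\x00\xe0\xfc\x00\x00\x01")
    location = server_location(fwd)
    repl = server_relay_reply(fwd, client_message(ADVERTISE, 0xABCDEF))
    reply, peer, ifid = ldra_unwrap(repl)
    return location, reply, peer, ifid


if __name__ == "__main__":
    print(demo())
```

The server never sees the client's frame directly; everything it learns about where the client is attached comes from the Interface-Id and Remote-Id options the LDRA added, which is why those options are only trustworthy when the snooping device, not the client, inserts them.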


1.3 Application
Defense Against Bogus DHCP Server Attacks

Attacks from Non-DHCP Users

Defense Against DHCP Flood Attacks

Defense Against Bogus DHCP Message Attacks

Defense Against DHCP Server DoS Attacks

Typical Application of the Option 82 Field

Detecting Client Locations Through the LDRA


1.3.1 Defense Against Bogus DHCP Server Attacks


Mechanism
Because there is no authentication mechanism between DHCP servers and DHCP clients, any DHCP server newly added to a network can assign IP
addresses and other network parameters to DHCP clients. If the assigned IP addresses and other network parameters are incorrect, errors may occur on the
network.

In Figure 1, authorized and unauthorized DHCP servers can receive DHCP Discover messages broadcast by DHCP clients.
Figure 1 DHCP client sending DHCP Discover messages

If a bogus DHCP server sends a bogus DHCP Reply message with the incorrect gateway address, Domain Name System (DNS) server address, and IP
address to a DHCP client, as shown in Figure 2, the DHCP client cannot obtain the correct IP address and required information. The authorized user then
fails to access the network and user information security is affected.
Figure 2 Bogus DHCP server attack

Solution
To prevent attacks from a bogus DHCP server, configure the trusted interface and untrusted interfaces on the device.
You can configure the interface directly or indirectly connected to the authorized DHCP server as the trusted interface and other interfaces as untrusted
interfaces. The device then discards DHCP Reply messages received through untrusted interfaces, preventing bogus DHCP server attacks, as shown in
Figure 3.

Figure 3 Trusted interface and untrusted interfaces


1.3.2 Attacks from Non-DHCP Users


Mechanism
On a DHCP network, users with static IP addresses may initiate attacks such as bogus DHCP server attacks and bogus DHCP Request message attacks.
This brings security risks for authorized DHCP users.
Solution
To prevent attacks from non-DHCP users, enable the device to generate static MAC address entries based on the DHCP snooping binding table, and
disable the interface from learning dynamic MAC address entries. Only the messages whose source MAC addresses match the static MAC address entries
can pass through the user-side interface on the device, and other messages are discarded. To allow messages from non-DHCP users to pass through the
interface, the administrator needs to manually configure static MAC address entries for them.
Dynamic MAC address entries are learned and generated by the device, and static MAC address entries are configured by command lines. A MAC
address entry includes the MAC address, VLAN ID, and interface number of the DHCP client. The device implements Layer 2 forwarding based on MAC
address entries.


1.3.3 Defense Against DHCP Flood Attacks


Mechanism
On a DHCP network, if an attacker sends a large number of DHCP messages to the device within a short time, device performance may deteriorate and
the device may fail to work properly. This attack is called a DHCP flood attack.
Solution
To prevent DHCP flood attacks, enable DHCP snooping and enable the device to check the rate of sending DHCP messages to the processing unit. The
device then sends only DHCP messages within a specified rate to the processing unit and discards those that exceed the rate.


1.3.4 Defense Against Bogus DHCP Message Attacks


Mechanism
An authorized DHCP client that has obtained an IP address sends a DHCP Request message or Release message to extend the lease or to release the IP
address. If attackers continuously send DHCP Request messages to the DHCP server to extend the lease, the IP addresses cannot be reclaimed or obtained
by authorized users. If attackers forge DHCP Release messages of authorized users to the DHCP server, the authorized users may be disconnected.
Solution
To prevent bogus DHCP message attacks, use the DHCP snooping binding table. The device checks DHCP Request messages and Release messages
against binding entries to determine whether the messages are valid. (The device checks whether the VLAN IDs, IP addresses, MAC addresses, and
interfaces in messages match binding entries.) If a message matches a binding entry, the device forwards the message; if a message does not match a
binding entry, the device discards the message.


1.3.5 Defense Against DHCP Server DoS Attacks


Mechanism
In Figure 1, if a large number of attackers request IP addresses on if1, IP addresses in the IP address pool are exhausted, and there are no IP addresses for
authorized users.
A DHCP server identifies the MAC address of a client based on the client hardware address (CHADDR) field in the DHCP Request message. If an
attacker continuously applies for IP addresses by changing the CHADDR field, IP addresses in the address pool on the DHCP server may be exhausted.
As a result, authorized users cannot obtain IP addresses.
Figure 1 Defense against DHCP server DoS attacks

Solution
To prevent DHCP server DoS attacks, enable DHCP snooping on the device and then set the maximum number of DHCP clients allowed to access the
network through the device or an interface. When the number of DHCP clients reaches this maximum, further DHCP clients cannot obtain IP addresses
through the device or interface.
You can enable the device to check whether the MAC address in the Ethernet frame header matches the CHADDR field in the DHCP message. If the two
values match, the message is forwarded; if not, the message is discarded.
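The binding-table check of 1.3.4 together with the two defenses of this section (the per-interface user limit and the CHADDR versus frame source MAC check), as one added Python illustration that is not Huawei code. Messages are modelled as already-parsed records; applying the binding check only to Request and Release messages whose ciaddr is set, and counting users per interface as the number of bindings on that interface, are our own simplifications; all addresses and interface names are constructed.

```python
# Added illustration of the DHCP snooping binding-table check and the DHCP server
# DoS defenses (user limit per interface, CHADDR vs. frame source MAC).
# Not Huawei code; messages are modelled as already-parsed records.
from dataclasses import dataclass

DISCOVER, REQUEST, RELEASE = 1, 3, 7


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass
class DhcpMsg:
    msg_type: int
    port: str                 # interface the frame arrived on
    vlan: int
    src_mac: str              # Ethernet source address of the frame
    chaddr: str               # client hardware address inside the DHCP payload
    ciaddr: str = "0.0.0.0"   # set by a client renewing or releasing an address


class DefenseChecks:
    """Ordered checks applied to client-side DHCP messages on an untrusted interface."""

    def __init__(self, bindings, max_users_per_port, check_chaddr=True, check_request=True):
        self.bindings = {b.ip: b for b in bindings}
        self.max_users = max_users_per_port
        self.check_chaddr = check_chaddr
        self.check_request = check_request

    def check(self, m):
        """Return (accepted, reason) for one message."""
        # 1. CHADDR must equal the frame source MAC (blocks CHADDR rotation from one host).
        if self.check_chaddr and m.src_mac.lower() != m.chaddr.lower():
            return False, "chaddr does not match frame source MAC"
        # 2. Renew/Release must match an existing binding on IP, MAC, VLAN and interface.
        if self.check_request and m.msg_type in (REQUEST, RELEASE) and m.ciaddr != "0.0.0.0":
            b = self.bindings.get(m.ciaddr)
            if b is None or (b.mac, b.vlan, b.port) != (m.chaddr.lower(), m.vlan, m.port):
                return False, "no matching binding entry"
        # 3. A new client may not exceed the user limit of its interface.
        if m.msg_type in (DISCOVER, REQUEST) and m.ciaddr == "0.0.0.0":
            on_port = {b.mac for b in self.bindings.values() if b.port == m.port}
            if m.chaddr.lower() not in on_port and len(on_port) >= self.max_users:
                return False, "maximum users reached on interface"
        return True, "ok"


def demo():
    """Run constructed messages through the checks; PC1 holds 192.168.1.253 on if3."""
    pc1 = "00:11:22:33:44:55"
    other = "00:aa:bb:cc:dd:ee"
    checks = DefenseChecks([Binding("192.168.1.253", pc1, 10, "if3")], max_users_per_port=1)
    cases = {
        "renew_ok": DhcpMsg(REQUEST, "if3", 10, pc1, pc1, "192.168.1.253"),
        "renew_wrong_port": DhcpMsg(REQUEST, "if4", 10, pc1, pc1, "192.168.1.253"),
        "release_chaddr_copied": DhcpMsg(RELEASE, "if4", 10, other, pc1, "192.168.1.253"),
        "chaddr_rotation": DhcpMsg(DISCOVER, "if4", 10, other, "00:aa:bb:cc:dd:01"),
        "port_full": DhcpMsg(DISCOVER, "if3", 10, other, other),
        "new_user_ok": DhcpMsg(DISCOVER, "if4", 10, other, other),
    }
    return {name: checks.check(m) for name, m in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result}")
```

The cases show why the checks are layered: a Release that only copies PC1's CHADDR fails the CHADDR check, and a message that also matches on MAC is still rejected by the binding check because it did not arrive on the interface recorded for that client.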


1.3.6 Typical Application of the Option 82 Field

The DHCP Relay Agent Information Option (Option 82) field records the location of a DHCP client. A DHCP snooping-enabled device or a DHCP relay
agent inserts the Option 82 field to a DHCP Request message to notify the DHCP server of the DHCP client location. Based on the Option 82 field, the
DHCP server can properly assign an IP address and other configurations to the DHCP client, ensuring DHCP client security.

Figure 1 Using the Option 82 field

In Figure 1, the clients use the DHCP to obtain IP addresses. To improve network security, the administrator configures the device to control network
access of clients connected to Interface1.
The DHCP server cannot detect the DHCP client location based only on the DHCP Request message. As a result, users in the same VLAN have the same
rights to access network resources.
To address this problem, the administrator can enable the Option 82 field after DHCP snooping is enabled on SwitchA. Upon receiving a DHCP Request
message to apply for an IP address, SwitchA inserts the Option 82 field in the message to notify the DHCP server of the DHCP client location, including
the MAC address, VLAN ID, and interface number of the client. The DHCP server can properly assign an IP address and other configurations to the client
based on the IP address assignment or security policies on the server.
The Option 82 field records the location of a DHCP client and is encapsulated in a DHCP Request message that is sent to the DHCP server. To deploy
different IP addresses or security policies for different clients, the DHCP server must support the Option 82 field and be configured with IP address
assignment or security policies.


1.3.7 Detecting Client Locations Through the LDRA


An LDRA-enabled device can record client location information and forward the information to the DHCPv6 server. The DHCPv6 server then assigns IP
addresses, accounting policies, and access control policies to the clients based on the client location information.
As shown in Figure 1, users expect to obtain IPv6 addresses through DHCPv6. The administrator wants to restrict the network access rights of the users on
interface1 to improve network security.

Figure 1 LDRA application

In the traditional IPv6 address allocation process, the DHCPv6 server cannot obtain the physical locations of clients, so it cannot assign specified IP
addresses or policies to the users on a given interface.
To solve this problem, the administrator enables DHCP snooping and the LDRA functions on the Switch. The Switch then can obtain the location
information of clients and forward the information to the DHCPv6 server. The server assigns IP addresses and security policies to clients based on the
client location information.
The LDRA function only records the client location information and forwards the information to the DHCPv6 server through Relay-Forward messages.
The differentiated policies for IP address allocation, accounting, and access control are configured on the DHCPv6 server.


1.4 Configuration Notes


Involved Network Elements
Other network elements are not required.

License Support
On the S1720GW and S1720GWR, DHCP snooping is available only after the license is loaded. DHCP snooping is available on other models without
loading a license.
For details about how to apply for a license, see S Series Switch License Use Guide.

Version Support

Table 1 Products and versions supporting DHCP snooping

Product | Product Model | Software Version
S1700 | S1720GFR | V200R006C10, V200R009C00, V200R010C00
S1700 | S1720GW and S1720GWR | V200R010C00
S1700 | S1720GW-E and S1720GWR-E | V200R010C00
S2700 | S2700SI | Not supported
S2700 | S2700EI | V100R005C01, V100R006(C00&C01&C03&C05)
S2700 | S2710SI | V100R006(C03&C05)
S2700 | S2720EI | V200R006C10, V200R009C00, V200R010C00
S2700 | S2750EI | V200R003C00, V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00
S3700 | S3700SI and S3700EI | V100R005C01, V100R006(C00&C01&C03&C05)
S3700 | S3700HI | V100R006C01, V200R001C00
S5700 | S5700LI | V200R001C00, V200R002C00, V200R003(C00&C02&C10), V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00
S5700 | S5700S-LI | V200R001C00, V200R002C00, V200R003C00, V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00
S5700 | S5710-C-LI | V200R001C00
S5700 | S5710-X-LI | V200R008C00, V200R009C00, V200R010C00
S5700 | S5700SI | V100R005C01, V100R006C00, V200R001C00, V200R002C00, V200R003C00, V200R005C00
S5700 | S5700EI | V100R005C01, V100R006(C00&C01), V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02&C03)
S5700 | S5710EI | V200R001C00, V200R002C00, V200R003C00, V200R005(C00&C02)
S5700 | S5720EI | V200R007C00, V200R008C00, V200R009C00, V200R010C00
S5700 | S5720LI and S5720S-LI | V200R010C00
S5700 | S5720SI and S5720S-SI | V200R008C00, V200R009C00, V200R010C00
S5700 | S5700HI | V100R006C01, V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00SPC500&C01&C02)
S5700 | S5710HI | V200R003C00, V200R005(C00&C02&C03)
S5700 | S5720HI | V200R006C00, V200R007(C00&C10), V200R008C00, V200R009C00, V200R010C00
S6700 | S6700EI | V100R006C00, V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02)
S6700 | S6720EI | V200R008C00, V200R009C00, V200R010C00
S6700 | S6720S-EI | V200R009C00, V200R010C00

NOTE:
To know details about software mappings, see Version Mapping Search for Huawei Switches.

Feature Dependencies and Limitations

If the number of online users on the device reaches the maximum number of entries in the DHCP snooping binding table, users that are still offline
cannot go online.
On an S5720HI, the DHCP snooping function applies to wired users only.


1.5 Default Configuration


Table 1 lists the default DHCP snooping configuration.


Table 1 Default DHCP snooping configuration


Parameter: Default Setting

DHCP snooping globally and on an interface: Disabled
Interface status: Untrusted
Location transition for DHCP snooping users: Enabled
Association between DHCP snooping and ARP: Disabled
Option 82: Disabled
Static MAC address entries generated based on dynamic DHCP snooping binding entries: Disabled
Maximum rate of sending DHCP messages to the processing unit: 100 pps
Checking DHCP messages against the DHCP snooping binding table: Disabled
Checking whether the CHADDR field matches the source MAC address in the header of a DHCP Request message: Disabled
Checking whether the GIADDR field in a DHCP Request message is 0: Disabled

Parent Topic: DHCP Snooping Configuration



1.6 Configuring Basic Functions of DHCP Snooping


DHCP snooping allows DHCP clients to obtain IP addresses from authorized DHCP servers, and records mappings between IP addresses and MAC
addresses of DHCP clients to a binding table.

Pre-configuration Tasks
Before configuring DHCP snooping, configure the DHCP function. For the DHCP configuration, see DHCP Configuration in the S1720&S2700&S5700&S6720 V200R010C00 Configuration Guide - IP Service.

Configuration Process
The basic functions of DHCP snooping are configured on the Layer 2 access device or on the first DHCP relay agent on the path from the DHCP clients.
Enabling DHCP Snooping

Configuring an Interface as the Trusted Interface

(Optional) Disabling Location Transition for DHCP Snooping Users

(Optional) Configuring an Association Between ARP and DHCP Snooping

(Optional) Configuring the Device to Clear the MAC Address Entry Immediately When a User Is Disconnected

(Optional) Configuring the Device to Discard DHCP Request Messages with Non-0 GIADDR Field

Checking the Configuration

Parent Topic: DHCP Snooping Configuration



1.6.1 Enabling DHCP Snooping


Context

DHCP snooping ensures security of the DHCP service. Before configuring DHCP snooping functions, you need to enable DHCP snooping.
You must enable DHCP snooping in the system view, and then on an interface or in a VLAN.

As shown in Figure 1, Switch_1 is a Layer 2 access device that forwards the DHCP Request packets from user PCs to the DHCP server. For example, when
you configure DHCP snooping on Switch_1, note the following:

Enable DHCP globally using the dhcp enable command before enabling DHCP snooping.
After DHCP snooping is globally enabled, enable DHCP snooping on the interfaces (such as if1, if2, and if3) connecting to users or the VLAN
(such as VLAN 10) to which these interfaces belong.
When multiple user PCs belong to the same VLAN, you can enable DHCP snooping in this VLAN to simplify configuration.

NOTE:
DHCP snooping does not support the BOOTP protocol. However, diskless workstations use the BOOTP protocol. Therefore, DHCP snooping binding entries cannot be generated for diskless workstations. IPSG and DAI are implemented based on binding entries. To use them on a diskless workstation, configure static binding entries by running the user-bind static command.


Figure 1 DHCP snooping networking diagram

Perform the following steps on the Layer 2 access device or on the first DHCP relay agent on the path from the DHCP clients.

Procedure

1. Run:
system-view

The system view is displayed.


2. Run:
dhcp snooping enable [ ipv4 | ipv6 ]

DHCP snooping is globally enabled.


By default, DHCP snooping is globally disabled on the device.
3. (Optional) Run:
dhcp snooping over-vpls enable

DHCP snooping is enabled on the device on a VPLS network.


By default, DHCP snooping is disabled on the device on a VPLS network.

NOTE:
This step is supported only on the S5720HI.
DHCPv6 snooping does not support this command.
The device management interfaces do not support DHCP snooping on a VPLS network.

4. Enable DHCP snooping in the system, VLAN, or interface view.


In the system view:

a. Run:
dhcp snooping enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

DHCP snooping is enabled on the device.


By default, DHCP snooping is disabled on the device.

In the VLAN view or interface view:

a. Run:
vlan vlan-id

The VLAN view is displayed.


Or run:
interface interface-type interface-number

The interface view is displayed.

b. Run:
dhcp snooping enable

DHCP snooping is enabled on the interface or in a VLAN.


By default, DHCP snooping is disabled on the device.

If you run this command in the VLAN view, the command takes effect on all the DHCP messages received by all interfaces from the specified
VLAN. If you run this command in the interface view, the command takes effect on all the DHCP messages received by the specified interface.

Parent Topic: Configuring Basic Functions of DHCP Snooping



1.6.2 Configuring an Interface as the Trusted Interface


Context

To enable DHCP clients to obtain IP addresses from authorized DHCP servers, as shown in Figure 1, configure the interfaces (such as if0) directly or
indirectly connected to the DHCP servers trusted by the administrator as the trusted interfaces, and other interfaces (such as if2) as untrusted interfaces.
This prevents bogus DHCP servers from assigning IP addresses to DHCP clients.

After enabling DHCP snooping on the interface or in the VLAN connected to the user, configure the interface connected to the DHCP server as the trusted
interface, so that the dynamic DHCP snooping binding table is generated.
Figure 1 DHCP snooping networking diagram

Perform the following steps on the Layer 2 access device.

Procedure

1. Run:
system-view

The system view is displayed.


2. Configure the interface as the trusted interface in the interface view or VLAN view.
In the interface view:

a. Run:
interface interface-type interface-number

The interface view is displayed.

b. Run:
dhcp snooping trusted

The interface is configured as the trusted interface.


By default, an interface is an untrusted interface.

In the VLAN view:

a. Run:
vlan vlan-id

The VLAN view is displayed.

b. Run:
dhcp snooping trusted interface interface-type interface-number

The interface is configured as the trusted interface.


By default, an interface is an untrusted interface.

If you run this command in the VLAN view, the command takes effect only on DHCP messages in this VLAN received from interfaces that
belong to this VLAN. If you run the dhcp snooping trusted command in the interface view, the command takes effect for all the DHCP
messages received on the specified interface.

Parent Topic: Configuring Basic Functions of DHCP Snooping



1.6.3 (Optional) Disabling Location Transition for DHCP Snooping Users


Context

When a mobile user goes online through interface A, goes offline, and then goes online through interface B, the user sends a DHCP Discover message to
apply for an IP address. By default, if DHCP snooping is enabled on the device, the device allows the user to go online and updates the DHCP snooping
binding entries. However, this may bring security risks. For example, if an attacker pretends to be an authorized user and sends a DHCP Discover
message, the authorized user cannot access the network after the DHCP snooping binding table is updated. To prevent such attacks, disable the DHCP
snooping location transition function. After this function is disabled, the device discards the DHCP Discover messages sent by a user who has an entry in
the DHCP snooping binding table (user's MAC address exists in the DHCP snooping binding table) through another interface.

NOTE:
Interface A and interface B must belong to the same VLAN.

Procedure

1. Run:
system-view

The system view is displayed.


2. Run:

undo dhcp snooping user-transfer enable
Location transition is disabled for DHCP snooping users.
By default, location transition is enabled for DHCP snooping users.

Parent Topic: Configuring Basic Functions of DHCP Snooping



1.6.4 (Optional) Configuring an Association Between ARP and DHCP Snooping


Context

When a DHCP snooping-enabled device receives a DHCP Release message sent from a DHCP client, the device deletes the binding entry of the DHCP
client. However, if a client is disconnected and cannot send a DHCP Release message, the device cannot immediately delete the binding entry of the
DHCP client.
After association between ARP and DHCP snooping is enabled, the DHCP snooping-enabled device performs an ARP probe to detect the IP address
when the ARP entry mapping an IP address ages. If the DHCP client is not detected after a specified number of probes, the device deletes the ARP entry.
The device then performs an ARP probe again to detect the IP address. If the DHCP client still cannot be detected after a specified number of probes, the
device deletes the binding entry of the DHCP client.

NOTE:
The device supports association between ARP and DHCP snooping only when the device functions as a DHCP relay agent.

Procedure

1. Run:
system-view

The system view is displayed.


2. Run:
arp dhcp-snooping-detect enable

Association between ARP and DHCP snooping is enabled.


By default, association between ARP and DHCP snooping is disabled.

Parent Topic: Configuring Basic Functions of DHCP Snooping



1.6.5 (Optional) Configuring the Device to Clear the MAC Address Entry Immediately When a User Is Disconnected


Context

If a DHCP client is disconnected but its MAC address entry is not aged, the device forwards the message whose destination address is the IP address of
the DHCP client based on the dynamic MAC address entry. This deteriorates device performance.
The DHCP client sends a DHCP Release message when it is disconnected. Upon receiving the message, the device immediately deletes the DHCP
snooping binding entry of the DHCP client. You can enable the device to delete the mapping MAC address entry when a dynamic DHCP snooping
binding entry is deleted.

Procedure

1. Run:
system-view

The system view is displayed.


2. Run:
dhcp snooping user-offline remove mac-address

The device deletes the MAC address entry of a DHCP client when the dynamic binding entry is deleted.
By default, the device does not delete the MAC address entry of a DHCP client when the dynamic binding entry is deleted.

Parent Topic: Configuring Basic Functions of DHCP Snooping



1.6.6 (Optional) Configuring the Device to Discard DHCP Request Messages with Non-0 GIADDR Field


Context

The GIADDR field in a DHCP Request message records the IP address of the first DHCP relay agent through which the DHCP Request message passes.
If the DHCP server and client are on different network segments, the first DHCP relay agent fills its own IP address in the GIADDR field before
forwarding the DHCP Request message. The DHCP server then locates the DHCP client and selects an appropriate address pool to assign an IP address to
the client.
To ensure that the device obtains parameters such as MAC addresses for generating a binding table, as shown in Figure 1, enable DHCP snooping on Layer
2 access devices or the first DHCP relay agent (DHCP Relay1). Then, the GIADDR field in the DHCP Request messages received by the DHCP
snooping-enabled device is 0. If the GIADDR field is not 0, the message is considered to be invalid and discarded. This function is recommended if
DHCP snooping is enabled on the DHCP relay agent.
In normal situations, the GIADDR field in DHCP messages sent by user PCs is 0. If the GIADDR field is not 0, the DHCP server cannot correctly
allocate IP addresses. To prevent attackers from applying for IP addresses with the DHCP messages containing a non-0 GIADDR field, you are advised to
configure this function.
Figure 1 DHCP message processing when multiple DHCP relay agents exist (DHCP Request message is used as an example)

Procedure

1. Run:
system-view

The system view is displayed.


2. Enable the device to check whether the GIADDR field in the DHCP Request message is 0 in the system view, VLAN view, or interface view.
In the system view:

a. Run:
dhcp snooping check dhcp-giaddr enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

The device is enabled to check whether the GIADDR field in a DHCP Request message is 0.
By default, the device does not check whether the GIADDR field in a DHCP Request message is 0.

In the VLAN view and interface view:

a. Run:
vlan vlan-id

The VLAN view is displayed.


Or run:
interface interface-type interface-number

The interface view is displayed.

b. Run:
dhcp snooping check dhcp-giaddr enable

The device is enabled to check whether the GIADDR field in a DHCP Request message is 0.
By default, the device does not check whether the GIADDR field in a DHCP Request message is 0.

If you run this command in the VLAN view, the command takes effect on all the DHCP messages in the specified VLAN received by all the
interfaces on the device. If you run this command in the interface view, the command takes effect on all the DHCP messages received by the
specified interface.
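As an added example (not Huawei's code or the switch's implementation), the following Python models the forwarding decisions a DHCP snooping-enabled access switch makes under 1.6.2 (trusted interface), 1.6.3 (location transition disabled) and 1.6.6 (GIADDR check), and shows how the binding table is learned from the DHCP exchange. Interface names, VLAN, MAC and IP values are constructed to match the Figure 1 topology (if0 towards the server, if1/if2 towards PCs).

```python
from dataclasses import dataclass

# DHCP message type values (option 53); only the ones this model needs
DISCOVER, OFFER, REQUEST, ACK, RELEASE = 1, 2, 3, 5, 7
SERVER_MSG_TYPES = {OFFER, ACK}  # legitimately sent only by a DHCP server

ZERO_IP = "0.0.0.0"


@dataclass(frozen=True)
class DhcpMsg:
    """A simplified DHCP message as seen by the access switch (constructed, not parsed)."""
    in_port: str            # interface the frame arrived on, e.g. "if1"
    vlan: int
    msg_type: int
    chaddr: str             # client hardware address carried in the DHCP payload
    giaddr: str = ZERO_IP   # relay agent address; stays 0.0.0.0 when a client sends directly
    yiaddr: str = ZERO_IP   # address assigned to the client (meaningful in OFFER/ACK)


@dataclass
class Binding:
    ip: str
    port: str
    vlan: int


class DhcpSnooping:
    """Decision logic of a DHCP snooping-enabled Layer 2 access switch (model).

    trusted_ports - interfaces configured with 'dhcp snooping trusted' (1.6.2)
    user_transfer - False models 'undo dhcp snooping user-transfer enable' (1.6.3)
    check_giaddr  - True models 'dhcp snooping check dhcp-giaddr enable' (1.6.6)
    """

    def __init__(self, trusted_ports, user_transfer=True, check_giaddr=False):
        self.trusted = set(trusted_ports)
        self.user_transfer = user_transfer
        self.check_giaddr = check_giaddr
        self.bindings = {}   # (chaddr, vlan) -> Binding: the DHCP snooping binding table
        self._pending = {}   # (chaddr, vlan) -> port on which the client's REQUEST arrived

    def process(self, m: DhcpMsg) -> str:
        """Return 'forward' or 'drop:<reason>' for one message."""
        key = (m.chaddr, m.vlan)
        if m.msg_type in SERVER_MSG_TYPES:
            # Server replies are accepted only on trusted interfaces; a reply on
            # an untrusted port is treated as a bogus DHCP server and discarded.
            if m.in_port not in self.trusted:
                return "drop:server-message-on-untrusted-port"
            if m.msg_type == ACK and key in self._pending:
                # The ACK completes the exchange: record IP, MAC, port and VLAN,
                # using the port the client's REQUEST was received on.
                self.bindings[key] = Binding(m.yiaddr, self._pending.pop(key), m.vlan)
            return "forward"

        # Client-originated message (DISCOVER / REQUEST / RELEASE)
        if m.in_port in self.trusted:
            return "forward"           # trusted ports are not snooped for bindings
        if self.check_giaddr and m.giaddr != ZERO_IP:
            # A client sending towards its first relay agent never fills GIADDR.
            return "drop:non-zero-giaddr"
        if m.msg_type == DISCOVER and not self.user_transfer:
            bound = self.bindings.get(key)
            if bound is not None and bound.port != m.in_port:
                # Location transition disabled: a MAC already bound to another
                # interface in the same VLAN may not re-apply from this one.
                return "drop:location-transition-disabled"
        if m.msg_type == REQUEST:
            self._pending[key] = m.in_port
        elif m.msg_type == RELEASE:
            self.bindings.pop(key, None)   # client returned its address
        return "forward"


def demo():
    """Constructed walk-through: rogue server, normal lease, relayed request, moved MAC."""
    sw = DhcpSnooping(trusted_ports={"if0"}, user_transfer=False, check_giaddr=True)
    pc = "00:11:22:33:44:55"   # constructed client MAC
    return [
        sw.process(DhcpMsg("if2", 10, OFFER, pc, yiaddr="10.0.10.9")),      # bogus server on if2
        sw.process(DhcpMsg("if1", 10, DISCOVER, pc)),
        sw.process(DhcpMsg("if1", 10, REQUEST, pc)),
        sw.process(DhcpMsg("if0", 10, ACK, pc, yiaddr="10.0.10.5")),        # binding learned
        sw.process(DhcpMsg("if2", 10, REQUEST, pc, giaddr="10.0.0.254")),   # GIADDR not 0
        sw.process(DhcpMsg("if2", 10, DISCOVER, pc)),                       # same MAC, other port
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```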

Parent Topic: Configuring Basic Functions of DHCP Snooping



1.6.7 Checking the Configuration


Prerequisites

All configurations of DHCP snooping basic functions are complete.

Procedure

Check the configuration and running information of DHCP snooping.

Run the display dhcp snooping configuration [ vlan vlan-id | interface interface-type interface-number ] command to view the DHCP
snooping configuration.
Run the display dhcp snooping [ interface interface-type interface-number | vlan vlan-id ] command to view DHCP snooping running
information.

Check the DHCP snooping binding table.


Run the display dhcp snooping user-bind { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id } * | all } [ verbose ] command to check the DHCP snooping binding table.
Run the display dhcpv6 snooping user-bind { { interface interface-type interface-number | ipv6-address { ipv6-address | all } | mac-address mac-address | vlan vlan-id } * | all } [ verbose ] command to check the DHCPv6 snooping binding table.
Run the display dhcpv6 snooping user-bind ipv6-prefix { prefix/prefix-length | all } [ verbose ] command to check the IPv6 prefix binding table.

Run the display dhcp snooping statistics command to check statistics on the received DHCP messages.

Parent Topic: Configuring Basic Functions of DHCP Snooping



1.7 Configuring DHCP Snooping Attack Defense


After basic DHCP snooping functions are configured, DHCP clients can obtain IP addresses from the authorized DHCP server, preventing bogus DHCP
server attacks on the network. However, many other DHCP attacks exist on the network. The administrator can configure DHCP snooping attack defense
on the device as required.
In this chapter, the function in Configuring Defense Against Bogus DHCP Message Attacks and the function in step 2 of Configuring Defense Against DHCP Server DoS
Attacks are also applicable to DHCPv6 snooping.

Prerequisites
Basic DHCP snooping functions have been completely configured.
Enabling DHCP Server Detection

Configuring Defense Against DHCP Flood Attacks

Configuring Defense Against Bogus DHCP Message Attacks

Configuring Defense Against DHCP Server DoS Attacks

Checking the Configuration

Parent Topic: DHCP Snooping Configuration



1.7.1 Enabling DHCP Server Detection


Context

After DHCP snooping is enabled and a trusted interface is configured, the device enables DHCP clients to obtain IP addresses from the authorized DHCP
server, to prevent bogus DHCP server attacks. However, the location of the bogus DHCP server cannot be detected, which brings security risks on the
network.
After DHCP server detection is enabled, the DHCP snooping-enabled device checks information about the DHCP server, such as the IP address and port
number, in the DHCP Reply messages and records the information to the log. The network administrator identifies whether bogus DHCP servers exist on
the network based on logs.

Procedure

1. Run:
system-view

The system view is displayed.


2. Run:
dhcp server detect

Detection of DHCP servers is enabled.


By default, detection of DHCP servers is disabled.

Parent Topic: Configuring DHCP Snooping Attack Defense



1.7.2 Configuring Defense Against DHCP Flood Attacks


Context

On a DHCP network, if an attacker sends a large number of DHCP messages to the device within a short time, the device performance may deteriorate
and the device may not work normally. To prevent DHCP flood attacks, enable the device to check the rate of sending DHCP messages to the processing
unit.

Procedure

1. Run:
system-view

The system view is displayed.


2. You can limit the rate of sending DHCP messages in the system view, VLAN view, or interface view.
In the system view:

a. Run:
dhcp snooping check dhcp-rate enable

The device is enabled to check the rate of sending DHCP messages to the processing unit.
By default, the device does not check the rate of sending DHCP messages to the processing unit.
Running the dhcp snooping check dhcp-rate enable vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command in the system view is
equivalent to running the dhcp snooping check dhcp-rate enable command in the VLAN view.
b. Run:
dhcp snooping check dhcp-rate rate

The maximum rate of sending DHCP messages to the processing unit is set.
By default, the maximum rate of sending global DHCP messages to the processing unit is 100 pps, which is the same as the
maximum rate of sending DHCP messages on interfaces to the processing unit.

In the VLAN view:

a. Run:
vlan vlan-id

The VLAN view is displayed.


b. Run:
dhcp snooping check dhcp-rate enable

The device is enabled to check the rate of sending DHCP messages to the processing unit.
By default, the device does not check the rate of sending DHCP messages to the processing unit.
Running the dhcp snooping check dhcp-rate enable vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command in the system view is
equivalent to running the dhcp snooping check dhcp-rate enable command in the VLAN view.
c. Run:
dhcp snooping check dhcp-rate rate

The maximum rate of sending DHCP messages to the processing unit is set.
By default, the maximum rate of sending global DHCP messages to the processing unit is 100 pps, which is the same as the
maximum rate of sending DHCP messages on interfaces to the processing unit.

In the interface view:

a. Run:
interface interface-type interface-number

The interface view is displayed.


b. Run:
dhcp snooping check dhcp-rate enable

The device is enabled to check the rate of sending DHCP messages to the processing unit.
By default, the device does not check the rate of sending DHCP messages to the processing unit.
c. Run:
dhcp snooping check dhcp-rate rate

The maximum rate of sending DHCP messages to the processing unit is set.
By default, the maximum rate of sending global DHCP messages to the processing unit is 100 pps, which is the same as the
maximum rate of sending DHCP messages on interfaces to the processing unit.

3. (Optional) Configure the trap function in the system view or interface view.
In the system view:

a. Run:
dhcp snooping alarm dhcp-rate enable

The device is enabled to generate an alarm when the number of discarded DHCP messages reaches the threshold.
If you run this command in the system view, the command takes effect for all the interfaces of the device.
By default, the device does not generate an alarm when the number of discarded DHCP messages reaches the threshold.
b. Run:
dhcp snooping alarm dhcp-rate threshold threshold

The alarm threshold for the number of discarded DHCP messages is set on the interface.

By default, the global alarm threshold for the number of discarded DHCP packets is 100, and the threshold on an interface
is the same as the configuration in system view.
If the alarm threshold is set in the system view and interface view, the smaller value takes effect.

In the interface view:

a. Run:
interface interface-type interface-number

The interface view is displayed.


b. Run:
dhcp snooping alarm dhcp-rate enable

The device is enabled to generate an alarm when the number of discarded DHCP messages reaches the threshold.
If you run this command in the system view, the command takes effect for all the interfaces of the device.
By default, the device does not generate an alarm when the number of discarded DHCP messages reaches the threshold.
c. Run:
dhcp snooping alarm dhcp-rate threshold threshold

The alarm threshold for the number of discarded DHCP messages is set on the interface.
By default, the global alarm threshold for the number of discarded DHCP packets is 100, and the threshold on an interface
is the same as the configuration in system view.
If the alarm threshold is set in the system view and interface view, the smaller value takes effect.

Parent Topic: Configuring DHCP Snooping Attack Defense



1.7.3 Configuring Defense Against Bogus DHCP Message Attacks


Context

If an attacker sends a bogus DHCP Request message to the DHCP server to extend the lease, the IP address cannot be released after the lease expires and
authorized users cannot use the IP address. If the attacker forges a DHCP Release message of an authorized user and sends it to the DHCP server, the
authorized user may be disconnected.
After a DHCP snooping binding table is generated, the device checks DHCP Request and Release messages against the binding table. Only DHCP
messages that match entries are forwarded. This prevents unauthorized users from sending bogus DHCP Request messages or Release messages to extend
the lease or to release IP addresses.

Procedure

1. Run:
system-view

The system view is displayed.


2. You can enable the device to check the DHCP messages against the binding table in the system view, VLAN view, or interface view.
In the system view:

a. Run:
dhcp snooping check dhcp-request enable vlan { vlan-id1 [ to vlan-id2 ] }&<1-10>

The device is enabled to check DHCP messages in specified VLANs against the DHCP snooping binding table.
By default, the device does not check DHCP messages against the DHCP snooping binding table.

In the VLAN view or interface view:

a. Run:
vlan vlan-id

The VLAN view is displayed.


Or run:
interface interface-type interface-number

The interface view is displayed.

b. Run:
dhcp snooping check dhcp-request enable

The device is enabled to check DHCP messages against the DHCP snooping binding table.
By default, the device does not check DHCP messages against the DHCP snooping binding table.
If you run this command in the VLAN view, the command takes effect on all the DHCP messages in the specified VLAN received by
all the interfaces on the device.

c. Run:
quit

Return to the system view.

3. Enable the trap function for DHCP snooping in the interface view.

a. Run:
interface interface-type interface-number

The interface view is displayed.

b. Run:
dhcp snooping alarm dhcp-request enable

An alarm is generated when the number of DHCP messages that are discarded because they do not match DHCP snooping binding
entries reaches the threshold.
By default, the trap function for discarded DHCP messages is disabled.

c. Run:
quit

Return to the system view.

4. (Optional) Set the alarm threshold for the number of messages discarded by DHCP snooping in the system view or interface view.
In the system view:

a. Run:
dhcp snooping alarm threshold threshold

The alarm threshold for the number of messages discarded by DHCP snooping is set.
If you run this command in the system view, the command takes effect for all the interfaces of the device.
By default, the alarm threshold for the number of messages discarded by DHCP snooping is 100.

In the interface view:

a. Run:
interface interface-type interface-number

The interface view is displayed.

b. Run:
dhcp snooping alarm dhcp-request threshold threshold

The alarm threshold for the number of messages discarded because they do not match the DHCP snooping binding entries is set.
By default, an alarm is generated in the system when at least 100 DHCP snooping messages are discarded, and the alarm threshold
on an interface is set using the dhcp snooping alarm threshold command in the system view.
If the alarm threshold is set in the system view and interface view, the smaller value takes effect.
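As an added example (not Huawei's code or the switch's implementation), the following Python models the two attack-defense checks of 1.7.2 and 1.7.3: limiting the rate of DHCP messages sent to the processing unit with a discard alarm, and checking lease-renewal Request and Release messages against the DHCP snooping binding table. The sliding one-second window, the alarm counter reset and the rule that only messages carrying a client address are matched are modelling assumptions; all timestamps, MAC, IP and interface values are constructed.

```python
from collections import deque


class DhcpRateCheck:
    """Model of 'dhcp snooping check dhcp-rate <rate>' plus the alarm configured
    with 'dhcp snooping alarm dhcp-rate enable' and '... threshold <threshold>'.

    Messages beyond `rate_pps` within any one-second window are not sent to the
    processing unit. When the number of discarded messages reaches
    `alarm_threshold` an alarm is raised and the counter restarts (assumption).
    """

    def __init__(self, rate_pps=100, alarm_threshold=100):   # page defaults
        self.rate = rate_pps
        self.alarm_threshold = alarm_threshold
        self._window = deque()       # arrival times of messages admitted in the last second
        self._since_alarm = 0        # discards since the last alarm
        self.discarded_total = 0
        self.alarms = 0

    def admit(self, now: float) -> bool:
        """Return True if a message arriving at `now` (seconds) is processed."""
        while self._window and now - self._window[0] >= 1.0:
            self._window.popleft()   # slide the window forward
        if len(self._window) >= self.rate:
            self.discarded_total += 1
            self._since_alarm += 1
            if self._since_alarm >= self.alarm_threshold:
                self.alarms += 1
                self._since_alarm = 0
            return False
        self._window.append(now)
        return True


class RequestReleaseCheck:
    """Model of 'dhcp snooping check dhcp-request enable': a renewal REQUEST or a
    RELEASE received on an untrusted port is forwarded only when its MAC, VLAN,
    client IP and inbound port all match one DHCP snooping binding entry, so a
    forged Release for another user's address (right MAC/IP, wrong port) is dropped.
    """

    def __init__(self, bindings):
        # bindings: iterable of (mac, vlan, ip, port), as shown by
        # 'display dhcp snooping user-bind all'; constructed here for the demo.
        self.table = {(mac, vlan): (ip, port) for mac, vlan, ip, port in bindings}
        self.discarded = 0

    def check(self, mac: str, vlan: int, client_ip: str, port: str) -> bool:
        """Return True (forward) when the message matches a binding entry."""
        ok = self.table.get((mac, vlan)) == (client_ip, port)
        if not ok:
            self.discarded += 1   # feeds the 'dhcp snooping alarm dhcp-request' counter
        return ok


def demo():
    """Constructed burst of five messages in 0.4 s against a 3 pps limit, then one
    forged and one genuine RELEASE against a one-entry binding table."""
    limiter = DhcpRateCheck(rate_pps=3, alarm_threshold=2)
    decisions = [limiter.admit(t) for t in (0.0, 0.1, 0.2, 0.3, 0.4, 1.5)]
    table = RequestReleaseCheck([("00:11:22:33:44:55", 10, "10.0.10.5", "if1")])
    forged = table.check("00:11:22:33:44:55", 10, "10.0.10.5", "if2")   # wrong port
    genuine = table.check("00:11:22:33:44:55", 10, "10.0.10.5", "if1")
    return decisions, limiter.alarms, forged, genuine


if __name__ == "__main__":
    print(demo())
```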

Parent Topic: Configuring DHCP Snooping Attack Defense



1.7.4 Configuring Defense Against DHCP Server DoS Attacks


Context

Malicious use of IP addresses exhausts IP addresses in the IP address pool, so authorized users cannot obtain IP addresses. The DHCP server generally
identifies the MAC address of a DHCP client based on the CHADDR (client hardware address) field in the DHCP Request message. If attackers
continuously apply for IP addresses by changing the CHADDR field, IP addresses in the address pool on the DHCP server may be exhausted. As a result,
authorized users cannot obtain IP addresses.
To prevent DHCP users on some interfaces from applying for IP addresses maliciously, you can limit the number of DHCP snooping binding entries that can
be learned by an interface to control the number of online users. When the number of DHCP snooping binding entries reaches the maximum value, no
DHCP client can obtain an IP address through the interface. To prevent attackers from continuously changing the CHADDR field in the DHCP Request
message, enable the device to check whether the MAC address in the Ethernet frame header matches the CHADDR field in the DHCP message. If the two
values match, the message is forwarded; if the two values do not match, the message is discarded.

Procedure

1. Run:
system-view

The system view is displayed.


2. Set the maximum number of DHCP snooping binding entries to be learned by an interface in the system, VLAN, or interface view.
In the system view:

a. Run:
dhcp snooping max-user-number max-user-number vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
The maximum number of DHCP snooping binding entries is set on the device.
After running this command, the value specified in this command is the total number of DHCP snooping binding entries learned by
all interfaces on the device.
By default, the maximum number of DHCP snooping binding entries that can be learned on an interface is 256 for S1720GFR,
S2720, and S2750EI, 512 for S1720GW, S1720GWR, S1720GW-E, S1720GWR-E, S5720LI, S5720S-LI, S5700LI and S5710-X-LI,
and 1024 for other models.

b. (Optional) Run:
dhcp snooping user-alarm percentage percent-lower-value percent-upper-value

The alarm thresholds for the percentage of DHCP snooping binding entries are configured.
By default, the lower alarm threshold for the percentage of DHCP snooping binding entries is 50, and the upper alarm threshold for
the percentage of DHCP snooping binding entries is 100.

In the VLAN view and interface view:

a. Run:
vlan vlan-id

The VLAN view is displayed.


Or run:
interface interface-type interface-number

The interface view is displayed.

b. Run:
dhcp snooping max-user-number max-user-number

The maximum number of DHCP snooping binding entries is set on the interface.
If you run this command in the VLAN view, the command takes effect for all the interfaces in the VLAN.
By default, the maximum number of DHCP snooping binding entries that can be learned on an interface is 256 for S1720GFR,
S2720, and S2750EI, 512 for S1720GW, S1720GWR, S1720GW-E, S1720GWR-E, S5720LI, S5720S-LI, S5700LI and S5710-X-LI,
and 1024 for other models.
If you run this command in the VLAN view, the command takes effect on all the DHCP messages in the specified VLAN received by
all the interfaces on the device. If you run this command in the interface view, the command takes effect on all the DHCP messages
received by the specified interface.
If you run this command in the system view, VLAN view, and the interface view, the smallest value takes effect.
The S1720GFR, S2720, and S2750EI on an IPv4 network allow a maximum of 256 users to go online after DHCP snooping is
enabled. If more than 256 users need to be online at the same time, disable DHCP snooping.

3. Enable the device to check the CHADDR field in the message in the system view, VLAN view, or interface view.
In the system view:

a. Run:
dhcp snooping check dhcp-chaddr enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

The device is enabled to check whether the MAC address in the Ethernet frame header matches the CHADDR field in the DHCP
message.
By default, the device does not check whether the MAC address in the Ethernet frame header matches the CHADDR field in the
DHCP message.

b. (Optional) Run:
dhcp snooping alarm threshold threshold

The global alarm threshold for the number of messages discarded by DHCP snooping is set.
If you run this command in the system view, the command takes effect for all the interfaces on the device.
By default, the global alarm threshold for the number of messages discarded by DHCP snooping is 100.

In the VLAN view or interface view:

a. Run:
vlan vlan-id

The VLAN view is displayed.


Or run:
interface interface-type interface-number

The interface view is displayed.

b. Run:
dhcp snooping check dhcp-chaddr enable

The device is enabled to check whether the MAC address in the Ethernet frame header matches the CHADDR field in the DHCP
message.
By default, the device does not check whether the MAC address in the Ethernet frame header matches the CHADDR field in the
DHCP message.
If you run the dhcp snooping check dhcp-chaddr enable command in the VLAN view, the command takes effect on all the DHCP
messages in the specified VLAN received by all the interfaces on the device. If you run the dhcp snooping check dhcp-chaddr
enable command in the interface view, the command takes effect for all the DHCP messages received on the interface.

c. (Optional) Run:
dhcp snooping alarm dhcp-chaddr enable

The device is configured to generate a DHCP snooping alarm when the number of packets dropped in CHADDR field check reaches
the alarm threshold.
By default, the DHCP snooping alarm function is disabled.

NOTE:
This command can only be used in the interface view.

d. (Optional) Run:
dhcp snooping alarm dhcp-chaddr threshold threshold

The alarm threshold for the number of DHCP messages discarded because the CHADDR field does not match the source MAC
address in the Ethernet frame header is set.
By default, no interface-specific threshold is set, and the global threshold configured with the dhcp snooping alarm threshold
command in the system view (100 by default) applies to the interface.
If a threshold is set in both the system view and the interface view, the smaller value takes effect.

NOTE:
This command can only be used in the interface view.
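The CHADDR check of step 3 and its alarm threshold, modelled in Python as an added example (this is not Huawei code): a constructed DHCP frame builder, the comparison of the CHADDR field against the Ethernet source MAC, and the rule that the smaller of the system-view and interface-view thresholds takes effect. The frame layout, interface names, threshold values and the attacker's MAC addresses are assumptions of the example.

```python
"""Added example, not Huawei code: the CHADDR check of step 3 modelled in Python.

A DHCP client writes its own hardware address into the CHADDR field. An attacker
trying to exhaust the server's address pool can vary CHADDR in every request while
the Ethernet source MAC stays the same, so the snooping device drops any DHCP
message whose CHADDR differs from the frame's source MAC and counts the drop
against the interface's alarm threshold. The frame layout, interface names and
thresholds below are assumptions of this example.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ETH_LEN, IP_LEN, UDP_LEN = 14, 20, 8      # fixed-size headers in the constructed frame
BOOTP_HLEN_OFF, BOOTP_CHADDR_OFF = 2, 28  # hlen and chaddr offsets in the BOOTP header


def build_dhcp_frame(src_mac: bytes, chaddr: bytes, xid: int = 0x1234) -> bytes:
    """Constructed DHCP Discover: Ethernet + dummy IPv4 + UDP 68->67 + BOOTP header."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x00"
    ip = b"\x45" + b"\x00" * 19
    udp = struct.pack("!HHHH", 68, 67, 0, 0)
    # op=1 BOOTREQUEST, htype=1 Ethernet, hlen=6, hops=0, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr (all 0.0.0.0), then the 16-byte chaddr field
    bootp = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    return eth + ip + udp + bootp + chaddr.ljust(16, b"\0")


def chaddr_matches_src_mac(frame: bytes) -> bool:
    """True when the hlen bytes of CHADDR equal the Ethernet source MAC."""
    src_mac = frame[6:12]
    bootp = frame[ETH_LEN + IP_LEN + UDP_LEN:]
    hlen = bootp[BOOTP_HLEN_OFF]
    return hlen == 6 and bootp[BOOTP_CHADDR_OFF:BOOTP_CHADDR_OFF + hlen] == src_mac


@dataclass
class Interface:
    name: str
    threshold: Optional[int] = None   # dhcp snooping alarm dhcp-chaddr threshold; None = not set
    alarm_enabled: bool = False       # dhcp snooping alarm dhcp-chaddr enable
    dropped: int = 0
    alarms: List[str] = field(default_factory=list)


class ChaddrCheck:
    def __init__(self, global_threshold: int = 100):
        self.global_threshold = global_threshold   # dhcp snooping alarm threshold (default 100)

    def effective_threshold(self, itf: Interface) -> int:
        # Set in both views: the smaller value takes effect; otherwise the global value.
        if itf.threshold is None:
            return self.global_threshold
        return min(self.global_threshold, itf.threshold)

    def process(self, itf: Interface, frame: bytes) -> bool:
        """Return True if the frame is forwarded, False if the CHADDR check drops it."""
        if chaddr_matches_src_mac(frame):
            return True
        itf.dropped += 1
        # Alarm once, when the drop counter reaches the effective threshold.
        if itf.alarm_enabled and itf.dropped == self.effective_threshold(itf):
            itf.alarms.append(f"{itf.name}: {itf.dropped} DHCP messages dropped by CHADDR check")
        return False


def demo() -> dict:
    """Legitimate client, then a pool-exhaustion attempt varying CHADDR on a fixed source MAC."""
    check = ChaddrCheck(global_threshold=100)
    ge1 = Interface("GE0/0/1", threshold=3, alarm_enabled=True)   # effective threshold min(100, 3)
    client = bytes.fromhex("001122334455")
    legit_forwarded = check.process(ge1, build_dhcp_frame(client, client))
    attacker = bytes.fromhex("deadbeef0001")
    spoofed = [check.process(ge1, build_dhcp_frame(attacker, bytes([0, 0, 0, 0, 0, i])))
               for i in range(1, 6)]
    return {"legit_forwarded": legit_forwarded, "spoofed_forwarded": spoofed,
            "dropped": ge1.dropped, "alarms": ge1.alarms}


if __name__ == "__main__":
    print(demo())
```

Running the file prints the result dictionary: the legitimate frame is forwarded, the five spoofed frames are dropped, and one alarm fires when the drop counter reaches the interface threshold of 3. An interface without a threshold of its own inherits the global value, and a value larger than the global one is capped by it, which is the "smaller value takes effect" rule stated above.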


1.7.5 Checking the Configuration


Context

After DHCP snooping attack defense is completely configured, check the configured parameters.

Procedure

Run the display dhcp snooping [ interface interface-type interface-number | vlan vlan-id ] command to view DHCP snooping running information.
Run the display dhcp snooping configuration [ vlan vlan-id | interface interface-type interface-number ] command to view the DHCP snooping
configuration.
Run the display mac-address snooping [ interface-type interface-number | vlan vlan-id ] * [ verbose ] command to view static MAC address entries
generated from the DHCP snooping binding table.
Run the display dhcp snooping statistics command to check statistics on the received DHCP messages.


1.8 Inserting the Option 82 Field in a DHCP Message


You can configure a device to insert the Option 82 field in a DHCP message to notify the DHCP server of the DHCP client location.

Context

The Option 82 field records the location of a DHCP client, such as the access interface and VLAN through which the client's request entered the
device. A device inserts the Option 82 field into the DHCP Request messages it forwards so that the DHCP server knows where each request came
from. The DHCP server can take that location into account when it assigns an IP address and other configurations, for example to select an address
pool or to refuse requests from unexpected locations, which protects the DHCP clients.

NOTE:
DHCP Option 82 must be configured on the user-side interfaces or VLANs of the device, where client messages enter; otherwise, the DHCP messages sent to the DHCP server will not carry Option 82.
All configured Option 82 suboptions share a single Option 82 field of 1-255 bytes. If their total length exceeds 255 bytes, some Option 82 information is lost.
There is no limit on the number of Option 82 fields configured on the device. However, a large number of Option 82 fields occupies a lot of memory and prolongs the device
processing time. To ensure device performance, configure Option 82 fields based on the service requirements and the device memory size.

Procedure

1. Run:
system-view

The system view is displayed.


2. Enable the device to insert the Option 82 field in DHCP messages, in the VLAN view or the interface view. In the VLAN view the command
names the interfaces it applies to and takes effect for DHCP messages from that VLAN received on those interfaces. In the interface view
the configuration takes effect only for the specified interface.
VLAN view:
1. Run the vlan vlan-id command to enter the VLAN view.
2. Run the dhcp option82 { insert | rebuild } enable interface interface-type interface-number1 [ to interface-number2 ] command to
enable the device to insert the Option 82 field in a DHCP message.
By default, the device is disabled from inserting the Option 82 field in a DHCP message.
3. Run the quit command to return to the system view.
Interface view:
1. Run the interface interface-type interface-number command to enter the interface view.
2. Run the dhcp option82 { insert | rebuild } enable command to enable the device to insert the Option 82 field in a DHCP message.
By default, the device is disabled from inserting the Option 82 field in a DHCP message.
3. Run the quit command to return to the system view.

3. (Optional) Configure the format of the Option 82 field, in the system view or the interface view. In the system view the configuration
takes effect for all interfaces on the device. In the interface view the configuration takes effect only for the specified interface.
System view:
1. Run the dhcp option82 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] [ circuit-id | remote-id ] format { default | common | extend |
user-defined text } command to configure the format of the Option 82 field in a DHCP message.
By default, the format of the Option 82 field in a DHCP message is default.
Interface view:
1. Run the interface interface-type interface-number command to enter the interface view.
2. Run the dhcp option82 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] [ circuit-id | remote-id ] format { default | common | extend |
user-defined text } command to configure the format of the Option 82 field in a DHCP message.
By default, the format of the Option 82 field in a DHCP message is default.
3. Run the quit command to return to the system view.

4. (Optional) Run:
dhcp option82 subscriber-id format { ascii ascii-text | hex hex-text }

The content of the Sub6 (subscriber-id) suboption inserted into the Option 82 field of DHCP messages is configured.
By default, the Sub6 suboption is not inserted into the Option 82 field of DHCP messages.
5. (Optional) Run:
dhcp option82 vendor-specific format vendor-sub-option sub-option-num { ascii ascii-text | hex hex-text | ip-address ip-address &<1-8> |

The content of the Sub9 (vendor-specific) suboption inserted into the Option 82 field of DHCP messages is configured.
By default, the Sub9 suboption is not inserted into the Option 82 field of DHCP messages.
6. (Optional) Configure the suboptions inserted into the DHCP Option 82 field, in the system view, VLAN view, or interface view. In the
system view the configuration takes effect for all interfaces on the device. In the VLAN view it takes effect for all DHCP messages from this
VLAN received by all interfaces. In the interface view it takes effect only for the specified interface.
System view:
1. Run the dhcp option82 encapsulation { circuit-id | remote-id | subscriber-id | vendor-specific-id } * command to configure the
suboptions inserted into the DHCP Option 82 field.
By default, the circuit-id (CID) and remote-id (RID) suboptions are inserted into the DHCP Option 82 field.
VLAN view:
1. Run the vlan vlan-id command to enter the VLAN view.
2. Run the dhcp option82 encapsulation { circuit-id | remote-id | subscriber-id | vendor-specific-id } * command to configure the
suboptions inserted into the DHCP Option 82 field.
By default, the circuit-id (CID) and remote-id (RID) suboptions are inserted into the DHCP Option 82 field.
3. Run the quit command to return to the system view.
Interface view:
1. Run the interface interface-type interface-number command to enter the interface view.
2. Run the dhcp option82 encapsulation { circuit-id | remote-id | subscriber-id | vendor-specific-id } * command to configure the
suboptions inserted into the DHCP Option 82 field.
By default, the circuit-id (CID) and remote-id (RID) suboptions are inserted into the DHCP Option 82 field.
3. Run the quit command to return to the system view.

Checking the Configuration

Run the display dhcp option82 configuration [ vlan vlan-id | interface interface-type interface-number ] command to view the DHCP Option 82
configuration.
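Option 82 at the packet level, as an added Python example that is not Huawei code: building the option from the suboptions this section names (1 circuit-id, 2 remote-id, 6 subscriber-id, 9 vendor-specific), enforcing the 255-byte limit from the note above, and inserting it into a client's DHCP options on the way to the server. The suboption contents are assumptions, and so is the modelling of insert as "leave a client-supplied Option 82 in place" and rebuild as "replace it with the device's own"; check the command reference for the exact semantics on your platform.

```python
"""Added example, not Huawei code: Option 82 built, inserted and parsed at the packet level.

The relay agent information option (code 82) is one DHCP option whose one-byte length
caps all suboptions together at 255 bytes. Suboption codes follow the section above:
1 circuit-id, 2 remote-id, 6 subscriber-id, 9 vendor-specific. The suboption contents,
and the modelling of insert (keep an existing Option 82) versus rebuild (replace it),
are assumptions of this example.
"""
from typing import List, Tuple

OPTION_RELAY_AGENT, OPT_PAD, OPT_END = 82, 0, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID, SUB_SUBSCRIBER_ID, SUB_VENDOR_SPECIFIC = 1, 2, 6, 9
MAX_OPTION_LEN = 255   # one-byte length field

Suboptions = List[Tuple[int, bytes]]


def build_option82_body(suboptions: Suboptions) -> bytes:
    """Serialise the suboptions; refuse to overflow rather than silently drop some."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in suboptions)
    if len(body) > MAX_OPTION_LEN:
        raise ValueError(f"Option 82 body is {len(body)} bytes; the limit is {MAX_OPTION_LEN}")
    return body


def option82_fits(suboptions: Suboptions) -> bool:
    """Pre-check for the 255-byte limit (2 header bytes per suboption plus its value)."""
    return sum(2 + len(value) for _, value in suboptions) <= MAX_OPTION_LEN


def parse_options(options: bytes) -> Suboptions:
    """Parse a DHCP options area (after the magic cookie) into an ordered (code, value) list."""
    out, i = [], 0
    while i < len(options) and options[i] != OPT_END:
        code = options[i]
        if code == OPT_PAD:
            i += 1
            continue
        length = options[i + 1]
        out.append((code, options[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def serialize_options(opts: Suboptions) -> bytes:
    return b"".join(bytes([code, len(value)]) + value for code, value in opts) + bytes([OPT_END])


parse_option82 = parse_options   # suboptions use the same code/length/value layout


def relay_process(options: bytes, suboptions: Suboptions, mode: str) -> bytes:
    """What the access device does to a client message on its way to the server.

    insert: add Option 82 only if the message has none (a client-supplied one survives).
    rebuild: always replace any Option 82 with the device's own view of the location.
    """
    if mode not in ("insert", "rebuild"):
        raise ValueError(mode)
    opts = parse_options(options)
    has82 = any(code == OPTION_RELAY_AGENT for code, _ in opts)
    if has82 and mode == "insert":
        return options
    opts = [(c, v) for c, v in opts if c != OPTION_RELAY_AGENT]
    opts.append((OPTION_RELAY_AGENT, build_option82_body(suboptions)))
    return serialize_options(opts)


def demo() -> dict:
    # Constructed client Discover options: message type (53) = 1, parameter request list (55).
    client = serialize_options([(53, b"\x01"), (55, b"\x01\x03\x06")])
    # Assumed location data: access VLAN + port in circuit-id, switch MAC in remote-id.
    location = [(SUB_CIRCUIT_ID, b"vlan10:GE0/0/1"),
                (SUB_REMOTE_ID, bytes.fromhex("001122334455")),
                (SUB_SUBSCRIBER_ID, b"user-0042")]
    upstream = dict(parse_options(relay_process(client, location, "insert")))
    honest = dict(parse_option82(upstream[OPTION_RELAY_AGENT]))
    # A client forges Option 82 claiming another port; only rebuild overrides it.
    forged = serialize_options([(53, b"\x01"), (OPTION_RELAY_AGENT,
                                build_option82_body([(SUB_CIRCUIT_ID, b"vlan10:GE0/0/9")]))])
    kept = dict(parse_option82(dict(parse_options(
        relay_process(forged, location, "insert")))[OPTION_RELAY_AGENT]))
    fixed = dict(parse_option82(dict(parse_options(
        relay_process(forged, location, "rebuild")))[OPTION_RELAY_AGENT]))
    return {"circuit_id": honest[SUB_CIRCUIT_ID], "subscriber_id": honest[SUB_SUBSCRIBER_ID],
            "insert_keeps_forged": kept[SUB_CIRCUIT_ID], "rebuild_circuit_id": fixed[SUB_CIRCUIT_ID],
            "oversized_fits": option82_fits([(SUB_CIRCUIT_ID, b"a" * 200), (SUB_REMOTE_ID, b"b" * 100)])}


if __name__ == "__main__":
    print(demo())
```

The forged case is the reason the insertion point matters: a client on an untrusted port can send its own Option 82 to claim a different location, and with insert semantics that claim reaches the server unchanged.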


1.9 Configuring the LDRA to Detect Client Locations


You can configure the LDRA to notify the DHCP server of the DHCPv6 client location.

Context

To allow a DHCPv6 server to detect client locations on a DHCPv6 network, configure the LDRA on the client-side access device.
After the LDRA is configured on a trusted DHCPv6 network with a large number of clients, disable the device from generating DHCP snooping binding
entries, because new users cannot go online once the number of DHCP snooping binding entries reaches the upper limit. In addition, the LDRA-enabled
device inserts the interface-id or remote-id option into the Relay-Forward message to record client location information. You can configure the formats of
interface-id and remote-id in accordance with your actual situation.

Procedure

1. Run:
system-view

The system view is displayed.


2. Run:
vlan vlan-id

The VLAN view is displayed.


3. Run:
dhcpv6 snooping relay-information enable [ trust ]

The LDRA is enabled for DHCPv6 snooping.


By default, the LDRA is disabled for DHCPv6 snooping.
4. Run:
quit

Return to the system view.


5. (Optional) Run:
dhcpv6 interface-id format { default | user-defined text }

The format of the interface-id option in the DHCPv6 packets is configured.


By default, the interface-id option is in the default format.
6. (Optional) Run:
dhcpv6 remote-id format { default | user-defined text }

The format of the remote-id option in the DHCPv6 packets is configured.


By default, the remote-id option is in the default format.
7. (Optional) Disable the interface from generating DHCP snooping binding entries after the DHCP snooping function has been enabled.
When this configuration is performed in the VLAN view, the configuration takes effect for all DHCP users belonging to this VLAN on all
interfaces. When this configuration is performed in the interface view, the configuration takes effect for all DHCP users connecting to this
interface.
By default, an interface generates DHCP snooping binding entries after DHCP snooping is enabled.

VLAN-based configuration, for a batch of VLANs in the system view:
Run the dhcp snooping enable no-user-binding vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command to disable the interfaces from
generating DHCP snooping binding entries after DHCP snooping is enabled.
VLAN-based configuration, for a single VLAN in the VLAN view:
1. Run the vlan vlan-id command to enter the VLAN view.
2. Run the dhcp snooping enable no-user-binding command to disable the interfaces from generating DHCP snooping binding entries
after DHCP snooping is enabled.
3. Run the quit command to return to the system view.
Interface-based configuration:
1. Run the interface interface-type interface-number command to enter the interface view.
2. Run the dhcp snooping enable no-user-binding command to disable the interface from generating DHCP snooping binding entries
after DHCP snooping is enabled.
3. Run the quit command to return to the system view.


1.10 Inserting the Option 18 or Option 37 Field in a DHCPv6 Message


You can configure a device to insert the Option 18 or Option 37 field in a DHCPv6 message to notify the DHCPv6 server of the DHCPv6 client location.

Context

The Option 18 and Option 37 fields in a DHCPv6 message play the role that the Option 82 field plays in a DHCPv4 message. The Option 18
(interface-id) field identifies the interface through which the client accesses the device, and the Option 37 (remote-id) field carries an identifier of
the client, such as its MAC address. A device inserts the Option 18 or Option 37 field into a DHCPv6 Request message to notify the DHCPv6 server of
the DHCPv6 client location. The DHCPv6 server can take that location into account when it assigns an IPv6 address and other configurations to the
DHCPv6 client, which protects the DHCPv6 clients.

Procedure

1. Run:
system-view

The system view is displayed.

2. Run:
interface interface-type interface-number

The interface view is displayed.


3. Run:
dhcpv6 { option18 | option37 } { insert | rebuild } enable

The device is enabled to insert the Option 18 or Option 37 field to a DHCPv6 Request message.
By default, the device is disabled from inserting the Option 18 or Option 37 field in a DHCPv6 message.

NOTE:
The dhcpv6 { option18 | option37 } { insert | rebuild } enable command can also be run in the VLAN view. Run in the VLAN view, it takes effect for all the
DHCPv6 messages received from the specified VLAN; run in the interface view, it takes effect for all the DHCPv6 messages received on the specified
interface.

4. Run:
quit

Return to the system view.


5. (Optional) You can configure the format of Option 18 field inserted in DHCPv6 packets in the system view, VLAN view, or interface view.
In the system view:

a. Run:
dhcpv6 option18 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] format user-defined text

The format of Option 18 field inserted in DHCPv6 packets is configured.


By default, the format of Option 18 field inserted in DHCPv6 packets is not configured.

In the VLAN view:

a. Run:
vlan vlan-id

The VLAN view is displayed.


b. Run:
dhcpv6 option18 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] format user-defined text

The format of Option 18 field inserted in DHCPv6 packets is configured.


By default, the format of Option 18 field inserted in DHCPv6 packets is not configured.

In the interface view:

a. Run:
interface interface-type interface-number

The interface view is displayed.


b. Run:
dhcpv6 option18 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] format user-defined text

The format of Option 18 field inserted in DHCPv6 packets is configured.


By default, the format of Option 18 field inserted in DHCPv6 packets is not configured.

NOTE:
If you run the dhcpv6 option18 format command in the system view, the command takes effect for the Option 18 field in all DHCPv6 messages. If you run the dhcpv6
option18 format command in the VLAN view, the command takes effect for the Option 18 field in all DHCPv6 messages received from the specified VLAN. If you run the
dhcpv6 option18 format command in the interface view, the command takes effect for the Option 18 field in all DHCPv6 messages received on the specified interface.

6. (Optional) You can configure the format of Option 37 field inserted in DHCPv6 packets in the system view, VLAN view, or interface view.
In the system view:

a. Run:
dhcpv6 option37 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] format user-defined text

The format of Option 37 field inserted in DHCPv6 packets is configured.


By default, the format of Option 37 field inserted in DHCPv6 packets is not configured.

In the VLAN view:

a. Run:
vlan vlan-id

The VLAN view is displayed.


b. Run:
dhcpv6 option37 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] format user-defined text

The format of Option 37 field inserted in DHCPv6 packets is configured.


By default, the format of Option 37 field inserted in DHCPv6 packets is not configured.

In the interface view:

a. Run:
interface interface-type interface-number

The interface view is displayed.


b. Run:

dhcpv6 option37 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] format user-defined text

The format of Option 37 field inserted in DHCPv6 packets is configured.


By default, the format of Option 37 field inserted in DHCPv6 packets is not configured.

NOTE:
If you run the dhcpv6 option37 format command in the system view, the command takes effect for the Option 37 field in all DHCPv6 messages. If you run the dhcpv6
option37 format command in the VLAN view, the command takes effect for the Option 37 field in all DHCPv6 messages received from the specified VLAN. If you run the
dhcpv6 option37 format command in the interface view, the command takes effect for the Option 37 field in all DHCPv6 messages received on the specified interface.
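The LDRA of 1.9 and the Option 18 / Option 37 insertion of 1.10 share one encoding, so one added Python example (not Huawei code) covers both: a Layer 2 device wraps the client's Solicit in a Relay-Forward with hop-count 0, link-address :: and peer-address set to the client's link-local address (the LDRA behaviour of RFC 6221), and adds the Interface-Id (18) and Remote-Id (37) options that the server then reads. The interface naming, the enterprise number in Remote-Id and the client addresses are assumptions of the example.

```python
"""Added example, not Huawei code: the LDRA of 1.9 and the Option 18 / Option 37 insertion
of 1.10, modelled at the packet level (RFC 6221 LDRA, RFC 8415 message formats).

A Layer 2 access device has no IPv6 address to relay from, so the LDRA wraps the client
message in a Relay-Forward (msg-type 12) with hop-count 0, link-address :: and
peer-address set to the client's link-local address, and adds Interface-Id (18) and
Remote-Id (37) so the server learns the access port and the client identity. The option
contents, the interface naming and the enterprise number are assumptions of this example.
"""
import ipaddress
import struct
from typing import Dict

MSG_SOLICIT, MSG_RELAY_FORW = 1, 12
OPT_CLIENTID, OPT_RELAY_MSG, OPT_INTERFACE_ID, OPT_REMOTE_ID = 1, 9, 18, 37
ENTERPRISE_NUMBER = 2011          # assumed IANA enterprise number carried in Remote-Id
RELAY_HDR_LEN = 1 + 1 + 16 + 16   # msg-type, hop-count, link-address, peer-address


def opt(code: int, data: bytes) -> bytes:
    """DHCPv6 option: 2-byte code, 2-byte length, data."""
    return struct.pack("!HH", code, len(data)) + data


def parse_options(buf: bytes) -> Dict[int, bytes]:
    out, i = {}, 0
    while i + 4 <= len(buf):
        code, length = struct.unpack("!HH", buf[i:i + 4])
        out[code] = buf[i + 4:i + 4 + length]
        i += 4 + length
    return out


def ldra_wrap(client_msg: bytes, client_link_local: str, interface_id: bytes, client_mac: bytes) -> bytes:
    """Relay-Forward built by the LDRA for a message received on an untrusted client port."""
    header = (struct.pack("!BB", MSG_RELAY_FORW, 0)            # hop-count 0: first relay hop
              + ipaddress.IPv6Address("::").packed               # link-address unspecified on an LDRA
              + ipaddress.IPv6Address(client_link_local).packed)  # peer-address: the client
    remote_id = struct.pack("!I", ENTERPRISE_NUMBER) + client_mac
    return (header + opt(OPT_INTERFACE_ID, interface_id)
            + opt(OPT_REMOTE_ID, remote_id) + opt(OPT_RELAY_MSG, client_msg))


def server_view(relay_forw: bytes) -> dict:
    """The fields a DHCPv6 server (or a Relay-Reply builder) reads from the Relay-Forward."""
    msg_type, hops = relay_forw[0], relay_forw[1]
    if msg_type != MSG_RELAY_FORW:
        raise ValueError("not a Relay-Forward")
    peer = ipaddress.IPv6Address(relay_forw[18:34])
    opts = parse_options(relay_forw[RELAY_HDR_LEN:])
    enterprise, = struct.unpack("!I", opts[OPT_REMOTE_ID][:4])
    inner = opts[OPT_RELAY_MSG]
    return {"hops": hops, "peer": str(peer),
            "interface_id": opts[OPT_INTERFACE_ID].decode(),
            "enterprise": enterprise, "client_mac": opts[OPT_REMOTE_ID][4:].hex(":"),
            "inner_type": inner[0], "inner_xid": inner[1:4].hex()}


def demo() -> dict:
    mac = bytes.fromhex("0211223344aa")
    # Constructed client Solicit: type 1, transaction-id 0x0abcde, DUID-LL client identifier.
    duid_ll = struct.pack("!HH", 3, 1) + mac          # DUID type 3 (LL), hardware type 1 (Ethernet)
    solicit = bytes([MSG_SOLICIT]) + bytes.fromhex("0abcde") + opt(OPT_CLIENTID, duid_ll)
    forwarded = ldra_wrap(solicit, "fe80::11:22ff:fe33:44aa", b"GE0/0/1:vlan10", mac)
    return server_view(forwarded)


if __name__ == "__main__":
    print(demo())
```

The server answers with a Relay-Reply that echoes the Interface-Id option, which is how the LDRA knows on which port to deliver the reply; the Remote-Id is what an operator correlates with the binding table when a client's location has to be traced.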


1.11 Maintaining DHCP Snooping


Clearing DHCP Snooping Statistics

Clearing DHCP Snooping Binding Entries

Backing Up DHCP Snooping Binding Entries

Restoring DHCP Snooping Binding Entries


1.11.1 Clearing DHCP Snooping Statistics


Context

NOTICE:
The cleared statistics cannot be restored. Exercise caution when you run the command.

Procedure

Run the reset dhcp snooping statistics global command in the user view to clear statistics on globally discarded DHCP messages.
Run the reset dhcp snooping statistics interface interface-type interface-number [ vlan vlan-id ] command in the user view to clear statistics on
discarded DHCP messages on an interface.
Run the reset dhcp snooping statistics vlan vlan-id [ interface interface-type interface-number ] command in the user view to clear statistics on
discarded DHCP messages in a VLAN.


1.11.2 Clearing DHCP Snooping Binding Entries


Context

After the networking environment changes, DHCP snooping binding entries do not age immediately. The following information in DHCP snooping
binding entries may change, causing packet forwarding failure:

VLAN to which a DHCP client belongs.


Interface to which DHCP clients are connected.

Before changing the networking environment, clear all DHCP snooping binding entries manually so that the device generates a new DHCP snooping
binding table based on the new networking environment.

NOTICE:
After the DHCP snooping binding entries are cleared, network communication can be recovered only after all the DHCP users connected to the device re-
log in and new binding entries are generated. Exercise caution when you run the command.

Procedure

In the user view, run the following commands to clear DHCP snooping binding entries:

reset dhcp snooping user-bind [ vlan vlan-id | interface interface-type interface-number ] * [ ipv4 | ipv6 ]
reset dhcp snooping user-bind [ ip-address [ ip-address ] | ipv6-address [ ipv6-address ] | vpls vpls-name ]
reset dhcp snooping user-bind [ ipv6-prefix [ prefix/prefix-length ] ]

NOTE:
The parameter vpls vpls-name is only supported by the S5720HI.


1.11.3 Backing Up DHCP Snooping Binding Entries


Context

If binding entries are not backed up, the binding entries will be lost after the device restarts. DHCP users must log in again so that the device can generate
DHCP snooping binding entries for DHCP users to communicate. After DHCP snooping binding entries are backed up, DHCP snooping binding entries
can be restored after the device restarts.

Procedure

1. Run:
system-view

The system view is displayed.


2. Run the following commands as required.
Run:
dhcp snooping user-bind autosave file-name [ write-delay delay-time ]

The device is enabled to back up DHCP snooping binding entries locally.


By default, local automatic backup of the DHCP snooping binding table is disabled.
Run:
dhcp snooping user-bind ftp remotefilename filename host-ip ip-address username username password password [ write-delay delay

The device is enabled to automatically back up DHCP snooping binding entries on the remote FTP server.
By default, the device is not enabled to automatically back up DHCP snooping binding entries on the remote FTP server.
Run:
dhcp snooping user-bind sftp remotefilename filename host-ip ip-address username username password password [ write-delay dela

The device is enabled to automatically back up DHCP snooping binding entries on the remote SFTP server.
By default, the device is not enabled to automatically back up DHCP snooping binding entries on the remote SFTP server.
Run:
dhcp snooping user-bind tftp remotefilename filename host-ip ip-address [ write-delay delay-time ]
The device is enabled to automatically back up DHCP snooping binding entries on the remote TFTP server.
By default, the device is not enabled to automatically back up DHCP snooping binding entries on the remote TFTP server.

NOTE:
You can only use one of the preceding backup modes on the device.
FTP and TFTP transfer the binding table in cleartext, and FTP also sends the user name and password in cleartext, so an attacker on the path can read
the backup or tamper with it before it is restored. The SFTP mode is recommended.


1.11.4 Restoring DHCP Snooping Binding Entries


Context

After DHCP snooping binding entries are backed up on the remote FTP, SFTP, or TFTP server, you can restore the backup DHCP snooping binding
entries.

Procedure

1. Run:
system-view

The system view is displayed.


2. Configure the device to obtain and restore DHCP snooping binding entries from the remote FTP, SFTP, or TFTP server.

Run:
dhcp snooping user-bind ftp load remotefilename filename host-ip ip-address username username password password

The device is configured to obtain and restore DHCP snooping binding entries from the remote FTP server.
Run:
dhcp snooping user-bind sftp load remotefilename filename host-ip ip-address username username password password

The device is configured to obtain and restore DHCP snooping binding entries from the remote SFTP server.
Run:
dhcp snooping user-bind tftp load remotefilename filename host-ip ip-address

The device is configured to obtain and restore DHCP snooping binding entries from the remote TFTP server.

NOTE:
FTP and TFTP transfer the file, and FTP the credentials, in cleartext; a backup tampered with on the way becomes the device's binding table once it
is restored. The SFTP mode is recommended.


1.12 Configuration Examples


Example for Configuring DHCP Snooping Attack Defense

Example for Configuring DHCP Snooping on a VPLS Network

Example for Configuring the LDRA to Detect Client Locations


1.12.1 Example for Configuring DHCP Snooping Attack Defense


Networking Requirements
As shown in Figure 1, SwitchA and SwitchB are Layer 2 switches, and SwitchC is the gateway that functions as the DHCP relay agent to forward DHCP
messages to the DHCP server, so that DHCP clients can obtain IP addresses and related configurations from the DHCP server.
A network may encounter the following DHCP-based attacks:

Bogus DHCP server attack: An attacker deploys a DHCP server on the network to allocate IP addresses and network parameters to clients. If the
allocated IP addresses and network parameters are incorrect, network services may be interrupted.
DHCP flood attack: An attacker sends a large number of DHCP messages to a device in a short period to generate a huge impact on the device
performance. As a result, the device may fail to work.
Bogus DHCP message attack: An attacker pretends to be an authorized user to continuously send DHCP Request messages to the DHCP server
to renew the IP address; therefore, the IP address cannot be reclaimed and other authorized users cannot obtain IP addresses. If the attacker
pretends to be an authorized user to send a DHCP Release message to the DHCP server, the authorized user will be disconnected.
DHCP server DoS attack: When many attackers request IP addresses, or one attacker requests many IP addresses by changing the CHADDR field in
each DHCP message, the IP addresses on the DHCP server are exhausted and authorized users cannot obtain IP addresses.

To prevent DHCP-based attacks and provide high-quality service for DHCP users, configure the DHCP snooping function.
Figure 1 Networking diagram for configuring DHCP snooping attack defense
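The bogus DHCP message attack above, and the binding-table check that counters it (step 4 of the roadmap that follows), as an added Python example that is not Huawei code. The binding table, the message fields, port names and lease times are constructed; the policy of passing a Request that has no binding yet, so the server can create the lease, is the example's own choice.

```python
"""Added example, not Huawei code: the binding-table check that counters the bogus DHCP
message attack (step 4 of the roadmap).

The snooping device learns one binding (MAC, IP, VLAN, interface, lease expiry) per client
from the server's DHCP ACK. A Request that renews an address, or a Release/Decline that
gives one up, is forwarded only if every field matches the binding for that address; a
Request from a client that has no binding yet is passed so the server can create a lease.
This policy, and the table contents, ports and times, are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    lease_expires: int   # epoch seconds


@dataclass
class DhcpMsg:
    msg_type: str                       # DISCOVER, REQUEST, RELEASE, DECLINE, ...
    src_mac: str                        # Ethernet source MAC (the CHADDR check already passed)
    ciaddr: str                         # client address on a renewal or release, else 0.0.0.0
    vlan: int
    interface: str
    requested_ip: Optional[str] = None  # Option 50 on an initial Request or a Decline


class BindingTable:
    def __init__(self) -> None:
        self._by_ip: Dict[str, Binding] = {}

    def learn(self, b: Binding) -> None:       # called when the ACK from a trusted port is seen
        self._by_ip[b.ip] = b

    def lookup(self, ip: str) -> Optional[Binding]:
        return self._by_ip.get(ip)

    def expire(self, now: int) -> None:        # aging: drop bindings whose lease has ended
        self._by_ip = {ip: b for ip, b in self._by_ip.items() if b.lease_expires > now}


def check_against_bindings(table: BindingTable, msg: DhcpMsg, now: int) -> Tuple[bool, str]:
    """Return (forward, reason) for one client-side DHCP message."""
    if msg.msg_type not in ("REQUEST", "RELEASE", "DECLINE"):
        return True, "message type not subject to the binding check"
    ip = msg.ciaddr if msg.ciaddr != "0.0.0.0" else msg.requested_ip
    if ip is None:
        return True, "no address claimed"
    b = table.lookup(ip)
    if b is None:
        if msg.msg_type == "REQUEST":
            return True, "no binding yet: initial request, the server decides"
        return False, f"{msg.msg_type} for {ip} without a binding"
    if b.lease_expires <= now:
        return False, f"binding for {ip} has expired"
    for name, got in (("mac", msg.src_mac), ("vlan", msg.vlan), ("interface", msg.interface)):
        if getattr(b, name) != got:
            return False, f"{name} mismatch for {ip}: binding {getattr(b, name)}, message {got}"
    return True, "matches binding"


def demo() -> Dict[str, bool]:
    now = 1_700_000_000
    table = BindingTable()
    table.learn(Binding("00:11:22:33:44:55", "192.168.1.10", 10, "GE0/0/1", now + 3600))
    cases = {
        # The real client renews its lease from its own port.
        "legit_renew": DhcpMsg("REQUEST", "00:11:22:33:44:55", "192.168.1.10", 10, "GE0/0/1"),
        # Attacker on GE0/0/2 spoofs the victim's MAC and releases the victim's address.
        "bogus_release": DhcpMsg("RELEASE", "00:11:22:33:44:55", "192.168.1.10", 10, "GE0/0/2"),
        # Attacker on the victim's VLAN keeps renewing the victim's address with its own MAC.
        "bogus_renew": DhcpMsg("REQUEST", "de:ad:be:ef:00:01", "192.168.1.10", 10, "GE0/0/1"),
        # Brand-new client: no binding yet, so the request goes through to the server.
        "new_client": DhcpMsg("REQUEST", "aa:bb:cc:dd:ee:ff", "0.0.0.0", 10, "GE0/0/2",
                              requested_ip="192.168.1.20"),
        # Decline for an address nobody holds: dropped.
        "orphan_decline": DhcpMsg("DECLINE", "aa:bb:cc:dd:ee:ff", "0.0.0.0", 10, "GE0/0/2",
                                  requested_ip="192.168.1.30"),
    }
    return {name: check_against_bindings(table, m, now)[0] for name, m in cases.items()}


if __name__ == "__main__":
    print(demo())
```

The two bogus cases show why the check compares more than the MAC: the release attack passes the CHADDR check because the attacker spoofs the victim's MAC consistently, and is only caught because the binding records the victim's port.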

Configuration Roadmap
Perform the following operations on the DHCP relay agent. The configuration roadmap is as follows:

1. Configure the DHCP function so that SwitchC can forward the DHCP messages from different network segments to the DHCP server.

2. Configure the basic functions of DHCP snooping to prevent bogus DHCP server attacks. Enable association between ARP and DHCP snooping
to implement real-time binding table update when DHCP users go offline unexpectedly. Configure the device to discard the DHCP messages
with non-0 GIADDR fields to prevent attacks initiated by unauthorized users.
3. Set the maximum rate of DHCP messages sent to the DHCP message processing unit to prevent DHCP flood attacks. Enable the packet
discarding alarm. When the number of discarded DHCP messages reaches the maximum value, an alarm is generated.
4. Enable the device to check DHCP messages against the binding table to prevent bogus DHCP message attacks. Configure the device to
generate an alarm when the number of DHCP messages discarded in binding table checking reaches the threshold.
5. Set the maximum number of access users and enable the device to check whether the MAC address in a DHCP Request frame header is the
same as the CHADDR value in the data field to prevent DHCP server DoS attacks. Configure the device to generate an alarm when the number
of packets discarded in CHADDR field check reaches the alarm threshold.

The configurations involved in this example are performed on SwitchC. This example does not provide detailed configurations for the DHCP server.

Procedure

1. Configure the DHCP function.


# Configure the DHCP function on the DHCP relay agent.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] dhcp server group dhcpgroup1
[SwitchC-dhcp-server-group-dhcpgroup1] dhcp-server 10.2.1.2
[SwitchC-dhcp-server-group-dhcpgroup1] quit
[SwitchC] vlan batch 10 100
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port link-type access
[SwitchC-GigabitEthernet0/0/1] port default vlan 10
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port link-type access
[SwitchC-GigabitEthernet0/0/2] port default vlan 10
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] port link-type access
[SwitchC-GigabitEthernet0/0/3] port default vlan 100
[SwitchC-GigabitEthernet0/0/3] quit
[SwitchC] dhcp enable
[SwitchC] interface vlanif 10
[SwitchC-Vlanif10] ip address 192.168.1.1 255.255.255.0
[SwitchC-Vlanif10] dhcp select relay
[SwitchC-Vlanif10] dhcp relay server-select dhcpgroup1
[SwitchC-Vlanif10] quit
[SwitchC] interface vlanif 100
[SwitchC-Vlanif100] ip address 10.1.1.2 255.255.255.0
[SwitchC-Vlanif100] quit
[SwitchC] ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
# Assign IP address 10.2.1.2/24 to the DHCP server, configure the address pool 192.168.1.0/24, and set the gateway address of the address pool
to 192.168.1.1.
2. Enable DHCP snooping.
# Enable DHCP snooping globally and configure the device to process only DHCPv4 messages.
[SwitchC] dhcp snooping enable ipv4
# Enable DHCP snooping on the user-side interface. GE0/0/1 is used as an example. The configuration on GE0/0/2 is the same as the
configuration on GE0/0/1 and is not mentioned here.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping enable
[SwitchC-GigabitEthernet0/0/1] quit
# Enable association between ARP and DHCP snooping.
[SwitchC] arp dhcp-snooping-detect enable
# Enable the device to check whether the GIADDR field in a DHCP Request message is 0. GE0/0/1 is used as an example. The configuration
on GE0/0/2 is the same as the configuration on GE0/0/1 and is not mentioned here.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping check dhcp-giaddr enable
[SwitchC-GigabitEthernet0/0/1] quit
3. Set the maximum rate of DHCP messages sent to the DHCP message processing unit and enable the packet discarding alarm.
# Set the maximum rate of sending DHCP messages to the processing unit to 90 pps.
[SwitchC] dhcp snooping check dhcp-rate enable
[SwitchC] dhcp snooping check dhcp-rate 90
# Enable the trap function for the rate limit and set the alarm threshold.
[SwitchC] dhcp snooping alarm dhcp-rate enable
[SwitchC] dhcp snooping alarm dhcp-rate threshold 500

4. Configure the device to check DHCP messages against the binding table and enable the device to generate an alarm when the number of
packets discarded in binding table checking reaches the alarm threshold.
# Configure the user-side interface. GE0/0/1 is used as an example. The configuration on GE0/0/2 is the same as the configuration on GE0/0/1
and is not mentioned here.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping check dhcp-request enable
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request enable
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request threshold 120
[SwitchC-GigabitEthernet0/0/1] quit
5. Set the maximum number of access users on an interface, enable the device to check whether the MAC address in a DHCP Request frame
header is the same as the CHADDR value in the data field, and enable the device to generate an alarm when the number of packets discarded in
CHADDR field check reaches the alarm threshold.
# Configure the user-side interface. GE0/0/1 is used as an example. The configuration on GE0/0/2 is the same as the configuration on GE0/0/1
and is not mentioned here.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] dhcp snooping max-user-number 20
[SwitchC-GigabitEthernet0/0/1] dhcp snooping check dhcp-chaddr enable
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr enable
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr threshold 120
[SwitchC-GigabitEthernet0/0/1] quit
6. Verify the configuration.
# Run the display dhcp snooping configuration command to view the DHCP snooping configuration.
[SwitchC] display dhcp snooping configuration
#
dhcp snooping enable ipv4
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
dhcp snooping alarm dhcp-rate enable
dhcp snooping alarm dhcp-rate threshold 500
arp dhcp-snooping-detect enable
#
interface GigabitEthernet0/0/1
dhcp snooping enable
dhcp snooping check dhcp-giaddr enable
dhcp snooping check dhcp-request enable
dhcp snooping alarm dhcp-request enable
dhcp snooping alarm dhcp-request threshold 120
dhcp snooping check dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr threshold 120
dhcp snooping max-user-number 20
#
interface GigabitEthernet0/0/2
dhcp snooping enable
dhcp snooping check dhcp-giaddr enable
dhcp snooping check dhcp-request enable
dhcp snooping alarm dhcp-request enable
dhcp snooping alarm dhcp-request threshold 120
dhcp snooping check dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr threshold 120
dhcp snooping max-user-number 20
#
# Run the display dhcp snooping interface command to view DHCP snooping information on an interface. The Check dhcp-giaddr, Check dhcp-chaddr, and Check dhcp-request fields show Enable. Check dhcp-rate and Alarm dhcp-rate show Disable (default) here because the rate limit and its alarm were configured in the system view rather than on the interface; only the threshold value is reflected in the interface display. Take the display on GE0/0/1 as an example:
[SwitchC] display dhcp snooping interface gigabitethernet 0/0/1
DHCP snooping running information for interface GigabitEthernet0/0/1 :
DHCP snooping : Enable
Trusted interface : No
Dhcp user max number : 20
Current dhcp and nd user number : 0
Check dhcp-giaddr : Enable
Check dhcp-chaddr : Enable
Alarm dhcp-chaddr : Enable
Alarm dhcp-chaddr threshold : 120
Discarded dhcp packets for check chaddr : 0
Check dhcp-request : Enable
Alarm dhcp-request : Enable
Alarm dhcp-request threshold : 120
Discarded dhcp packets for check request : 0
Check dhcp-rate : Disable (default)
Alarm dhcp-rate : Disable (default)
Alarm dhcp-rate threshold : 500
Discarded dhcp packets for rate limit : 0
Alarm dhcp-reply : Disable (default)

Configuration Files
SwitchC configuration file
#
sysname SwitchC
#
vlan batch 10 100
#
dhcp enable
#
dhcp snooping enable ipv4
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
dhcp snooping alarm dhcp-rate enable
dhcp snooping alarm dhcp-rate threshold 500
arp dhcp-snooping-detect enable
#
dhcp server group dhcpgroup1
dhcp-server 10.2.1.2 0
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
dhcp select relay
dhcp relay server-select dhcpgroup1
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
dhcp snooping enable
dhcp snooping check dhcp-giaddr enable
dhcp snooping check dhcp-request enable
dhcp snooping alarm dhcp-request enable
dhcp snooping alarm dhcp-request threshold 120
dhcp snooping check dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr threshold 120
dhcp snooping max-user-number 20
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
dhcp snooping enable
dhcp snooping check dhcp-giaddr enable
dhcp snooping check dhcp-request enable
dhcp snooping alarm dhcp-request enable
dhcp snooping alarm dhcp-request threshold 120
dhcp snooping check dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr threshold 120
dhcp snooping max-user-number 20
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 100
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
return


1.12.2 Example for Configuring DHCP Snooping on a VPLS Network


Networking Requirements
In Figure 1, PE1 and PE2 are connected over a VPLS network. The DHCP client uses DHCP to obtain an IPv4 address. Attacks from unauthorized users
prevent authorized users from obtaining IP addresses. The administrator needs to enable the device to defend against DHCP attacks on the network and
provide better service to DHCP clients.
Figure 1 Networking diagram for configuring DHCP snooping on a VPLS network

NOTE:
Only the S5720HI supports this example.

Configuration Roadmap
The configuration roadmap is as follows:

1. Enable DHCP snooping globally and configure the device to process only DHCPv4 messages.
2. Enable DHCP snooping over VPLS on the device so that the DHCP snooping configuration takes effect on the VPLS network.
3. Enable DHCP snooping on the interface.
4. Configure an interface as the trusted interface to ensure that DHCP clients obtain IP addresses from the authorized server.
5. Enable the device to check DHCP messages against the binding table to prevent bogus DHCP message attacks.
6. Set the maximum rate of sending DHCP messages to the processing unit to prevent DHCP flood attacks.
7. Enable the device to check whether the GIADDR field in the DHCP Request message is 0 and defend against DHCP Request messages with
non-0 GIADDR field.
8. Set the maximum number of access DHCP clients and enable the device to check whether the MAC address in the Ethernet frame header
matches the CHADDR field in the DHCP message to prevent DHCP server DoS attacks.
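The checks listed in this roadmap (and configured step by step in the SwitchC example above) are easier to reason about when you can see which rule drops which packet. The following Python is an added example written for this page, not Huawei code: it models one untrusted access port processing a decapsulated DHCPv4 message against a constructed binding table, applying the trusted-port rule, the rate limit, the GIADDR check, the CHADDR check, the binding-table check and the per-port user limit in that order. Assumptions: frames arrive already parsed into (port, VLAN, source MAC, BOOTP payload); the binding-table check is applied to Request and Release messages that carry a ciaddr, which is a simplification of the device's rule; the rate limit is a fixed one-second window rather than the device's own algorithm; the check order is the author's choice; all MAC addresses, IP addresses and interface names are invented.

```python
import struct
from collections import namedtuple
from dataclasses import dataclass, field

BOOTREQUEST, BOOTREPLY = 1, 2                   # BOOTP op field
DISCOVER, OFFER, REQUEST, RELEASE = 1, 2, 3, 7  # DHCP message types (option 53)
MAGIC = b"\x63\x82\x53\x63"                     # DHCP magic cookie at offset 236
ZERO_IP = b"\x00" * 4
Frame = namedtuple("Frame", "port vlan src_mac payload")   # ingress port, VLAN, Ethernet source MAC, UDP payload
Binding = namedtuple("Binding", "mac ip vlan port")        # one DHCP snooping binding entry


def build_dhcp(op, chaddr, msg_type, ciaddr=ZERO_IP, giaddr=ZERO_IP):
    """Build a minimal BOOTP/DHCP message (constructed test input, not a capture)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0)    # op htype hlen hops xid secs flags
    hdr += ciaddr + ZERO_IP + ZERO_IP + giaddr                       # ciaddr yiaddr siaddr giaddr
    hdr += chaddr.ljust(16, b"\x00") + b"\x00" * 64 + b"\x00" * 128  # chaddr sname file
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])               # option 53 + End


def parse_dhcp(payload):
    """Return (op, chaddr, ciaddr, giaddr, msg_type); msg_type is read from option 53."""
    op, _htype, hlen, _hops, _xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    ciaddr, _yiaddr, _siaddr, giaddr = struct.unpack("!4s4s4s4s", payload[12:28])
    chaddr = payload[28:28 + hlen]
    if payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message: magic cookie missing")
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:   # walk the TLV options up to End
        if payload[i] == 0:                         # Pad has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53:
            msg_type = payload[i + 2]
        i += 2 + length
    return op, chaddr, ciaddr, giaddr, msg_type


@dataclass
class Snooper:
    trusted: set                 # interfaces configured with 'dhcp snooping trusted'
    bindings: list               # the DHCP snooping binding table
    max_users: int = 20          # dhcp snooping max-user-number 20
    rate_pps: int = 90           # dhcp snooping check dhcp-rate 90
    alarm_threshold: int = 120   # dhcp snooping alarm ... threshold 120
    discarded: dict = field(default_factory=dict)
    _win: tuple = (None, 0)      # (second, messages seen in it) for the rate limit

    def _drop(self, reason):
        self.discarded[reason] = self.discarded.get(reason, 0) + 1
        return "drop:" + reason

    def check(self, frame, now):
        """Return 'forward' or 'drop:<reason>' for one DHCP message on an interface."""
        if frame.port in self.trusted:               # server side: passed through unchecked
            return "forward"
        sec, seen = self._win
        seen = seen + 1 if sec == int(now) else 1
        self._win = (int(now), seen)
        if seen > self.rate_pps:                     # flood defence
            return self._drop("rate-limit")
        op, chaddr, ciaddr, giaddr, mtype = parse_dhcp(frame.payload)
        if op == BOOTREPLY:                          # bogus server on an untrusted port
            return self._drop("reply-on-untrusted")
        if giaddr != ZERO_IP:                        # check dhcp-giaddr
            return self._drop("giaddr")
        if chaddr != frame.src_mac:                  # check dhcp-chaddr
            return self._drop("chaddr")
        if mtype in (REQUEST, RELEASE) and ciaddr != ZERO_IP:   # check dhcp-request
            if not any(b.mac == chaddr and b.ip == ciaddr and b.vlan == frame.vlan
                       and b.port == frame.port for b in self.bindings):
                return self._drop("binding")
        if mtype == DISCOVER and sum(b.port == frame.port for b in self.bindings) >= self.max_users:
            return self._drop("max-user")             # max-user-number reached on this port
        return "forward"

    def alarms(self):
        """Drop reasons whose counter has reached the alarm threshold (the trap condition)."""
        return sorted(r for r, n in self.discarded.items() if n >= self.alarm_threshold)


def demo():
    """Constructed scenarios on GE0/0/1 in VLAN 10; returns {scenario: verdict}."""
    mac_a, mac_b = bytes.fromhex("0011223344aa"), bytes.fromhex("0011223344bb")
    ip_a, port, vlan = bytes([192, 168, 1, 10]), "GigabitEthernet0/0/1", 10
    s = Snooper(trusted={"GigabitEthernet0/0/3"}, bindings=[Binding(mac_a, ip_a, vlan, port)])

    def send(payload, src=mac_a, sn=s, now=1.0):
        return sn.check(Frame(port, vlan, src, payload), now)

    r = {
        "discover": send(build_dhcp(BOOTREQUEST, mac_a, DISCOVER)),
        "bogus_offer": send(build_dhcp(BOOTREPLY, mac_a, OFFER)),
        "relayed_request": send(build_dhcp(BOOTREQUEST, mac_a, REQUEST, giaddr=bytes([10, 1, 1, 2]))),
        "spoofed_chaddr": send(build_dhcp(BOOTREQUEST, mac_b, REQUEST)),   # frame really from mac_a
        "bogus_release": send(build_dhcp(BOOTREQUEST, mac_a, RELEASE, ciaddr=bytes([192, 168, 1, 99]))),
        "valid_release": send(build_dhcp(BOOTREQUEST, mac_a, RELEASE, ciaddr=ip_a)),
    }
    flood = Snooper(trusted=set(), bindings=[], alarm_threshold=1)
    for _ in range(91):                               # 91 messages in one second against 90 pps
        r["flood"] = send(build_dhcp(BOOTREQUEST, mac_a, DISCOVER), sn=flood, now=5.0)
    r["alarms"] = flood.alarms()
    full = Snooper(trusted=set(), bindings=[Binding(bytes([0, 0, 0, 0, 0, i]), bytes([192, 168, 1, i]),
                                                    vlan, port) for i in range(1, 21)])
    r["port_full"] = send(build_dhcp(BOOTREQUEST, mac_b, DISCOVER), src=mac_b, sn=full)
    return r
```

demo() returns one verdict per scenario; the "spoofed_chaddr" case is the DHCP server DoS pattern the roadmap describes (an attacker varying CHADDR while the frame's source MAC stays the same), and the "bogus_release" case shows why the binding-table check matters: without it, anyone on the port could release another client's lease.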

Procedure

1. Enable DHCP snooping.


# Enable DHCP snooping globally and configure the device to process only DHCPv4 messages.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] dhcp enable
[PE1] dhcp snooping enable ipv4
2. Enable DHCP snooping on the device on a VPLS network.
[PE1] dhcp snooping over-vpls enable
3. Enable DHCP snooping on the interface.
# Enable DHCP snooping on the user-side interface. GE0/0/1 is used as an example. The configuration on GE0/0/2 is the same as the configuration on GE0/0/1 and is not mentioned here.
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] dhcp snooping enable
[PE1-GigabitEthernet0/0/1] quit
4. Configure the interface connected to the DHCP server as the trusted interface.
[PE1] interface gigabitethernet 0/0/3
[PE1-GigabitEthernet0/0/3] dhcp snooping trusted
[PE1-GigabitEthernet0/0/3] quit
5. Enable the device to check DHCP messages against the DHCP snooping binding table.
# Configure the user-side interface. GE0/0/1 is used as an example. The configuration on GE0/0/2 is the same as the configuration on GE0/0/1 and is not mentioned here.
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] dhcp snooping check dhcp-request enable
[PE1-GigabitEthernet0/0/1] quit
6. Set the maximum rate of sending DHCP messages to the processing unit to 90 pps.
[PE1] dhcp snooping check dhcp-rate enable
[PE1] dhcp snooping check dhcp-rate 90
7. Enable the device to check whether the GIADDR field in a DHCP Request message is 0.
# Configure the user-side interface. GE0/0/1 is used as an example. The configuration on GE0/0/2 is the same as the configuration on GE0/0/1 and is not mentioned here.
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] dhcp snooping check dhcp-giaddr enable
[PE1-GigabitEthernet0/0/1] quit

8. Set the maximum number of access users allowed on the interface and enable the device to check the CHADDR field.
# Configure the user-side interface. GE0/0/1 is used as an example. The configuration on GE0/0/2 is the same as the configuration on GE0/0/1 and is not mentioned here.
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] dhcp snooping max-user-number 20
[PE1-GigabitEthernet0/0/1] dhcp snooping check dhcp-chaddr enable
[PE1-GigabitEthernet0/0/1] quit

9. Configure the trap function for the number of discarded messages and the rate limit.
# Enable the trap function for discarded messages and set the alarm thresholds. GE0/0/1 is used as an example. The configuration on GE0/0/2 is the same as the configuration on GE0/0/1 and is not mentioned here.
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr enable
[PE1-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request enable
[PE1-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply enable
[PE1-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr threshold 120
[PE1-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request threshold 120
[PE1-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply threshold 120
[PE1-GigabitEthernet0/0/1] quit
# Enable the trap function for the rate limit and set the alarm threshold.
[PE1] dhcp snooping alarm dhcp-rate enable
[PE1] dhcp snooping alarm dhcp-rate threshold 80
10. Verify the configuration.
# Run the display dhcp snooping configuration command to view the DHCP snooping configuration.
[PE1] display dhcp snooping configuration
#
dhcp snooping enable ipv4
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
dhcp snooping alarm dhcp-rate enable
dhcp snooping alarm dhcp-rate threshold 80
dhcp snooping over-vpls enable
#
interface GigabitEthernet0/0/1
dhcp snooping enable
dhcp snooping check dhcp-giaddr enable
dhcp snooping check dhcp-request enable
dhcp snooping alarm dhcp-request enable
dhcp snooping alarm dhcp-request threshold 120
dhcp snooping check dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr threshold 120
dhcp snooping alarm dhcp-reply enable
dhcp snooping alarm dhcp-reply threshold 120
dhcp snooping max-user-number 20
#
interface GigabitEthernet0/0/2
dhcp snooping enable
dhcp snooping check dhcp-giaddr enable
dhcp snooping check dhcp-request enable
dhcp snooping alarm dhcp-request enable
dhcp snooping alarm dhcp-request threshold 120
dhcp snooping check dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr threshold 120
dhcp snooping alarm dhcp-reply enable
dhcp snooping alarm dhcp-reply threshold 120
dhcp snooping max-user-number 20
#
interface GigabitEthernet0/0/3
dhcp snooping trusted
#
# Run the display dhcp snooping interface command to view DHCP snooping information on an interface.
[PE1] display dhcp snooping interface gigabitethernet 0/0/1
DHCP snooping running information for interface GigabitEthernet0/0/1 :
DHCP snooping : Enable
Trusted interface : No
Dhcp user max number : 20
Current dhcp and nd user number : 0
Check dhcp-giaddr : Enable
Check dhcp-chaddr : Enable
Alarm dhcp-chaddr : Enable
Alarm dhcp-chaddr threshold : 120
Discarded dhcp packets for check chaddr : 0
Check dhcp-request : Enable
Alarm dhcp-request : Enable
Alarm dhcp-request threshold : 120
Discarded dhcp packets for check request : 0
Check dhcp-rate : Disable (default)
Alarm dhcp-rate : Disable (default)
Alarm dhcp-rate threshold : 80
Discarded dhcp packets for rate limit : 0
Alarm dhcp-reply : Enable
Alarm dhcp-reply threshold : 120
Discarded dhcp packets for check reply : 0
[PE1] display dhcp snooping interface gigabitethernet 0/0/3
DHCP snooping running information for interface GigabitEthernet0/0/3 :
DHCP snooping : Disable (default)
Trusted interface : Yes
Dhcp user max number : 1024 (default)
Current dhcp and nd user number : 0
Check dhcp-giaddr : Disable (default)
Check dhcp-chaddr : Disable (default)
Alarm dhcp-chaddr : Disable (default)
Check dhcp-request : Disable (default)
Alarm dhcp-request : Disable (default)
Check dhcp-rate : Disable (default)
Alarm dhcp-rate : Disable (default)
Alarm dhcp-rate threshold : 80
Discarded dhcp packets for rate limit : 0
Alarm dhcp-reply : Disable (default)

Configuration Files
PE1 configuration file
#
sysname PE1
#
dhcp enable
#
dhcp snooping enable ipv4
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
dhcp snooping alarm dhcp-rate enable
dhcp snooping alarm dhcp-rate threshold 80
dhcp snooping over-vpls enable
#
interface GigabitEthernet0/0/1
dhcp snooping enable
dhcp snooping check dhcp-giaddr enable
dhcp snooping check dhcp-request enable
dhcp snooping alarm dhcp-request enable
dhcp snooping alarm dhcp-request threshold 120
dhcp snooping check dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr threshold 120
dhcp snooping alarm dhcp-reply enable
dhcp snooping alarm dhcp-reply threshold 120
dhcp snooping max-user-number 20
#
interface GigabitEthernet0/0/2
dhcp snooping enable
dhcp snooping check dhcp-giaddr enable
dhcp snooping check dhcp-request enable
dhcp snooping alarm dhcp-request enable
dhcp snooping alarm dhcp-request threshold 120
dhcp snooping check dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr threshold 120
dhcp snooping alarm dhcp-reply enable
dhcp snooping alarm dhcp-reply threshold 120
dhcp snooping max-user-number 20
#
interface GigabitEthernet0/0/3
dhcp snooping trusted
#
return


1.12.3 Example for Configuring the LDRA to Detect Client Locations

Networking Requirements
As shown in Figure 1, the R&D department and marketing department of a company connect to the Internet through the Switch and obtain IPv6 addresses through DHCPv6. The company requires that the DHCPv6 server assign different IPv6 addresses, access control policies, and QoS policies to the clients of the two departments.
Figure 1 LDRA networking diagram

Configuration Roadmap

The configuration roadmap is as follows:

1. Enable DHCP snooping.


2. Enable the LDRA. After the LDRA is enabled on the Switch, the Switch can forward the client location information to the DHCPv6 server, and
the DHCPv6 server can assign corresponding policies to the clients.
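What the Switch sends toward the DHCPv6 server once the LDRA is enabled is a Relay-Forward message that wraps the client's own message and carries the location options. The following Python is an added example for this page, not Huawei code: it builds such a message the way RFC 6221 describes a lightweight relay doing it (hop count 0, link-address set to ::, peer-address set to the client's link-local source address, Interface-ID in option 18, Remote-ID in option 37) and then decodes it as the server would in order to choose a per-department policy. The Interface-ID string, the Remote-ID bytes, the client DUID, the link-local address and the port-to-department table are constructed for the example; the actual contents the device puts into option 18 and option 37 are device-specific and are not reproduced here.

```python
import ipaddress
import struct

SOLICIT, RELAY_FORW = 1, 12                 # DHCPv6 message types
OPT_CLIENTID, OPT_RELAY_MSG = 1, 9          # RFC 3315 option codes
OPT_INTERFACE_ID, OPT_REMOTE_ID = 18, 37    # RFC 3315 Interface-ID, RFC 4649 Remote-ID


def option(code, data):
    """Encode one DHCPv6 option: code(2) length(2) data."""
    return struct.pack("!HH", code, len(data)) + data


def parse_options(buf):
    """Decode a DHCPv6 option list into [(code, data), ...]."""
    out, i = [], 0
    while i + 4 <= len(buf):
        code, length = struct.unpack("!HH", buf[i:i + 4])
        out.append((code, buf[i + 4:i + 4 + length]))
        i += 4 + length
    return out


def client_solicit(xid, duid):
    """A client's Solicit: msg-type(1) + transaction-id(3) + Client Identifier option."""
    return bytes([SOLICIT]) + xid.to_bytes(3, "big") + option(OPT_CLIENTID, duid)


def ldra_relay_forward(client_msg, client_link_local, interface_id, enterprise, remote_id):
    """Wrap client_msg as an LDRA does (RFC 6221): hop-count 0, link-address :: because the
    switch has no IPv6 address on the link, peer-address = the client's link-local source."""
    hdr = bytes([RELAY_FORW, 0])
    hdr += ipaddress.IPv6Address("::").packed
    hdr += ipaddress.IPv6Address(client_link_local).packed
    return (hdr
            + option(OPT_INTERFACE_ID, interface_id.encode())                  # option 18
            + option(OPT_REMOTE_ID, struct.pack("!I", enterprise) + remote_id)  # option 37
            + option(OPT_RELAY_MSG, client_msg))                               # option 9


def server_decode(msg):
    """Recover what the DHCPv6 server needs: the client's location and its inner message."""
    if msg[0] != RELAY_FORW:
        raise ValueError("not a Relay-Forward message")
    opts = dict(parse_options(msg[34:]))        # header is 1 + 1 + 16 + 16 bytes
    inner, rid = opts[OPT_RELAY_MSG], opts[OPT_REMOTE_ID]
    return {
        "hop_count": msg[1],
        "link_address": str(ipaddress.IPv6Address(msg[2:18])),
        "peer_address": str(ipaddress.IPv6Address(msg[18:34])),
        "interface_id": opts[OPT_INTERFACE_ID].decode(),
        "enterprise": struct.unpack("!I", rid[:4])[0],
        "remote_id": rid[4:],
        "client_msg_type": inner[0],
        "client_xid": int.from_bytes(inner[1:4], "big"),
        "client_duid": dict(parse_options(inner[4:]))[OPT_CLIENTID],
    }


# Constructed server-side policy: which department sits behind which access port.
POLICY_BY_PORT = {
    "GigabitEthernet0/0/1": {"dept": "R&D", "prefix": "2001:db8:10::/64", "qos": "rnd-profile"},
    "GigabitEthernet0/0/2": {"dept": "Marketing", "prefix": "2001:db8:20::/64", "qos": "mkt-profile"},
}


def policy_for(relay_forward):
    """Server logic: choose the department policy from the Interface-ID the LDRA inserted."""
    return POLICY_BY_PORT.get(server_decode(relay_forward)["interface_id"])


def demo():
    duid = bytes.fromhex("000100012a7d0b3c001122334455")    # constructed DUID-LLT
    sol = client_solicit(0xABCDEF, duid)
    fwd = ldra_relay_forward(sol, "fe80::211:22ff:fe33:4455",
                             "GigabitEthernet0/0/1", 2011, b"switch-floor3")
    return server_decode(fwd), policy_for(fwd)
```

The point of the example is the trust boundary: the client never sees or controls option 18 and option 37, because the switch adds them on the way up, so the server can key policy on them. A client on a port with no policy entry (GE0/0/9 in the test) gets no department policy, which is the safe default.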

Procedure

1. Create a VLAN and configure interfaces.


# Create VLAN 10 on the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10
# Add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN 10.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 10
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/3] quit

2. Enable DHCP snooping.


# Enable DHCP snooping globally.
[Switch] dhcp enable
[Switch] dhcp snooping enable
# Enable DHCP snooping on the user-side interfaces.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] dhcp snooping enable
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] dhcp snooping enable
[Switch-GigabitEthernet0/0/2] quit
# Set the status of the interface connecting to the DHCPv6 server to Trusted.
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] dhcp snooping trusted
[Switch-GigabitEthernet0/0/3] quit

3. Enable the LDRA.


# Enable the LDRA in VLAN 10.
[Switch] vlan 10
[Switch-vlan10] dhcpv6 snooping relay-information enable
# Configure the interfaces in VLAN 10 not to generate DHCP snooping binding entries. With no-user-binding, DHCP snooping in this VLAN does not limit the number of online users; note that it then also holds no binding entries for these clients, so binding-table-based checks (such as dhcp snooping check dhcp-request) have nothing to match them against.
[Switch-vlan10] dhcp snooping enable no-user-binding
Warning: To execute no-user-binding will delete all dynamic binding table with the same vlan. Continue? [Y/N]y
[Switch-vlan10] quit

4. Verify the configuration.


# Run the display dhcp snooping configuration command to check the LDRA configurations.
[Switch] display dhcp snooping configuration
#
dhcp snooping enable
#
vlan 10
dhcp snooping enable no-user-binding
dhcpv6 snooping relay-information enable
#
interface GigabitEthernet0/0/1
dhcp snooping enable
#
interface GigabitEthernet0/0/2
dhcp snooping enable
#
interface GigabitEthernet0/0/3
dhcp snooping trusted
#

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
dhcp enable
#
dhcp snooping enable
#
vlan 10
dhcp snooping enable no-user-binding
dhcpv6 snooping relay-information enable
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
dhcp snooping enable
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
dhcp snooping enable
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10
dhcp snooping trusted
#
return


1.13 Common Misconfigurations


Some Users Cannot Obtain IP Addresses after DHCP Snooping Is Enabled

Users Cannot Obtain IP Address after DHCP Snooping Is Enabled


1.13.1 Some Users Cannot Obtain IP Addresses after DHCP Snooping Is Enabled

Fault Description

The possible causes are as follows:

The number of DHCP clients connected to the user-side interface has reached the maximum value.
The transmission rate of DHCP messages has exceeded the upper rate limit, and the DHCP messages from new DHCP clients are being
discarded.

Procedure

1. Check whether the number of access DHCP users has reached the threshold.

a. Run the display dhcp snooping [ interface interface-type interface-number | vlan vlan-id ] command to check whether "Dhcp user max
number: XX" is displayed globally, in the VLAN or on the user-side interface.
By default, the maximum number of DHCP snooping binding entries that can be learned on an interface is 256 for S1720GFR,
S2720, and S2750EI, 512 for S1720GW, S1720GWR, S1720GW-E, S1720GWR-E, S5720LI, S5720S-LI, S5700LI and S5710-X-LI,
and 1024 for other models.

b. Run the display dhcp snooping user-bind all command to view the number of dynamic DHCP snooping entries on the DHCP snooping-
enabled interface. If the number of entries on the interface has reached the maximum value, new DHCP clients cannot access the
network.
To increase the maximum value of DHCP access users, run the dhcp snooping max-user-number max-number command.

2. If the number of access DHCP users has not reached the limit, check whether the transmission rate of DHCP messages has exceeded the limit.
a. Run the display dhcp snooping [ interface interface-type interface-number | vlan vlan-id ] command to check whether "Dhcp-rate
limit(pps): xx" is displayed globally, in the VLAN or on the user-side interface.
If "Dhcp-rate limit(pps): xx" is not displayed, the default rate limit is 100 pps. The configured value takes preference.

b. If DHCP users cannot access the network because the DHCP snooping rate limit is low, run the dhcp snooping check dhcp-rate rate
command in the system view, interface view, and VLAN view to increase the rate limit values.


1.13.2 Users Cannot Obtain IP Addresses after DHCP Snooping Is Enabled

Fault Description

The possible causes are as follows:

The interface connected to the DHCP server is not configured as the trusted interface.
After DHCP snooping is enabled globally, DHCP snooping is not enabled on the interface connecting to users or in the VLAN to which the
interface belongs.

Procedure

1. Check whether the interface connected to the DHCP server is in a correct state.

a. Run the display dhcp snooping configuration and display dhcp snooping [ interface interface-type interface-number | vlan vlan-id ]
commands to check in which VLANs and on which interfaces DHCP snooping is enabled and whether "Trusted interface: Yes" is
displayed for the interface connected to the DHCP server.
By default, an interface is in the untrusted state. When receiving messages from the network-side interfaces, the device processes
only the DHCP Reply messages received on the trusted interface and discards those on untrusted interfaces. When receiving
messages from user-side interfaces, the device forwards the messages only to the trusted interface.

b. Check whether the interface connected to the DHCP server is a trusted interface. If it is not a trusted interface, run the dhcp snooping
trusted command in the VLAN or interface view to configure the interface as a trusted interface.

When DHCP snooping is enabled on a DHCP relay agent, a trusted interface does not need to be configured on the DHCP relay
agent. After receiving DHCP Request messages from users, the DHCP relay agent converts the source/destination IP addresses and
MAC addresses, and forwards the messages to the valid DHCP server in unicast mode. Therefore, the DHCP ACK messages
received by the DHCP relay agent are valid, and the DHCP snooping binding entries generated by the DHCP relay agent are correct.

2. If the interface status is correct, check whether DHCP snooping is enabled on the interface connected to users or the VLAN to which the
interface belongs.

a. Run the display dhcp snooping configuration and display dhcp snooping [ interface interface-type interface-number | vlan vlan-id ]
commands to check whether DHCP snooping is enabled on the interface connected to users or the VLAN to which the interface
belongs.
b. DHCP snooping should be enabled on the interface connected to users or VLAN to which the interface belongs. If it is not enabled,
run the dhcp snooping enable command in the VLAN or interface view to enable it.
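The two troubleshooting procedures above (1.13.1 and 1.13.2) come down to reading a handful of fields out of the display output. The following Python is an added example written for this page, not Huawei code: it parses the output format of display dhcp snooping interface as printed in the examples above and reports which of the four causes applies on a user-side/server-side port pair, together with the command each procedure prescribes. The two output samples are constructed for the example (the user-side port has reached its user limit and is discarding on the rate limit; the server-side port was never configured as trusted); the field names are the ones the examples above show.

```python
import re

# Constructed samples in the format printed by 'display dhcp snooping interface' on this page.
USER_PORT = """\
DHCP snooping running information for interface GigabitEthernet0/0/1 :
 DHCP snooping                              : Enable
 Trusted interface                          : No
 Dhcp user max number                       : 20
 Current dhcp and nd user number            : 20
 Check dhcp-giaddr                          : Enable
 Check dhcp-chaddr                          : Enable
 Check dhcp-request                         : Enable
 Discarded dhcp packets for check request   : 0
 Check dhcp-rate                            : Disable (default)
 Discarded dhcp packets for rate limit      : 37
"""
SERVER_PORT = """\
DHCP snooping running information for interface GigabitEthernet0/0/3 :
 DHCP snooping                              : Disable (default)
 Trusted interface                          : No
 Dhcp user max number                       : 1024 (default)
 Current dhcp and nd user number            : 0
 Discarded dhcp packets for rate limit      : 0
"""

LINE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")
HEADER = "DHCP snooping running information for interface "


def parse_display(text):
    """Turn the 'key : value' lines into a dict; the header line gives the interface name."""
    info = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key.startswith(HEADER):
            info["interface"] = key[len(HEADER):]
        else:
            info[key] = value
    return info


def as_int(value):
    """'1024 (default)' -> 1024; the device appends '(default)' to unconfigured values."""
    return int(re.match(r"\d+", value).group())


def enabled(value):
    return value.startswith("Enable")


def diagnose(user_port_text, server_port_text):
    """Apply the checks of 1.13.1 and 1.13.2; return [(code, detail, prescribed command)]."""
    u, s = parse_display(user_port_text), parse_display(server_port_text)
    findings = []
    if not enabled(u.get("DHCP snooping", "Disable")):
        findings.append(("snooping-disabled",
                         "DHCP snooping is not enabled on user-side interface " + u["interface"],
                         "dhcp snooping enable (interface or VLAN view)"))
    if as_int(u["Current dhcp and nd user number"]) >= as_int(u["Dhcp user max number"]):
        findings.append(("max-user",
                         "%s has reached its DHCP user limit of %s" % (u["interface"], u["Dhcp user max number"]),
                         "dhcp snooping max-user-number max-number"))
    if as_int(u.get("Discarded dhcp packets for rate limit", "0")) > 0:
        findings.append(("rate-limit",
                         "DHCP messages on %s are being discarded by the rate limit" % u["interface"],
                         "dhcp snooping check dhcp-rate rate (system, VLAN or interface view)"))
    if s.get("Trusted interface") != "Yes":
        findings.append(("untrusted-server-port",
                         "server-side interface %s is untrusted, so DHCP Reply messages are dropped" % s["interface"],
                         "dhcp snooping trusted (interface or VLAN view)"))
    return findings


def demo():
    """Findings for the faulty samples, then for the same ports after the prescribed fixes."""
    fixed_user = re.sub(r"(nd user number\s*:\s*)20", r"\g<1>3", USER_PORT)
    fixed_user = re.sub(r"(rate limit\s*:\s*)37", r"\g<1>0", fixed_user)
    fixed_server = re.sub(r"(Trusted interface\s*:\s*)No", r"\g<1>Yes", SERVER_PORT)
    return diagnose(USER_PORT, SERVER_PORT), diagnose(fixed_user, fixed_server)
```

Feed diagnose() the two display outputs (user-side port first, server-side port second) and it returns an empty list only when all four causes are ruled out; the rate-limit finding is worth acting on even when users are still getting addresses, since a non-zero discard counter on an access port is also the first visible sign of a DHCP flood.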


1.14 FAQ
Which Devices Support DHCP Snooping?

Why Can't Users Obtain IP Addresses after DHCP Snooping Is Configured?

Why Can't a PC Access the Internet after Obtaining an IP Address Through DHCP?


1.14.1 Which Devices Support DHCP Snooping?


All models except S2700SI support DHCP snooping.

1.14.2 Why Can't Users Obtain IP Addresses after DHCP Snooping Is Configured?

After DHCP snooping is enabled globally and in a VLAN (or on an interface), all interfaces on the device are untrusted by default. You must therefore run the dhcp snooping trusted command on the interfaces connected to the DHCP server to set them to trusted. Otherwise, the DHCP Reply messages sent by the DHCP server are discarded and users connected to the device cannot obtain IP addresses from it.

1.14.3 Why Can't a PC Access the Internet after Obtaining an IP Address Through DHCP?

In normal situations, a PC can access the Internet after obtaining an IP address through DHCP. However, if the IP address was assigned by a bogus DHCP server, the PC cannot access the Internet with that address. If this problem occurs, you are advised to configure DHCP snooping on the Layer 2 access device or on the first DHCP relay agent on the path from the PC, so that PCs obtain addresses only from the authorized DHCP server.

When you configure DHCP snooping on a Layer 2 access device, steps 1, 2, and 3 are mandatory and must be performed in sequence.
When you configure DHCP snooping on a DHCP relay agent, only steps 1 and 2 are required.

1. Enable DHCP snooping globally.


<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable

2. Configure the interfaces connected to DHCP clients. Perform the configuration on all interfaces connected to DHCP clients. GE0/0/1 is used as
an example.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet0/0/1] quit

3. Perform the configuration on interfaces connected to the DHCP server. GE0/0/2 is used as an example.
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] dhcp snooping trusted
[HUAWEI-GigabitEthernet0/0/2] quit


1.15 References
For more information about DHCP snooping, see the following documents.

Document No.   Description
RFC 3046       DHCP Relay Agent Information Option
RFC 2132       DHCP Options and BOOTP Vendor Extensions
