[Huawei]dhcp snooping enable----------Enable the DHCP Snooping function globally
[Huawei-vlan1]dhcp snooping enable----------Enable DHCP Snooping in VLAN 1
[Huawei-GigabitEthernet0/0/3]dhcp snooping trusted----------Set G0/0/3 as a trusted port (the default for every port is untrusted)
1. DHCP Snooping function:
DHCP Snooping has two functions:
① Trust function
② Monitoring function
(1) Trust function: When deploying the network, the administrator sets the interface that is directly or indirectly connected to the legitimate DHCP server as a trusted interface. This ensures that DHCP clients can only obtain an IP address from the legitimate DHCP server; a rogue DHCP server that someone sets up privately cannot assign IP addresses to the DHCP clients.
(2) Monitoring function: The monitoring function builds DHCP Snooping binding entries (five-tuple entries: IP address, MAC address, VLAN, interface and lease time) by monitoring the DHCP ACK messages sent by the DHCP server. These entries are then used to defend against several attacks on DHCP.
2. Attacks prevented
After DHCP Snooping is enabled, the following attacks can be prevented:
① Prevent the fake DHCP Server attack
② Prevent attacks from non-DHCP users
③ Prevent DHCP message flooding attacks
④ Prevent attacks from fake DHCP messages
⑤ Prevent DHCP Server denial of service attacks
(1) Prevent the fake DHCP Server attack:
Since there is no authentication mechanism between the DHCP server and the DHCP client, any DHCP server added to the network can assign IP addresses and other network parameters to the clients. If that server hands out wrong IP addresses or network parameters, it causes great harm to the network.
Against this kind of attack, after configuring the DHCP Snooping function, the administrator manually sets the interface connected to the real DHCP server to the Trust type so that IP addresses are issued normally. An attacker who later connects a rogue DHCP server does so on an interface whose default type is Untrust. DHCP server reply messages received on an Untrust interface are not forwarded by the switch but are discarded directly, which defeats the rogue DHCP server attack.
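The two behaviours described so far, the trust check on server replies and the binding table built from DHCP ACKs, can be modelled in a few dozen lines. The Python below is an added example and is not Huawei code or part of the original article; it parses a minimal BOOTP/DHCP payload (options 53 and 51 only), drops OFFER/ACK/NAK messages arriving on untrusted ports, and records a binding entry for each ACK seen on a trusted port. Port names, VLAN ids and the packets are constructed here, and the binding-table fields follow the five-tuple the article lists.

```python
import struct
from dataclasses import dataclass

DHCP_MAGIC = b"\x63\x82\x53\x63"
SERVER_MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}      # only a server sends these
CLIENT_MSG_TYPES = {1: "DISCOVER", 3: "REQUEST", 7: "RELEASE"}


@dataclass(frozen=True)
class Binding:
    """One DHCP Snooping binding entry (the five-tuple from the article)."""
    ip: str
    mac: str
    vlan: int
    interface: str
    lease: int


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header plus options 53 (message type) and 51 (lease)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    op, htype, hlen = struct.unpack_from("!BBB", payload, 0)
    yiaddr = ".".join(str(b) for b in payload[16:20])        # address offered to the client
    chaddr = payload[28:28 + hlen].hex(":") if hlen <= 16 else ""
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                                       # end option
            break
        if code == 0:                                         # pad option
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = opts.get(53, b"\x00")[0]
    lease = struct.unpack("!I", opts[51])[0] if 51 in opts else 0
    return {"op": op, "chaddr": chaddr, "yiaddr": yiaddr, "type": msg_type, "lease": lease}


def build_dhcp(msg_type: int, chaddr: str, yiaddr: str = "0.0.0.0", lease: int = None) -> bytes:
    """Constructed test packets: just enough of a DHCP message for parse_dhcp()."""
    hdr = bytearray(236)
    hdr[0] = 1 if msg_type in CLIENT_MSG_TYPES else 2         # op: BOOTREQUEST / BOOTREPLY
    hdr[1], hdr[2] = 1, 6                                     # htype Ethernet, hlen 6
    hdr[16:20] = bytes(int(o) for o in yiaddr.split("."))
    hdr[28:34] = bytes.fromhex(chaddr.replace(":", ""))
    opts = bytes([53, 1, msg_type])
    if lease is not None:
        opts += bytes([51, 4]) + struct.pack("!I", lease)
    return bytes(hdr) + DHCP_MAGIC + opts + b"\xff"


class DhcpSnooper:
    """Model of a switch running DHCP Snooping with a set of trusted ports (assumed names)."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}                                    # (vlan, mac) -> Binding

    def handle(self, port: str, vlan: int, payload: bytes) -> str:
        msg = parse_dhcp(payload)
        # Trust function: a server reply on an untrusted port is a rogue server -> discard.
        if msg["type"] in SERVER_MSG_TYPES and port not in self.trusted:
            return "drop"
        # Monitoring function: learn a binding entry from each ACK on a trusted port.
        if msg["type"] == 5 and port in self.trusted:
            self.bindings[(vlan, msg["chaddr"])] = Binding(
                msg["yiaddr"], msg["chaddr"], vlan, port, msg["lease"])
        return "forward"


def demo():
    sw = DhcpSnooper(trusted_ports={"G0/0/3"})
    results = [
        sw.handle("G0/0/3", 1, build_dhcp(5, "aa:bb:cc:dd:ee:01", "192.168.1.50", 86400)),  # real ACK
        sw.handle("G0/0/7", 1, build_dhcp(2, "aa:bb:cc:dd:ee:02", "10.0.0.9")),             # rogue OFFER
        sw.handle("G0/0/7", 1, build_dhcp(1, "aa:bb:cc:dd:ee:02")),                         # client DISCOVER
    ]
    return results, sw.bindings


if __name__ == "__main__":
    print(demo())
```

Running `demo()` forwards the real server's ACK and learns a binding for 192.168.1.50, discards the OFFER from the untrusted port, and still forwards the client's own DISCOVER, which is exactly the asymmetry the Trust function introduces: client messages pass on any port, server messages only on trusted ones.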
(2) Prevent attacks from non-DHCP users:
Non-DHCP users can configure an IP address statically. If this address conflicts with the address of the DHCP server or of a DHCP client in the current network, the switch's table entries are refreshed with the wrong information, which is dangerous. On interfaces where unauthorized users may connect, you can disable dynamic MAC learning and have the device convert the Dynamic MAC entries learned on that interface into Snooping-type MAC entries based on the DHCP Snooping binding table and the ND Snooping binding table, or generate Snooping-type MAC entries directly from the static binding table. After that, an IP packet received on the interface is forwarded only if its source MAC address matches a static MAC entry (Static type, Snooping type, etc.); otherwise the packet is discarded. This effectively blocks users with unauthorized MAC addresses.
[Huawei]port-group group-member g0/0/1 to g0/0/24
[Huawei-port-group]user-bind ip sticky-mac
[Huawei-port-group]mac-address learning disable----------Disable dynamic learning of MAC entries on all interfaces in the group
Note: If there are legitimate users with static IP addresses, use the static DHCP Snooping command or a static MAC entry to configure static binding entries for them:
[Huawei]user-bind static ip-address 192.168.1.10 interface g0/0/2 vlan 1
[Huawei]mac-address static 1111-1111-1111 g0/0/1 vlan 1
(3) Prevent DHCP message flooding attacks:
In a DHCP network environment, if a DHCP user sends a large number of DHCP messages to the device in a short time, the device's performance suffers greatly and the device may stop working normally. Enabling the check on the rate at which DHCP messages are sent to the DHCP message processing unit effectively prevents DHCP message flooding attacks.
[Huawei-vlan1]dhcp snooping check dhcp-rate enable----------Enable the check on the rate at which DHCP messages are sent to the DHCP message processing unit
[Huawei-vlan1]dhcp snooping check dhcp-rate 100----------Set the maximum rate (100 messages per second)
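To make the rate check concrete, here is an added Python model (not Huawei code and not from the original article) of a sliding one-second window that admits at most `limit` DHCP messages per port and drops the rest before they reach the message processing unit. Applying the limit per port, and the port names and traffic pattern, are assumptions of this example; the 100 messages per second threshold is the one configured above.

```python
from collections import deque


class DhcpRateLimiter:
    """Sliding-window rate check: at most `limit` DHCP messages per `window` seconds per port."""

    def __init__(self, limit: int, window: float = 1.0):
        self.limit = limit
        self.window = window
        self.history = {}   # port -> deque of timestamps of accepted messages
        self.dropped = {}   # port -> number of dropped messages (what an alarm would report)

    def accept(self, port: str, ts: float) -> bool:
        q = self.history.setdefault(port, deque())
        while q and ts - q[0] >= self.window:   # expire messages older than the window
            q.popleft()
        if len(q) >= self.limit:
            self.dropped[port] = self.dropped.get(port, 0) + 1
            return False                        # flood: do not hand to the processing unit
        q.append(ts)
        return True


def simulate(limit: int = 100):
    """Constructed traffic: a 150-message burst in 0.5 s on one port, normal traffic on another."""
    rl = DhcpRateLimiter(limit)
    burst = [rl.accept("G0/0/5", i * 0.5 / 150) for i in range(150)]
    normal = [rl.accept("G0/0/6", t) for t in (0.1, 0.4, 0.9)]
    later = rl.accept("G0/0/5", 2.0)            # the window has slid past the burst
    return sum(burst), all(normal), later, rl.dropped.get("G0/0/5", 0)


if __name__ == "__main__":
    print(simulate())
```

The burst port gets its first 100 messages through and loses the other 50, the well-behaved port is unaffected, and once the window moves on the burst port is accepted again; the `dropped` counter is the value worth logging, since a port that keeps tripping the limit is the one to investigate.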
(4) Prevent attacks from fake DHCP messages:
In a DHCP network environment:
① If an attacker forges a DHCP Request message in the name of a legitimate user and sends it to the DHCP server, the user's IP address lease is not released in time after it expires, and the legitimate user cannot use the IP address.
② If an attacker forges a DHCP Release message in the name of a legitimate user and sends it to the DHCP server, the user is taken offline.
After the DHCP Snooping binding table has been generated, the device can check each DHCP Request or DHCP Release message against the binding entries. Only a message that matches an entry is forwarded; otherwise it is discarded. This effectively prevents illegal users from renewing or releasing IP addresses in the name of legitimate users by sending fake DHCP Request or DHCP Release messages.
[Huawei]dhcp snooping check dhcp-request enable vlan 1----------Match all DHCP Request/Release packets in VLAN 1 against the DHCP Snooping entries
[Huawei-GigabitEthernet0/0/1]dhcp snooping alarm dhcp-request enable----------Enable the alarm (can only be configured under the interface)
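The matching check and the alarm above can be modelled as follows. This Python is an added example, not Huawei code and not from the original article; the binding table is constructed inline, and the exact fields compared (source MAC, client IP, VLAN and ingress interface) as well as the alarm threshold are assumptions of this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str


class RequestReleaseChecker:
    """Check DHCP Request/Release messages against the snooping binding table."""

    def __init__(self, bindings, alarm_threshold: int = 3):
        self.index = {(b.vlan, b.mac): b for b in bindings}
        self.alarm_threshold = alarm_threshold      # assumed: discards per interface before alarming
        self.discards = {}                          # interface -> number of discarded messages

    def check(self, interface: str, vlan: int, src_mac: str, ciaddr: str, msg_type: str) -> str:
        if msg_type not in ("REQUEST", "RELEASE"):
            return "forward"                        # only renew/release are validated here
        b = self.index.get((vlan, src_mac))
        if b and b.ip == ciaddr and b.interface == interface:
            return "forward"                        # the message comes from the bound client
        self.discards[interface] = self.discards.get(interface, 0) + 1
        return "drop"

    def alarms(self):
        """Interfaces whose discard count reached the threshold (what the alarm would report)."""
        return sorted(i for i, n in self.discards.items() if n >= self.alarm_threshold)


def demo():
    # constructed binding table: one legitimate client on G0/0/1 in VLAN 1
    chk = RequestReleaseChecker([Binding("192.168.1.50", "aa:bb:cc:dd:ee:01", 1, "G0/0/1")])
    results = [
        chk.check("G0/0/1", 1, "aa:bb:cc:dd:ee:01", "192.168.1.50", "RELEASE"),  # real client
        chk.check("G0/0/9", 1, "aa:bb:cc:dd:ee:01", "192.168.1.50", "RELEASE"),  # spoofed MAC, wrong port
        chk.check("G0/0/9", 1, "aa:bb:cc:dd:ee:09", "192.168.1.50", "REQUEST"),  # foreign MAC claims the IP
        chk.check("G0/0/9", 1, "aa:bb:cc:dd:ee:01", "192.168.1.77", "REQUEST"),  # bound MAC, wrong IP
        chk.check("G0/0/9", 1, "aa:bb:cc:dd:ee:09", "0.0.0.0", "DISCOVER"),      # not subject to the check
    ]
    return results, chk.alarms()


if __name__ == "__main__":
    print(demo())
```

Only the release from the interface the binding was learned on is forwarded; the three forged messages on G0/0/9 are discarded and push that interface over the alarm threshold, while a plain DISCOVER is untouched because the check only applies to Request and Release.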
(5) Prevent DHCP Server denial of service attacks:
You can configure the maximum number of DHCP Snooping binding entries an interface is allowed to learn, which controls the number of online users. Once that number is reached, no further user can successfully obtain an IP address through the interface. To stop an attacker from continually changing the CHADDR field in DHCP Request messages, you can enable a check that the source MAC address in the frame header of a DHCP Request message is the same as the CHADDR field in the DHCP payload. If they are the same, the message is forwarded; otherwise it is discarded.
① When an attacker sends a large number of fake DHCP Discover messages requesting IP addresses, you can enable the switch to check whether the CHADDR field and the source MAC address are the same. If they differ, the message is treated as a denial-of-service attack message and discarded directly.
[Huawei]dhcp snooping check dhcp-chaddr enable vlan 1
② If the source MAC address and the CHADDR of the attacker's fake DHCP Discover messages are the same, the message cannot be identified as an attack. In that case you can limit the maximum number of IP addresses that can be requested on the interface (which can be 1).
[Huawei]dhcp snooping max-user-number 1
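The two defences in (5) complement each other: the CHADDR check catches the attacker who varies the client identifier inside the payload while keeping one source MAC, and the user limit caps what an attacker who changes both can exhaust. The Python below is an added example and is not Huawei code or part of the original article; it applies both checks to constructed Discover/Request messages. Counting a distinct CHADDR as a "user" as soon as its request is admitted, rather than waiting for the server's ACK, and the port names are simplifications assumed by this model.

```python
class DiscoverGuard:
    """CHADDR-vs-source-MAC check plus a per-port maximum number of DHCP users."""

    def __init__(self, max_users_per_port: int):
        self.max_users = max_users_per_port
        self.users = {}    # port -> set of client MACs admitted on that port

    def check(self, port: str, src_mac: str, chaddr: str) -> str:
        # dhcp snooping check dhcp-chaddr: frame source MAC must equal the payload CHADDR
        if src_mac.lower() != chaddr.lower():
            return "drop: chaddr mismatch"
        known = self.users.setdefault(port, set())
        if chaddr.lower() in known:
            return "forward"                        # an existing user renewing/re-requesting
        # dhcp snooping max-user-number: refuse a new client once the port is full
        if len(known) >= self.max_users:
            return "drop: max-user-number reached"
        known.add(chaddr.lower())
        return "forward"


def demo():
    guard = DiscoverGuard(max_users_per_port=1)   # matches "dhcp snooping max-user-number 1"
    mac_ok = "aa:bb:cc:dd:ee:01"
    return [
        guard.check("G0/0/2", mac_ok, mac_ok),                       # legitimate client
        guard.check("G0/0/2", mac_ok, mac_ok),                       # same client again
        guard.check("G0/0/2", mac_ok, "aa:bb:cc:dd:ee:02"),          # attacker varies CHADDR only
        guard.check("G0/0/2", "aa:bb:cc:dd:ee:03", "aa:bb:cc:dd:ee:03"),  # attacker varies both
        guard.check("G0/0/4", "aa:bb:cc:dd:ee:03", "aa:bb:cc:dd:ee:03"),  # same MAC on an empty port
    ]


if __name__ == "__main__":
    print(demo())
```

The first attacker message fails the CHADDR comparison outright; the second passes it but is refused because G0/0/2 already holds its one permitted user, and the same MAC is accepted on a port that still has room, which shows that the limit is per interface rather than global.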