Enabling dhcp-request message attack protection, Configuring dhcp packet rate limit, Configuration guidelines – H3C Technologies H3C S10500 Series Switches User Manual

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter interface view | interface interface-type interface-number | |
| Enable MAC address check | dhcp-snooping check mac-address | Required. Disabled by default. |

NOTE: You can enable MAC address check only on Layer 2 Ethernet ports and Layer 2 aggregate interfaces.

Enabling DHCP-REQUEST message attack protection

Attackers may forge DHCP-REQUEST messages to renew the IP address leases of legitimate DHCP clients that no longer need those addresses. The forged messages keep the victim DHCP server renewing the leases instead of releasing the addresses, which wastes IP address resources. To prevent such attacks, you can enable DHCP-REQUEST message check on DHCP snooping devices.

With this feature enabled, a DHCP snooping device that receives a DHCP-REQUEST message looks up its local DHCP snooping entries for the entry that corresponds to the message. If an entry is found, the device compares the entry with the message information. If they are consistent, the DHCP-REQUEST message is considered a valid lease renewal request and is forwarded to the DHCP server. If they are not consistent, the message is considered a forged lease renewal request and is discarded. If no corresponding entry is found, the message is considered valid and is forwarded to the DHCP server.
Follow these steps to enable DHCP-REQUEST message check:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter interface view | interface interface-type interface-number | |
| Enable DHCP-REQUEST message check | dhcp-snooping check request-message | Required. Disabled by default. |

NOTE: You can enable DHCP-REQUEST message check only on Layer 2 Ethernet ports and Layer 2 aggregate interfaces.
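The decision rule of the DHCP-REQUEST message check described above, modelled in Python as an added example (this is not H3C code, and the switch's real lookup key and compared fields are not given in the manual; here the snooping entry is keyed by client MAC and the IP address, VLAN and ingress port are compared, which is an assumption). The snooping table and request messages are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SnoopingEntry:
    """A DHCP snooping binding recorded when a client obtained its lease."""
    client_mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class DhcpRequest:
    """Fields of a DHCP-REQUEST (lease renewal) that the check compares."""
    client_mac: str    # chaddr of the request
    ip: str            # address the client asks to keep
    vlan: int          # VLAN the request arrived in
    ingress_port: str  # port the request arrived on


# Constructed snooping table keyed by client MAC (assumed lookup key).
SNOOPING_TABLE = {
    "00:11:22:33:44:55": SnoopingEntry("00:11:22:33:44:55", "10.0.0.10", 10, "GE1/0/1"),
    "00:11:22:33:44:66": SnoopingEntry("00:11:22:33:44:66", "10.0.0.11", 10, "GE1/0/2"),
}


def check_request(msg: DhcpRequest, table=SNOOPING_TABLE) -> str:
    """Return 'forward' or 'discard' following the manual's three cases."""
    entry = table.get(msg.client_mac)
    if entry is None:
        # Case 3: no corresponding entry, the message is treated as valid.
        return "forward"
    consistent = (entry.ip == msg.ip
                  and entry.vlan == msg.vlan
                  and entry.port == msg.ingress_port)
    # Case 1: entry matches -> valid renewal; case 2: mismatch -> forged.
    return "forward" if consistent else "discard"
```

Note the third case: a renewal whose client has no snooping entry is forwarded, so the check only protects addresses for which the device has already recorded a binding.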

Configuring DHCP packet rate limit

Configuration guidelines

You can configure DHCP packet rate limit only on Layer 2 Ethernet ports and Layer 2 aggregate interfaces.

If a Layer 2 Ethernet port belongs to an aggregation group, it uses the DHCP packet maximum rate configured on the corresponding Layer 2 aggregate interface.