
Enabling offline detection – H3C Technologies H3C SecPath F1000-E User Manual


relieves DHCP starvation attack that comprises DHCP packets encapsulated with different source MAC addresses.

To prevent a DHCP starvation attack that comprises DHCP requests encapsulated with the same source MAC address, enable MAC address check on the DHCP relay agent. With this function enabled, the DHCP relay agent compares the chaddr field of a received DHCP request with the source MAC address field of the frame. If they are the same, the DHCP relay agent treats the request as valid and forwards it to the DHCP server; if not, the DHCP request is discarded.
Follow these steps to enable MAC address check:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter interface view | interface interface-type interface-number | |
| Enable MAC address check | dhcp relay check mac-address | Required. Disabled by default. |

NOTE:

DHCP relay agents change the source MAC addresses when forwarding DHCP packets. Therefore, you can enable MAC address check only on a DHCP relay agent directly connected to DHCP clients. Otherwise, valid DHCP packets may be discarded and clients cannot obtain IP addresses.
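The MAC address check and the NOTE's caveat, sketched in Python as an added example (not H3C's implementation and not code from the manual): it parses an untagged Ethernet/IPv4/UDP frame and compares chaddr with the frame's source MAC address. The function names, the frame builder and the sample MAC addresses are assumptions constructed for illustration, and checksums are not validated.

```python
import struct

ETH_LEN, UDP_LEN, CHADDR_OFF = 14, 8, 28  # chaddr starts 28 bytes into BOOTP

def mac_check(frame: bytes) -> str:
    """Return 'forward' if chaddr equals the frame's source MAC, else 'discard'."""
    if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an untagged IPv4 frame")
    src_mac = frame[6:12]
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    udp = ETH_LEN + ihl
    if ihl < 20 or frame[ETH_LEN + 9] != 17 or len(frame) < udp + UDP_LEN:
        raise ValueError("not a UDP datagram")
    dport = struct.unpack("!H", frame[udp + 2:udp + 4])[0]
    bootp = frame[udp + UDP_LEN:]
    if dport != 67 or len(bootp) < CHADDR_OFF + 16 or bootp[0] != 1:
        raise ValueError("not a DHCP request (BOOTREQUEST to UDP port 67)")
    if bootp[1] != 1 or bootp[2] != 6:
        raise ValueError("not an Ethernet hardware address (outside this example)")
    chaddr = bootp[CHADDR_OFF:CHADDR_OFF + 6]
    return "forward" if chaddr == src_mac else "discard"

def build_request(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed sample frame: broadcast DHCP request, checksums left at zero."""
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x12345678, 0, 0x8000)
    bootp += bytes(16)                           # ciaddr, yiaddr, siaddr, giaddr
    bootp += chaddr.ljust(16, b"\x00")           # chaddr field is 16 bytes wide
    bootp += bytes(192) + b"\x63\x82\x53\x63"    # sname, file, DHCP magic cookie
    udp = struct.pack("!HHHH", 68, 67, UDP_LEN + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4)
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip + udp

def demo() -> dict:
    client = bytes.fromhex("020000000001")   # constructed sample addresses
    other = bytes.fromhex("020000000099")
    relay = bytes.fromhex("0200000000fe")    # an upstream relay's own MAC
    return {
        "direct client": mac_check(build_request(client, client)),
        "chaddr differs from source MAC": mac_check(build_request(client, other)),
        # The NOTE's case: a valid request whose source MAC was rewritten by a relay.
        "arrived via another relay": mac_check(build_request(relay, client)),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```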

Enabling Offline Detection

The DHCP relay agent checks whether a user is online by learning the ARP entry. When an ARP entry is aged out, the corresponding client is considered to be offline.

With this function enabled on an interface, the DHCP relay agent removes a client’s IP-to-MAC binding entry when it is aged out, and sends a DHCP-RELEASE message to the DHCP server to release the IP address of the client.
Follow these steps to enable offline detection:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter interface view | interface interface-type interface-number | |
| Enable offline detection | dhcp relay client-detect enable | Required. Disabled by default. |

NOTE:

Removing an ARP entry manually does not remove the corresponding client’s IP-to-MAC binding. When
the client goes offline, use the undo dhcp relay security command to remove the IP-to-MAC binding
manually.