Enabling client offline detection – H3C Technologies H3C SecPath F1000-E User Manual
addresses that a Layer 2 port can learn. You can also configure an interface that has learned the
maximum MAC addresses to discard packets whose source MAC addresses are not in the MAC
address table.
• To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, enable MAC address check on the DHCP relay agent. With this function enabled, the DHCP relay agent compares the chaddr field of a received DHCP request with the source MAC address field of the frame. If they are the same, the DHCP relay agent considers the request valid and forwards it to the DHCP server; if not, it discards the DHCP request.
To enable MAC address check:

Step                            Command                                      Remarks
1. Enter system view.           system-view                                  N/A
2. Enter interface view.        interface interface-type interface-number    N/A
3. Enable MAC address check.    dhcp relay check mac-address                 Disabled by default
NOTE:
DHCP relay agents change the source MAC addresses when forwarding DHCP packets. Therefore, you
can enable MAC address check only on a DHCP relay agent directly connected to DHCP clients.
Otherwise, valid DHCP packets may be discarded and clients cannot obtain IP addresses.
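The comparison the relay agent performs when MAC address check is enabled, written out as an added example (not H3C's code): the chaddr field of the BOOTP header is compared with the Ethernet source address, and a request whose two addresses differ is treated as one to discard. The frame builder only produces constructed sample DHCPDISCOVER frames for the check; the function names are this example's own.

```python
import struct
from typing import Optional

# Offsets inside the BOOTP/DHCP payload (RFC 2131): op, htype, hlen, hops,
# xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, then the 16-byte chaddr.
CHADDR_OFFSET = 28
DHCP_SERVER_PORT = 67


def dhcp_payload(frame: bytes) -> Optional[bytes]:
    """Return the DHCP payload of an Ethernet/IPv4/UDP frame, or None when the
    frame is not a client-to-server DHCP request (UDP destination port 67)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # not IPv4
        return None
    if frame[14] >> 4 != 4 or frame[14 + 9] != 17:            # not IPv4/UDP
        return None
    ip_end = 14 + (frame[14] & 0x0F) * 4
    dst_port = struct.unpack("!H", frame[ip_end + 2:ip_end + 4])[0]
    if dst_port != DHCP_SERVER_PORT:
        return None
    payload = frame[ip_end + 8:]                              # skip UDP header
    return payload if len(payload) >= CHADDR_OFFSET + 16 else None


def relay_mac_check(frame: bytes) -> bool:
    """Emulate the relay agent's MAC address check: the request is valid only
    when chaddr (first hlen bytes) equals the frame's Ethernet source address."""
    payload = dhcp_payload(frame)
    if payload is None:
        return False
    htype, hlen = payload[1], payload[2]
    if htype != 1 or hlen != 6:        # only Ethernet hardware addresses compared
        return False
    chaddr = payload[CHADDR_OFFSET:CHADDR_OFFSET + hlen]
    return chaddr == frame[6:12]


def build_discover(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed DHCPDISCOVER frame (sample input, not a capture): broadcast
    Ethernet frame, minimal IPv4 header (checksum left 0), UDP 68->67, BOOTP."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, chaddr.ljust(16, b"\0"))
    bootp += b"\0" * 192 + b"\x63\x82\x53\x63\x35\x01\x01\xff"  # sname/file, cookie, DISCOVER, end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")
    print("same chaddr and source MAC -> forward:", relay_mac_check(build_discover(mac, mac)))
    print("mismatched chaddr -> discard:", relay_mac_check(build_discover(mac, bytes.fromhex("66778899aabb"))))
```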
Enabling client offline detection
The DHCP relay agent checks whether a user is online by monitoring the client's ARP entry. When an ARP entry is aged out, the corresponding client is considered to be offline.
With this function enabled on an interface, the DHCP relay agent removes a client's IP-to-MAC entry
when it is aged out, and sends a DHCP-RELEASE message to the DHCP server to release the IP address
of the client.
To enable offline detection:

Step                            Command                                      Remarks
1. Enter system view.           system-view                                  N/A
2. Enter interface view.        interface interface-type interface-number    N/A
3. Enable offline detection.    dhcp relay client-detect enable              Disabled by default
NOTE:
Removing an ARP entry manually does not remove the corresponding client's IP-to-MAC binding. When
the client goes offline, use the undo dhcp relay security command to remove the IP-to-MAC binding
manually.