Configuration procedure, Enabling unauthorized dhcp server detection, Enabling dhcp starvation attack protection – H3C Technologies H3C S12500 Series Switches User Manual


Authorized ARP can only be configured on Layer 3 Ethernet interfaces.

Disabling the DHCP relay agent to support authorized ARP will delete the corresponding authorized ARP entries.

The DHCP relay agent does not notify the authorized ARP module of the static bindings. You must configure the corresponding static ARP entries for authorized ARP.

For more information about authorized ARP, see Security Configuration Guide. For more information about the arp authorized enable command, see Security Command Reference.

Configuration procedure

To configure the DHCP relay agent to support authorized ARP:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | N/A |
| 3. Configure the DHCP relay agent to support authorized ARP. | dhcp update arp | Not supported by default. |
| 4. Enable authorized ARP. | arp authorized enable | Not enabled by default. |

Enabling unauthorized DHCP server detection

Unauthorized DHCP servers might assign wrong IP addresses to DHCP clients.

With unauthorized DHCP server detection enabled, the DHCP relay agent checks whether a request contains Option 54 (Server Identifier Option). If it does, the DHCP relay agent records the IP address in the option, which is the IP address of the DHCP server that assigned an IP address to the DHCP client, and records the receiving interface. The administrator can use this information to check for unauthorized DHCP servers.

To enable unauthorized DHCP server detection:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable unauthorized DHCP server detection. | dhcp relay server-detect | Disabled by default. |

NOTE:

With unauthorized DHCP server detection enabled, the switch logs each detected DHCP server once and logs a server again if its entry is cleared. The administrator can use the log information to find unauthorized DHCP servers.
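The check this section describes, sketched in Python as an added example (not code from the manual or from H3C): it extracts Option 54 from each relayed request, records each server once with its first receiving interface, and lists servers that are missing from an administrator-supplied allowlist. The allowlist, the function names, the interface names and the addresses are assumptions or constructed sample values; options carried in the sname/file fields (option overload) are not handled.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"       # precedes the DHCP options (RFC 2131)
OPT_PAD, OPT_END, OPT_SERVER_ID = 0, 255, 54

def server_identifier(payload):
    """Return the Option 54 address in a BOOTP/DHCP payload, or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None                       # truncated header or not DHCP
    opts, i = payload[240:], 0
    while i < len(opts) and opts[i] != OPT_END:
        if opts[i] == OPT_PAD:            # one-byte option, no length field
            i += 1
            continue
        if i + 2 > len(opts) or i + 2 + opts[i + 1] > len(opts):
            return None                   # option runs past the packet
        length = opts[i + 1]
        if opts[i] == OPT_SERVER_ID and length == 4:
            return ipaddress.IPv4Address(opts[i + 2:i + 6])
        i += 2 + length
    return None

def detect_servers(requests, authorized):
    """Map each server to its first receiving interface; list unlisted ones."""
    records = {}
    for interface, payload in requests:   # (interface name, UDP payload)
        server = server_identifier(payload)
        if server is not None:
            records.setdefault(server, interface)   # record each server once
    return records, sorted(s for s in records if s not in authorized)

def build_request(mac, server=None):
    """Constructed sample: minimal DHCPREQUEST payload for the demo."""
    fixed = bytes([1, 1, 6, 0]) + bytes(24) + mac.ljust(16, b"\0") + bytes(192)
    opts = b"\x35\x01\x03"                # Option 53: message type REQUEST
    if server:
        opts += b"\x36\x04" + ipaddress.IPv4Address(server).packed
    return fixed + MAGIC_COOKIE + opts + b"\xff"

# Constructed traffic: interface names and addresses are illustrative only.
SAMPLE = [
    ("GE1/0/1", build_request(b"\x02\0\0\0\0\x01", "192.0.2.1")),
    ("GE1/0/2", build_request(b"\x02\0\0\0\0\x02", "198.51.100.66")),
    ("GE1/0/3", build_request(b"\x02\0\0\0\0\x03")),        # no Option 54
    ("GE1/0/4", build_request(b"\x02\0\0\0\0\x04", "192.0.2.1")),   # repeat
]

if __name__ == "__main__":
    print(detect_servers(SAMPLE, {ipaddress.IPv4Address("192.0.2.1")}))
```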

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server so that legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources.
