Enabling client offline detection – H3C Technologies H3C S12500 Series Switches User Manual


To mitigate a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can limit the number of ARP entries that a Layer 3 interface can learn or the number of MAC addresses that a Layer 2 port can learn. You can also configure an interface that has learned the maximum number of MAC addresses to discard packets whose source MAC addresses are not in the MAC address table.

To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, enable MAC address check on the DHCP relay agent. With this function enabled, the DHCP relay agent compares the chaddr field of a received DHCP request with the source MAC address field of the frame. If they are the same, the DHCP relay agent treats the request as valid and forwards it to the DHCP server. If not, the DHCP request is discarded.

To enable MAC address check:

Step                            Command                                      Remarks
1. Enter system view.           system-view                                  N/A
2. Enter interface view.        interface interface-type interface-number    N/A
3. Enable MAC address check.    dhcp relay check mac-address                 Disabled by default.

NOTE:

DHCP relay agents change the source MAC addresses when forwarding DHCP packets. Therefore, you
can enable MAC address check only on a DHCP relay agent directly connected to DHCP clients.
Otherwise, valid DHCP packets might be discarded and clients cannot obtain IP addresses.
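The chaddr-versus-source-MAC comparison described above, as an added Python example (not H3C code): it builds constructed DHCP request frames, applies the relay-side check, and also shows the case the note warns about, a frame whose source MAC was already rewritten by an upstream relay. All MAC addresses and the transaction ID are constructed sample values.

```python
import struct

ETH_HDR, IP_HDR, UDP_HDR = 14, 20, 8   # fixed header sizes (no IP options assumed)
CHADDR_OFF, HLEN_OFF = 28, 2           # offsets inside the BOOTP/DHCP payload

# Constructed sample addresses (not from any real capture).
CLIENT_MAC = bytes.fromhex("0011223344aa")
FORGED_CHADDR = bytes.fromhex("0011223344bb")
UPSTREAM_RELAY_MAC = bytes.fromhex("00aabbccdd01")


def build_dhcp_request(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame carrying a minimal BOOTREQUEST.

    Checksums are left zero; only the fields the relay check reads matter here.
    """
    eth = b"\xff" * 6 + src_mac + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + UDP_HDR + 240, 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4)
    udp = struct.pack("!HHHH", 68, 67, UDP_HDR + 240, 0)
    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops, xid, secs, flags(broadcast),
    # ciaddr/yiaddr/siaddr/giaddr zero, chaddr padded to 16 bytes, sname+file, cookie
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000) + bytes(16)
    bootp += chaddr.ljust(16, b"\x00") + bytes(192) + b"\x63\x82\x53\x63"
    return eth + ip + udp + bootp


def relay_mac_check(frame: bytes) -> str:
    """Apply the check: forward only if chaddr equals the frame's source MAC."""
    src_mac = frame[6:12]
    dhcp = frame[ETH_HDR + IP_HDR + UDP_HDR:]
    hlen = dhcp[HLEN_OFF]
    if hlen == 0 or hlen > 16:          # malformed hardware length: never trust it
        return "discard"
    chaddr = dhcp[CHADDR_OFF:CHADDR_OFF + hlen]
    return "forward" if chaddr == src_mac else "discard"


def demo() -> dict:
    """Three cases: a genuine client, a starvation attempt with a forged chaddr,
    and a frame that already passed through another relay (source MAC rewritten)."""
    return {
        "genuine": relay_mac_check(build_dhcp_request(CLIENT_MAC, CLIENT_MAC)),
        "starvation": relay_mac_check(build_dhcp_request(CLIENT_MAC, FORGED_CHADDR)),
        "already_relayed": relay_mac_check(build_dhcp_request(UPSTREAM_RELAY_MAC, CLIENT_MAC)),
    }


if __name__ == "__main__":
    print(demo())  # {'genuine': 'forward', 'starvation': 'discard', 'already_relayed': 'discard'}
```

The third result is why the check belongs only on the relay agent directly facing the clients: a valid request that reached this relay through another one is dropped.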

Enabling client offline detection

With this feature enabled, the DHCP relay agent considers a DHCP client to be offline when the ARP entry for the client ages out. It then removes the client entry and sends a DHCP-RELEASE message to the DHCP server to release the IP address of the client.
To enable offline detection:

Step                            Command                                      Remarks
1. Enter system view.           system-view                                  N/A
2. Enter interface view.        interface interface-type interface-number    N/A
3. Enable offline detection.    dhcp relay client-detect enable              Disabled by default.

NOTE:

Removing an ARP entry manually does not remove the corresponding client's IP-to-MAC binding. When
the client goes offline, use the undo dhcp relay security command to remove the IP-to-MAC binding
manually.
