Enabling dhcp-request attack protection – H3C Technologies H3C S12500-X Series Switches User Manual

Page 82

Advertising
background image

71

Step Command

Remarks

2.

Enter interface view of a layer 2

Ethernet interface or a layer 2
aggregate interface.

interface interface-type interface-number

N/A

3.

Enable MAC address check.

dhcp snooping check mac-address

By default, MAC address
check is disabled.

Enabling DHCP-REQUEST attack protection

DHCP-REQUEST messages include DHCP lease renewal packets, DHCP-DECLINE packets, and

DHCP-RELEASE packets. This function prevents the unauthorized clients that forge the DHCP-REQUEST
messages from attacking the DHCP server.
Attackers can forge DHCP lease renewal packets to renew leases for legitimate DHCP clients that no

longer need the IP addresses. These forged messages disable the victim DHCP server from releasing the

IP addresses.
Attackers can also forge DHCP-DECLINE or DHCP-RELEASE packets to terminate leases for legitimate
DHCP clients that still need the IP addresses.
To prevent such attacks, you can enable DHCP-REQUEST check. This feature uses DHCP snooping entries

to check incoming DHCP-REQUEST messages. If a matching entry is found for a message, this feature

compares the entry with the message information. If they are consistent, the message is considered as
valid and forwarded to the DHCP server. If they are different, the message is considered as a forged

message and is discarded. If no matching entry is found, the message is considered valid and forwarded

to the DHCP server.
To enable DHCP-REQUEST check:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enter interface view of a layer

2 Ethernet interface or a layer

2 aggregate interface.

interface interface-type
interface-number

N/A

3.

Enable DHCP-REQUEST check. dhcp snooping check

request-message

By default, DHCP-REQUEST
check is disabled.
You can enable DHCP-REQUEST
check only on Layer 2 Ethernet

interfaces and Layer 2 aggregate

interfaces.

Setting the maximum number of DHCP snooping
entries

Perform this task to prevent the system resources from being overused.
To set the maximum number of DHCP snooping entries:

Advertising
This manual is related to the following products:

H3C S9800 Series Switches, H3C S6800 Series Switches, H3C S3100V2 Series Switches

Popular Brands
Popular manuals