4 dhcp packet rate limit configuration, Introduction to dhcp packet rate limit, Dhcp packet rate limit configuration – H3C Technologies H3C S3100 Series Switches User Manual

Page 549


4 DHCP Packet Rate Limit Configuration

The contents of this chapter are only applicable to the S3100-EI series among S3100 series switches.

Introduction to DHCP Packet Rate Limit

To prevent ARP attacks and attacks from unauthorized DHCP servers, ARP packets and DHCP packets are processed by the switch CPU for validity checking. However, if attackers generate a large number of ARP packets or DHCP packets, the switch CPU is put under an extremely heavy load. As a result, the switch cannot work normally and may even go down.

S3100-EI series Ethernet switches support ARP and DHCP packet rate limit on a port and shut down the port under attack to prevent a hazardous impact on the device CPU. For details about ARP packet rate limit, refer to ARP Operation in this manual. The following describes only the DHCP packet rate limit function.

After DHCP packet rate limit is enabled on an Ethernet port, the switch counts the number of DHCP packets received on this port per second. If the number of DHCP packets received per second exceeds the specified value, packets are passing through the port at an over-high rate, which implies an attack on the port. In this case, the switch shuts down the port so that it cannot receive any packet, thus protecting the switch from the attack.

In addition, the switch supports port state auto-recovery. After a port is shut down due to an over-high packet rate, it resumes automatically after a configurable period of time.

When both the port state auto-recovery interval for over-high ARP packet rate and the port state auto-recovery interval for over-high DHCP packet rate are configured on a port, the shorter one is used as the auto-recovery time.
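The following simulation is added here to illustrate the behaviour described above; it is not H3C code and does not use the switch's CLI (the configuration commands are not shown on this page). It models a per-port per-second DHCP packet counter, the shutdown that triggers when the count exceeds the configured limit, and the auto-recovery that uses the shorter of the two configured intervals. The rate limit and interval values in the sample traffic are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


def effective_recovery(dhcp_interval: Optional[int], arp_interval: Optional[int]) -> Optional[int]:
    """Auto-recovery time for a port: when both the ARP and the DHCP interval are
    configured, the shorter one applies; None means the port stays down."""
    configured = [i for i in (dhcp_interval, arp_interval) if i is not None]
    return min(configured) if configured else None


@dataclass
class Port:
    dhcp_rate_limit: int                  # DHCP packets per second allowed before shutdown
    dhcp_recovery: Optional[int] = None   # auto-recovery interval (s) for over-high DHCP rate
    arp_recovery: Optional[int] = None    # auto-recovery interval (s) for over-high ARP rate
    shut_down: bool = False
    events: List[str] = field(default_factory=list)
    _bucket: int = -1                     # the wall-clock second currently being counted
    _count: int = 0                       # DHCP packets seen in that second
    _recover_at: Optional[float] = None

    def receive_dhcp(self, now: float) -> bool:
        """Process one DHCP packet arriving at time `now`; True if the port accepts it."""
        if self.shut_down and self._recover_at is not None and now >= self._recover_at:
            self.shut_down, self._recover_at = False, None
            self.events.append(f"{now:.3f}s port auto-recovered")
        if self.shut_down:
            return False                  # a shut-down port receives no packets at all
        second = int(now)
        if second != self._bucket:        # new second: restart the per-second count
            self._bucket, self._count = second, 0
        self._count += 1
        if self._count > self.dhcp_rate_limit:
            self.shut_down = True
            interval = effective_recovery(self.dhcp_recovery, self.arp_recovery)
            self._recover_at = None if interval is None else now + interval
            self.events.append(f"{now:.3f}s {self._count} pkt/s > {self.dhcp_rate_limit}: port shut down")
            return False
        return True


def simulate(port: Port, arrivals: List[float]) -> dict:
    """Feed DHCP packet timestamps (seconds) through the port model."""
    accepted = sum(port.receive_dhcp(t) for t in arrivals)
    return {"accepted": accepted, "dropped": len(arrivals) - accepted, "events": port.events}


if __name__ == "__main__":
    # Constructed traffic: a 100-packet burst in the first half second, then two stragglers.
    burst = [i * 0.005 for i in range(100)] + [5.0, 15.0]
    print(simulate(Port(dhcp_rate_limit=50, dhcp_recovery=30, arp_recovery=10), burst))
```

With the limit at 50, the 51st packet of the burst shuts the port, the packet at 5 s is refused, and the packet at 15 s arrives after the 10 s (shorter) interval and is accepted again.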
