Enabling Dhcp-Request Message Attack Protection; Configuring Dhcp Packet Rate Limit - HP A5120 EI Series Configuration Manual

NOTE: You can enable MAC address check only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.

Enabling DHCP-REQUEST message attack protection
Attackers may forge DHCP-REQUEST messages to renew the IP address leases for legitimate DHCP clients that no longer need the IP addresses. These forged messages keep a victim DHCP server renewing the leases of IP addresses instead of releasing the IP addresses. This wastes IP address resources.

To prevent such attacks, you can enable DHCP-REQUEST message check on DHCP snooping devices. With this feature enabled, upon receiving a DHCP-REQUEST message, a DHCP snooping switch looks up local DHCP snooping entries for the corresponding entry of the message. If an entry is found, the DHCP snooping switch compares the entry with the message information. If they are consistent, the DHCP-REQUEST message is considered a valid lease renewal request and forwarded to the DHCP server. If they are not consistent, the message is considered a forged lease renewal request and discarded. If no corresponding entry is found locally, the message is considered valid and forwarded to the DHCP server.
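As an added illustration (not code from the HP manual), the following Python models the lookup-and-compare decision described above against a constructed DHCP snooping table. The exact fields the switch compares are not listed in the manual; the set used here (client MAC as the lookup key, requested IP, VLAN and ingress interface) is an assumption.

```python
from dataclasses import dataclass
from typing import Dict

FORWARD, DISCARD = "forward", "discard"

@dataclass(frozen=True)
class SnoopingEntry:
    """Binding the switch recorded when the client obtained its lease."""
    ip: str
    vlan: int
    interface: str

@dataclass(frozen=True)
class DhcpRequest:
    """Fields of a DHCP-REQUEST used by the check (assumed set, see lead-in)."""
    client_mac: str        # chaddr
    requested_ip: str      # ciaddr in a lease-renewal request
    vlan: int
    ingress_interface: str

def check_request(msg: DhcpRequest, table: Dict[str, SnoopingEntry]) -> str:
    """Entry found and consistent -> forward; found but inconsistent -> discard;
    no local entry -> forward (the manual says such a message is treated as valid)."""
    entry = table.get(msg.client_mac)
    if entry is None:
        return FORWARD
    consistent = (entry.ip == msg.requested_ip
                  and entry.vlan == msg.vlan
                  and entry.interface == msg.ingress_interface)
    return FORWARD if consistent else DISCARD

# Constructed snooping table: one legitimate client on GE1/0/1 in VLAN 10.
SNOOPING_TABLE = {
    "00aa-bbcc-dd01": SnoopingEntry(ip="192.0.2.10", vlan=10, interface="GE1/0/1"),
}

def run_demo() -> Dict[str, str]:
    """Three constructed renewals: the genuine client, a forged renewal for that
    client arriving on a different port, and a client with no local entry."""
    cases = {
        "genuine": DhcpRequest("00aa-bbcc-dd01", "192.0.2.10", 10, "GE1/0/1"),
        "forged": DhcpRequest("00aa-bbcc-dd01", "192.0.2.10", 10, "GE1/0/7"),
        "unknown": DhcpRequest("00aa-bbcc-dd02", "192.0.2.20", 10, "GE1/0/2"),
    }
    return {name: check_request(msg, SNOOPING_TABLE) for name, msg in cases.items()}

if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The "unknown" case shows the caveat in the text: a request with no local snooping entry is forwarded, so the check only protects bindings the switch has already learned.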
Follow these steps to enable DHCP-REQUEST message check:

To do...                            Use the command...                           Remarks
Enter system view                   system-view                                  -
Enter interface view                interface interface-type interface-number    -
Enable DHCP-REQUEST message check   dhcp-snooping check request-message          Required. Disabled by default.

NOTE: You can enable DHCP-REQUEST message check only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.

Configuring DHCP packet rate limit

To identify DHCP packets from unauthorized DHCP servers, DHCP snooping delivers all incoming DHCP packets to the CPU. If a malicious user sends a large number of DHCP requests to the DHCP snooping switch, the CPU of the device will be overloaded, and the device may even crash. To solve this problem, you can configure DHCP packet rate limit on relevant interfaces.

Follow these steps to configure DHCP packet rate limit:

To do...                            Use the command...                           Remarks
Enter system view                   system-view                                  -
Enter interface view                interface interface-type interface-number    -
