Enabling DHCP-REQUEST Message Attack Protection; Displaying and Maintaining DHCP Snooping - HP 6125G Configuration Manual

Layer 3 - IP Services Configuration Guide

Enabling DHCP-REQUEST message attack protection

Attackers may forge DHCP-REQUEST messages to renew the IP address leases for legitimate DHCP clients that no longer need the IP addresses. These forged messages keep a victim DHCP server renewing the leases of IP addresses instead of releasing the IP addresses. This wastes IP address resources.

To prevent such attacks, you can enable DHCP-REQUEST message check on DHCP snooping devices. With this feature enabled, upon receiving a DHCP-REQUEST message, a DHCP snooping device looks up local DHCP snooping entries for the entry that corresponds to the message. If an entry is found, the DHCP snooping device compares the entry with the message information. If they are consistent, the DHCP-REQUEST message is considered a valid lease renewal request and forwarded to the DHCP server. If they are not consistent, the message is considered a forged lease renewal request and discarded. If no corresponding entry is found, the message is considered valid and forwarded to the DHCP server.

Enable DHCP-REQUEST message check only on Layer 2 Ethernet ports and Layer 2 aggregate interfaces.
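
The following Python sketch is an added example, not code from the HP manual or the switch software. It models the check described above on a raw DHCP payload. The lookup key (the client IP address in ciaddr) and the compared fields (client MAC and ingress port) are assumptions, because the manual does not list them, and all addresses and port names are constructed.

```python
import ipaddress
import struct

DHCPREQUEST = 3                      # value of option 53 for DHCP-REQUEST
MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie at offset 236

def parse_dhcp(msg):
    """Return (message_type, ciaddr, client_mac) from a raw DHCP payload."""
    if len(msg) < 240 or msg[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    ciaddr = str(ipaddress.IPv4Address(msg[12:16]))
    mac = msg[28:28 + min(msg[2], 16)].hex(":")
    msg_type, i = None, 240
    while i + 1 < len(msg) and msg[i] != 255:   # 255 = end option
        if msg[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        if code == 53 and length == 1 and i + 2 < len(msg):
            msg_type = msg[i + 2]
        i += 2 + length
    return msg_type, ciaddr, mac

def check_request(msg, in_port, bindings):
    """Model of the check. bindings maps IP -> (client MAC, port); assumed layout."""
    msg_type, ciaddr, mac = parse_dhcp(msg)
    if msg_type != DHCPREQUEST:
        return "forward"             # other message types are outside this check
    entry = bindings.get(ciaddr)     # assumption: entries are looked up by ciaddr
    if entry is None:
        return "forward"             # no entry: treated as valid, per the manual
    # assumption: "consistent" means same client MAC and same ingress port
    return "forward" if entry == (mac, in_port) else "discard"

def sample_request(ciaddr, mac):
    """Constructed sample: minimal DHCP-REQUEST payload in lease-renewal form."""
    msg = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0)
    msg += ipaddress.IPv4Address(ciaddr).packed + bytes(12)   # ciaddr, then yiaddr/siaddr/giaddr
    msg += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0") + bytes(192)
    return msg + MAGIC + bytes([53, 1, DHCPREQUEST, 255])

# Constructed snooping table: one legitimate client on one port.
BINDINGS = {"192.0.2.10": ("00:11:22:33:44:55", "GigabitEthernet1/0/1")}

if __name__ == "__main__":
    for ip, mac, port in [("192.0.2.10", "00:11:22:33:44:55", "GigabitEthernet1/0/1"),
                          ("192.0.2.10", "66:77:88:99:aa:bb", "GigabitEthernet1/0/2"),
                          ("192.0.2.99", "66:77:88:99:aa:bb", "GigabitEthernet1/0/2")]:
        print(ip, mac, port, check_request(sample_request(ip, mac), port, BINDINGS))
```

The third case in the demo is the one to keep in mind when reviewing coverage: a renewal for an address with no snooping entry is forwarded without comparison, exactly as the text above states.
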
To enable DHCP-REQUEST message check:

Step: 1. Enter system view.
Command: system-view
Remarks: N/A

Step: 2. Enter interface view.
Command: interface interface-type interface-number
Remarks: N/A

Step: 3. Enable DHCP-REQUEST message check.
Command: dhcp-snooping check request-message
Remarks: Disabled by default

Displaying and maintaining DHCP snooping

Task: Display DHCP snooping entries.
Command: display dhcp-snooping [ ip ip-address ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Task: Display Option 82 configuration information on the DHCP snooping device.
Command: display dhcp-snooping information { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Task: Display DHCP packet statistics on the DHCP snooping device.
Command: display dhcp-snooping packet statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Task: Display information about trusted ports.
Command: display dhcp-snooping trust [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Task: Display the DHCP snooping entry file information.
Command: display dhcp-snooping binding database [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Task: Clear DHCP snooping entries.
Command: reset dhcp-snooping { all | ip ip-address }
Remarks: Available in user view

This manual is also suitable for:

6125 blade switch series