| To do... | Use the command... | Remarks |
|---|---|---|
| Specify the name of the file for storing DHCP snooping entries | dhcp-snooping binding database filename filename | Required. Not specified by default. DHCP snooping entries are stored immediately after this command is used and then updated at the interval set by the dhcp-snooping binding database update interval command. |
| Back up DHCP snooping entries to the file | dhcp-snooping binding database update now | Optional. DHCP snooping entries will be stored to the file each time this command is used. |
| Set the interval at which the DHCP snooping entry file is refreshed | dhcp-snooping binding database update interval minutes | Optional. By default, the file is not refreshed periodically. |

NOTE:
After DHCP snooping is disabled with the undo dhcp-snooping command, the switch will delete all DHCP snooping entries, including those stored in the file.

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server may also fail to work because of exhaustion of system resources. You can protect against starvation attacks in the following ways:

- To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can limit the number of MAC addresses that a Layer 2 port can learn.
- To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, enable MAC address check on the DHCP snooping switch. With this function enabled, the DHCP snooping switch compares the chaddr field of a received DHCP request with the source MAC address field of the frame. If they are the same, the request is considered valid and forwarded to the DHCP server; if not, the request is discarded.

Follow these steps to enable MAC address check:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter interface view | interface interface-type interface-number | — |
| Enable MAC address check | dhcp-snooping check mac-address | Required. Disabled by default. |
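
The MAC address check described in this section, as an added Python sketch (not the switch's own code and not part of this manual): it parses a raw Ethernet frame, locates the BOOTP chaddr field, and compares it with the frame's source MAC address. The names build_request and mac_check are hypothetical, the sample frames are constructed, and discarding truncated or non-Ethernet requests is an assumption.

```python
import struct

def build_request(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed sample: Ethernet/IPv4/UDP/BOOTP request, checksums left 0."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, 0x1234, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4), chaddr)
    bootp += bytes(192) + b"\x63\x82\x53\x63"   # sname, file, magic cookie
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip

def mac_check(frame: bytes) -> str:
    """Return 'forward', 'discard', or 'ignore' (not a DHCP client request)."""
    if len(frame) < 14:
        return "ignore"
    src_mac, off = frame[6:12], 12
    if frame[off:off + 2] == b"\x81\x00":       # skip one 802.1Q VLAN tag
        off += 4
    if frame[off:off + 2] != b"\x08\x00":       # IPv4 only
        return "ignore"
    ip = off + 2
    if len(frame) < ip + 20 or frame[ip + 9] != 17:   # protocol 17 = UDP
        return "ignore"
    udp = ip + (frame[ip] & 0x0F) * 4           # honour the IP header length
    if frame[udp + 2:udp + 4] != b"\x00\x43":   # destination port 67
        return "ignore"
    bootp = udp + 8
    if len(frame) < bootp + 44:                 # chaddr ends at BOOTP offset 44
        return "discard"                        # assumption: fail closed
    op, htype, hlen = frame[bootp:bootp + 3]
    if op != 1:                                 # only BOOTREQUEST is checked
        return "ignore"
    if htype != 1 or hlen != 6:                 # assumption: Ethernet clients only
        return "discard"
    chaddr = frame[bootp + 28:bootp + 34]       # first hlen bytes of chaddr
    return "forward" if chaddr == src_mac else "discard"

if __name__ == "__main__":
    port_mac = bytes.fromhex("020000000001")    # constructed addresses
    print(mac_check(build_request(port_mac, port_mac)))
    forged = [bytes.fromhex("0200000001%02x" % i) for i in range(5)]
    print([mac_check(build_request(port_mac, c)) for c in forged])
```

A request whose source MAC and chaddr are changed together passes this comparison, which is why the section pairs it with a limit on the number of MAC addresses a Layer 2 port can learn.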