To prevent such attacks, you can enable DHCP-REQUEST message check on DHCP snooping devices.
This feature uses DHCP snooping entries to check incoming DHCP-REQUEST messages.
• If a matching entry is found for a message, the DHCP snooping device compares the entry with the message information. If they are consistent, the DHCP-REQUEST message is considered a valid lease renewal request and forwarded to the DHCP server. If they are not consistent, the message is considered a forged lease renewal request and discarded.
• If no matching entry is found, the message is considered valid and forwarded to the DHCP server.
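The decision logic described above, modeled as an added example (not vendor code or device firmware). The guide does not say which fields are compared, so the lookup by client IP and the comparison on MAC, VLAN and ingress port are assumptions; all addresses and interface names are constructed.

```python
# Added example: a model of the check, not device firmware or vendor code.
from dataclasses import dataclass

@dataclass(frozen=True)
class SnoopingEntry:
    mac: str
    vlan: int
    port: str

@dataclass(frozen=True)
class DhcpRequest:
    ciaddr: str  # client IP address the message asks to renew
    chaddr: str  # client hardware (MAC) address
    vlan: int
    port: str    # interface the message arrived on

FORWARD_VALID = "forward (valid lease renewal)"
FORWARD_NO_ENTRY = "forward (no matching entry)"
DISCARD_FORGED = "discard (forged lease renewal)"

def check_request(entries, req):
    """Return the verdict for one incoming DHCP-REQUEST."""
    # Assumption: entries are looked up by client IP and compared on
    # MAC, VLAN and port; the guide only says "message information".
    entry = entries.get(req.ciaddr)
    if entry is None:
        return FORWARD_NO_ENTRY
    consistent = (entry.mac.lower() == req.chaddr.lower()
                  and entry.vlan == req.vlan
                  and entry.port == req.port)
    return FORWARD_VALID if consistent else DISCARD_FORGED

# Constructed sample data (documentation address range, made-up MACs).
ENTRIES = {
    "192.0.2.10": SnoopingEntry("0011-2233-4455", 10, "GigabitEthernet1/0/1"),
}
REQUESTS = [
    DhcpRequest("192.0.2.10", "0011-2233-4455", 10, "GigabitEthernet1/0/1"),
    DhcpRequest("192.0.2.10", "00aa-bbcc-ddee", 10, "GigabitEthernet1/0/2"),
    DhcpRequest("192.0.2.99", "00aa-bbcc-ddee", 10, "GigabitEthernet1/0/2"),
]

def run_samples():
    return [check_request(ENTRIES, r) for r in REQUESTS]

if __name__ == "__main__":
    for req, verdict in zip(REQUESTS, run_samples()):
        print(f"{req.ciaddr:<12} {req.chaddr} {req.port:<22} -> {verdict}")
```

The third sample is forwarded because no entry exists for that address, so the check only protects leases the snooping device has already recorded.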
To enable DHCP-REQUEST message check:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A

Step 3. Enable DHCP-REQUEST check.
  Command: dhcp-snooping check request-message
  Remarks: Disabled by default. You can enable DHCP-REQUEST check only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.

Displaying and maintaining DHCP snooping

Task: Display DHCP snooping entries.
  Command: display dhcp-snooping [ ip ip-address ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

Task: Display Option 82 configuration information on the DHCP snooping device.
  Command: display dhcp-snooping information { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

Task: Display DHCP packet statistics on the DHCP snooping device.
  Command: display dhcp-snooping packet statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

Task: Display information about trusted ports.
  Command: display dhcp-snooping trust [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

Task: Display the information about DHCP snooping entry file.
  Command: display dhcp-snooping binding database [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

Task: Clear DHCP snooping entries.
  Command: reset dhcp-snooping { all | ip ip-address }
  Remarks: Available in user view.

Task: Clear DHCP packet statistics on the DHCP snooping device.
  Command: reset dhcp-snooping packet statistics [ slot slot-number ]
  Remarks: Available in user view.