To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, enable MAC address check on the DHCP relay agent. With this function enabled, the DHCP relay agent compares the chaddr field of a received DHCP request with the source MAC address field of the frame. If they are the same, the DHCP relay agent considers the request valid and forwards it to the DHCP server. If not, it discards the DHCP request.
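The comparison described above, written out as an added Python example (not code from the configuration guide or from the switch): it parses constructed Ethernet/IPv4/UDP/BOOTP frames, compares chaddr with the frame's source MAC, and counts how a batch of requests would be forwarded or discarded. The frame layout, builder and sample MAC addresses are assumptions for illustration.

```python
import struct

# Assumed layout for the example (Ethernet / IPv4 without options / UDP / BOOTP);
# the relay's real parser is vendor code and is not shown in the guide.
ETH_HDR = struct.Struct("!6s6sH")                    # dst MAC, src MAC, ethertype
BOOTP_FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s")   # op .. chaddr (44 bytes)
UDP_HDR_LEN = 8

def relay_mac_check(frame: bytes) -> bool:
    """MAC address check: forward only if chaddr equals the frame's source MAC."""
    _dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0800:                          # not IPv4: nothing to check
        return False
    ihl = (frame[ETH_HDR.size] & 0x0F) * 4           # IPv4 header length from IHL
    bootp_off = ETH_HDR.size + ihl + UDP_HDR_LEN
    op, htype, hlen, *_rest, chaddr = BOOTP_FIXED.unpack_from(frame, bootp_off)
    if op != 1 or htype != 1 or hlen != 6:           # only Ethernet BOOTREQUESTs
        return False
    return chaddr[:hlen] == eth_src                  # mismatch => discard

def build_dhcp_discover(eth_src: bytes, chaddr: bytes) -> bytes:
    """Constructed sample DHCPDISCOVER frame (test input, not captured traffic)."""
    bootp = BOOTP_FIXED.pack(1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                             b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                             chaddr.ljust(16, b"\0"))
    bootp += b"\0" * 64 + b"\0" * 128                # sname, file
    bootp += b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"   # magic cookie, type=DISCOVER, end
    udp = struct.pack("!HHHH", 68, 67, UDP_HDR_LEN + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp),
                     0, 0, 64, 17, 0, b"\0" * 4, b"\xff" * 4)
    return ETH_HDR.pack(b"\xff" * 6, eth_src, 0x0800) + ip + udp + bootp

def relay_filter(frames):
    """Return (forwarded, discarded) counts as the relay agent would produce them."""
    forwarded = sum(1 for f in frames if relay_mac_check(f))
    return forwarded, len(frames) - forwarded

if __name__ == "__main__":
    client = bytes.fromhex("001122334455")           # constructed client MAC
    honest = build_dhcp_discover(client, client)
    # The starvation pattern from the text: one source MAC, many different chaddr values
    flood = [build_dhcp_discover(client, bytes.fromhex("0a0b0c0d0e%02x" % i)) for i in range(5)]
    print(relay_filter([honest] + flood))            # (1, 5)
```

Because an upstream relay rewrites the source MAC (see the note below), this check only gives the right answer on the relay directly connected to the clients.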
To enable MAC address check:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 3. Enable MAC address check.
    Command: dhcp relay check mac-address
    Remarks: Disabled by default

NOTE:
DHCP relay agents change the source MAC addresses when forwarding DHCP packets. Therefore, you can enable MAC address check only on a DHCP relay agent directly connected to DHCP clients. Otherwise, valid DHCP packets may be discarded and clients cannot obtain IP addresses.

Enabling offline detection

The DHCP relay agent checks whether a user is online by monitoring the client's ARP entry. When an ARP entry is aged out, the corresponding client is considered to be offline.

With this function enabled on an interface, the DHCP relay agent removes a client's IP-to-MAC entry when it is aged out, and sends a DHCP-RELEASE message to the DHCP server to release the IP address of the client. Removing an ARP entry manually does not remove the corresponding client's IP-to-MAC binding. When the client goes offline, use the undo dhcp relay security command to remove the IP-to-MAC binding manually.

To enable offline detection:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 3. Enable offline detection.
    Command: dhcp relay client-detect enable
    Remarks: Disabled by default

Configuring the DHCP relay agent to release an IP address

You can configure the relay agent to release a client's IP address. The relay agent sends a DHCP-RELEASE message that contains the IP address. Upon receiving the DHCP-RELEASE message, the DHCP server releases the IP address. Meanwhile, the client entry is removed from the DHCP relay agent. Dynamic client entries can be generated after you enable address check or IP source guard on the DHCP relay agent. For more information about IP source guard, see Security Configuration Guide.