Enabling DHCP-REQUEST Message Attack Protection; Configuring DHCP Packet Rate Limit - HP A7500 Series Configuration Manual

Layer 3 - ip services

| To do... | Use the command... | Remarks |
| --- | --- | --- |
| Enter interface view | interface interface-type interface-number | |
| Enable MAC address check | dhcp-snooping check mac-address | Required. Disabled by default. |

NOTE:
You can enable MAC address check only on Layer 2 Ethernet ports and Layer 2 aggregate interfaces.

Enabling DHCP-REQUEST message attack protection

Attackers may forge DHCP-REQUEST messages to renew the IP address leases for legitimate DHCP clients that no longer need the IP addresses. These forged messages keep a victim DHCP server renewing the leases of IP addresses instead of releasing the IP addresses. This wastes IP address resources.

To prevent such attacks, you can enable DHCP-REQUEST message check on DHCP snooping devices. With this feature enabled, upon receiving a DHCP-REQUEST message, a DHCP snooping device looks up local DHCP snooping entries for the corresponding entry of the message. If an entry is found, the DHCP snooping device compares the entry with the message information. If they are consistent, the DHCP-REQUEST message is considered a valid lease renewal request and forwarded to the DHCP server. If they are not consistent, the message is considered a forged lease renewal request and discarded. If no corresponding entry is found, the message is considered valid and forwarded to the DHCP server.

Follow these steps to enable DHCP-REQUEST message check:

| To do... | Use the command... | Remarks |
| --- | --- | --- |
| Enter system view | system-view | |
| Enter interface view | interface interface-type interface-number | |
| Enable DHCP-REQUEST message check | dhcp-snooping check request-message | Required. Disabled by default. |

NOTE:
You can enable DHCP-REQUEST message check only on Layer 2 Ethernet ports and Layer 2 aggregate interfaces.

Configuring DHCP packet rate limit

Configuration guidelines
You can configure DHCP packet rate limit only on Layer 2 Ethernet ports and Layer 2 aggregate interfaces.
If a Layer 2 Ethernet port belongs to an aggregation group, it uses the DHCP packet maximum rate configured on the corresponding Layer 2 aggregate interface.
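The forward/discard decision of the DHCP-REQUEST message check, modelled in Python as an added example; it is not HP or Comware code. The manual does not say which fields are compared, so the lookup by client IP and the comparison of client MAC, VLAN and ingress port are assumptions, as are all function names and sample values.

```python
# Added illustration of the DHCP-REQUEST message check; names and field choices are assumptions.
import ipaddress
import struct
from typing import NamedTuple

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header

class Binding(NamedTuple):   # one snooping entry; this field set is an assumption
    mac: str
    vlan: int
    port: str

def parse_request(pkt: bytes):
    """Return (client_ip, client_mac) for a DHCP-REQUEST payload, else None."""
    if len(pkt) < 241 or pkt[0] != 1 or pkt[236:240] != MAGIC:
        return None
    msg_type, requested, i = None, None, 240
    while i + 1 < len(pkt) and pkt[i] != 255:      # walk options up to End (255)
        if pkt[i] == 0:                            # Pad option has no length byte
            i += 1
            continue
        code, val = pkt[i], pkt[i + 2:i + 2 + pkt[i + 1]]
        if len(val) != pkt[i + 1]:
            return None                            # truncated option
        if code == 53 and len(val) == 1:           # option 53: DHCP message type
            msg_type = val[0]
        elif code == 50 and len(val) == 4:         # option 50: requested IP address
            requested = val
        i += 2 + len(val)
    ip = pkt[12:16] if pkt[12:16] != bytes(4) else requested  # renewals set ciaddr
    if msg_type != 3 or ip is None:                # 3 = DHCPREQUEST
        return None
    return str(ipaddress.IPv4Address(ip)), pkt[28:34].hex(":")

def check_request(table: dict, pkt: bytes, vlan: int, port: str) -> str:
    """Forward on match or when no entry exists, drop on mismatch (as the manual states)."""
    parsed = parse_request(pkt)
    if parsed is None:
        return "n/a"                     # not a DHCP-REQUEST: this check does not apply
    entry = table.get(parsed[0])         # assumption: entries are looked up by client IP
    if entry is None or entry == Binding(parsed[1], vlan, port):
        return "forward"
    return "drop"                        # fields disagree with the entry: forged renewal

def sample_request(mac: str, ciaddr: str) -> bytes:
    """Constructed renewal DHCP-REQUEST (sample input, not a capture)."""
    hdr = struct.pack("!4BI2H4s12x16s192x", 1, 1, 6, 0, 0x1234, 0, 0,
                      ipaddress.IPv4Address(ciaddr).packed, bytes.fromhex(mac.replace(":", "")))
    return hdr + MAGIC + b"\x35\x01\x03\xff"
```

Because a DHCP-REQUEST with no matching snooping entry is forwarded, the check only protects leases that the snooping device has already recorded.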
