Configuring DHCP Flood Attack Protection - HPE FlexNetwork 10500 Series Configuration Manual

Layer 3-ip services

The MAC address of the DHCP relay interface.
The relay agent maintains the relay entries depending on what it receives from the DHCP server:
- If the server returns a DHCP-ACK message or does not return any message within an interval, the DHCP relay agent removes the relay entry. In addition, upon receiving the DHCP-ACK message, the relay agent sends a DHCP-RELEASE message to release the IP address.
- If the server returns a DHCP-NAK message, the relay agent keeps the relay entry.
To enable periodic refresh of dynamic relay entries:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable periodic refresh of dynamic relay entries.
   Command: dhcp relay client-information refresh enable
   Remarks: By default, periodic refresh of dynamic relay entries is enabled.
3. Set the refresh interval.
   Command: dhcp relay client-information refresh [ auto | interval interval ]
   Remarks: By default, the refresh interval is auto, which is calculated based on the number of total relay entries.

Configuring DHCP flood attack protection

The DHCP flood attack protection enables the DHCP relay agent to detect DHCP flood attacks according to the DHCP packet rate threshold on a per-MAC basis.

When the DHCP relay agent receives a DHCP packet from a client (MAC address), it creates a DHCP flood attack entry in check state. If the number of DHCP packets from the same MAC address reaches the upper limit in the detection duration, the relay agent determines that the client is launching a DHCP flood attack. The DHCP flood attack entry changes to the restrain state, and the DHCP relay agent discards the DHCP packets from that client. When the aging time of the entry is reached, the DHCP relay agent deletes the entry. If a DHCP packet from the MAC address arrives later, the DHCP relay agent will create a flood attack entry and count the number of incoming DHCP packets for that client again.

Enable DHCP flood attack protection on the VSIs mapped to the Ethernet service instances on the VXLAN site-facing interfaces. For more information about the site-facing interface module requirements, see "Configuring VXLAN IP gateways."

To configure DHCP flood attack protection in a VXLAN network:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. (Optional) Set the DHCP packet rate threshold for DHCP flood attack detection.
   Command: dhcp flood-protection threshold packet-number milliseconds
   Remarks: By default, the device allows a maximum of 6 DHCP packets per 5000 milliseconds from each DHCP client.
3. (Optional) Set the DHCP flood attack entry aging time.
   Command: dhcp flood-protection aging-time time
   Remarks: The default setting is 300 seconds.
4. Enter VSI view.
   Command: vsi vsi-name
   Remarks: N/A
5. Enable DHCP flood attack protection.
   Command: dhcp flood-protection enable
   Remarks: By default, DHCP flood attack protection is disabled.
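
The flood attack entry lifecycle described above (check state, restrain state, aging), as a small Python model for reasoning about threshold and aging-time settings. This is an added example, not HPE code or device output: the defaults are the manual's (6 packets per 5000 ms, 300 s aging), while restarting the detection window in check state, measuring aging from entry creation, forwarding the packet that reaches the limit, and the sample MAC addresses are assumptions the manual does not specify.

```python
from dataclasses import dataclass

CHECK, RESTRAIN = "check", "restrain"

@dataclass
class FloodEntry:
    created_ms: int        # aging is measured from entry creation (assumption)
    window_start_ms: int   # start of the current detection window
    count: int = 0
    state: str = CHECK

class FloodProtector:
    """Per-MAC model of the check/restrain entry lifecycle described above."""
    def __init__(self, packet_number=6, window_ms=5000, aging_s=300):
        self.packet_number = packet_number
        self.window_ms = window_ms
        self.aging_ms = aging_s * 1000
        self.entries = {}

    def receive(self, mac, now_ms):
        """Return 'forward' or 'drop' for one DHCP packet from mac at now_ms."""
        entry = self.entries.get(mac)
        if entry is not None and now_ms - entry.created_ms >= self.aging_ms:
            del self.entries[mac]          # aged out: counting starts again
            entry = None
        if entry is None:
            entry = self.entries[mac] = FloodEntry(now_ms, now_ms)
        if entry.state == RESTRAIN:
            return "drop"
        if now_ms - entry.window_start_ms >= self.window_ms:
            entry.window_start_ms, entry.count = now_ms, 0  # new window (assumption)
        entry.count += 1
        if entry.count >= self.packet_number:
            entry.state = RESTRAIN         # limit reached: later packets are dropped
        return "forward"

def replay(protector, packets):
    """Replay (mac, time_ms) tuples and return the verdict for each packet."""
    return [protector.receive(mac, t) for mac, t in packets]

# Constructed sample traffic: one client bursting, one well-behaved client.
FLOODER, NORMAL = "00e0-fc00-0001", "00e0-fc00-0002"
SAMPLE = [(FLOODER, t) for t in range(0, 800, 100)]   # 8 packets in 0.8 s
SAMPLE += [(NORMAL, 0), (NORMAL, 4000), (FLOODER, 120_000), (FLOODER, 300_000)]

if __name__ == "__main__":
    fp = FloodProtector()
    for (mac, t), verdict in zip(SAMPLE, replay(fp, SAMPLE)):
        print(f"{t:>7} ms  {mac}  {verdict}")
```

Under these assumptions a restrained client stays blocked until its entry ages out, so the aging time sets how long a misbehaving (or misdetected) client goes without DHCP service.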
