Setting The Maximum Number Of Dhcp Snooping Entries; Configuring A Dhcp Packet Blocking Port - H3C SR8800-F Configuration Manual

Attackers can also forge DHCP-DECLINE or DHCP-RELEASE packets to terminate leases for
legitimate DHCP clients that still need the IP addresses.
To prevent such attacks, you can enable DHCP-REQUEST check. This feature uses DHCP
snooping entries to check incoming DHCP-REQUEST messages.
•
If a matching entry is found for a message, this feature compares the entry with the message
information.
If they are consistent, the message is considered as valid and forwarded to the DHCP
server.
If they are different, the message is considered as a forged message and is discarded.
•
If no matching entry is found, the message is considered valid and forwarded to the DHCP
server.
Procedure
To enable DHCP-REQUEST check:
Step
1. Enter system view.
2. Enter interface view.
3. Enable DHCP-REQUEST
check.
Setting the maximum number of DHCP snooping
entries
Perform this task to prevent the system resources from being overused.
To set the maximum number of DHCP snooping entries:
Step
1. Enter system view.
2. Enter interface view.
3. Set the maximum number of
DHCP snooping entries for
the interface to learn.

Configuring a DHCP packet blocking port

Perform this task to configure a port as a DHCP packet blocking port. This blocking port drops all
incoming DHCP requests.
To configure a DHCP packet blocking port:
Step
1. Enter system view.
2. Enter interface view.
Command
system-view
interface interface-type
interface-number
dhcp snooping check
request-message
Command
system-view
interface interface-type
interface-number
dhcp snooping
max-learning-num max-number
Command
system-view
interface interface-type
interface-number
163
Remarks
N/A
N/A
By default, DHCP-REQUEST
check is disabled.
Remarks
N/A
N/A
By default, the number of DHCP
snooping entries for an interface
to learn is unlimited.
Remarks
N/A
N/A