Chapter 3 Dhcp Packet Rate Limit Configuration; Introduction To Dhcp Packet Rate Limit - H3C S3100-52P Operation Manual

Operation Manual – DHCP
H3C S3100-52P Ethernet Switch

Chapter 3 DHCP Packet Rate Limit Configuration

When configuring the DHCP packet rate limit function, go to these sections for
information you are interested in:

Introduction to DHCP Packet Rate Limit

Configuring DHCP Packet Rate Limit
Rate Limit Configuration Example
3.1 Introduction to DHCP Packet Rate Limit
To prevent ARP attacks and attacks from unauthorized DHCP servers, ARP packets
and DHCP packets will be processed by the switch CPU for validity checking. But, if
attackers generate a large number of ARP packets or DHCP packets, the switch CPU
will be under extremely heavy load. As a result, the switch cannot work normally and
even goes down.
An S3100-52P Ethernet switch supports ARP and DHCP packet rate limit on a port
and shut down the port under attack to prevent hazardous impact on the device CPU.
For details about ARP packet rate limit, refer to ARP Operation in this manual. The
following describes only the DHCP packet rate limit function.
After DHCP packet rate limit is enabled on an Ethernet port, the switch counts the
number of DHCP packets received on this port per second. If the number of DHCP
packets received per second exceeds the specified value, packets are passing the
port at an over-high rate, which implies an attack to the port. In this case, the switch
shuts down this port so that it cannot receive any packet, thus protect the switch from
attacks.
In addition, the switch supports port state auto-recovery. After a port is shut down due
to over-high packet rate, it resumes automatically after a configurable period of time.
Note:
When both port state auto-recovery interval for over-high ARP packet rate and port
state auto-recovery interval for over-high DHCP packet rate are configured on a port,
the shorter one will be the auto-recovery time.
Chapter 3 DHCP Packet Rate Limit Configuration
3-1