HP VPN Firewall Appliances Network Management Configuration Guide

Configuring the DHCP server security functions
Configuration prerequisites
Before you perform this configuration, complete the following configurations on the DHCP server:
1. Enable DHCP.
2. Configure the DHCP address pool.
Enabling unauthorized DHCP server detection
Unauthorized DHCP servers on a network might assign wrong IP addresses to DHCP clients.
With unauthorized DHCP server detection enabled, the DHCP server checks whether a DHCP request
contains Option 54 (Server Identifier Option). If it does, the DHCP server records the IP address carried in
the option, which is the address of the DHCP server that assigned an IP address to the requesting DHCP
client, and also records the receiving interface. The administrator can use this information to check for
unauthorized DHCP servers.
To enable unauthorized DHCP server detection:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable unauthorized DHCP server detection. | dhcp server detect | Disabled by default.
With the unauthorized DHCP server detection enabled, the device logs each detected DHCP server once.
The administrator can use the log information to find unauthorized DHCP servers.
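The check described above, sketched as an added example (not HP's implementation and not part of the original guide): it parses the options field of a DHCP request, extracts Option 54, and produces one log line per server together with the receiving interface. The authorized-server list, the interface names, and the build_request helper with its sample packets are assumptions constructed for illustration.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field
OPT_PAD, OPT_END, OPT_MSG_TYPE, OPT_SERVER_ID = 0, 255, 53, 54

def parse_options(packet: bytes) -> dict:
    """Return {option code: raw value} from a BOOTP/DHCP packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == OPT_PAD:          # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[packet[i]] = value
        i += 2 + length
    return opts

class ServerDetector:
    """Records each server named in Option 54 once, with the receiving interface."""
    def __init__(self, authorized):
        # Assumption: the administrator's list of legitimate DHCP servers.
        self.authorized = {ipaddress.IPv4Address(a) for a in authorized}
        self.seen = {}                    # server IP -> interface of first sighting

    def observe(self, packet: bytes, interface: str):
        opts = parse_options(packet)
        sid = opts.get(OPT_SERVER_ID)
        if opts.get(OPT_MSG_TYPE) != b"\x03" or sid is None or len(sid) != 4:
            return None                   # not a DHCPREQUEST carrying Option 54
        server = ipaddress.IPv4Address(sid)
        if server in self.seen:
            return None                   # each detected server is logged once
        self.seen[server] = interface
        tag = "authorized" if server in self.authorized else "UNAUTHORIZED"
        return f"DHCP server {server} seen on {interface} ({tag})"

def build_request(server_id=None) -> bytes:
    """Constructed sample DHCPREQUEST: 236-byte fixed header, cookie, options."""
    opts = bytes([OPT_MSG_TYPE, 1, 3])
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    return bytes([1, 1, 6, 0]) + bytes(232) + MAGIC_COOKIE + opts + bytes([OPT_END])
```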
Configuring IP address conflict detection
Before assigning an IP address, the DHCP server pings that IP address.
If the server receives a response within the specified period, it selects and pings another IP address.
If it receives no response, the server continues to ping the IP address until a specific number of ping
packets are sent. If still no response is received, the server assigns the IP address to the requesting
client. (The DHCP client probes the IP address by sending gratuitous ARP packets.)
To configure IP address conflict detection:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Specify the maximum number of ping packets to be sent for conflict detection. | dhcp server ping packets number | Optional. The default setting is one. The value 0 disables IP address conflict detection.
3. Configure the ping timeout time. | dhcp server ping timeout milliseconds | Optional. The default setting is 500 ms. The value 0 disables IP address conflict detection.
Enabling client offline detection
With this feature enabled, the DHCP server considers that a DHCP client goes offline when the ARP entry
for the client ages out. In addition, it removes the client's IP-to-MAC binding entry and releases the IP