HP VPN Firewall Appliances Network Management Configuration Guide

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enable periodic refresh of dynamic client entries.
    Command: dhcp relay security refresh enable
    Remarks: Optional. Enabled by default.
Step 3. Configure the refresh interval.
    Command: dhcp relay security tracker { interval | auto }
    Remarks: Optional. The default setting is auto. The auto interval is calculated by the relay agent according to the number of client entries.
Enabling unauthorized DHCP server detection
Unauthorized DHCP servers might assign wrong IP addresses to DHCP clients.
With unauthorized DHCP server detection enabled, the DHCP relay agent checks whether a request contains Option 54 (Server Identifier Option). If it does, the DHCP relay agent records the IP address carried in that option, which identifies the DHCP server that assigned an IP address to the requesting DHCP client, together with the interface on which the request was received. The administrator can use this information to check for unauthorized DHCP servers.
The relay agent logs each DHCP server only once.
To enable unauthorized DHCP server detection:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enable unauthorized DHCP server detection.
    Command: dhcp relay server-detect
    Remarks: Disabled by default.
Enabling DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests with different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address pool of the DHCP server, so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also stop working because its system resources are exhausted. The following methods are available to relieve or prevent such attacks.
- To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can limit the number of ARP entries that a Layer 3 interface can learn or the number of MAC addresses that a Layer 2 port can learn. You can also configure an interface that has learned the maximum number of MAC addresses to discard packets whose source MAC addresses are not in the MAC address table.
- To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, you can enable MAC address check on the DHCP relay agent. The DHCP relay agent compares the chaddr field of a received DHCP request with the source MAC address in the frame header. If they are the same, the DHCP relay agent considers the request valid and forwards it to the DHCP server. If not, it discards the DHCP request.
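The two relay-side checks described on this page, the MAC address check (chaddr against the frame's source MAC) and the Option 54 lookup used by unauthorized server detection, as an added Python example that is not HP's code and does not model the appliance's implementation; the DHCP payloads are constructed inline with a small builder, and the field offsets follow the standard BOOTP/DHCP layout.

```python
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options area
OPT_SERVER_ID = 54                    # Server Identifier Option
OPT_END = 255

def build_dhcp(chaddr: bytes, options: bytes) -> bytes:
    """Constructed DHCP payload for this example: op=1 (BOOTREQUEST), htype=1
    (Ethernet), hlen=6, fixed xid, zeroed addresses, chaddr padded to 16 bytes."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, 0x12345678, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + options + bytes([OPT_END])

def chaddr_matches_source(src_mac: bytes, dhcp: bytes) -> bool:
    """MAC address check: the hardware address in chaddr (offset 28, hlen bytes)
    must equal the source MAC taken from the Ethernet frame header."""
    hlen = dhcp[2]
    return hlen == len(src_mac) and dhcp[28:28 + hlen] == src_mac

def server_identifier(dhcp: bytes):
    """Walk the options area and return Option 54 as an IPv4Address, or None
    when the request carries no Server Identifier (e.g. a DHCPDISCOVER)."""
    if len(dhcp) < 240 or dhcp[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i + 1 < len(dhcp):
        code = dhcp[i]
        if code == OPT_END:
            break
        if code == 0:          # pad option has no length byte
            i += 1
            continue
        length = dhcp[i + 1]
        if code == OPT_SERVER_ID and length == 4:
            return ipaddress.IPv4Address(dhcp[i + 2:i + 6])
        i += 2 + length
    return None

def relay_inspect(src_mac: bytes, dhcp: bytes) -> dict:
    """Relay decision for one request: forward only if the MAC check passes,
    and surface the selected server's address for the server-detect log."""
    return {"forward": chaddr_matches_source(src_mac, dhcp),
            "server_id": server_identifier(dhcp)}
```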
To enable MAC address check:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A