R3303-HP HSR6800 Routers Layer 3 - IP Services Configuration Guide
Configuration guidelines
• Authorized ARP can only be configured on Layer 3 Ethernet interfaces.
• Disabling DHCP relay agent support for authorized ARP deletes the corresponding authorized
ARP entries.
• Because the DHCP relay agent does not notify the authorized ARP module of the static bindings,
you need to configure the corresponding static ARP entries for authorized users that have statically
specified IP addresses.
• For more information about authorized ARP, see Security Configuration Guide. For more
information about the arp authorized enable command, see Security Command Reference.
Configuration procedure
To configure the DHCP relay agent to work with authorized ARP:
Step                                                          Command                                     Remarks
1. Enter system view.                                         system-view                                 N/A
2. Enter interface view.                                      interface interface-type interface-number   N/A
3. Enable the DHCP relay agent to work with authorized ARP.   dhcp update arp                             Not enabled by default.
4. Enable authorized ARP.                                     arp authorized enable                       Not enabled by default.
Enabling unauthorized DHCP server detection
Unauthorized DHCP servers might assign wrong IP addresses to DHCP clients.
With unauthorized DHCP server detection enabled, the DHCP relay agent checks whether a request
contains Option 54 (Server Identifier Option). If it does, the relay agent records the IP address
carried in the option, which is the address of the DHCP server that assigned an IP address to the
requesting DHCP client, and records the receiving interface. The administrator can use this
information to check for unauthorized DHCP servers.
The relay agent logs a DHCP server only once.
To enable unauthorized DHCP server detection:
Step                                             Command                    Remarks
1. Enter system view.                            system-view                N/A
2. Enable unauthorized DHCP server detection.    dhcp relay server-detect   Disabled by default.
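The check described in this section can be reproduced offline against captured DHCP payloads. The following Python is an added example, not code from this guide or from the router software: it extracts Option 54 from a request, records each server once with its receiving interface, and flags servers missing from an allowlist. The allowlist, all function and class names, and the sample addresses and interface names are assumptions constructed for the example.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options
OPT_PAD, OPT_SERVER_ID, OPT_END = 0, 54, 255


def server_identifier(payload):
    """Return the Option 54 address in a DHCP message, or None."""
    # 236-byte fixed BOOTP header, then the 4-byte magic cookie.
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:  # pad has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None  # truncated before the length byte
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None  # option runs past the end of the message
        if payload[i] == OPT_SERVER_ID and length == 4:
            return ipaddress.IPv4Address(value)
        i += 2 + length
    return None


class ServerDetector:
    """Log each server once; 'authorized' is an assumed admin allowlist."""

    def __init__(self, authorized):
        self.authorized = {ipaddress.IPv4Address(a) for a in authorized}
        self.seen = {}  # server address -> interface it was first seen on

    def observe(self, payload, interface):
        server = server_identifier(payload)
        if server is None or server in self.seen:
            return None  # no Option 54, or server already logged
        self.seen[server] = interface
        return (str(server), interface, server in self.authorized)


def constructed_request(server_ip=None):
    """Constructed DHCPREQUEST: zeroed header, Option 53, optional Option 54."""
    opts = b"\x35\x01\x03"
    if server_ip:
        opts += b"\x36\x04" + ipaddress.IPv4Address(server_ip).packed
    return b"\x01" + bytes(235) + MAGIC_COOKIE + opts + b"\xff"
```

A record whose third field is False names a server that is not on the allowlist and the interface behind which it was first seen.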
Enabling DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using
different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of
the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail
to work because of exhaustion of system resources. The following methods are available to relieve or
prevent such attacks.