R3303-HP HSR6800 Routers Layer 3 - IP Services Configuration Guide

To mitigate a DHCP starvation attack that uses DHCP packets with different source MAC addresses,
you can limit the number of ARP entries that a Layer 3 interface can learn or the number of MAC
addresses that a Layer 2 port can learn. You can also configure an interface that has learned the
maximum number of MAC addresses to discard packets whose source MAC addresses are not in the
MAC address table.
To prevent a DHCP starvation attack that uses DHCP requests with the same source MAC address,
you can enable MAC address check on the DHCP relay agent. The DHCP relay agent compares the
chaddr field of a received DHCP request with the source MAC address in the frame header. If they
are the same, the DHCP relay agent considers the request valid and forwards it to the DHCP server.
If not, it discards the DHCP request.
To enable MAC address check:
Step                          | Command                                     | Remarks
1. Enter system view.         | system-view                                 | N/A
2. Enter interface view.      | interface interface-type interface-number   | N/A
3. Enable MAC address check.  | dhcp relay check mac-address                | The default setting is disabled.
A DHCP relay agent changes the source MAC address of DHCP packets before forwarding them.
Therefore, enable MAC address check only on the DHCP relay agent directly connected to the DHCP
clients. If you enable this feature on an intermediate relay agent, it might discard valid DHCP packets,
and the sending clients cannot obtain IP addresses.
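The two relay-side defences described above, the chaddr-versus-source-MAC check and the per-port MAC learning limit, reimplemented in plain Python as an added example. This code is not part of the HP guide and does not model Comware's internal implementation; the DHCP frames, the MAC addresses, and the MacLimitedPort class are constructed here for illustration, and IP/UDP checksums are left at zero because the frames are never sent.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IP_PROTO_UDP = 17
DHCP_SERVER_PORT = 67
ETH_HDR_LEN = 14
UDP_HDR_LEN = 8
# chaddr follows op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
BOOTP_CHADDR_OFFSET = 28

# Constructed sample MAC addresses (locally administered, not real devices).
MAC_A = bytes.fromhex("02aa000000a1")
MAC_B = bytes.fromhex("02aa000000b2")


def build_dhcp_request(src_mac: bytes, chaddr: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/UDP/BOOTP DHCPREQUEST frame.

    src_mac goes in the Ethernet header; chaddr goes in the BOOTP payload, so
    the two can be set independently to exercise the relay check.
    """
    bootp = struct.pack("!BBBB", 1, 1, 6, 0)              # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
    bootp += struct.pack("!IHH", 0x3903F326, 0, 0x8000)   # xid, secs, flags (broadcast bit set)
    bootp += b"\x00" * 16                                 # ciaddr, yiaddr, siaddr, giaddr
    bootp += chaddr.ljust(16, b"\x00")                    # chaddr, 16 bytes, first hlen significant
    bootp += b"\x00" * 192                                # sname + file
    bootp += b"\x63\x82\x53\x63"                          # DHCP magic cookie
    bootp += b"\x35\x01\x03\xff"                          # option 53 = DHCPREQUEST, end option
    udp = struct.pack("!HHHH", 68, DHCP_SERVER_PORT, UDP_HDR_LEN + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IP_PROTO_UDP, 0,
                     bytes(4), b"\xff" * 4) + udp          # 0.0.0.0 -> 255.255.255.255
    return b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip


def relay_mac_check(frame: bytes) -> str:
    """Decision a relay agent with MAC address check enabled makes for one frame.

    Returns 'not-dhcp' for frames the check does not apply to, 'forward' when
    chaddr equals the frame's source MAC, and 'discard' when they differ.
    """
    src_mac = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return "not-dhcp"
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                               # header length in bytes
    if ip[9] != IP_PROTO_UDP:
        return "not-dhcp"
    udp = ip[ihl:]
    if struct.unpack("!H", udp[2:4])[0] != DHCP_SERVER_PORT:
        return "not-dhcp"
    bootp = udp[UDP_HDR_LEN:]
    hlen = bootp[2]                                        # only the first hlen bytes of chaddr count
    chaddr = bootp[BOOTP_CHADDR_OFFSET:BOOTP_CHADDR_OFFSET + hlen]
    return "forward" if chaddr == src_mac else "discard"


class MacLimitedPort:
    """Hypothetical model of a Layer 2 port with a MAC learning limit.

    Once max_entries addresses have been learned, frames whose source MAC is
    not in the table are discarded instead of learning a new entry.
    """

    def __init__(self, max_entries: int) -> None:
        self.max_entries = max_entries
        self.table: set[bytes] = set()

    def ingress(self, frame: bytes) -> str:
        src_mac = frame[6:12]
        if src_mac in self.table:
            return "known"
        if len(self.table) >= self.max_entries:
            return "discard"
        self.table.add(src_mac)
        return "learned"


def demo() -> dict:
    """Run both defences over constructed frames and collect the decisions."""
    honest = build_dhcp_request(MAC_A, MAC_A)        # chaddr matches source MAC
    spoofed = build_dhcp_request(MAC_A, MAC_B)       # same source MAC, forged chaddr
    port = MacLimitedPort(max_entries=2)
    # four requests from four distinct (constructed) source MACs on one port
    flood = [build_dhcp_request(bytes([2, 0, 0, 0, 0, i]), bytes([2, 0, 0, 0, 0, i]))
             for i in range(4)]
    return {
        "honest": relay_mac_check(honest),
        "spoofed": relay_mac_check(spoofed),
        "port_decisions": [port.ingress(f) for f in flood],
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The check only compares the first hlen bytes of chaddr, which is why the helper pads chaddr to the 16-byte BOOTP field. Note that relay_mac_check expects the original client frame: once an upstream relay has rewritten the source MAC, the same logic would discard legitimate requests, which is the caveat the guide gives for intermediate relay agents.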
Enabling client offline detection
With this feature enabled, the DHCP relay agent considers a DHCP client offline when the ARP entry
for the client ages out. It then removes the client entry and sends a DHCP-RELEASE message to the
DHCP server to release the client's IP address.
To enable offline detection:
Step                          | Command                                     | Remarks
1. Enter system view.         | system-view                                 | N/A
2. Enter interface view.      | interface interface-type interface-number   | N/A
3. Enable offline detection.  | dhcp relay client-detect enable             | Disabled by default.
Removing an ARP entry manually does not remove the corresponding client's IP-to-MAC binding. When
the client goes offline, use the undo dhcp relay security command to remove the IP-to-MAC binding
manually.