R3303-HP HSR6800 Routers Layer 3 - IP Services Configuration Guide

Configuring DHCP snooping entries backup
DHCP snooping entries cannot survive a reboot. If the DHCP snooping device is rebooted, security
modules (such as IP source guard) that use DHCP snooping entries to authenticate users reject requests
from clients until new entries are learned.
The DHCP snooping entries backup feature enables you to store DHCP snooping entries in a file. When
the DHCP snooping device reboots, it reads DHCP snooping entries from this file.
To configure DHCP snooping entries backup:
Step / Command / Remarks

1. Enter system view.
   Command: system-view
   Remarks: N/A

2. Specify the name of the file for storing DHCP snooping entries.
   Command: dhcp-snooping binding database filename filename
   Remarks: Not specified by default. DHCP snooping entries are stored immediately after this command is used and then updated at the interval set by the dhcp-snooping binding database update interval command.

3. Back up DHCP snooping entries to the file.
   Command: dhcp-snooping binding database update now
   Remarks: Optional. DHCP snooping entries are stored to the file each time this command is used.

4. Set the interval at which the DHCP snooping entry file is refreshed.
   Command: dhcp-snooping binding database update interval minutes
   Remarks: Optional. By default, the file is not refreshed periodically.
After DHCP snooping is disabled with the undo dhcp-snooping command, the device deletes all DHCP
snooping entries, including those stored in the file.
If you specify a subdirectory in the name of the file that stores DHCP snooping entries, make sure the
subdirectory is available on each MPU. Otherwise, the system fails to create the file on MPUs without the
specified subdirectory. To solve this problem, cancel the current configuration, create the subdirectory,
and specify the file name.
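The following session walks through steps 1 to 4 above in one go, as an added example that is not taken from the original guide. The device name Router, the file path flash:/dhcp-snooping.db and the 10-minute interval are assumed values chosen for illustration; lines beginning with # are annotations, not typed commands.

```text
<Router> system-view
[Router] dhcp-snooping binding database filename flash:/dhcp-snooping.db
# The current entries are written to the file as soon as the filename is
# set; afterwards the file is rewritten only at the interval configured
# below or when an on-demand update is requested.
[Router] dhcp-snooping binding database update interval 10
# Force an immediate write, for example right before a planned reboot, so
# the file reflects the bindings of this moment rather than those of the
# last scheduled update.
[Router] dhcp-snooping binding database update now
```

The path here has no subdirectory, so the file can be created on every MPU without preparation. If you prefer a path such as flash:/dhcp/dhcp-snooping.db, create the dhcp directory on each MPU first, then issue the filename command, as the note above explains. Keep in mind that running undo dhcp-snooping removes the entries in this file as well, so disabling DHCP snooping is not a way to preserve a snapshot.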
Enabling DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using
different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of
the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail
to work because of exhaustion of system resources. You can protect against starvation attacks in the
following ways:
• To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can limit the number of MAC addresses that a Layer 2 port can learn.
• To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, you can enable MAC address check on the DHCP snooping device. With this