R3303-HP HSR6800 Routers Layer 3 - IP Services Configuration Guide
77
function enabled, the DHCP snooping device compares the chaddr field of a received DHCP
request with the source MAC address field of the frame. If they are the same, the request is
considered valid and forwarded to the DHCP server. If not, the request is discarded.
To enable MAC address check:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 3. Enable MAC address check.
    Command: dhcp-snooping check mac-address
    Remarks: Disabled by default. You can enable MAC address check only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.
Enabling DHCP-REQUEST message attack protection
Attackers may forge DHCP-REQUEST messages to renew the IP address leases for legitimate DHCP
clients that no longer need the IP addresses. These forged messages keep a victim DHCP server renewing
the leases of IP addresses instead of releasing the IP addresses. This wastes IP address resources.
To prevent such attacks, you can enable DHCP-REQUEST message check on DHCP snooping devices.
This feature uses DHCP snooping entries to check incoming DHCP-REQUEST messages.
• If a matching entry is found for a message, the DHCP snooping device compares the entry with the
message information. If they are consistent, the DHCP-REQUEST message is considered a valid
lease renewal request and forwarded to the DHCP server. If they are not consistent, the message is
considered a forged lease renewal request and discarded.
• If no matching entry is found, the message is considered valid and forwarded to the DHCP server.
To enable DHCP-REQUEST message check:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 3. Enable DHCP-REQUEST check.
    Command: dhcp-snooping check request-message
    Remarks: Disabled by default. You can enable DHCP-REQUEST check only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.
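The two checks described in this section (MAC address check and DHCP-REQUEST check) expressed as decision logic over a raw DHCP payload and a snooping table. This is an added example, not code from the guide or from the HSR6800 software; the snooping entry fields, the lookup by client MAC, and the fields compared for a lease renewal (IP, VLAN, port) are assumptions, and the sample packets are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SnoopingEntry:
    """One DHCP snooping entry: client MAC, leased IP, VLAN and ingress port."""
    mac: bytes
    ip: str
    vlan: int
    port: str

def parse_dhcp(payload: bytes):
    """Return (message type, chaddr, ciaddr). Fixed BOOTP header: hlen at offset 2,
    ciaddr at 12, chaddr at 28; magic cookie at 236, options from 240."""
    hlen = payload[2]
    ciaddr = ".".join(str(b) for b in payload[12:16])
    chaddr = payload[28:28 + hlen]
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53:                              # option 53 = DHCP message type
            msg_type = payload[i + 2]
        i += 2 + length
    return msg_type, chaddr, ciaddr

def mac_check(src_mac: bytes, payload: bytes) -> bool:
    """dhcp-snooping check mac-address: forward only if chaddr == frame source MAC."""
    return parse_dhcp(payload)[1] == src_mac

def request_check(port: str, vlan: int, payload: bytes, table) -> bool:
    """dhcp-snooping check request-message: a DHCPREQUEST (type 3) whose client has a
    snooping entry must agree with it; no entry means forward. Comparing IP, VLAN
    and port is an assumption (the guide does not list the fields)."""
    msg_type, chaddr, ciaddr = parse_dhcp(payload)
    if msg_type != 3:
        return True
    entry = next((e for e in table if e.mac == chaddr), None)
    if entry is None:
        return True
    return entry.ip == ciaddr and entry.vlan == vlan and entry.port == port

def build_dhcp(msg_type: int, chaddr: bytes, ciaddr: str) -> bytes:
    """Constructed minimal DHCP payload used as sample input (not a real capture)."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 1, 1, 6            # BOOTREQUEST, Ethernet, hlen 6
    hdr[12:16] = bytes(int(x) for x in ciaddr.split("."))
    hdr[28:34] = chaddr
    return bytes(hdr) + b"\x63\x82\x53\x63" + bytes([53, 1, msg_type, 255])
```

A real device keys its snooping table per VLAN and interface; the single-MAC lookup here is only the minimum needed to show both decisions.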