R2511-HP MSR Router Series Layer 3 - IP Services Configuration Guide(V5)
Step                          Command                                    Remarks
1. Enter system view.         system-view                                N/A
2. Enter interface view.      interface interface-type interface-number  N/A
3. Enable MAC address check.  dhcp-snooping check mac-address            Disabled by default.
                                                                         You can enable MAC address check only on
                                                                         Layer 2 Ethernet interfaces, Layer 2
                                                                         aggregate interfaces, and WLAN-BSS interfaces.
Enabling DHCP-REQUEST message attack protection
Attackers can forge DHCP-REQUEST messages to renew the IP address leases for legitimate DHCP clients
that no longer need the IP addresses. These forged messages keep a victim DHCP server renewing the
leases of IP addresses instead of releasing the IP addresses. This wastes IP address resources.
To prevent such attacks, you can enable DHCP-REQUEST message check on DHCP snooping devices.
This feature uses DHCP snooping entries to check incoming DHCP-REQUEST messages.
• If a matching entry is found for a message, the DHCP snooping device compares the entry with the
message information. If they are consistent, the DHCP-REQUEST message is considered a valid
lease renewal request and forwarded to the DHCP server. If they are not consistent, the message is
considered a forged lease renewal request and discarded.
• If no matching entry is found, the message is considered valid and forwarded to the DHCP server.
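The decision logic in the two bullets above, modelled as an added example (not HP's implementation and not part of the original guide). The guide does not say which fields the device looks up or compares, so the entry fields (IP, MAC, VLAN, port) and the lookup by client IP are assumptions; all addresses and interface names are constructed. The last sample shows that a request with no snooping entry is forwarded, so this check only protects leases the device has already learned.

```python
from dataclasses import dataclass

# Assumed layout of a DHCP snooping entry; the guide does not list the fields.
@dataclass(frozen=True)
class SnoopEntry:
    ip: str
    mac: str
    vlan: int
    port: str

@dataclass(frozen=True)
class DhcpRequest:
    ciaddr: str  # client IP address being renewed
    chaddr: str  # client hardware address from the DHCP payload
    vlan: int
    port: str    # ingress interface on the snooping device

def check_request(table, req):
    """Return (verdict, reason) for one incoming DHCP-REQUEST."""
    entry = table.get(req.ciaddr)  # assumption: entries are looked up by client IP
    if entry is None:
        # No matching entry: the guide treats the message as valid.
        return "forward", "no snooping entry"
    seen = (req.chaddr.lower(), req.vlan, req.port)
    bound = (entry.mac.lower(), entry.vlan, entry.port)
    if seen == bound:
        return "forward", "consistent with entry"
    return "drop", "inconsistent with entry"

# Constructed sample data (not taken from a real device).
TABLE = {e.ip: e for e in [
    SnoopEntry("10.1.1.10", "00:11:22:aa:bb:01", 10, "Ethernet1/1"),
]}
SAMPLES = [
    DhcpRequest("10.1.1.10", "00:11:22:AA:BB:01", 10, "Ethernet1/1"),  # genuine renewal
    DhcpRequest("10.1.1.10", "00:11:22:aa:bb:01", 10, "Ethernet1/2"),  # right MAC, wrong port
    DhcpRequest("10.1.1.10", "00:11:22:aa:bb:99", 10, "Ethernet1/1"),  # wrong MAC
    DhcpRequest("10.1.1.77", "00:11:22:aa:bb:77", 10, "Ethernet1/2"),  # no entry for this IP
]

def run():
    """Verdicts for the constructed samples, in order."""
    return [check_request(TABLE, r)[0] for r in SAMPLES]

if __name__ == "__main__":
    for req in SAMPLES:
        verdict, why = check_request(TABLE, req)
        print(f"{req.ciaddr} {req.chaddr} {req.port}: {verdict} ({why})")
```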
To enable DHCP-REQUEST message check:
Step                           Command                                    Remarks
1. Enter system view.          system-view                                N/A
2. Enter interface view.       interface interface-type interface-number  N/A
3. Enable DHCP-REQUEST check.  dhcp-snooping check request-message        Disabled by default.
                                                                          You can enable DHCP-REQUEST check only on
                                                                          Layer 2 Ethernet interfaces, Layer 2
                                                                          aggregate interfaces, and WLAN-BSS interfaces.
Displaying and maintaining DHCP snooping
Task                            Command                                  Remarks
Display DHCP snooping entries.  display dhcp-snooping [ ip ip-address ]  Available in any view.
                                [ | { begin | exclude | include }
                                regular-expression ]










