R0106-HP MSR Router Series Layer 3 - IP Services Configuration Guide(V7)

Attackers can also forge DHCP-DECLINE or DHCP-RELEASE packets to terminate leases for legitimate
DHCP clients that still need the IP addresses.
To prevent such attacks, you can enable DHCP-REQUEST check. This feature uses DHCP snooping entries
to check incoming DHCP-REQUEST messages.
- If a matching entry is found for a message, this feature compares the entry with the message information.
  - If they are consistent, the message is considered valid and is forwarded to the DHCP server.
  - If they are different, the message is considered forged and is discarded.
- If no matching entry is found, the message is considered valid and is forwarded to the DHCP server.
To enable DHCP-REQUEST check:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | N/A |
| 3. Enable DHCP-REQUEST check. | dhcp snooping check request-message | By default, DHCP-REQUEST check is disabled. You can enable DHCP-REQUEST check only on Layer 2 Ethernet interfaces. |
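The decision logic of DHCP-REQUEST check can be modeled as follows. This is an added example, not code from the guide or the device. It assumes entries are looked up by client MAC address and compared on IP address, VLAN, and ingress interface (the guide does not list the compared fields); all names and sample values are constructed.

```python
# Added illustration: models the DHCP-REQUEST check decision described above.
# Assumption: entries are looked up by client MAC and compared on IP, VLAN and
# ingress interface; the guide does not list the exact fields.
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:          # one DHCP snooping entry
    mac: str
    ip: str
    vlan: int
    interface: str

@dataclass(frozen=True)
class Message:          # fields of an incoming REQUEST/DECLINE/RELEASE message
    msg_type: str
    mac: str
    ip: str
    vlan: int
    interface: str

def build_table(bindings):
    """Index snooping entries by lower-cased client MAC."""
    return {b.mac.lower(): b for b in bindings}

def check_request(table, msg):
    """Return (action, reason) for the three cases the guide describes."""
    entry = table.get(msg.mac.lower())
    if entry is None:
        # No matching entry: the message is treated as valid.
        return "forward", "no matching entry"
    mismatched = [f for f in ("ip", "vlan", "interface")
                  if getattr(entry, f) != getattr(msg, f)]
    if mismatched:
        return "discard", "differs from entry: " + ", ".join(mismatched)
    return "forward", "consistent with entry"

# Constructed sample data (not from the guide).
TABLE = build_table([Binding("00:11:22:33:44:55", "192.0.2.10", 10, "GE1/0/1")])
SAMPLES = [
    Message("RELEASE", "00:11:22:33:44:55", "192.0.2.10", 10, "GE1/0/1"),
    Message("RELEASE", "00:11:22:33:44:55", "192.0.2.10", 10, "GE1/0/2"),
    Message("DECLINE", "00:11:22:33:44:55", "192.0.2.99", 10, "GE1/0/1"),
    Message("REQUEST", "66:77:88:99:aa:bb", "192.0.2.20", 10, "GE1/0/2"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.msg_type, m.mac, m.interface, "->", *check_request(TABLE, m))
```

The last sample has no snooping entry and is forwarded, so the check protects only clients whose entries have already been learned.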
Setting the maximum number of DHCP snooping entries
Perform this task to prevent the system resources from being overused.
To set the maximum number of DHCP snooping entries:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | N/A |
| 3. Set the maximum number of DHCP snooping entries for the interface to learn. | dhcp snooping max-learning-num number | By default, the number of DHCP snooping entries for an interface to learn is unlimited. |
Displaying and maintaining DHCP snooping
Execute display commands in any view, and reset commands in user view.
| Task | Command | Remarks |
|---|---|---|
| Display DHCP snooping entries. | display dhcp snooping binding [ ip ip-address [ vlan vlan-id ] ] | Available in any view. |