Home » HP Manuals » Servers » HP 6125G » Manual Viewer

HP 6125G HP 6125G & 6125G/XG Blade Switches Layer 3 - IP Services Conf - Page 63

Enabling DHCP starvation attack protection

Add to My Manuals
Save this manual to your list of manuals

Page 63 highlights

To configure DHCP snooping entries backup: Step 1. Enter system view. Command system-view 2. Specify the name of the file for storing DHCP snooping dhcp-snooping binding entries. database filename filename 3. Back up DHCP snooping entries to the file. dhcp-snooping binding database update now 4. Set the interval at which the DHCP snooping entry file is refreshed. dhcp-snooping binding database update interval minutes Remarks N/A Not specified by default. DHCP snooping entries are stored immediately after this command is used and then updated at the interval set by the dhcp-snooping binding database update interval command. Optional. DHCP snooping entries will be stored to the file each time this command is used. Optional. By default, the file is not refreshed periodically. Enabling DHCP starvation attack protection A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server may also fail to work because of exhaustion of system resources. You can protect against starvation attacks in the following ways: • To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can limit the number of MAC addresses that a Layer 2 port can learn. • To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source MAC address, enable MAC address check on the DHCP snooping device. With this function enabled, the DHCP snooping device compares the chaddr field of a received DHCP request with the source MAC address field of the frame. If they are the same, the request is considered valid and forwarded to the DHCP server. If not, the request is discarded. Enable MAC address check only on Layer 2 Ethernet ports and Layer 2 aggregate interfaces. To enable MAC address check: Step 1. Enter system view. 2. Enter interface view. 3. Enable MAC address check. Command system-view interface interface-type interface-number dhcp-snooping check mac-address Remarks N/A N/A Disabled by default 55

Section	Page
Title Page	1
Layer 3 - IP Services Configuration Guide	3
Configuring ARP	9
Overview	9
ARP message format	9
ARP operation	9
ARP table	10
Dynamic ARP entry	11
Static ARP entry	11
Configuring a static ARP entry	11
Configuring the maximum number of dynamic ARP entries for an interface	12
Setting the aging timer for dynamic ARP entries	12
Enabling dynamic ARP entry check	12
Configuring ARP quick update	13
Configuring multicast ARP	13
Displaying and maintaining ARP	14
ARP configuration examples	15
Static ARP entry configuration example	15
Network requirements	15
Configuration procedure	15
Multicast ARP configuration example	16
Network requirements	16
Configuration procedure	17
Verifying the configuration	17
Configuring gratuitous ARP	18
Overview	18
Gratuitous ARP packet learning	18
Periodic sending of gratuitous ARP packets	18
Configuration guidelines	19
Configuration procedure	19
Configuring proxy ARP	20
Overview	20
Common proxy ARP	20
Local proxy ARP	20
Enabling common proxy ARP	21
Enabling local proxy ARP	21
Displaying and maintaining proxy ARP	21
Proxy ARP configuration examples	22
Common proxy ARP configuration example	22
Network requirements	22
Configuration procedure	22
Local proxy ARP configuration example in case of port isolation	23
Network requirements	23
Configuration procedure	23
Local proxy ARP configuration example in isolate-user-VLAN	24
Network requirements	24
Configuration procedure	25
Configuring ARP snooping	26
Overview	26
Configuration procedure	26
Displaying and maintaining ARP snooping	26
Configuring IP addressing	27
Overview	27
IP address classes	27
Special IP addresses	28
Subnetting and masking	28
Assigning an IP address to an interface	29
Configuration guidelines	29
Configuration procedure	29
Configuration example	29
Network requirements	29
Configuration procedure	30
Configuring IP unnumbered	31
Overview	31
Configuration guidelines	31
Configuration prerequisites	31
Configuration procedure	31
Displaying and maintaining IP addressing	32
DHCP overview	33
DHCP address allocation	33
Dynamic IP address allocation process	34
IP address lease extension	34
DHCP message format	35
DHCP options	36
Common DHCP options	36
Custom options	36
Vendor-specific option (Option 43)	36
Relay agent option (Option 82)	38
Option 184	40
Protocols and standards	40
Configuring DHCP relay agent	42
Overview	42
Fundamentals	42
DHCP relay agent support for Option 82	43
DHCP relay agent configuration task list	44
Enabling DHCP	44
Enabling the DHCP relay agent on an interface	44
Correlating a DHCP server group with a relay agent interface	45
Configuration guidelines	45
Configuration procedure	45
Configuring the DHCP relay agent security functions	46
Configuring address check	46
Configuration guidelines	46
Configuration procedure	46
Configuring periodic refresh of dynamic client entries	46
Enabling unauthorized DHCP server detection	47
Enabling DHCP starvation attack protection	47
Enabling offline detection	48
Configuring the DHCP relay agent to release an IP address	48
Configuring the DHCP relay agent to support Option 82	49
Configuration prerequisites	49
Configuration guidelines	49
Configuration procedure	49
Setting the DSCP value for DHCP packets	50
Displaying and maintaining the DHCP relay agent	50
DHCP relay agent configuration examples	51
DHCP relay agent configuration example	51
Network requirements	51
Configuration procedure	52
DHCP relay agent Option 82 support configuration example	52
Network requirements	52
Configuration procedure	53
Troubleshooting DHCP relay agent configuration	53
Symptom	53
Analysis	53
Solution	53
Configuring DHCP client	54
Configuration restrictions	54
Enabling the DHCP client on an interface	54
Setting the DSCP value for DHCP packets	54
Displaying and maintaining the DHCP client	55
DHCP client configuration example	55
Network requirements	55
Configuration procedure	55
Configuring DHCP snooping	56
DHCP snooping functions	56
Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers	56
Recording IP-to-MAC mappings of DHCP clients	56
Application environment of trusted ports	57
Configuring a trusted port connected to a DHCP server	57
Configuring trusted ports in a cascaded network	57
DHCP snooping support for Option 82	58
DHCP snooping configuration task list	59
Configuring DHCP snooping basic functions	60
Configuring DHCP snooping to support Option 82	60
Configuring DHCP snooping entries backup	62
Enabling DHCP starvation attack protection	63
Enabling DHCP-REQUEST message attack protection	64
Displaying and maintaining DHCP snooping	64
DHCP snooping configuration examples	65
DHCP snooping configuration example	65
Network requirements	65
Configuration procedure	65
DHCP snooping Option 82 support configuration example	65
Network requirements	65
Configuration procedure	66
Configuring BOOTP client	67
Overview	67
BOOTP application	67
Obtaining an IP address dynamically	67
Protocols and standards	67
Configuration restrictions	67
Configuring an interface to dynamically obtain an IP address through BOOTP	68
Displaying and maintaining BOOTP client configuration	68
BOOTP client configuration example	68
Network requirements	68
Configuration procedure	68
Configuring IPv4 DNS	69
Overview	69
Static domain name resolution	69
Dynamic domain name resolution	69
DNS suffixes	70
Configuring the IPv4 DNS client	70
Configuring static domain name resolution	70
Configuring dynamic domain name resolution	71
Configuration restrictions and guidelines	71
Configuration procedure	71
Setting the DSCP value for DNS packets	71
Specifying the source interface for DNS packets	72
Displaying and maintaining IPv4 DNS	72
Static domain name resolution configuration example	73
Network requirements	73
Configuration procedure	73
Dynamic domain name resolution configuration example	74
Network requirements	74
Configuration procedure	74
Verifying the configuration	76
Troubleshooting IPv4 DNS configuration	77
Symptom	77
Solution	77
Configuring IP performance optimization	78
Enabling receiving and forwarding of directed broadcasts to a directly connected network	78
Enabling receiving of directed broadcasts to a directly connected network	78
Enabling forwarding of directed broadcasts to a directly connected network	78
Configuration example	79
Network requirements	79
Configuration procedure	79
Configuring TCP attributes	79
Configuring TCP path MTU discovery	79
Configuring the TCP send/receive buffer size	80
Configuring TCP timers	80
Configuring ICMP to send error packets	81
Advantages of sending ICMP error packets	81
Disadvantages of sending ICMP error packets	82
Configuration procedure	82
Displaying and maintaining IP performance optimization	83
Configuring UDP helper	84
Overview	84
Configuration restrictions and guidelines	84
Configuration procedure	84
Displaying and maintaining UDP helper	85
UDP helper configuration example	85
Network requirements	85
Configuration procedure	85
Configuring IPv6 basics	87
Overview	87
IPv6 features	87
Header format simplification	87
Larger address space	87
Hierarchical address structure	87
Address autoconfiguration	87
Built-in security	88
QoS support	88
Enhanced neighbor discovery mechanism	88
Flexible extension headers	88
IPv6 addresses	88
IPv6 address format	88
IPv6 address types	89
Unicast addresses	89
Multicast addresses	90
EUI-64 address-based interface identifiers	90
IPv6 neighbor discovery protocol	91
Address resolution	91
Neighbor reachability detection	92
Duplicate address detection	92
Router/prefix discovery and address autoconfiguration	93
Redirection	93
IPv6 path MTU discovery	93
IPv6 transition technologies	94
Dual stack	94
Tunneling	94
Protocols and standards	94
IPv6 basics configuration task list	95
Configuring basic IPv6 functions	96
Enabling IPv6	96
Configuring an IPv6 global unicast address	96
EUI-64 IPv6 addressing	96
Manual configuration	96
Stateless address autoconfiguration	97
Configuring an IPv6 link-local address	97
Configure an IPv6 anycast address	98
Configuring IPv6 ND	99
Configuring a static neighbor entry	99
Configuring the maximum number of neighbors dynamically learned	99
Setting the age timer for ND entries in stale state	100
Configuring parameters related to RA messages	100
Configuring the maximum number of attempts to send an NS message for DAD	102
Configuring path MTU discovery	103
Configuring a static path MTU for a specified IPv6 address	103
Configuring the aging time for dynamic path MTUs	103
Configuring IPv6 TCP properties	103
Configuring ICMPv6 packet sending	104
Configuring the maximum ICMPv6 error packets sent in an interval	104
Enabling replying to multicast echo requests	105
Enabling sending of ICMPv6 time exceeded messages	105
Enabling sending of ICMPv6 destination unreachable messages	106
Displaying and maintaining IPv6 basics configuration	106
IPv6 basics configuration example	107
Network requirements	107
Configuration procedure	108
Verifying the configuration	109
Troubleshooting IPv6 basics configuration	113
Symptom	113
Solution	113
DHCPv6 overview	114
Introduction to DHCPv6	114
DHCPv6 address/prefix assignment	114
Rapid assignment involving two messages	114
Assignment involving four messages	114
Address/prefix lease renewal	115
Configuring stateless DHCPv6	116
Operation	116
Protocols and standards	117
Configuring DHCPv6 relay agent	118
Overview	118
DHCPv6 relay agent operation	118
Configuring the DHCPv6 relay agent	119
Configuration guidelines	119
Configuration procedure	119
Setting the DSCP value for DHCPv6 packets	120
Displaying and maintaining the DHCPv6 relay agent	120
DHCPv6 relay agent configuration example	120
Network requirements	120
Configuration procedure	121
Verifying the configuration	121
Configuring DHCPv6 client	123
Overview	123
Configuring the DHCPv6 client	123
Configuration prerequisites	123
Configuration guidelines	123
Configuration procedure	123
Setting the DSCP value for DHCPv6 packets	123
Displaying and maintaining the DHCPv6 client	124
Stateless DHCPv6 configuration example	124
Network requirements	124
Configuration procedure	124
Verifying the configuration	125
Configuring tunneling	127
Overview	127
IPv6 over IPv4 tunneling	127
Implementation	127
Tunnel types	128
IPv4 over IPv4 tunneling	129
IPv4 over IPv6 tunneling	130
IPv6 over IPv6 tunneling	131
Protocols and standards	132
Tunneling configuration task list	132
Configuring a tunnel interface	133
Configuration guidelines	133
Configuration procedure	133
Configuring an IPv6 manual tunnel	134
Configuration prerequisites	134
Configuration guidelines	134
Configuration procedure	134
Configuration example	135
Network requirements	135
Configuration procedure	136
Verifying the configuration	137
Configuring a 6to4 tunnel	138
Configuration prerequisites	138
Configuration guidelines	138
Configuration procedure	139
Configuration example	140
Network requirements	140
Configuration consideration	140
Configuration procedure	140
Verifying the configuration	142
Configuring an ISATAP tunnel	142
Configuration prerequisites	142
Configuration guidelines	142
Configuration procedure	143
Configuration example	143
Network requirements	143
Configuration procedure	144
Verifying the configuration	146
Configuring an IPv4 over IPv4 tunnel	146
Configuration prerequisites	146
Configuration guidelines	146
Configuration procedure	147
Configuration example	147
Network requirements	147
Configuration procedure	147
Verifying the configuration	149
Configuring an IPv4 over IPv6 tunnel	150
Configuration prerequisites	150
Configuration guidelines	150
Configuration procedure	151
Configuration example	151
Network requirements	151
Configuration procedure	151
Verifying the configuration	153
Configuring an IPv6 over IPv6 tunnel	154
Configuration prerequisites	154
Configuration guidelines	154
Configuration procedure	155
Configuration example	156
Network requirements	156
Configuration procedure	156
Verifying the configuration	158
Displaying and maintaining tunneling configuration	159
Troubleshooting tunneling configuration	160
Symptom	160
Solution	160
Support and other resources	161
Contacting HP	161
Subscription service	161
Related information	161
Documents	161
Websites	161
Conventions	162
Command conventions	162
GUI conventions	162
Symbols	162
Network topology icons	163
Port numbering in examples	163

Match case Limit results 1 per page

To configure DHCP snooping entries backup:

Step

Command

Remarks

Enter system view.

system-view

N/A

Specify the name of the file for

storing DHCP snooping

entries.

dhcp-snooping binding

database filename

filename

Not specified by default.

DHCP snooping entries are stored

immediately after this command is

used and then updated at the

interval set by the

dhcp-snooping

binding database update interval

command.

Back up DHCP snooping

entries to the file.

dhcp-snooping binding

database update now

Optional.

DHCP snooping entries will be

stored to the file each time this

command is used.

Set the interval at which the

DHCP snooping entry file is

refreshed.

dhcp-snooping binding

database update interval

minutes

Optional.

By default, the file is not refreshed

periodically.

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using

different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address resources of

the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server may also fail

to work because of exhaustion of system resources. You can protect against starvation attacks in the

following ways:

•

To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source

MAC addresses, you can limit the number of MAC addresses that a Layer 2 port can learn.

•

To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same source

MAC address, enable MAC address check on the DHCP snooping device. With this function

enabled, the DHCP snooping device compares the chaddr field of a received DHCP request with

the source MAC address field of the frame. If they are the same, the request is considered valid and

forwarded to the DHCP server. If not, the request is discarded.

Enable MAC address check only on Layer 2 Ethernet ports and Layer 2 aggregate interfaces.

To enable MAC address check:

Step

Command

Remarks

Enter system view.

system-view

N/A

Enter interface view.

interface

interface-type

interface-number

N/A

Enable MAC address check.

dhcp-snooping check mac-address

Disabled by default

HP 6125G HP 6125G &amp; 6125G/XG Blade Switches Layer 3 - IP Services Conf - Page 63

Enabling DHCP starvation attack protection

Page 63 highlights

HP 6125G HP 6125G & 6125G/XG Blade Switches Layer 3 - IP Services Conf - Page 63