Home » HP Manuals » Servers » HP 6125G » Manual Viewer

HP 6125G HP 6125G & 6125G/XG Blade Switches Layer 3 - IP Services Conf - Page 64

Enabling DHCP-REQUEST message attack protection, Displaying and maintaining DHCP snooping

Add to My Manuals
Save this manual to your list of manuals

Page 64 highlights

Enabling DHCP-REQUEST message attack protection Attackers may forge DHCP-REQUEST messages to renew the IP address leases for legitimate DHCP clients that no longer need the IP addresses. These forged messages keep a victim DHCP server renewing the leases of IP addresses instead of releasing the IP addresses. This wastes IP address resources. To prevent such attacks, you can enable DHCP-REQUEST message check on DHCP snooping devices. With this feature enabled, upon receiving a DHCP-REQUEST message, a DHCP snooping device looks up local DHCP snooping entries for the corresponding entry of the message. If an entry is found, the DHCP snooping device compares the entry with the message information. If they are consistent, the DHCP-REQUEST message is considered a valid lease renewal request and forwarded to the DHCP server. If they are not consistent, the message is considered a forged lease renewal request and discarded. If no corresponding entry is found, the message is considered valid and forwarded to the DHCP server. Enable DHCP-REQUEST message check only on Layer 2 Ethernet ports, and Layer 2 aggregate interfaces. To enable DHCP-REQUEST message check: Step 1. Enter system view. 2. Enter interface view. 3. Enable DHCP-REQUEST message check. Command system-view interface interface-type interface-number Remarks N/A N/A dhcp-snooping check request-message Disabled by default Displaying and maintaining DHCP snooping Task Display DHCP snooping entries. Display Option 82 configuration information on the DHCP snooping device. Display DHCP packet statistics on the DHCP snooping device. Display information about trusted ports. Display the DHCP snooping entry file information. Clear DHCP snooping entries. Command Remarks display dhcp-snooping [ ip ip-address ] [ | { begin | exclude | include } regular-expression ] Available in any view display dhcp-snooping information { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ] Available in any view display dhcp-snooping packet statistics [ slot slot-number ] [ | { begin | exclude | Available in any view include } regular-expression ] display dhcp-snooping trust [ | { begin | exclude | include } regular-expression ] Available in any view display dhcp-snooping binding database [ | { begin | exclude | include } Available in any view regular-expression ] reset dhcp-snooping { all | ip ip-address } Available in user view 56

Section	Page
Title Page	1
Layer 3 - IP Services Configuration Guide	3
Configuring ARP	9
Overview	9
ARP message format	9
ARP operation	9
ARP table	10
Dynamic ARP entry	11
Static ARP entry	11
Configuring a static ARP entry	11
Configuring the maximum number of dynamic ARP entries for an interface	12
Setting the aging timer for dynamic ARP entries	12
Enabling dynamic ARP entry check	12
Configuring ARP quick update	13
Configuring multicast ARP	13
Displaying and maintaining ARP	14
ARP configuration examples	15
Static ARP entry configuration example	15
Network requirements	15
Configuration procedure	15
Multicast ARP configuration example	16
Network requirements	16
Configuration procedure	17
Verifying the configuration	17
Configuring gratuitous ARP	18
Overview	18
Gratuitous ARP packet learning	18
Periodic sending of gratuitous ARP packets	18
Configuration guidelines	19
Configuration procedure	19
Configuring proxy ARP	20
Overview	20
Common proxy ARP	20
Local proxy ARP	20
Enabling common proxy ARP	21
Enabling local proxy ARP	21
Displaying and maintaining proxy ARP	21
Proxy ARP configuration examples	22
Common proxy ARP configuration example	22
Network requirements	22
Configuration procedure	22
Local proxy ARP configuration example in case of port isolation	23
Network requirements	23
Configuration procedure	23
Local proxy ARP configuration example in isolate-user-VLAN	24
Network requirements	24
Configuration procedure	25
Configuring ARP snooping	26
Overview	26
Configuration procedure	26
Displaying and maintaining ARP snooping	26
Configuring IP addressing	27
Overview	27
IP address classes	27
Special IP addresses	28
Subnetting and masking	28
Assigning an IP address to an interface	29
Configuration guidelines	29
Configuration procedure	29
Configuration example	29
Network requirements	29
Configuration procedure	30
Configuring IP unnumbered	31
Overview	31
Configuration guidelines	31
Configuration prerequisites	31
Configuration procedure	31
Displaying and maintaining IP addressing	32
DHCP overview	33
DHCP address allocation	33
Dynamic IP address allocation process	34
IP address lease extension	34
DHCP message format	35
DHCP options	36
Common DHCP options	36
Custom options	36
Vendor-specific option (Option 43)	36
Relay agent option (Option 82)	38
Option 184	40
Protocols and standards	40
Configuring DHCP relay agent	42
Overview	42
Fundamentals	42
DHCP relay agent support for Option 82	43
DHCP relay agent configuration task list	44
Enabling DHCP	44
Enabling the DHCP relay agent on an interface	44
Correlating a DHCP server group with a relay agent interface	45
Configuration guidelines	45
Configuration procedure	45
Configuring the DHCP relay agent security functions	46
Configuring address check	46
Configuration guidelines	46
Configuration procedure	46
Configuring periodic refresh of dynamic client entries	46
Enabling unauthorized DHCP server detection	47
Enabling DHCP starvation attack protection	47
Enabling offline detection	48
Configuring the DHCP relay agent to release an IP address	48
Configuring the DHCP relay agent to support Option 82	49
Configuration prerequisites	49
Configuration guidelines	49
Configuration procedure	49
Setting the DSCP value for DHCP packets	50
Displaying and maintaining the DHCP relay agent	50
DHCP relay agent configuration examples	51
DHCP relay agent configuration example	51
Network requirements	51
Configuration procedure	52
DHCP relay agent Option 82 support configuration example	52
Network requirements	52
Configuration procedure	53
Troubleshooting DHCP relay agent configuration	53
Symptom	53
Analysis	53
Solution	53
Configuring DHCP client	54
Configuration restrictions	54
Enabling the DHCP client on an interface	54
Setting the DSCP value for DHCP packets	54
Displaying and maintaining the DHCP client	55
DHCP client configuration example	55
Network requirements	55
Configuration procedure	55
Configuring DHCP snooping	56
DHCP snooping functions	56
Ensuring that DHCP clients obtain IP addresses from authorized DHCP servers	56
Recording IP-to-MAC mappings of DHCP clients	56
Application environment of trusted ports	57
Configuring a trusted port connected to a DHCP server	57
Configuring trusted ports in a cascaded network	57
DHCP snooping support for Option 82	58
DHCP snooping configuration task list	59
Configuring DHCP snooping basic functions	60
Configuring DHCP snooping to support Option 82	60
Configuring DHCP snooping entries backup	62
Enabling DHCP starvation attack protection	63
Enabling DHCP-REQUEST message attack protection	64
Displaying and maintaining DHCP snooping	64
DHCP snooping configuration examples	65
DHCP snooping configuration example	65
Network requirements	65
Configuration procedure	65
DHCP snooping Option 82 support configuration example	65
Network requirements	65
Configuration procedure	66
Configuring BOOTP client	67
Overview	67
BOOTP application	67
Obtaining an IP address dynamically	67
Protocols and standards	67
Configuration restrictions	67
Configuring an interface to dynamically obtain an IP address through BOOTP	68
Displaying and maintaining BOOTP client configuration	68
BOOTP client configuration example	68
Network requirements	68
Configuration procedure	68
Configuring IPv4 DNS	69
Overview	69
Static domain name resolution	69
Dynamic domain name resolution	69
DNS suffixes	70
Configuring the IPv4 DNS client	70
Configuring static domain name resolution	70
Configuring dynamic domain name resolution	71
Configuration restrictions and guidelines	71
Configuration procedure	71
Setting the DSCP value for DNS packets	71
Specifying the source interface for DNS packets	72
Displaying and maintaining IPv4 DNS	72
Static domain name resolution configuration example	73
Network requirements	73
Configuration procedure	73
Dynamic domain name resolution configuration example	74
Network requirements	74
Configuration procedure	74
Verifying the configuration	76
Troubleshooting IPv4 DNS configuration	77
Symptom	77
Solution	77
Configuring IP performance optimization	78
Enabling receiving and forwarding of directed broadcasts to a directly connected network	78
Enabling receiving of directed broadcasts to a directly connected network	78
Enabling forwarding of directed broadcasts to a directly connected network	78
Configuration example	79
Network requirements	79
Configuration procedure	79
Configuring TCP attributes	79
Configuring TCP path MTU discovery	79
Configuring the TCP send/receive buffer size	80
Configuring TCP timers	80
Configuring ICMP to send error packets	81
Advantages of sending ICMP error packets	81
Disadvantages of sending ICMP error packets	82
Configuration procedure	82
Displaying and maintaining IP performance optimization	83
Configuring UDP helper	84
Overview	84
Configuration restrictions and guidelines	84
Configuration procedure	84
Displaying and maintaining UDP helper	85
UDP helper configuration example	85
Network requirements	85
Configuration procedure	85
Configuring IPv6 basics	87
Overview	87
IPv6 features	87
Header format simplification	87
Larger address space	87
Hierarchical address structure	87
Address autoconfiguration	87
Built-in security	88
QoS support	88
Enhanced neighbor discovery mechanism	88
Flexible extension headers	88
IPv6 addresses	88
IPv6 address format	88
IPv6 address types	89
Unicast addresses	89
Multicast addresses	90
EUI-64 address-based interface identifiers	90
IPv6 neighbor discovery protocol	91
Address resolution	91
Neighbor reachability detection	92
Duplicate address detection	92
Router/prefix discovery and address autoconfiguration	93
Redirection	93
IPv6 path MTU discovery	93
IPv6 transition technologies	94
Dual stack	94
Tunneling	94
Protocols and standards	94
IPv6 basics configuration task list	95
Configuring basic IPv6 functions	96
Enabling IPv6	96
Configuring an IPv6 global unicast address	96
EUI-64 IPv6 addressing	96
Manual configuration	96
Stateless address autoconfiguration	97
Configuring an IPv6 link-local address	97
Configure an IPv6 anycast address	98
Configuring IPv6 ND	99
Configuring a static neighbor entry	99
Configuring the maximum number of neighbors dynamically learned	99
Setting the age timer for ND entries in stale state	100
Configuring parameters related to RA messages	100
Configuring the maximum number of attempts to send an NS message for DAD	102
Configuring path MTU discovery	103
Configuring a static path MTU for a specified IPv6 address	103
Configuring the aging time for dynamic path MTUs	103
Configuring IPv6 TCP properties	103
Configuring ICMPv6 packet sending	104
Configuring the maximum ICMPv6 error packets sent in an interval	104
Enabling replying to multicast echo requests	105
Enabling sending of ICMPv6 time exceeded messages	105
Enabling sending of ICMPv6 destination unreachable messages	106
Displaying and maintaining IPv6 basics configuration	106
IPv6 basics configuration example	107
Network requirements	107
Configuration procedure	108
Verifying the configuration	109
Troubleshooting IPv6 basics configuration	113
Symptom	113
Solution	113
DHCPv6 overview	114
Introduction to DHCPv6	114
DHCPv6 address/prefix assignment	114
Rapid assignment involving two messages	114
Assignment involving four messages	114
Address/prefix lease renewal	115
Configuring stateless DHCPv6	116
Operation	116
Protocols and standards	117
Configuring DHCPv6 relay agent	118
Overview	118
DHCPv6 relay agent operation	118
Configuring the DHCPv6 relay agent	119
Configuration guidelines	119
Configuration procedure	119
Setting the DSCP value for DHCPv6 packets	120
Displaying and maintaining the DHCPv6 relay agent	120
DHCPv6 relay agent configuration example	120
Network requirements	120
Configuration procedure	121
Verifying the configuration	121
Configuring DHCPv6 client	123
Overview	123
Configuring the DHCPv6 client	123
Configuration prerequisites	123
Configuration guidelines	123
Configuration procedure	123
Setting the DSCP value for DHCPv6 packets	123
Displaying and maintaining the DHCPv6 client	124
Stateless DHCPv6 configuration example	124
Network requirements	124
Configuration procedure	124
Verifying the configuration	125
Configuring tunneling	127
Overview	127
IPv6 over IPv4 tunneling	127
Implementation	127
Tunnel types	128
IPv4 over IPv4 tunneling	129
IPv4 over IPv6 tunneling	130
IPv6 over IPv6 tunneling	131
Protocols and standards	132
Tunneling configuration task list	132
Configuring a tunnel interface	133
Configuration guidelines	133
Configuration procedure	133
Configuring an IPv6 manual tunnel	134
Configuration prerequisites	134
Configuration guidelines	134
Configuration procedure	134
Configuration example	135
Network requirements	135
Configuration procedure	136
Verifying the configuration	137
Configuring a 6to4 tunnel	138
Configuration prerequisites	138
Configuration guidelines	138
Configuration procedure	139
Configuration example	140
Network requirements	140
Configuration consideration	140
Configuration procedure	140
Verifying the configuration	142
Configuring an ISATAP tunnel	142
Configuration prerequisites	142
Configuration guidelines	142
Configuration procedure	143
Configuration example	143
Network requirements	143
Configuration procedure	144
Verifying the configuration	146
Configuring an IPv4 over IPv4 tunnel	146
Configuration prerequisites	146
Configuration guidelines	146
Configuration procedure	147
Configuration example	147
Network requirements	147
Configuration procedure	147
Verifying the configuration	149
Configuring an IPv4 over IPv6 tunnel	150
Configuration prerequisites	150
Configuration guidelines	150
Configuration procedure	151
Configuration example	151
Network requirements	151
Configuration procedure	151
Verifying the configuration	153
Configuring an IPv6 over IPv6 tunnel	154
Configuration prerequisites	154
Configuration guidelines	154
Configuration procedure	155
Configuration example	156
Network requirements	156
Configuration procedure	156
Verifying the configuration	158
Displaying and maintaining tunneling configuration	159
Troubleshooting tunneling configuration	160
Symptom	160
Solution	160
Support and other resources	161
Contacting HP	161
Subscription service	161
Related information	161
Documents	161
Websites	161
Conventions	162
Command conventions	162
GUI conventions	162
Symbols	162
Network topology icons	163
Port numbering in examples	163

Match case Limit results 1 per page

Enabling DHCP-REQUEST message attack

protection

Attackers may forge DHCP-REQUEST messages to renew the IP address leases for legitimate DHCP

clients that no longer need the IP addresses. These forged messages keep a victim DHCP server renewing

the leases of IP addresses instead of releasing the IP addresses. This wastes IP address resources.

To prevent such attacks, you can enable DHCP-REQUEST message check on DHCP snooping devices.

With this feature enabled, upon receiving a DHCP-REQUEST message, a DHCP snooping device looks

up local DHCP snooping entries for the corresponding entry of the message. If an entry is found, the

DHCP snooping device compares the entry with the message information. If they are consistent, the

DHCP-REQUEST message is considered a valid lease renewal request and forwarded to the DHCP server.

If they are not consistent, the message is considered a forged lease renewal request and discarded. If no

corresponding entry is found, the message is considered valid and forwarded to the DHCP server.

Enable DHCP-REQUEST message check only on Layer 2 Ethernet ports, and Layer 2 aggregate

interfaces.

To enable DHCP-REQUEST message check:

Step

Command

Remarks

Enter system view.

system-view

N/A

Enter interface view.

interface

interface-type interface-number

N/A

Enable DHCP-REQUEST message

check.

dhcp-snooping check request-message

Disabled by default

Displaying and maintaining DHCP snooping

Task

Command

Remarks

Display DHCP snooping entries.

display dhcp-snooping

[

ip-address

]

[

{

begin

exclude

include

}

regular-expression

]

Available in any view

Display Option 82 configuration

information on the DHCP snooping

device.

display dhcp-snooping information

{

all

interface

interface-type

interface-number

} [

{

begin

exclude

include

}

regular-expression

]

Available in any view

Display DHCP packet statistics on the

DHCP snooping device.

display dhcp-snooping packet statistics

[

slot

slot-number

] [

{

begin

exclude

include

}

regular-expression

]

Available in any view

Display information about trusted ports.

display dhcp-snooping trust

[

{

begin

exclude

include

}

regular-expression

]

Available in any view

Display the DHCP snooping entry file

information.

display dhcp-snooping binding database

[

{

begin

exclude

include

}

regular-expression

]

Available in any view

Clear DHCP snooping entries.

reset dhcp-snooping

{

all

ip-address

}

Available in user view

HP 6125G HP 6125G &amp; 6125G/XG Blade Switches Layer 3 - IP Services Conf - Page 64

Enabling DHCP-REQUEST message attack protection, Displaying and maintaining DHCP snooping

Page 64 highlights

HP 6125G HP 6125G & 6125G/XG Blade Switches Layer 3 - IP Services Conf - Page 64