HP 6125G HP 6125G & 6125G/XG Blade Switches Layer 3 - IP Services Conf - Page 64
Enabling DHCP-REQUEST message attack protection, Displaying and maintaining DHCP snooping
View all HP 6125G manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 64 highlights
Enabling DHCP-REQUEST message attack protection Attackers may forge DHCP-REQUEST messages to renew the IP address leases for legitimate DHCP clients that no longer need the IP addresses. These forged messages keep a victim DHCP server renewing the leases of IP addresses instead of releasing the IP addresses. This wastes IP address resources. To prevent such attacks, you can enable DHCP-REQUEST message check on DHCP snooping devices. With this feature enabled, upon receiving a DHCP-REQUEST message, a DHCP snooping device looks up local DHCP snooping entries for the corresponding entry of the message. If an entry is found, the DHCP snooping device compares the entry with the message information. If they are consistent, the DHCP-REQUEST message is considered a valid lease renewal request and forwarded to the DHCP server. If they are not consistent, the message is considered a forged lease renewal request and discarded. If no corresponding entry is found, the message is considered valid and forwarded to the DHCP server. Enable DHCP-REQUEST message check only on Layer 2 Ethernet ports, and Layer 2 aggregate interfaces. To enable DHCP-REQUEST message check: Step 1. Enter system view. 2. Enter interface view. 3. Enable DHCP-REQUEST message check. Command system-view interface interface-type interface-number Remarks N/A N/A dhcp-snooping check request-message Disabled by default Displaying and maintaining DHCP snooping Task Display DHCP snooping entries. Display Option 82 configuration information on the DHCP snooping device. Display DHCP packet statistics on the DHCP snooping device. Display information about trusted ports. Display the DHCP snooping entry file information. Clear DHCP snooping entries. Command Remarks display dhcp-snooping [ ip ip-address ] [ | { begin | exclude | include } regular-expression ] Available in any view display dhcp-snooping information { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ] Available in any view display dhcp-snooping packet statistics [ slot slot-number ] [ | { begin | exclude | Available in any view include } regular-expression ] display dhcp-snooping trust [ | { begin | exclude | include } regular-expression ] Available in any view display dhcp-snooping binding database [ | { begin | exclude | include } Available in any view regular-expression ] reset dhcp-snooping { all | ip ip-address } Available in user view 56