Home » HP Manuals » Servers » HP 6125XLG » Manual Viewer

HP 6125XLG R2306-HP 6125XLG Blade Switch Layer 3 - IP Services Configuration G - Page 78

Enabling DHCP starvation attack protection, Enabling DHCP-REQUEST attack protection

Add to My Manuals
Save this manual to your list of manuals

Page 78 highlights

Step 4. (Optional.) Set the amount of time to wait after a DHCP snooping entry changes before updating the database file. Command dhcp snooping binding database update interval seconds Remarks The default interval is 300 seconds. Enabling DHCP starvation attack protection A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that contain identical or different sender MAC addresses in the chaddr field to a DHCP server. This attack exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources. For information about the fields of DHCP packet, see "DHCP message format." Protect against starvation attacks in the following ways: • To relieve a DHCP starvation attack that uses DHCP requests encapsulated with different sender MAC addresses, you can limit the number of MAC addresses that a Layer 2 port can learn by using the mac-address max-mac-count command. For more information about the command, see Layer 2-LAN Switching Command Reference. • To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same sender MAC address, perform this task to enable MAC address check for DHCP snooping. This function compares the chaddr field of a received DHCP request with the source MAC address field in the frame header. If they are the same, the request is considered valid and forwarded to the DHCP server. If not, the request is discarded. To enable MAC address check: Step 1. Enter system view. 2. Enter interface view. 3. Enable MAC address check. Command system-view interface interface-type interface-number dhcp snooping check mac-address Remarks N/A N/A By default, MAC address check is disabled. Enabling DHCP-REQUEST attack protection DHCP-REQUEST messages include DHCP lease renewal packets, DHCP-DECLINE packets, and DHCP-RELEASE packets. This function prevents the unauthorized clients that forge the DHCP-REQUEST messages from attacking the DHCP server. Attackers can forge DHCP lease renewal packets to renew leases for legitimate DHCP clients that no longer need the IP addresses. These forged messages disable the victim DHCP server from releasing the IP addresses. Attackers can also forge DHCP-DECLINE or DHCP-RELEASE packets to terminate leases for legitimate DHCP clients that still need the IP addresses. To prevent such attacks, you can enable DHCP-REQUEST check. This feature uses DHCP snooping entries to check incoming DHCP-REQUEST messages. If a matching entry is found for a message, this feature 69

Section	Page
Title Page	1
Contents	3
Configuring ARP	10
Overview	10
ARP message format	10
ARP operating mechanism	10
ARP table	11
Dynamic ARP entry	11
Static ARP entry	12
Configuring a static ARP entry	12
Configuring a multiport ARP entry	13
Configuring the maximum number of dynamic ARP entries	13
Setting the aging timer for dynamic ARP entries	14
Enabling dynamic ARP entry check	14
Configuring ARP fast update	15
Displaying and maintaining ARP	15
Static ARP configuration example	16
Network requirements	16
Configuration procedure	16
Multiport ARP entry configuration example	17
Network requirements	17
Configuration procedure	17
Configuring gratuitous ARP	19
Overview	19
Gratuitous ARP packet learning	19
Periodic sending of gratuitous ARP packets	19
Configuration procedure	20
Configuring proxy ARP	21
Enabling common proxy ARP	21
Enabling local proxy ARP	21
Displaying proxy ARP	21
Common proxy ARP configuration example	22
Network requirements	22
Configuration procedure	22
Configuring ARP snooping	24
Configuration procedure	24
Displaying and maintaining ARP snooping	24
Configuring IP addressing	25
Overview	25
IP address classes	25
Special IP addresses	26
Subnetting and masking	26
Assigning an IP address to an interface	27
Configuration guidelines	27
Configuration procedure	27
Configuring IP unnumbered	27
Configuration guidelines	28
Configuration prerequisites	28
Configuration procedure	28
Displaying and maintaining IP addressing	28
IP address configuration example	29
Network requirements	29
Configuration procedure	29
Verifying the configuration	29
DHCP overview	31
DHCP address allocation	31
Allocation mechanisms	31
Dynamic IP address allocation process	32
IP address lease extension	32
DHCP message format	33
DHCP options	34
Common DHCP options	34
Custom DHCP options	34
Vendor-specific option (Option 43)	34
Relay agent option (Option 82)	36
Option 184	36
Protocols and standards	36
Configuring the DHCP server	38
Overview	38
DHCP address pool	38
Address assignment mechanisms	38
Principles for selecting an address pool	39
IP address allocation sequence	40
DHCP server configuration task list	40
Configuring an address pool on the DHCP server	40
Configuration task list	40
Creating a DHCP address pool	41
Specifying IP address ranges for a DHCP address pool	41
Specifying a primary subnet and multiple address ranges for a DHCP address pool	41
Specifying a primary subnet and multiple secondary subnets for a DHCP address pool	42
Configuring a static binding in a DHCP address pool	44
Specifying gateways for the client	44
Specifying a domain name suffix for the client	45
Specifying DNS servers for the client	45
Specifying WINS servers and NetBIOS node type for the client	46
Specifying BIMS server information for the client	46
Specifying the TFTP server and boot file name for the client	47
Specifying a server for the DHCP client	47
Configuring Option 184 parameters for the client	48
Configuring self-defined DHCP options	48
Enabling DHCP	49
Enabling the DHCP server on an interface	49
Applying an address pool on an interface	50
Configuring IP address conflict detection	50
Enabling handling of Option 82	51
Configuring DHCP server compatibility	51
Configuring the DHCP server to broadcast all responses	51
Configure the DHCP server to ignore BOOTP requests	51
Configuring the DHCP server to send BOOTP responses in RFC 1048 format	52
Displaying and maintaining the DHCP server	52
DHCP server configuration examples	53
Static IP address assignment configuration example	53
Network requirements	53
Configuration procedure	53
Verifying the configuration	54
Dynamic IP address assignment configuration example	54
Network requirements	54
Configuration procedure	55
Verifying the configuration	56
DHCP user class configuration example	56
Network requirement	56
Configuration procedure	56
Verifying the configuration	57
Self-defined option configuration example	57
Network requirements	57
Configuration procedure	57
Verifying the configuration	58
Troubleshooting DHCP server configuration	58
Symptom	58
Analysis	58
Solution	58
Configuring the DHCP relay agent	59
Overview	59
Operation	59
DHCP relay agent support for Option 82	60
DHCP relay agent configuration task list	60
Enabling DHCP	61
Enabling the DHCP relay agent on an interface	61
Specifying DHCP servers on a relay agent	61
Configuring the DHCP relay agent security functions	62
Enabling the DHCP relay agent to record relay entries	62
Enabling periodic refresh of dynamic relay entries	62
Enabling DHCP starvation attack protection	63
Configuring the DHCP relay agent to release an IP address	64
Configuring Option 82	64
Displaying and maintaining the DHCP relay agent	65
DHCP relay agent configuration examples	65
DHCP relay agent configuration example	65
Network requirements	65
Configuration procedure	66
Option 82 configuration example	66
Network requirements	66
Configuration procedure	66
Troubleshooting DHCP relay agent configuration	67
Symptom	67
Analysis	67
Solution	67
Configuring the DHCP client	68
Enabling the DHCP client on an interface	68
Configuring a DHCP client ID for an interface	69
Enabling duplicated address detection	69
Displaying and maintaining the DHCP client	70
DHCP client configuration example	70
Network requirements	70
Configuration procedure	70
Verifying the configuration	71
Configuring DHCP snooping	73
Overview	73
Application of trusted and untrusted ports	73
DHCP snooping support for Option 82	74
DHCP snooping configuration task list	75
Configuring basic DHCP snooping	75
Configuring Option 82	76
Saving DHCP snooping entries	77
Enabling DHCP starvation attack protection	78
Enabling DHCP-REQUEST attack protection	78
Configuring DHCP packet rate limit	79
Displaying and maintaining DHCP snooping	79
DHCP snooping configuration examples	80
Basic DHCP snooping configuration example	80
Network requirements	80
Configuration procedure	80
Verifying the configuration	81
Option 82 configuration example	81
Network requirements	81
Configuration procedure	81
Verifying the configuration	82
Configuring the BOOTP client	83
BOOTP application	83
Obtaining an IP address dynamically	83
Protocols and standards	83
Configuring an interface to use BOOTP for IP address acquisition	84
Displaying and maintaining BOOTP client	84
BOOTP client configuration example	84
Network requirements	84
Configuration procedure	84
Configuring DNS	85
Overview	85
Static domain name resolution	85
Dynamic domain name resolution	85
Resolution process	85
DNS suffixes	86
DNS proxy	86
DNS spoofing	87
DNS configuration task list	88
Configuring the IPv4 DNS client	89
Configuring static domain name resolution	89
Configuring dynamic domain name resolution	89
Configuration guidelines	89
Configuration procedure	90
Configuring the IPv6 DNS client	90
Configuring static domain name resolution	90
Configuring dynamic domain name resolution	91
Configuration guidelines	91
Configuration procedure	91
Configuring the DNS proxy	91
Configuring DNS spoofing	92
Specifying the source interface for DNS packets	92
Configuring the DNS trusted interface	93
Displaying and maintaining IPv4 DNS	93
IPv4 DNS configuration examples	94
Static domain name resolution configuration example	94
Network requirements	94
Configuration procedure	94
Dynamic domain name resolution configuration example	95
Network requirements	95
Configuration procedure	95
Verifying the configuration	97
DNS proxy configuration example	97
Network requirements	97
Configuration procedure	98
Verifying the configuration	98
IPv6 DNS configuration examples	99
Static domain name resolution configuration example	99
Network requirements	99
Configuration procedure	99
Dynamic domain name resolution configuration example	100
Network requirements	100
Configuration procedure	100
Verifying the configuration	103
DNS proxy configuration example	104
Network requirements	104
Configuration procedure	104
Verifying the configuration	105
Troubleshooting IPv4 DNS configuration	105
Symptom	105
Solution	105
Troubleshooting IPv6 DNS configuration	105
Symptom	105
Solution	105
Configuring DDNS	106
Overview	106
DDNS application	106
DDNS client configuration task list	107
Configuring a DDNS policy	107
Configuration prerequisites	108
Configuration procedure	108
Applying the DDNS policy to an interface	109
Displaying DDNS	110
DDNS configuration examples	110
DDNS configuration example with www.3322.org	110
Network requirements	110
Configuration procedure	110
DDNS configuration example with PeanutHull server	111
Network requirements	111
Configuration procedure	111
Basic IP forwarding on the device	113
FIB table	113
Displaying FIB table entries	113
Optimizing IP performance	115
Enabling an interface to receive and forward directed broadcasts destined for the directly connected network	115
Configuration procedure	115
Configuration example	115
Network requirements	115
Configuration procedure	116
Configuring MTU for an interface	116
Configuring TCP MSS for an interface	116
Configuring TCP path MTU discovery	117
Enabling TCP SYN Cookie	118
Configuring the TCP buffer size	118
Configuring TCP timers	119
Enabling sending ICMP error packets	119
Disabling forwarding ICMP fragments	120
Displaying and maintaining IP performance optimization	121
Configuring UDP helper	122
Overview	122
Configuration guidelines	122
Configuration procedure	122
Displaying and maintaining UDP helper	123
UDP helper configuration example	123
Network requirements	123
Configuration procedure	123
Verifying the configuration	124
Configuring basic IPv6 settings	125
Overview	125
IPv6 features	125
Simplified header format	125
Larger address space	125
Hierarchical address structure	125
Address autoconfiguration	125
Built-in security	126
QoS support	126
Enhanced neighbor discovery mechanism	126
Flexible extension headers	126
IPv6 addresses	126
IPv6 address formats	126
IPv6 address types	127
Unicast addresses	127
Multicast addresses	128
EUI-64 address-based interface identifiers	128
IPv6 ND protocol	129
Address resolution	129
Neighbor reachability detection	130
Duplicate address detection	130
Redirection	130
IPv6 path MTU discovery	130
IPv6 transition technologies	131
Dual stack	131
Tunneling	131
Protocols and standards	131
IPv6 basics configuration task list	132
Assigning IPv6 addresses to interfaces	132
Configuring an IPv6 global unicast address	133
EUI-64 IPv6 address	133
Manual configuration	133
Configuring an IPv6 link-local address	133
Configuring automatic generation of an IPv6 link-local address for an interface	134
Manually specifying an IPv6 link-local address for an interface	134
Configuring an IPv6 anycast address	134
Configuring IPv6 ND	135
Configuring a static neighbor entry	135
Setting the maximum number of dynamic neighbor entries	135
Setting the aging timer for ND entries in stale state	136
Minimizing link-local ND entries	136
Setting the hop limit	136
Configuring parameters for RA messages	137
Enabling sending of RA messages	137
Configuring parameters for RA messages	138
Configuring the maximum number of attempts to send an NS message for DAD	139
Configuring path MTU discovery	139
Configuring the interface MTU	139
Configuring a static path MTU for a specific IPv6 address	140
Configuring the aging time for dynamic path MTUs	140
Controlling sending ICMPv6 packets	140
Enabling replying to multicast echo requests	141
Enabling sending ICMPv6 destination unreachable messages	141
Enabling sending ICMPv6 time exceeded messages	141
Enabling sending ICMPv6 redirect messages	142
Displaying and maintaining IPv6 basics	142
IPv6 basics configuration example	144
Network requirements	144
Configuration procedure	144
Verifying the configuration	145
Troubleshooting IPv6 basics configuration	148
Symptom	148
Solution	148
DHCPv6 overview	149
DHCPv6 address/prefix assignment	149
Rapid assignment involving two messages	149
Assignment involving four messages	149
Address/prefix lease renewal	150
Stateless DHCPv6	151
Protocols and standards	151
Configuring the DHCPv6 server	152
Overview	152
IPv6 address assignment	152
IPv6 prefix assignment	152
Concepts	153
Multicast addresses used by DHCPv6	153
DUID	153
IA	153
IAID	153
PD	154
DHCPv6 address pool	154
Address allocation mechanisms	154
Prefix allocation mechanisms	154
Address pool selection	154
IPv6 address/prefix allocation sequence	155
Configuration task list	155
Configuring IPv6 prefix assignment	155
Configuration guidelines	156
Configuration procedure	156
Configuring IPv6 address assignment	157
Configuration guidelines	157
Configuration procedure	157
Configuring network parameters assignment	158
Configuring the DHCPv6 server on an interface	159
Configuration guidelines	159
Configuration procedure	159
Displaying and maintaining the DHCPv6 server	160
DHCPv6 server configuration examples	161
Dynamic IPv6 prefix assignment configuration example	161
Network requirements	161
Configuration procedure	161
Verifying the configuration	162
Dynamic IPv6 address assignment configuration example	163
Network requirements	163
Configuration procedure	163
Verifying the configuration	164
Configuring tunneling	165
Overview	165
IPv6 over IPv4 tunneling	165
Implementation	165
Tunnel modes	166
IPv4 over IPv4 tunneling	167
IPv4 over IPv6 tunneling	168
IPv6 over IPv6 tunneling	169
Protocols and standards	170
Tunneling configuration task list	170
Configuring a tunnel interface	170
Configuring an IPv6 over IPv4 manual tunnel	171
Configuration example	172
Network requirements	172
Configuration procedure	173
Verifying the configuration	174
Configuring a 6to4 tunnel	174
6to4 tunnel configuration example	175
Network requirements	175
Configuration considerations	176
Configuration procedure	176
Verifying the configuration	177
Configuring an ISATAP tunnel	178
Configuration example	178
Network requirements	178
Configuration procedure	179
Verifying the configuration	180
Configuring an IPv4 over IPv4 tunnel	181
Configuration example	182
Network requirements	182
Configuration procedure	182
Verifying the configuration	183
Configuring an IPv4 over IPv6 tunnel	184
Configuration example	185
Network requirements	185
Configuration procedure	185
Verifying the configuration	186
Configuring an IPv6 over IPv6 tunnel	187
Configuration example	188
Network requirements	188
Configuration procedure	188
Verifying the configuration	190
Displaying and maintaining tunneling configuration	190
Troubleshooting tunneling configuration	190
Symptom	190
Analysis	190
Solution	190
Configuring GRE	192
Overview	192
GRE encapsulation format	192
GRE encapsulation and de-encapsulation	193
Encapsulation process	193
De-encapsulation process	193
Protocols and standards	193
Configuring a GRE over IPv4 tunnel	193
Configuration prerequisites	194
Configuration procedure	194
Configuring a GRE over IPv6 tunnel	196
Configuration prerequisites	196
Configuration procedure	196
Displaying and maintaining GRE	197
GRE configuration examples	198
GRE over IPv4 configuration example	198
Network requirements	198
Configuration procedure	198
GRE over IPv6 configuration example	201
Network requirements	201
Configuration procedure	201
Troubleshooting GRE	204
Symptom	204
Analysis	204
Solution	204
Support and other resources	205
Contacting HP	205
Subscription service	205
Related information	205
Documents	205
Websites	205
Conventions	206
Command conventions	206
GUI conventions	206
Symbols	206
Network topology icons	207
Port numbering in examples	207

Match case Limit results 1 per page

Step

Command

Remarks

(Optional.) Set the amount of

time to wait after a DHCP

snooping entry changes

before updating the database

file.

dhcp snooping binding database

update interval

seconds

The default interval is 300 seconds.

Enabling DHCP starvation attack protection

A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that contain

identical or different sender MAC addresses in the chaddr field to a DHCP server. This attack exhausts

the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The

DHCP server might also fail to work because of exhaustion of system resources. For information about the

fields of DHCP packet, see "

DHCP message format

Protect against starvation attacks in the following ways:

•

To relieve a DHCP starvation attack that uses DHCP requests encapsulated with different sender

MAC addresses, you can limit the number of MAC addresses that a Layer 2 port can learn by using

the

mac-address max-mac-count

command. For more information about the command, see

Layer

2—LAN Switching Command Reference

•

To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same sender

MAC address, perform this task to enable MAC address check for DHCP snooping. This function

compares the chaddr field of a received DHCP request with the source MAC address field in the

frame header. If they are the same, the request is considered valid and forwarded to the DHCP

server. If not, the request is discarded.

To enable MAC address check:

Step

Command

Remarks

Enter system view.

system-view

N/A

Enter interface view.

interface

interface-type interface-number

N/A

Enable MAC address check.

dhcp snooping check mac-address

By default, MAC address

check is disabled.

Enabling DHCP-REQUEST attack protection

DHCP-REQUEST messages include DHCP lease renewal packets, DHCP-DECLINE packets, and

DHCP-RELEASE packets. This function prevents the unauthorized clients that forge the DHCP-REQUEST

messages from attacking the DHCP server.

Attackers can forge DHCP lease renewal packets to renew leases for legitimate DHCP clients that no

longer need the IP addresses. These forged messages disable the victim DHCP server from releasing the

IP addresses.

Attackers can also forge DHCP-DECLINE or DHCP-RELEASE packets to terminate leases for legitimate

DHCP clients that still need the IP addresses.

To prevent such attacks, you can enable DHCP-REQUEST check. This feature uses DHCP snooping entries

to check incoming DHCP-REQUEST messages. If a matching entry is found for a message, this feature