5-1
5 DHCP Packet Rate Limit Configuration
When configuring the DHCP packet rate limit function, go to these sections for information you are
interested in:
z Introduction to DHCP Packet Rate Limit
z Configuring DHCP Packet Rate Limit
z Rate Limit Configuration Example
Introduction to DHCP Packet Rate Limit
To prevent ARP attacks and attacks from unauthorized DHCP servers, ARP packets and DHCP packets
will be processed by the switch CPU for validity checking. But, if attackers generate a large number of
ARP packets or DHCP packets, the switch CPU will be under extremely heavy load. As a result, the
switch cannot work normally and even goes down.
S5500-EI series Ethernet switches support ARP and DHCP packet rate limit on a port and shut down
the port under attack to prevent hazardous impact on the device CPU. For details about ARP packet
rate limit, refer to ARP Operation in this manual. The following describes only the DHCP packet rate
limit function.
After DHCP packet rate limit is enabled on an Ethernet port, the switch counts the number of DHCP
packets received on this port per second. If the number of DHCP packets received per second exceeds
the specified value, packets are passing the port at an over-high rate, which implies an attack to the port.
In this case, the switch shuts down this port so that it cannot receive any packet, thus protect the switch
from attacks.
In addition, the switch supports port state auto-recovery. After a port is shut down due to over-high
packet rate, it resumes automatically after a configurable period of time.
When both port state auto-recovery interval for over-high ARP packet rate and port state auto-recovery
interval for over-high DHCP packet rate are configured on a port, the shorter one will be the
auto-recovery time.
Configuring DHCP Packet Rate Limit
Configuring DHCP Packet Rate Limit
Follow these steps to configure rate limit of DHCP packets:
To do… Use the command… Remarks
Enter system view
system-view
—
To Next Page
Loading...
