
HPE FlexNetwork 5130 EI Series Layer 3-Ip Services Configuration Guide

HPE FlexNetwork 5130 EI Series
265 pages
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set the maximum number of DHCP snooping entries for the interface to learn.
dhcp snooping max-learning-num max-number
By default, the number of DHCP snooping entries for an interface to learn is unlimited.
Configuring DHCP packet rate limit
About DHCP packet rate limit
Perform this task to set the maximum rate at which an interface can receive DHCP packets. This
feature discards DHCP packets that exceed the rate limit to prevent attacks that send a large
number of DHCP packets.
Restrictions and guidelines
The rate set on the Layer 2 aggregate interface applies to all members of the aggregate interface. If
a member interface leaves the aggregation group, it uses the rate set in its Ethernet interface view.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable DHCP snooping packet rate limit on an interface and set the limit value.
dhcp snooping rate-limit rate
By default, the DHCP snooping packet rate limit is disabled on an interface.
Configuring DHCP snooping security features
Enabling DHCP starvation attack protection
About DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that
contain identical or different sender MAC addresses in the chaddr field to a DHCP server. This
attack exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot
obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system
resources. For information about the fields of a DHCP packet, see "DHCP message format."
You can prevent DHCP starvation attacks in the following ways:
• If the forged DHCP requests contain different sender MAC addresses, use the
mac-address max-mac-count command to set the MAC learning limit on a Layer 2 port. For more
information about the command, see Layer 2—LAN Switching Command Reference.
• If the forged DHCP requests contain the same sender MAC address, perform this task to
enable MAC address check for DHCP snooping. This feature compares the chaddr field of a
received DHCP request with the source MAC address field in the frame header. If they are the
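
The comparison that MAC address check performs, as an added example in Python (not HPE's code and not part of the manual): it parses an untagged Ethernet II frame and reports whether the chaddr field equals the source MAC address in the frame header. The function names, the sample MAC addresses and the constructed frames are assumptions of this example.

```python
import struct

def check_chaddr(frame: bytes):
    """Return (src_mac, chaddr, same) for an untagged Ethernet II frame carrying
    a client DHCP request, or None if the frame is anything else."""
    if len(frame) < 14 + 20 or frame[12:14] != b"\x08\x00":    # IPv4 only
        return None
    src_mac, ip = frame[6:12], frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 17 or len(ip) < ihl + 8:
        return None                                            # not IPv4/UDP
    dst_port = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    bootp = ip[ihl + 8:]
    # BOOTP fixed header: op, htype, hlen, hops, xid(4), secs(2), flags(2),
    # ciaddr, yiaddr, siaddr, giaddr (4 each), so chaddr starts at offset 28.
    if dst_port != 67 or len(bootp) < 44:
        return None
    op, htype, hlen = bootp[0], bootp[1], bootp[2]
    if op != 1 or htype != 1 or hlen != 6:      # BOOTREQUEST, Ethernet, 6-byte MAC
        return None
    chaddr = bootp[28:34]
    return src_mac, chaddr, chaddr == src_mac


def build_request(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed sample input: a minimal DHCPDISCOVER frame (checksums zero)."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, 0x12345678, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4), chaddr)
    bootp += bytes(192) + b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip


def fmt(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    host = bytes.fromhex("020000000001")            # constructed MAC addresses
    frames = {"consistent": build_request(host, host),
              "mismatch": build_request(host, bytes.fromhex("0200000000aa"))}
    for name, frame in frames.items():
        src, chaddr, same = check_chaddr(frame)
        print(f"{name}: src={fmt(src)} chaddr={fmt(chaddr)} same={same}")
```

The same comparison can be run over frames from a packet capture of an access port to see which clients send requests whose chaddr differs from their frame source MAC.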
