91
same, the request is considered valid and forwarded to the DHCP server. If not, the request is
discarded.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable MAC address check.
dhcp snooping check mac-address
By default, MAC address check is disabled.
Enabling DHCP-REQUEST attack protection
About DHCP-REQUEST attack protection
DHCP-REQUEST messages include DHCP lease renewal packets, DHCP-DECLINE packets, and
DHCP-RELEASE packets. This feature prevents the unauthorized clients that forge the
DHCP-REQUEST messages from attacking the DHCP server.
Attackers can forge DHCP lease renewal packets to renew leases for legitimate DHCP clients that
no longer need the IP addresses. These forged messages disable the victim DHCP server from
releasing the IP addresses.
Attackers can also forge DHCP-DECLINE or DHCP-RELEASE packets to terminate leases for
legitimate DHCP clients that still need the IP addresses.
To prevent such attacks, you can enable DHCP-REQUEST check. This feature uses DHCP
snooping entries to check incoming DHCP-REQUEST messages.
• If a matching entry is found for a message, this feature compares the entry with the message
information.
{ If they are consistent, the message is considered as valid and forwarded to the DHCP
server.
{ If they are different, the message is considered as a forged message and is discarded.
• If no matching entry is found, the message is considered valid and forwarded to the DHCP
server.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable DHCP-REQUEST check.
dhcp snooping check request-message
By default, DHCP-REQUEST check is disabled.
Configuring a DHCP packet blocking port
About DHCP packet blocking port
Perform this task to configure a port as a DHCP packet blocking port. This blocking port drops all
incoming DHCP requests.
To Next Page
Loading...
Need help?
General