
HPE FlexNetwork 5130 EI Series Layer 3-Ip Services Configuration Guide

HPE FlexNetwork 5130 EI Series
265 pages
Enabling handling of Option 82
About handling of Option 82
Perform this task to enable the DHCP server to handle Option 82. Upon receiving a DHCP request
that contains Option 82, the DHCP server adds Option 82 into the DHCP response.
If you disable the DHCP server from handling Option 82, it does not add Option 82 into the response message.
You must enable handling of Option 82 on both the DHCP server and the DHCP relay agent to
ensure correct processing for Option 82. For information about enabling handling of Option 82 on the
DHCP relay agent, see "Configuring DHCP relay agent support for Option 82."
Procedure
1. Enter system view.
system-view
2. Enable the server to handle Option 82.
dhcp server relay information enable
By default, handling of Option 82 is enabled.
Configuring the DHCP server security features
Restrictions and guidelines
The DHCP server security features are not applicable if a DHCP relay agent exists in the network.
This is because the MAC address of the DHCP relay agent is encapsulated as the source MAC
address in the DHCP request received by the DHCP server. In this case, you must configure the
DHCP relay agent security features. For more information, see "Configuring the DHCP relay agent
security features."
Configuring DHCP starvation attack protection
About DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using
different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address
resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP
server might also fail to work because of exhaustion of system resources. For information about the
fields in the DHCP messages, see "DHCP message format."
The following methods are available to relieve or prevent such attacks.
• To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different
source MAC addresses, perform the following configuration on an interface:
  ◦ Execute the mac-address max-mac-count command to set the MAC learning limit. For
    more information about this command, see Layer 2—LAN Switching Command Reference.
  ◦ Disable unknown frame forwarding when the MAC learning limit is reached.
• To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same
source MAC address, you can enable MAC address check on the DHCP server. The DHCP
server compares the chaddr field of a received DHCP request with the source MAC address in
the frame header. If they are the same, the DHCP server verifies this request as legal and
processes it. If they are not the same, the server discards the DHCP request.
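
The chaddr comparison described above, as an added Python example (not HPE's code and not the switch's implementation): it parses a constructed, untagged DHCP request frame and applies the check. The function names, the "relayed" outcome for a nonzero giaddr (reflecting the relay restriction noted earlier), and the sample MAC addresses are assumptions of this example.

```python
import struct

GIADDR_OFF, CHADDR_OFF, BOOTP_FIXED = 24, 28, 236  # offsets in the BOOTP header

def mac_check(frame: bytes) -> str:
    """Classify an untagged Ethernet II / IPv4 / UDP DHCP request.

    Returns "accept" if chaddr equals the frame's source MAC, "discard" if it
    differs, and "relayed" if giaddr is set (source MAC is then the relay's).
    """
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an untagged IPv4 frame")
    src_mac, ip = frame[6:12], frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 17:
        raise ValueError("not IPv4/UDP")
    udp = ip[(ip[0] & 0x0F) * 4:]
    if len(udp) < 8 or struct.unpack("!H", udp[2:4])[0] != 67:
        raise ValueError("not sent to the DHCP server port (67)")
    bootp = udp[8:]
    if len(bootp) < BOOTP_FIXED:
        raise ValueError("truncated BOOTP header")
    op, htype, hlen = bootp[0], bootp[1], bootp[2]
    if (op, htype, hlen) != (1, 1, 6):
        raise ValueError("not an Ethernet BOOTREQUEST")
    if bootp[GIADDR_OFF:GIADDR_OFF + 4] != bytes(4):
        return "relayed"  # assumption of this example: flag it, do not compare
    chaddr = bootp[CHADDR_OFF:CHADDR_OFF + hlen]
    return "accept" if chaddr == src_mac else "discard"

def build_request(src_mac: bytes, chaddr: bytes, giaddr: bytes = bytes(4)) -> bytes:
    """Build a constructed DHCPDISCOVER frame (checksums left at zero)."""
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x12345678, 0, 0x8000)
    bootp += bytes(12) + giaddr + chaddr.ljust(16, b"\x00")  # ciaddr..siaddr, giaddr, chaddr
    bootp += bytes(192) + b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"  # sname/file, cookie, type
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip

if __name__ == "__main__":
    host = bytes.fromhex("020000000001")      # constructed, locally administered MACs
    forged = bytes.fromhex("02000000beef")
    print(mac_check(build_request(host, host)))                       # chaddr matches
    print(mac_check(build_request(host, forged)))                     # chaddr forged
    print(mac_check(build_request(host, forged, bytes([10, 0, 0, 1]))))  # via relay
```

The same comparison says nothing about requests where an attacker changes the source MAC and chaddr together, which is the case the MAC learning limit in the first bullet addresses.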
