Procedure
1. Enter system view.
system-view
2. Enable periodic refresh of dynamic relay entries.
dhcp relay client-information refresh enable
By default, periodic refresh of dynamic relay entries is enabled.
3. (Optional.) Set the refresh interval.
dhcp relay client-information refresh [ auto | interval interval ]
By default, the refresh interval is auto, which is calculated based on the total number of relay
entries.
Enabling DHCP starvation attack protection
About DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using
different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address
resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP
server might also fail to work because of exhaustion of system resources. The following methods are
available to relieve or prevent such attacks.
• To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different
source MAC addresses, you can use one of the following methods:
  ○ Limit the number of ARP entries that a Layer 3 interface can learn.
  ○ Set the MAC learning limit for a Layer 2 port, and disable unknown frame forwarding when
    the MAC learning limit is reached.
• To prevent a DHCP starvation attack that uses DHCP requests encapsulated with the same
source MAC address, you can enable MAC address check on the DHCP relay agent. The
DHCP relay agent compares the chaddr field of a received DHCP request with the source MAC
address in the frame header. If they are the same, the DHCP relay agent forwards the request
to the DHCP server. If not, the relay agent discards the request.
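Enable MAC address check only on the DHCP relay agent directly connected to the DHCP clients. A
DHCP relay agent changes the source MAC address of DHCP packets before sending them, so on a
relay agent further along the path the source MAC address no longer matches the chaddr field
and valid requests would be discarded.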
A MAC address check entry has an aging time. When the aging time expires, both of the following
occur:
• The entry ages out.
• The DHCP relay agent rechecks the validity of DHCP requests sent from the MAC address in
the entry.
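The comparison that MAC address check performs, as an added Python example (not code from the device or the vendor). It assumes untagged Ethernet II frames carrying IPv4; the names mac_check and build_request are hypothetical, the sample frames and MAC addresses are constructed, and the handling of truncated or non-Ethernet requests is an assumption.

```python
import struct

ETH_HLEN = 14      # untagged Ethernet II header (assumption: no 802.1Q tag)
CHADDR_OFF = 28    # op, htype, hlen, hops, xid, secs, flags and 4 addresses precede chaddr

def mac_check(frame: bytes) -> str:
    """Hypothetical helper: 'forward', 'discard' or 'ignore' for one raw frame."""
    if len(frame) < ETH_HLEN + 20 or frame[12:14] != b"\x08\x00":
        return "ignore"                          # not IPv4
    ihl = (frame[ETH_HLEN] & 0x0F) * 4
    udp = ETH_HLEN + ihl
    if ihl < 20 or frame[ETH_HLEN + 9] != 17 or len(frame) < udp + 8:
        return "ignore"                          # not UDP
    if struct.unpack("!H", frame[udp + 2:udp + 4])[0] != 67:
        return "ignore"                          # not addressed to the DHCP server port
    bootp = frame[udp + 8:]
    if len(bootp) < CHADDR_OFF + 16:
        return "discard"                         # truncated (assumption: drop it)
    if bootp[0] != 1:
        return "ignore"                          # not a BOOTREQUEST
    if bootp[1] != 1 or bootp[2] != 6:
        return "discard"                         # non-Ethernet hardware type (assumption: drop it)
    # The check itself: chaddr must equal the frame's source MAC address.
    return "forward" if bootp[CHADDR_OFF:CHADDR_OFF + 6] == frame[6:12] else "discard"

def build_request(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed DHCPDISCOVER in an Ethernet/IPv4/UDP frame (checksums left at 0)."""
    bootp = (struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0x8000)
             + bytes(16) + chaddr.ljust(16, b"\0") + bytes(192)
             + b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff")
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp),
                     0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip + udp + bootp

CLIENT = bytes.fromhex("020000000001")   # constructed, locally administered MACs
FORGED = bytes.fromhex("02000000beef")
RELAY = bytes.fromhex("0200000000aa")

def demo() -> dict:
    return {
        "genuine client": mac_check(build_request(CLIENT, CLIENT)),
        "forged chaddr, same source MAC": mac_check(build_request(CLIENT, FORGED)),
        "already relayed (source MAC rewritten)": mac_check(build_request(RELAY, CLIENT)),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The third case is a legitimate request that has already passed through another relay agent; it fails the comparison, which is why the check belongs only on the relay agent directly connected to the clients.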
Procedure
1. Enter system view.
system-view
2. Set the aging time for MAC address check entries.
dhcp relay check mac-address aging-time time
The default aging time is 30 seconds.
This command takes effect only after you execute the dhcp relay check mac-address command.
3. Enter the interface view.
interface interface-type interface-number
4. Enable MAC address check.