To enable the DHCP relay agent to record relay entries:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable the relay agent to record relay entries. | dhcp relay client-information record | By default, the relay agent does not record relay entries. |
NOTE:
The DHCP relay agent does not record IP-to-MAC bindings for DHCP clients running on
synchronous/asynchronous serial interfaces.
Enabling periodic refresh of dynamic relay entries
A DHCP client unicasts a DHCP-RELEASE message to the DHCP server to release its IP address.
The DHCP relay agent conveys the message to the DHCP server and does not remove the
IP-to-MAC entry of the client.
With this feature, the DHCP relay agent uses the following information to periodically send a
DHCP-REQUEST message to the DHCP server:
• The IP address of a relay entry.
• The MAC address of the DHCP relay interface.
The relay agent maintains the relay entries depending on what it receives from the DHCP server:
• If the server returns a DHCP-ACK message or does not return any message within an interval,
the DHCP relay agent removes the relay entry. In addition, upon receiving the DHCP-ACK
message, the relay agent sends a DHCP-RELEASE message to release the IP address.
• If the server returns a DHCP-NAK message, the relay agent keeps the relay entry.
To enable periodic refresh of dynamic relay entries:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable periodic refresh of dynamic relay entries. | dhcp relay client-information refresh enable | By default, periodic refresh of dynamic relay entries is enabled. |
| 3. Set the refresh interval. | dhcp relay client-information refresh [ auto \| interval interval ] | By default, the refresh interval is auto, which is calculated based on the number of total relay entries. |
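The refresh decision described in this section, modeled as an added Python example (not code from this guide or from the device software). The message dictionaries, the field names ip and mac, the sample addresses, and the toy server's behavior (NAK while another MAC holds the lease, ACK when the address is free) are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Reply(Enum):
    ACK = "DHCP-ACK"
    NAK = "DHCP-NAK"
    NONE = "no reply within the interval"

@dataclass(frozen=True)
class RelayEntry:
    ip: str          # client IP recorded by the relay agent
    client_mac: str  # client MAC recorded by the relay agent

def refresh(entries, relay_if_mac, server):
    """Run one refresh pass; return (entries kept, messages the relay sent)."""
    kept, sent = [], []
    for entry in entries:
        # The probe carries the entry's IP but the relay interface's MAC,
        # never the client's MAC.
        probe = {"type": "DHCP-REQUEST", "ip": entry.ip, "mac": relay_if_mac}
        sent.append(probe)
        reply = server(probe)
        if reply is Reply.NAK:
            kept.append(entry)  # NAK: the relay keeps the entry
            continue
        # ACK or silence: the entry is removed from the relay table.
        if reply is Reply.ACK:
            # The ACK handed the address to the relay, so it releases it again.
            sent.append({"type": "DHCP-RELEASE", "ip": entry.ip, "mac": relay_if_mac})
    return kept, sent

# Constructed sample data (documentation address and MAC ranges).
RELAY_MAC = "00:00:5e:00:53:01"
LEASES = {"192.0.2.10": "00:00:5e:00:53:aa"}  # lease still held by its client
SILENT = {"192.0.2.30"}                       # server never answers for this IP
ENTRIES = [RelayEntry("192.0.2.10", "00:00:5e:00:53:aa"),
           RelayEntry("192.0.2.20", "00:00:5e:00:53:bb"),  # client already released
           RelayEntry("192.0.2.30", "00:00:5e:00:53:cc")]

def toy_server(probe):
    """Assumed server model: NAK if another MAC holds the lease, else ACK."""
    if probe["ip"] in SILENT:
        return Reply.NONE
    holder = LEASES.get(probe["ip"])
    return Reply.NAK if holder not in (None, probe["mac"]) else Reply.ACK

if __name__ == "__main__":
    kept, sent = refresh(ENTRIES, RELAY_MAC, toy_server)
    print("kept:", [e.ip for e in kept])
    print("sent:", [(m["type"], m["ip"]) for m in sent])
```
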
Enabling DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using
different MAC addresses in the chaddr field to a DHCP server. This exhausts the IP address
resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP
server might also fail to work because of exhaustion of system resources. The following methods are
available to relieve or prevent such attacks.
• To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different
source MAC addresses, you can use one of the following methods:
  ○ Limit the number of ARP entries that a Layer 3 interface can learn.
  ○ Limit the number of MAC addresses that a Layer 2 port can learn.