Configuration Guide NFPP Configuration
1 Gi0/1 1.1.1.1 110
2 Gi0/2 1.1.2.1 61
Total:2 hosts
Ruijie# show nfpp icmp-guard hosts vlan 1 interface G 0/1 1.1.1.1
If column 1 shows '*', it means "hardware do not isolate user".
VLAN interface IP address remain-time(s)
---- -------- --------- -------------
1 Gi0/1 1.1.1.1 80
Total:1 host
Showing the trusted host configuration
For example,
Ruijie#show nfpp icmp-guard trusted-host
IP address mask
--------- ------
1.1.1.0 255.255.255.0
1.1.2.0 255.255.255.0
Total:2 record(s)
DHCP-guard
DHCP-guard Overview
DHCP is widely used to allocate IP addresses dynamically in the LAN and
plays an important role in network security. A “DHCP exhaustion” attack
broadcasts DHCP request packets with faked MAC addresses. If there are too
many DHCP request packets, the attacker may use up the addresses provided by
the DHCP server. As a result, a legitimate host fails to obtain an IP address
through DHCP and cannot access the network. There are two workarounds for the
“DHCP exhaustion” attack: on one hand, you may configure a DHCP packet rate
limit; on the other hand, you may detect and isolate the attack source.
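The two measures in the paragraph above (rate limiting and detecting the attack source) can be modelled in a few lines; this is an added example, not Ruijie's implementation or code from this guide. The thresholds, the event tuple format, the port names and the function names are assumptions made for illustration, and the sample traffic is constructed.

```python
from collections import defaultdict

# Assumed thresholds in packets per second, per port (not values from the guide).
RATE_LIMIT_PPS = 5    # requests above this rate are dropped
WARN_PPS = 10         # a port above this rate is reported as an attack source

# Constructed sample of DHCP requests: (timestamp_s, port, client_mac).
# Gi0/1 is a normal client; Gi0/2 sends 40 requests, each with a new faked MAC.
SAMPLE = (
    [(0.10, "Gi0/1", "00:11:22:33:44:55")]
    + [(0.02 * i, "Gi0/2", "02:00:00:00:00:%02x" % i) for i in range(40)]
    + [(1.20, "Gi0/1", "00:11:22:33:44:55")]
)


def guard(events, rate_limit=RATE_LIMIT_PPS, warn=WARN_PPS):
    """Apply a per-port rate limit; return (forwarded, dropped, flagged_ports)."""
    seen = defaultdict(int)              # (port, whole second) -> packets seen
    forwarded, dropped, flagged = [], [], set()
    for ts, port, mac in sorted(events):
        key = (port, int(ts))
        seen[key] += 1
        if seen[key] > warn:
            flagged.add(port)            # candidate for isolation
        if seen[key] > rate_limit:
            dropped.append((ts, port, mac))
        else:
            forwarded.append((ts, port, mac))
    return forwarded, dropped, flagged


def per_mac_peak(events):
    """Highest request count seen from any single client MAC in one second."""
    seen = defaultdict(int)
    for ts, _port, mac in events:
        seen[(mac, int(ts))] += 1
    return max(seen.values())


if __name__ == "__main__":
    fwd, drp, bad = guard(SAMPLE)
    print("forwarded:", len(fwd), "dropped:", len(drp), "flagged:", sorted(bad))
    print("peak requests per MAC per second:", per_mac_peak(SAMPLE))
```

Counting per client MAC never rises above one request per second on this sample, because every flood packet carries a different faked MAC; counting per port is what exposes the source.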
DHCP attack detection can be host-based or port-based. Host-based
ARP attack detection identifies a host by the combination of source IP
address, VID and port. For each type of attack detection, you can configure
a rate-limit threshold and a warning threshold. DHCP packets are dropped
when the packet rate exceeds the rate-limit threshold. When the DHCP packet