DES-7200 Configuration Guide Chapter 12 NFPP Configuration
12-43
Command: DES-7200# show nfpp icmp-guard trusted-host
Function: Show the trusted hosts.

For example:

DES-7200#show nfpp icmp-guard trusted-host
IP address   mask
----------   -------------
1.1.1.0      255.255.255.0
1.1.2.0      255.255.255.0
Total:2 record(s)
12.6 DHCP-guard
12.6.1 DHCP-guard
Overview
DHCP is widely used to allocate IP addresses dynamically in a LAN, and it plays an important
role in network security. A "DHCP exhaustion" attack broadcasts DHCP request packets with
forged source MAC addresses. If enough such requests arrive, the attacker can use up all the
addresses in the DHCP server's pool, so that a legitimate host can no longer obtain a DHCP IP
address or access the network. The countermeasures against "DHCP exhaustion" are, on the one
hand, to configure a DHCP packet rate limit and, on the other hand, to detect and isolate the
attack source.
DHCP attack detection can be host-based or port-based. Host-based DHCP attack detection
identifies a host by the combination of source IP address, VID and port. For each kind of
detection you can configure a rate-limit threshold and a warning threshold. DHCP packets are
dropped once the packet rate exceeds the rate-limit threshold; when the packet rate exceeds the
warning threshold, the switch prints a warning message and sends a TRAP message. Host-based
attack detection can also isolate the attack source.
DHCP-guard configuration commands include:
Enabling dhcp-guard
Configuring the isolated time
Configuring the monitored time
Configuring the monitored host limit
Host-based rate-limit and attack detection
Port-based rate-limit and attack detection
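The following Python model is an added example, not code from the DES-7200 guide or its
firmware. It illustrates the host-based detection described in the overview and the knobs
listed above (rate-limit threshold, warning threshold, isolated time, monitored time, monitored
host limit) by counting DHCP packets per host key (source IP/VID/port) in fixed one-second
buckets. The bucket scheme, the `HostKey`/`DhcpGuard` names and all threshold values are
assumptions chosen for illustration; on the switch they are set with the commands documented
in the sections that follow.

```python
"""Toy model of NFPP-style host-based DHCP-guard rate detection (added example)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class HostKey:
    """Host identity used by host-based detection: source IP / VID / port (assumed)."""
    src_ip: str
    vid: int
    port: str


class DhcpGuard:
    """Per-host packet-rate detector with drop, warning/TRAP and isolation stages.

    Assumption: the packet rate is measured in fixed one-second buckets keyed on the
    integer part of the packet timestamp.
    """

    def __init__(self, rate_limit, warn_threshold, isolate_time, monitor_time, monitor_limit):
        self.rate_limit = rate_limit          # packets/s above which excess packets are dropped
        self.warn_threshold = warn_threshold  # packets/s above which a warning/TRAP is raised
        self.isolate_time = isolate_time      # seconds an attack source stays isolated
        self.monitor_time = monitor_time      # seconds a detected host stays in the monitored list
        self.monitor_limit = monitor_limit    # maximum number of monitored hosts
        self._buckets = {}   # HostKey -> [second, count]
        self.isolated = {}   # HostKey -> release time
        self.monitored = {}  # HostKey -> expiry time
        self.traps = []      # (time, HostKey, rate) warning records

    def _expire(self, now):
        """Drop isolation and monitoring entries whose timers have run out."""
        for table in (self.isolated, self.monitored):
            for key in [k for k, t in table.items() if t <= now]:
                del table[key]

    def process(self, now, key):
        """Classify one DHCP packet: 'forward', 'drop' or 'isolated'."""
        self._expire(now)
        if key in self.isolated:
            return "isolated"
        second = int(now)
        bucket = self._buckets.get(key)
        if bucket is None or bucket[0] != second:
            bucket = [second, 0]
            self._buckets[key] = bucket
        bucket[1] += 1
        rate = bucket[1]
        if rate > self.warn_threshold:
            if rate == self.warn_threshold + 1:
                # First packet over the warning threshold: log/TRAP once per detection.
                self.traps.append((now, key, rate))
            if len(self.monitored) < self.monitor_limit or key in self.monitored:
                self.monitored[key] = now + self.monitor_time
                self.isolated[key] = now + self.isolate_time
                return "isolated"
            return "drop"  # monitored list full: cannot track/isolate, still rate-limited
        if rate > self.rate_limit:
            return "drop"
        return "forward"


def simulate():
    """Constructed scenario: one host floods 20 requests in a second, another sends one."""
    guard = DhcpGuard(rate_limit=5, warn_threshold=10, isolate_time=30,
                      monitor_time=180, monitor_limit=100)
    flooder = HostKey("192.0.2.10", 10, "Gi0/1")  # constructed sample host
    normal = HostKey("192.0.2.20", 10, "Gi0/2")   # constructed sample host
    actions = Counter(guard.process(100.0 + i * 0.04, flooder) for i in range(20))
    return {
        "flooder": dict(actions),
        "normal": guard.process(100.9, normal),
        "flooder_during_isolation": guard.process(105.0, flooder),
        "flooder_after_release": guard.process(131.0, flooder),
        "traps": len(guard.traps),
        "monitored_hosts": len(guard.monitored),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

In the scenario the first five packets of the flooding host are forwarded, the next five exceed
the rate limit and are dropped, the eleventh crosses the warning threshold (one TRAP record)
and isolates the host, and the host is only forwarded again once the 30-second isolation has
expired; the single packet from the other host is unaffected.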