
There have been continuous DHCP Rate Limit Err-Disabled alerts from ports on the Switches in the infrastructure, from most of the access switches in the infrastructure. The rate is set at 10 on every switch interface.

1. Does DHCP Rate Limit Err-Disabled detection get enabled automatically when IP DHCP Snooping is enabled globally?

The DHCP Snooping rate limiting is disabled by default, and has to be enabled explicitly.

2. What is the default rate after which the port goes to Err-Disabled if no custom DHCP rate limit is set on the interface?

A single DHCP station has no need to generate more than roughly 10 DHCP messages within a second. Clients retransmit their DHCP requests infrequently - in orders of seconds or tens of seconds. There is no way a well-behaved DHCP client would send 10 or more DHCP messages in a single second. So on a port towards a single station, I do not see a need to allow for more than 10 DHCP messages. Ports that aggregate more flows can be substantially harder to estimate.

3. What can be the sudden reason of receiving DHCP packets from every Access port? Can it be due to connectivity issues to the DHCP Server and the clients constantly trying to find the DHCP Server using Discover?

I have sometimes seen that a typo somewhere in the configuration of the DHCP server has caused the DHCP client to acquire settings, then find out these settings are invalid, and immediately restart the entire sequence - generating quite a significant amount of DHCP traffic. Notice the "255.255.255.0" argument in the default-router command - it is superfluous (gateways are never specified using their netmask) but it often escapes your attention. Multiple arguments in the default-router command are treated as multiple IP gateway addresses, and obviously, 255.255.255.0 is not a valid IP gateway address. Similar problems can ensue with, say, the dns-server command or a similar setting.

4. Would it be wise to configure Trusted ports for DHCP rate limit as these can be connected to DHCP Servers where a lot of DHCP traffic comes through?

Configuring trusted DHCP ports with DHCP rate limiting is a hard task in my opinion, because these ports aggregate multiple DHCP conversations and thus the number of observed messages can be very high, depending on the circumstances. Consider a port towards a DHCP server in a network with 200 clients. If all 200 clients boot up at the same time, you can expect several hundreds of DHCP messages to be validly carried by this port without meaning that this is an attack. So you would configure the rate limit to, say, 400. However, after the network boots up and stabilizes, an attacker might come in and using the rate of 50-100 DHCP messages per second, he can exhaust your DHCP pool within seconds or minutes without the DHCP rate limiting ever kicking in.
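The following IOS configuration is an added example and not part of the thread above or any poster's own configuration. It puts the two points of the answer side by side: a DHCP pool carrying the superfluous "255.255.255.0" argument on default-router (the kind of typo that makes clients discard their lease and restart the exchange) next to the corrected pool, and a DHCP snooping rate-limit layout that keeps 10 messages per second on access ports while sizing the trusted server-facing uplink for a boot storm. The pool name, the 192.0.2.0/24 range, VLAN 10 and the interface names are assumptions for illustration.

```cisco
! Added example, not the thread's own configuration. Pool name, addresses,
! VLAN and interface names are assumed for illustration.
!
! --- Misconfigured pool: "255.255.255.0" is parsed as a second gateway ---
ip dhcp pool CLIENTS-BAD
 network 192.0.2.0 255.255.255.0
 default-router 192.0.2.1 255.255.255.0
 dns-server 192.0.2.10
!
! --- Corrected pool: default-router takes gateway addresses only ---
ip dhcp pool CLIENTS
 network 192.0.2.0 255.255.255.0
 default-router 192.0.2.1
 dns-server 192.0.2.10
!
! --- DHCP snooping: enabling it globally and per VLAN does NOT turn on
!     rate limiting; the limit is configured per interface ---
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Access port towards a single station: 10 messages per second is ample
interface GigabitEthernet1/0/1
 switchport access vlan 10
 ip dhcp snooping limit rate 10
!
! Uplink towards the DHCP server: trusted so server replies are accepted,
! with a limit sized for 200 clients booting at once (400, per the answer)
interface GigabitEthernet1/0/48
 description Uplink to DHCP server
 ip dhcp snooping trust
 ip dhcp snooping limit rate 400
!
! Bring err-disabled access ports back automatically after 300 seconds
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Verification (run from privileged EXEC):
!   show ip dhcp snooping
!   show interfaces status err-disabled
!   show errdisable recovery
```

Note the caveat the answer makes explicit: the 400-message limit on the uplink is chosen for the legitimate boot burst, so a steady trickle of 50-100 messages per second would never trip it. On that port the limit protects against floods, not exhaustion, so pool utilisation on the DHCP server and the per-interface snooping counters remain the signals worth watching.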
