
Configuring address check – H3C Technologies H3C S10500 Series Switches User Manual


Configuring the DHCP relay agent security functions

Configuring address check

Address check can block illegal hosts from accessing external networks. With this feature enabled, the DHCP relay agent dynamically records clients' IP-to-MAC bindings after they obtain IP addresses through DHCP. You can also configure static IP-to-MAC bindings on the DHCP relay agent, so that users with fixed IP addresses can access external networks.

Upon receiving a packet from a host, the DHCP relay agent checks the source IP and MAC addresses in the packet against the recorded dynamic and static bindings. If no match is found, the DHCP relay agent does not learn the ARP entry of the host and does not forward any reply to the host, so the host cannot access external networks through the DHCP relay agent.
Follow these steps to create a static binding and enable address check:

1. Enter system view
   Use the command: system-view

2. Create a static binding
   Use the command: dhcp relay security static ip-address mac-address [ interface interface-type interface-number ]
   Remarks: Optional. No static binding is created by default.

3. Enter interface view
   Use the command: interface interface-type interface-number

4. Enable address check
   Use the command: dhcp relay address-check enable
   Remarks: Required. Disabled by default.

NOTE:

The dhcp relay address-check enable command can be executed only on Layer 3 Ethernet ports
(including sub-interfaces) and VLAN interfaces.

Before enabling address check on an interface, you must enable the DHCP service, and enable the
DHCP relay agent on the interface; otherwise, the address check configuration is ineffective.

The dhcp relay address-check enable command only checks IP and MAC addresses but not interfaces.

When using the dhcp relay security static command to bind an interface to a static binding entry, make sure that the interface is configured as a DHCP relay agent; otherwise, address entry conflicts may occur.
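A worked configuration for the procedure and the notes above, added here as an example rather than text from the manual: it turns one VLAN interface into a DHCP relay agent, enables address check on it, and then adds a static binding for a host with a fixed address. VLAN-interface 10, the client address 10.1.10.50 and the MAC 000f-e2aa-bbcc are constructed sample values, and the prerequisite commands dhcp enable and dhcp select relay are assumed from the Comware CLI, not taken from this page.

```text
# Added example, not from the manual. Lines starting with # are explanatory
# comments, not CLI input. Sample values are constructed for this example.
<Switch> system-view
# Prerequisite from the NOTE: enable the DHCP service globally
# (command assumed from the Comware CLI; not listed on this page).
[Switch] dhcp enable
[Switch] interface vlan-interface 10
# Prerequisite from the NOTE: the interface must act as a DHCP relay agent,
# otherwise the address check configuration is ineffective
# (command assumed, as above).
[Switch-Vlan-interface10] dhcp select relay
# Required step; disabled by default. Allowed only on Layer 3 Ethernet ports,
# their sub-interfaces, and VLAN interfaces.
[Switch-Vlan-interface10] dhcp relay address-check enable
[Switch-Vlan-interface10] quit
# Optional step: a static IP-to-MAC binding for a host with a fixed address.
# The interface is bound only after it has been configured as a relay agent,
# as the NOTE requires, to avoid address entry conflicts.
[Switch] dhcp relay security static 10.1.10.50 000f-e2aa-bbcc interface vlan-interface 10
# Result: a packet whose source IP/MAC pair matches neither this static entry
# nor a dynamic entry learned from a DHCP exchange gets no ARP entry and no
# reply through the relay. Only the IP and MAC are compared; the interface
# field of a binding is not part of the check.
```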

Configuring periodic refresh of dynamic client entries

A DHCP client unicasts a DHCP-RELEASE message to the DHCP server to release its IP address. The DHCP relay agent simply conveys the message to the DHCP server and does not remove the IP-to-MAC entry of the client.

When this feature is enabled, the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay interface to send a DHCP-REQUEST message to the DHCP server at specified intervals.