beautypg.com

Configuring dhcp relay agent security functions, Configuring address checking – H3C Technologies H3C S3600 Series Switches User Manual

Page 677

background image

3-6

z

You can configure up to eight DHCP server IP addresses in a DHCP server group.

z

You can map multiple VLAN interfaces to one DHCP server group. But one VLAN interface can be

mapped to only one DHCP server group.

z

If you execute the dhcp-server groupNo command repeatedly, the new configuration overwrites

the previous one.

z

You need to configure the group number specified in the dhcp-server groupNo command in VLAN

interface view by using the command dhcp-server groupNo ip ip-address&<1-8> in advance.

Configuring DHCP Relay Agent Security Functions

Configuring address checking

Among S3600 series switches, only S3600-EI series switches support the DHCP relay agent address

checking function.

After relaying an IP address from the DHCP server to a DHCP client, the DHCP relay agent can

automatically record the client’s IP-to-MAC binding and generate a dynamic address entry. It also

supports static bindings, which means you can manually configure IP-to-MAC bindings on the DHCP

relay agent, so that users can access external network using fixed IP addresses.

The purpose of the address checking function on DHCP relay agent is to prevent unauthorized users

from statically configuring IP addresses to access external networks. With this function enabled, a

DHCP relay agent inhibits a user from accessing external networks if the IP address configured on the

user end and the MAC address of the user end do not match any entries (including the entries

dynamically tracked by the DHCP relay agent and the manually configured static entries) in the user

address table on the DHCP relay agent.

Follow these steps to configure address checking:

To do…

Use the command…

Remarks

Enter system view

system-view

Create a static IP-to-MAC
binding

dhcp-security static
ip-address mac-address

Optional

Not created by default.

(Only S3600-EI series switches
among S3600 series switches
support this configuration.)

Enter interface view

interface interface-type
interface-number

This manual is related to the following products:
See also other documents in the category H3C Technologies Routers: