Configure address check – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Configuring the DHCP relay agent security functions
Configure address check
Address check can block illegal hosts from accessing external networks.
With this feature enabled, the DHCP relay agent can dynamically record clients’ IP-to-MAC bindings
after they obtain IP addresses through DHCP. You can also configure static IP-to-MAC bindings on the
DHCP relay agent so that users can access external networks using fixed IP addresses.
Upon receiving a packet from a host, the DHCP relay agent checks the source IP and MAC addresses in
the packet against the recorded dynamic and static bindings. If no match is found, the DHCP relay agent
does not learn the ARP entry of the host, and will not forward any reply to the host, which thus cannot
access external networks via the DHCP relay agent.
Follow these steps to create a static binding and enable address check:
| To do… | Use the command… | Remarks |
| --- | --- | --- |
| Enter system view | system-view | — |
| Create a static binding | dhcp relay security static ip-address mac-address [ interface interface-type interface-number ] | Optional. No static binding is created by default. |
| Enter interface view | interface interface-type interface-number | — |
| Enable or disable address check | dhcp relay address-check { disable \| enable } | Required. Disabled by default. |
NOTE:
• The dhcp relay address-check command can be executed only on VLAN interfaces.
• Before enabling address check on an interface, you must enable the DHCP service, and enable the DHCP relay agent on the interface; otherwise, the address check configuration is ineffective.
• The dhcp relay address-check enable command only checks IP and MAC addresses but not interfaces.
• When using the dhcp relay security static command to bind an interface to a static binding entry, make sure that the interface is configured as a DHCP relay agent; otherwise, address entry conflicts may occur.
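The following Python model is an added illustration, not H3C code and not part of the original manual. It shows how the address check decision described above combines dynamic and static bindings, and why the NOTE about interfaces matters. The class and function names, the sample addresses and the interface names are constructed, and treating a disabled check as "permit everything" is an assumption.

```python
from dataclasses import dataclass, field

def norm_mac(mac):
    """Normalize aa:bb:.., aa-bb-.. or H-H-H notation to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

@dataclass
class RelayAddressCheck:
    """Simplified model of address check on one relay (hypothetical, not H3C code)."""
    enabled: bool = False                         # disabled by default, as in the table
    dynamic: dict = field(default_factory=dict)   # ip -> mac, learned through DHCP
    static: dict = field(default_factory=dict)    # ip -> (mac, optional interface)

    def learn_dynamic(self, ip, mac):
        """Record the binding after a client obtains its address through DHCP."""
        self.dynamic[ip] = norm_mac(mac)

    def add_static(self, ip, mac, interface=None):
        """Model of 'dhcp relay security static'; the interface is only stored."""
        self.static[ip] = (norm_mac(mac), interface)

    def permits(self, src_ip, src_mac, in_interface=None):
        """True if the relay would learn the host's ARP entry and forward replies."""
        if not self.enabled:
            return True                           # assumption: no filtering when disabled
        mac = norm_mac(src_mac)
        if self.dynamic.get(src_ip) == mac:
            return True
        entry = self.static.get(src_ip)
        # Only IP and MAC are compared; in_interface is ignored, as the NOTE states.
        return entry is not None and entry[0] == mac

def demo():
    # Constructed sample bindings and packets (documentation address range).
    chk = RelayAddressCheck(enabled=True)
    chk.learn_dynamic("192.0.2.10", "00:11:22:33:44:55")
    chk.add_static("192.0.2.20", "0011-2233-4466", "Vlan-interface10")
    return {
        "dhcp_client": chk.permits("192.0.2.10", "0011-2233-4455"),
        "static_host": chk.permits("192.0.2.20", "00-11-22-33-44-66"),
        "unknown_ip": chk.permits("192.0.2.30", "0011-2233-4477"),
        "wrong_mac": chk.permits("192.0.2.10", "0011-2233-44ff"),
        "other_interface": chk.permits("192.0.2.20", "0011-2233-4466", "Vlan-interface20"),
    }

if __name__ == "__main__":
    print(demo())
```

The last result is permitted even though the packet arrives on a different interface than the one named in the static binding, which is the behaviour the NOTE describes.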
Configuring periodic refresh of dynamic client entries
A DHCP client unicasts a DHCP-RELEASE message to the DHCP server to release its IP address. The
DHCP relay agent simply conveys the message to the DHCP server and does not remove the IP-to-MAC
entry of the client.
With this feature, the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP
relay interface to periodically send a DHCP-REQUEST message to the DHCP server.
• If the server returns a DHCP-ACK message or does not return any message within a specified interval, the DHCP relay agent ages out the entry.