H3C Technologies H3C SecPath F1000-E User Manual
Page 63
• The group-id argument in the dhcp relay server-select command is configured by using the dhcp relay server-group command.
Configuring the DHCP Relay Agent Security Functions
Creating Static Bindings and Enabling IP Address Check
To prevent clients from using IP addresses that were not assigned to them (for example, a manually configured address), you can enable IP address check on the DHCP relay agent. With this feature enabled, the DHCP relay agent dynamically records each client's IP-to-MAC binding once the client obtains an IP address through DHCP. You can also configure static IP-to-MAC bindings on the DHCP relay agent so that hosts with fixed IP addresses can still access external networks.
Upon receiving an ARP packet, the DHCP relay agent checks the sender IP and MAC addresses in the packet against its recorded dynamic and static bindings. If no binding matches, the DHCP relay agent does not learn the ARP entry, so the requesting client cannot reach external networks through the DHCP relay agent.
Follow these steps to create a static binding and enable IP address check:

To do…                     Use the command…                                             Remarks
Enter system view          system-view                                                  —
Create a static binding    dhcp relay security static ip-address mac-address            Optional. No static binding is created by default.
                           [ interface interface-type interface-number ]
Enter interface view       interface interface-type interface-number                    —
Enable IP address check    dhcp relay address-check { disable | enable }                Required. Disabled by default.
NOTE:
• The dhcp relay address-check command can be executed only on Layer 3 Ethernet interfaces (including sub-interfaces) and VLAN interfaces.
• Before enabling IP address check on an interface, you need to enable the DHCP service and enable the DHCP relay agent on the interface; otherwise, the IP address check configuration is ineffective.
• The dhcp relay address-check enable command checks only the IP and MAC addresses of clients.
• When using the dhcp relay security static command to bind a static binding entry to an interface, make sure that the interface is configured as a DHCP relay agent; otherwise, address entry conflicts may occur.
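The following configuration example is added here for illustration and is not from the manual. It walks the procedure above end to end, including the prerequisites stated in the NOTE. The commands dhcp enable, dhcp select relay, dhcp relay server-group, dhcp relay server-select and display dhcp relay security are assumed from the general Comware command set rather than taken from this page; the device name, interface, IP addresses and MAC address are made up.

```text
# Added example, not part of the original manual. Assumed: Comware CLI, with
# dhcp enable / dhcp select relay / server-group / server-select / display
# commands taken from the wider command set, and made-up addresses.
<Sysname> system-view
# Enable the DHCP service globally (prerequisite from the NOTE).
[Sysname] dhcp enable
# Define DHCP server group 1 (the group-id used by dhcp relay server-select).
[Sysname] dhcp relay server-group 1 ip 10.1.1.100
# Static binding for a host with a fixed address 10.1.2.10 on GigabitEthernet 0/1.
# The interface is made a relay agent below, as the NOTE requires.
[Sysname] dhcp relay security static 10.1.2.10 000f-e200-0001 interface GigabitEthernet 0/1
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] ip address 10.1.2.1 255.255.255.0
# Enable the DHCP relay agent on the interface and tie it to server group 1.
# This must precede address-check, otherwise the check has no effect.
[Sysname-GigabitEthernet0/1] dhcp select relay
[Sysname-GigabitEthernet0/1] dhcp relay server-select 1
# Enable IP address check (disabled by default). From now on an ARP packet whose
# sender IP/MAC pair matches neither a dynamic nor a static binding is not learned.
[Sysname-GigabitEthernet0/1] dhcp relay address-check enable
[Sysname-GigabitEthernet0/1] quit
# Verify: the static entry is present immediately; dynamic entries appear
# as clients obtain addresses through the relay agent.
[Sysname] display dhcp relay security
```

Order matters: if dhcp relay address-check enable is issued before dhcp select relay on the interface, the feature is configured but ineffective, and a host that statically configures an unassigned address in 10.1.2.0/24 will still have its ARP entry learned.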
Configuring Periodic Refresh of Dynamic Client Entries
A DHCP client unicasts a DHCP-RELEASE message to the DHCP server when releasing its dynamically obtained IP address. The DHCP relay agent simply forwards the message to the DHCP server and does not remove the IP-to-MAC binding it recorded for that client, so the stale dynamic entry remains in its binding table. The periodic refresh of dynamic client entries feature is introduced to solve this problem.