H3C Technologies H3C SecPath F1000-E User Manual (page 221, printed page number 196)
NOTE:
• You can specify up to twenty DHCP server groups on the relay agent.
• By executing the dhcp relay server-group command repeatedly, you can specify up to eight DHCP server addresses for each DHCP server group.
• The IP addresses of DHCP servers and those of the relay agent's interfaces that connect DHCP clients cannot be on the same subnet. Otherwise, the client cannot obtain an IP address.
• A DHCP server group can correlate with one or multiple DHCP relay agent interfaces, while a relay agent interface can only correlate with one DHCP server group. Using the dhcp relay server-select command repeatedly overwrites the previous configuration. However, if the specified DHCP server group does not exist, the interface still uses the previous correlation.
• The group-id argument in the dhcp relay server-select command is configured by using the dhcp relay server-group command.
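The following is an added example, not code from H3C or from this manual: a small Python model of the server-group rules listed in the note above (the twenty-group and eight-address limits, the overwrite and fall-back behaviour of dhcp relay server-select, and the same-subnet restriction), so a planned configuration can be checked before it is typed in. The class and method names are my own; the page names the commands but not their full syntax, and the `ip` keyword shown in the docstring is my assumption about the Comware form.

```python
# Added example (not H3C code): a model of the DHCP relay server-group rules
# in the note above. Limits and semantics come from the manual; the names and
# the exact command forms quoted in docstrings are my own assumptions.
import ipaddress

MAX_GROUPS = 20              # "up to twenty DHCP server groups"
MAX_SERVERS_PER_GROUP = 8    # "up to eight DHCP server addresses" per group


class RelayServerGroups:
    def __init__(self):
        self.groups = {}       # group-id -> [IPv4Address, ...]
        self.iface_addr = {}   # interface -> client-facing IPv4Interface
        self.selection = {}    # interface -> group-id (one group per interface)

    def server_group(self, group_id, ip):
        """dhcp relay server-group <group-id> ip <ip> (assumed syntax): add one
        server address. A new group is created on first use; both limits apply.
        Returns the number of addresses now in the group."""
        addr = ipaddress.ip_address(ip)
        servers = self.groups.get(group_id)
        if servers is None:
            if len(self.groups) >= MAX_GROUPS:
                raise ValueError("at most %d DHCP server groups" % MAX_GROUPS)
            servers = self.groups[group_id] = []
        if addr in servers:
            return len(servers)          # re-adding the same address is a no-op
        if len(servers) >= MAX_SERVERS_PER_GROUP:
            raise ValueError("group %r already has %d addresses"
                             % (group_id, MAX_SERVERS_PER_GROUP))
        servers.append(addr)
        return len(servers)

    def server_select(self, iface, group_id):
        """dhcp relay server-select <group-id> in interface view.
        Repeating it overwrites the interface's previous group, but naming a
        group that does not exist leaves the previous correlation in place.
        Returns the group the interface ends up on (None if never set)."""
        if group_id in self.groups:
            self.selection[iface] = group_id
        return self.selection.get(iface)

    def interface_address(self, iface, cidr):
        """Record the address of a relay interface that faces DHCP clients."""
        self.iface_addr[iface] = ipaddress.ip_interface(cidr)

    def subnet_conflicts(self):
        """Return (interface, group, server) triples where a selected server
        sits on the same subnet as the client-facing interface; the manual
        says clients behind such an interface cannot obtain an address."""
        conflicts = []
        for iface, group_id in self.selection.items():
            if iface not in self.iface_addr:
                continue
            net = self.iface_addr[iface].network
            for server in self.groups[group_id]:
                if server in net:
                    conflicts.append((iface, group_id, str(server)))
        return conflicts
```

Run subnet_conflicts() after every server_select/interface_address change; an empty list means the same-subnet rule is satisfied for every interface that has a group selected.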
Configuring the DHCP relay agent security functions
1. Configure address check
Address check blocks unauthorized hosts from accessing external networks through the relay agent.
With this feature enabled, the DHCP relay agent dynamically records clients' IP-to-MAC bindings after they obtain IP addresses through DHCP. You can also configure static IP-to-MAC bindings on the DHCP relay agent so that users with fixed IP addresses can access external networks.
Upon receiving a packet from a host, the DHCP relay agent checks the packet's source IP and MAC addresses against the recorded dynamic and static bindings. If no match is found, the DHCP relay agent does not learn the host's ARP entry and does not forward any reply to the host, so the host cannot access external networks via the DHCP relay agent.
To create a static binding and enable address check:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Create a static binding.
    Command: dhcp relay security static ip-address mac-address [ interface interface-type interface-number ]
    Remarks: Optional. No static binding is created by default.
Step 3. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 4. Enable address check.
    Command: dhcp relay address-check enable
    Remarks: Disabled by default.
NOTE:
• The dhcp relay address-check enable command can be executed only on Layer 3 Ethernet interfaces (including sub-interfaces).
• Before enabling address check on an interface, you must enable the DHCP service and enable the DHCP relay agent on the interface; otherwise, the address check configuration is ineffective.
• The dhcp relay address-check enable command checks only IP and MAC addresses, not interfaces.
• When using the dhcp relay security static command to bind an interface to a static binding entry, make sure that the interface is configured as a DHCP relay agent; otherwise, address entry conflicts may occur.
• When a synchronous/asynchronous serial interface requests an IP address through DHCP, the DHCP relay agent does not record the corresponding IP-to-MAC binding.
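The following is an added example, not code from H3C or from this manual: a Python simulation of the address check described in the "Configure address check" text above and qualified by the notes that follow the procedure. It models the binding table (static entries from dhcp relay security static, dynamic entries learned when a client completes a lease through the relay), the forward/drop decision on host packets, the fact that the check compares only IP and MAC and ignores the interface, and the case of a client with no hardware address that is never recorded. The message and packet layouts are simplified dicts of my own, and all names and the sample traffic are constructed for this example.

```python
# Added example (not H3C code): simulation of DHCP relay address check as the
# manual describes it. Dict-shaped messages/packets and all names are my own.

class DhcpRelayAddressCheck:
    def __init__(self):
        self.static = {}    # ip -> (mac, interface or None), from "dhcp relay security static"
        self.dynamic = {}   # ip -> mac, learned when clients obtain leases via the relay
        self.arp = {}       # ip -> mac, ARP entries the relay agreed to learn

    def add_static(self, ip, mac, interface=None):
        """dhcp relay security static <ip> <mac> [ interface ... ].
        The interface is stored but, per the note, not consulted by the check."""
        self.static[ip] = (mac.lower(), interface)

    def learn_from_server_reply(self, msg):
        """Called for each server-to-client DHCP message the relay forwards.
        Only a DHCPACK completes a lease, so only it creates a dynamic binding.
        A client on a synchronous/asynchronous serial interface has no hardware
        address to record (modelled here as an empty chaddr) and is skipped."""
        if msg.get("type") != "ACK" or not msg.get("chaddr"):
            return False
        self.dynamic[msg["yiaddr"]] = msg["chaddr"].lower()
        return True

    def matches_binding(self, src_ip, src_mac):
        """Address check proper: the source IP and MAC must match one recorded
        binding, static or dynamic. Interfaces are deliberately ignored."""
        mac = src_mac.lower()
        entry = self.static.get(src_ip)
        if entry is not None and entry[0] == mac:
            return True
        return self.dynamic.get(src_ip) == mac

    def handle_host_packet(self, pkt):
        """Decide what the relay does with a packet from a directly connected host.
        Matching hosts have their ARP entry learned and are forwarded; others get
        no ARP entry and no replies, so they cannot reach external networks."""
        if self.matches_binding(pkt["src_ip"], pkt["src_mac"]):
            self.arp[pkt["src_ip"]] = pkt["src_mac"].lower()
            return "forward"
        return "drop"


def demo():
    """Constructed sample traffic (not captured data) covering four cases:
    a DHCP client, an IP spoofer, a static host on another interface, and a
    host that never obtained a binding. Returns the decisions and the relay."""
    relay = DhcpRelayAddressCheck()
    relay.learn_from_server_reply(
        {"type": "ACK", "yiaddr": "10.1.1.10", "chaddr": "00:11:22:33:44:55"})
    relay.add_static("10.1.1.100", "00:AA:BB:CC:DD:EE", interface="GigabitEthernet0/1")
    packets = [
        {"src_ip": "10.1.1.10", "src_mac": "00:11:22:33:44:55", "iface": "GigabitEthernet0/1"},   # DHCP client
        {"src_ip": "10.1.1.10", "src_mac": "de:ad:be:ef:00:01", "iface": "GigabitEthernet0/1"},   # spoofed IP
        {"src_ip": "10.1.1.100", "src_mac": "00:aa:bb:cc:dd:ee", "iface": "GigabitEthernet0/2"},  # static, other iface
        {"src_ip": "10.1.1.200", "src_mac": "00:00:5e:00:53:01", "iface": "GigabitEthernet0/1"},  # never bound
    ]
    return [relay.handle_host_packet(p) for p in packets], relay
```

The third packet is the point the note makes: the static entry was bound to GigabitEthernet0/1, yet the packet arriving on GigabitEthernet0/2 is still forwarded because only the IP and MAC are compared. The spoofer in the second packet reuses a legitimately bound IP but fails on the MAC and gets neither an ARP entry nor any reply.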