Configuring address check, Configuration guidelines, Configuration procedure – H3C Technologies H3C S12500 Series Switches User Manual


| Step | Command | Remarks |
|---|---|---|
| 3. Enter interface view. | interface interface-type interface-number | N/A |
| 4. Correlate the DHCP server group with the current interface. | dhcp relay server-select group-id | By default, no interface is correlated with any DHCP server group. |

Configuring the DHCP relay agent security functions

Configuring address check

Address check can block illegal hosts from accessing external networks.

With this feature enabled, the DHCP relay agent can dynamically record clients' IP-to-MAC bindings after the clients obtain IP addresses through DHCP. You can configure static IP-to-MAC bindings on the DHCP relay agent so that users can access external networks using fixed IP addresses.

Upon receiving an ARP packet, the DHCP relay agent checks the sender's IP and MAC addresses in the packet against the recorded dynamic and static bindings. If no match is found, the DHCP relay agent does not learn the ARP entry and prohibits the requesting client from accessing external networks through the DHCP relay agent.
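The check described above, modelled as an added example (not H3C code and not part of the original manual): a simplified binding table that records dynamic entries from DHCP, holds static entries, and validates ARP senders against both. The class, method names and addresses are constructed for illustration.

```python
# Simplified model of the relay agent's address check (illustrative, not H3C code).
from dataclasses import dataclass, field


def norm_mac(mac: str) -> str:
    """Normalize MAC notation (0001-0203-0405, 00:01:02:03:04:05) to 12 hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


@dataclass
class RelayAgent:
    static: dict = field(default_factory=dict)     # ip -> mac, configured by the admin
    dynamic: dict = field(default_factory=dict)    # ip -> mac, recorded from DHCP
    arp_table: dict = field(default_factory=dict)  # ARP entries the agent has learned

    def add_static(self, ip: str, mac: str) -> None:
        self.static[ip] = norm_mac(mac)

    def on_dhcp_ack(self, ip: str, mac: str, serial_interface: bool = False) -> None:
        # Guideline: clients on serial interfaces get no recorded binding.
        if not serial_interface:
            self.dynamic[ip] = norm_mac(mac)

    def on_arp(self, sender_ip: str, sender_mac: str) -> bool:
        """Return True and learn the ARP entry only if (IP, MAC) matches a binding."""
        mac = norm_mac(sender_mac)
        if self.static.get(sender_ip) == mac or self.dynamic.get(sender_ip) == mac:
            self.arp_table[sender_ip] = mac
            return True
        return False  # no match: entry not learned, client cannot go through the relay


def demo() -> dict:
    agent = RelayAgent()
    agent.add_static("10.1.1.5", "0001-0203-0405")       # fixed-address host
    agent.on_dhcp_ack("10.1.1.20", "00:aa:bb:cc:dd:01")  # normal DHCP client
    arps = {                                             # constructed ARP senders
        "dhcp client": ("10.1.1.20", "00:aa:bb:cc:dd:01"),
        "static host": ("10.1.1.5", "00:01:02:03:04:05"),
        "spoofed MAC": ("10.1.1.20", "00:aa:bb:cc:dd:99"),
        "self-assigned IP": ("10.1.1.77", "00:aa:bb:cc:dd:02"),
    }
    return {name: agent.on_arp(ip, mac) for name, (ip, mac) in arps.items()}


if __name__ == "__main__":
    print(demo())
```

A host that assigns itself an address, or that answers ARP for a leased address with a different MAC, matches no binding and is never learned.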

Configuration guidelines

Follow these guidelines when you configure the address check:

• The dhcp relay address-check enable command can be executed only on Layer 3 Ethernet interfaces (including subinterfaces), VLAN interfaces and Layer 3 aggregate interfaces.

• Before enabling address check on an interface, you must enable the DHCP service, and enable the DHCP relay agent on the interface. Otherwise, the address check configuration is ineffective.

• The dhcp relay address-check enable command only checks IP and MAC addresses of clients.

• When using the dhcp relay security static command to bind an interface to a static binding entry, make sure the interface is configured as a DHCP relay agent. Otherwise, address entry conflicts might occur.

• When a synchronous/asynchronous serial interface requests an IP address through DHCP, the DHCP relay agent does not record the corresponding IP-to-MAC binding.

Configuration procedure

To create a static binding and enable address check:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create a static binding. | dhcp relay security static ip-address mac-address [ interface interface-type interface-number ] | Optional. No static binding is created by default. |
