H3C Technologies H3C SecPath F1000-E User Manual

Page 221


NOTE:

You can specify up to twenty DHCP server groups on the relay agent.

By executing the dhcp relay server-group command repeatedly, you can specify up to eight DHCP server addresses for each DHCP server group.

The IP addresses of the DHCP servers and the IP addresses of the relay agent interfaces that connect to DHCP clients must not be on the same subnet. Otherwise, the clients cannot obtain IP addresses.

A DHCP server group can correlate with one or multiple DHCP relay agent interfaces, while a relay agent interface can correlate with only one DHCP server group. Using the dhcp relay server-select command repeatedly on an interface overwrites the previous configuration. However, if the specified DHCP server group does not exist, the interface keeps its previous correlation.

The group-id argument in the dhcp relay server-select command must refer to a group created with the dhcp relay server-group command.

Configuring the DHCP relay agent security functions

1. Configure address check

Address check can block illegal hosts from accessing external networks. With this feature enabled, the DHCP relay agent dynamically records clients' IP-to-MAC bindings after they obtain IP addresses through DHCP. You can also configure static IP-to-MAC bindings on the DHCP relay agent so that users can access external networks using fixed IP addresses.

Upon receiving a packet from a host, the DHCP relay agent checks the source IP and MAC addresses in the packet against the recorded dynamic and static bindings. If no match is found, the DHCP relay agent does not learn the ARP entry of the host and does not forward any reply to the host, so the host cannot access external networks through the DHCP relay agent.

To create a static binding and enable address check:

Step 1: Enter system view.
    Command: system-view
    Remarks: N/A

Step 2: Create a static binding.
    Command: dhcp relay security static ip-address mac-address [ interface interface-type interface-number ]
    Remarks: Optional. No static binding is created by default.

Step 3: Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A

Step 4: Enable address check.
    Command: dhcp relay address-check enable
    Remarks: Disabled by default.

NOTE:

The dhcp relay address-check enable command can be executed only on Layer 3 Ethernet interfaces
(including sub-interfaces).

Before enabling address check on an interface, you must enable the DHCP service, and enable the
DHCP relay agent on the interface; otherwise, the address check configuration is ineffective.

The dhcp relay address-check enable command checks only the source IP and MAC addresses of a packet against the bindings. The interface recorded in a static binding is not checked, so a matching IP-to-MAC pair arriving on a different relay interface still passes address check.

When using the dhcp relay security static command to bind an interface to a static binding entry, make
sure that the interface is configured as a DHCP relay agent; otherwise, address entry conflicts may
occur.

When a synchronous/asynchronous serial interface requests an IP address through DHCP, the DHCP
relay agent does not record the corresponding IP-to-MAC binding.
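The following CLI session puts the server-group notes and the address-check procedure above together into one complete configuration. It is an added example, not a configuration from the manual. The interface names, IP and MAC addresses, and the dhcp enable, dhcp select relay, ip address and display dhcp relay security commands are assumptions taken from the DHCP relay agent chapters rather than from this page; verify them against your software version.

```text
# Added example, not from the manual. Addresses, interface names, and the
# dhcp enable / dhcp select relay / display commands are assumptions.
<Sysname> system-view
# Enable the DHCP service globally; address check is ineffective without it.
[Sysname] dhcp enable
# Server group 1 with two DHCP servers (at most eight per group, twenty groups).
# 10.1.1.0/24 must not be the subnet of the client-facing interface.
[Sysname] dhcp relay server-group 1 ip 10.1.1.1
[Sysname] dhcp relay server-group 1 ip 10.1.1.2
# Static binding for a host that keeps a fixed address. The interface named
# here must itself be configured as a DHCP relay agent, or entries can conflict.
[Sysname] dhcp relay security static 192.168.10.50 0001-0203-0405 interface GigabitEthernet 0/1
# Client-facing Layer 3 Ethernet interface on 192.168.10.0/24.
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] ip address 192.168.10.1 255.255.255.0
# Put the interface in relay mode and correlate it with server group 1
# (repeating server-select with another existing group overwrites this).
[Sysname-GigabitEthernet0/1] dhcp select relay
[Sysname-GigabitEthernet0/1] dhcp relay server-select 1
# Enable address check last, after DHCP and the relay agent are enabled here.
[Sysname-GigabitEthernet0/1] dhcp relay address-check enable
[Sysname-GigabitEthernet0/1] quit
# Verify: the static entry appears now; dynamic entries appear as clients lease.
[Sysname] display dhcp relay security
```

Order matters: if dhcp relay address-check enable is entered before dhcp enable and dhcp select relay, the check is not applied, and hosts that obtained leases before the relay started recording bindings will be blocked until they renew.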
