HP VPN Firewall Appliances Network Management Configuration Guide

198
Address check can block unauthorized hosts from accessing external networks.
With this feature enabled, the DHCP relay agent dynamically records clients' IP-to-MAC bindings
after they obtain IP addresses through DHCP. You can also configure static IP-to-MAC bindings on
the DHCP relay agent so that hosts with fixed IP addresses can access external networks.
Upon receiving a packet from a host, the DHCP relay agent checks the source IP and MAC addresses
of the packet against the recorded dynamic and static bindings. If no match is found, the DHCP relay
agent neither learns an ARP entry for the host nor forwards any reply to it, so the host cannot
access external networks through the DHCP relay agent.
a. Configuration guidelines.
Follow these guidelines when you configure address check:
• The dhcp relay address-check enable command can be executed only on Layer 3 Ethernet
interfaces (including subinterfaces), VLAN interfaces, and Layer 3 aggregate interfaces.
• Before enabling address check on an interface, you must enable the DHCP service and enable
the DHCP relay agent on the interface; otherwise, the address check configuration has no effect.
• The dhcp relay address-check enable command checks only the IP and MAC addresses of a
packet, not the interface it arrives on. The interface given in a static binding therefore does not
restrict the interface on which that IP-to-MAC pair is accepted.
• When using the dhcp relay security static command to bind a static binding entry to an
interface, make sure that the interface is configured as a DHCP relay agent. Otherwise, address
entry conflicts might occur.
• When a synchronous/asynchronous serial interface requests an IP address through DHCP, the
DHCP relay agent does not record the corresponding IP-to-MAC binding.
b. Configuration procedure.
To create a static binding and enable address check:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Create a static binding. | dhcp relay security static ip-address mac-address [ interface interface-type interface-number ] | Optional. No static binding is created by default.
3. Enter interface view. | interface interface-type interface-number | N/A
4. Enable address check. | dhcp relay address-check enable | Disabled by default.
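The following session shows the procedure end to end with the guidelines above applied: the DHCP service and the relay agent are enabled before address check, and the static binding is tied to its interface only after that interface is a relay agent. It is an added example and not a configuration taken from this guide. The device name, interface, server address, client address and MAC address are constructed, and the dhcp enable, dhcp relay server-group, dhcp select relay, dhcp relay server-select and display dhcp relay security commands are assumed from the DHCP relay chapter of the guide rather than from this page.

```text
# Added example, not from the guide. Names and addresses are constructed;
# commands other than those listed on this page are assumed from the DHCP
# relay chapter. Comment lines begin with # and are not part of the session.
<Firewall> system-view
#
# Enable the DHCP service first; address check is ineffective without it.
[Firewall] dhcp enable
#
# Assumed: the DHCP server that the relay agent forwards client requests to.
[Firewall] dhcp relay server-group 1 ip 10.1.1.1
#
# A Layer 3 Ethernet interface, one of the interface types address check supports.
[Firewall] interface GigabitEthernet 0/1
[Firewall-GigabitEthernet0/1] ip address 192.168.10.1 24
#
# Make the interface a DHCP relay agent before anything else references it.
[Firewall-GigabitEthernet0/1] dhcp select relay
[Firewall-GigabitEthernet0/1] dhcp relay server-select 1
[Firewall-GigabitEthernet0/1] quit
#
# Static binding for a host that uses a fixed address instead of DHCP.
# The interface is already a relay agent, so no address entry conflict occurs.
[Firewall] dhcp relay security static 192.168.10.50 000f-e235-dc01 interface GigabitEthernet 0/1
#
# Enable the check last. From this point, packets whose source IP and MAC
# match neither a dynamic nor a static binding get no ARP entry and no replies.
[Firewall] interface GigabitEthernet 0/1
[Firewall-GigabitEthernet0/1] dhcp relay address-check enable
[Firewall-GigabitEthernet0/1] quit
#
# Verify the bindings: the static entry is present immediately; dynamic entries
# appear as clients obtain leases through the relay agent.
[Firewall] display dhcp relay security
```

Hosts that obtain their addresses through the relay agent need no static entry, because their bindings are recorded dynamically. Because the check compares only IP and MAC addresses, the interface parameter on the static binding does not limit where the pair is accepted; it only associates the entry with a relay interface.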
Configuring periodic refresh of dynamic client entries.
A DHCP client unicasts a DHCP-RELEASE message to the DHCP server to release its IP address. The
DHCP relay agent simply relays the message to the DHCP server and does not remove the
IP-to-MAC entry of the client.
With this feature, the DHCP relay agent periodically sends a DHCP-REQUEST message to the DHCP
server using the IP address of the client and the MAC address of the DHCP relay interface. Because
the request carries the relay interface's MAC address rather than the client's, the server's answer
reveals whether the client still holds the address:
• If the server returns a DHCP-ACK message or does not return any message within a specific
interval, the DHCP relay agent ages out the entry.
• If the server returns a DHCP-NAK message, the relay agent keeps the entry.
To configure periodic refresh of dynamic client entries: