R3303-HP HSR6800 Routers Layer 3 - IP Services Configuration Guide
Configuring the DHCP relay agent security functions
Configuring address check
Address check can block illegal hosts from accessing external networks.
With this feature enabled, the DHCP relay agent can dynamically record clients' IP-to-MAC bindings
after they obtain IP addresses through DHCP. You can also configure static IP-to-MAC bindings on the
DHCP relay agent so that users can access external networks using fixed IP addresses.
Upon receiving a packet from a host, the DHCP relay agent checks the source IP and MAC addresses in
the packet against the recorded dynamic and static bindings. If no match is found, the DHCP relay agent
does not learn the ARP entry of the host, and does not forward any reply to the host, which therefore
cannot access external networks through the DHCP relay agent.
Configuration guidelines
Follow these guidelines when you configure address check:
• The dhcp relay address-check enable command can be executed only on Layer 3 Ethernet
interfaces (including subinterfaces), VLAN interfaces, and Layer 3 aggregate interfaces.
• Before enabling address check on an interface, you must enable the DHCP service, and enable the
DHCP relay agent on the interface. Otherwise, the address check configuration is ineffective.
• The dhcp relay address-check enable command checks only IP and MAC addresses, not
interfaces.
• When using the dhcp relay security static command to bind an interface to a static binding entry,
make sure the interface is configured as a DHCP relay agent. Otherwise, address entry conflicts
might occur.
• When a synchronous/asynchronous serial interface requests an IP address through DHCP, the
DHCP relay agent does not record the corresponding IP-to-MAC binding.
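The second and fourth guidelines above can be checked offline against a saved configuration. The following Python sketch is an added example, not part of the HP guide; it assumes that the DHCP service and the relay agent appear in the configuration as dhcp enable and dhcp select relay (commands not shown on this page), and its sample configuration is constructed.

```python
import re

# Constructed sample in the style of a saved configuration; names and addresses are made up.
SAMPLE_CONFIG = """\
#
 dhcp enable
#
 dhcp relay security static 10.1.1.5 0005-5d02-f2b3 interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/1
 dhcp select relay
 dhcp relay address-check enable
#
interface GigabitEthernet1/0/2
 dhcp relay address-check enable
#
"""
# Assumed (not on this page): how the prerequisites appear in the configuration.
DHCP_SERVICE, RELAY_AGENT = "dhcp enable", "dhcp select relay"
ADDRESS_CHECK = "dhcp relay address-check enable"
STATIC_RE = re.compile(r"dhcp relay security static \S+ \S+ interface (.+)$")

def audit_address_check(config):
    """Return findings where address check would be ineffective or conflict-prone."""
    dhcp_enabled, static_ifaces, ifaces, current = False, [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "#"):                 # "#" closes the current view
            current = None
        elif raw.startswith("interface "):    # unindented line opens an interface view
            current = ifaces.setdefault(line.split(None, 1)[1].replace(" ", ""), set())
        elif current is not None:
            current.add(line)                 # command inside the interface view
        elif line == DHCP_SERVICE:
            dhcp_enabled = True
        elif (m := STATIC_RE.match(line)):
            static_ifaces.append(m.group(1).replace(" ", ""))
    findings = []
    for name, cmds in ifaces.items():
        if ADDRESS_CHECK not in cmds:
            continue
        if not dhcp_enabled:
            findings.append(f"{name}: address check enabled but DHCP service is off")
        if RELAY_AGENT not in cmds:
            findings.append(f"{name}: address check enabled but interface is not a relay agent")
    for name in static_ifaces:
        if RELAY_AGENT not in ifaces.get(name, set()):
            findings.append(f"{name}: static binding names an interface that is not a relay agent")
    return findings
```

On the constructed sample, audit_address_check(SAMPLE_CONFIG) reports two findings, both for GigabitEthernet1/0/2.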
Configuration procedure
To create a static binding and enable address check:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create a static binding. | dhcp relay security static ip-address mac-address [ interface interface-type interface-number ] | Optional. No static binding is created by default. |
| 3. Enter interface view. | interface interface-type interface-number | N/A |
| 4. Enable address check. | dhcp relay address-check enable | Disabled by default. |