R3303-HP HSR6800 Routers Layer 3 - IP Services Configuration Guide
Configuring periodic refresh of dynamic client entries
A DHCP client unicasts a DHCP-RELEASE message to the DHCP server to release its IP address. The
DHCP relay agent simply conveys the message to the DHCP server and does not remove the IP-to-MAC
entry of the client.
With this feature, the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP
relay interface to periodically send a DHCP-REQUEST message to the DHCP server.
• If the server returns a DHCP-ACK message or does not return any message within a specific interval,
the DHCP relay agent ages out the entry.
• If the server returns a DHCP-NAK message, the relay agent keeps the entry.
To configure periodic refresh of dynamic client entries:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable periodic refresh of dynamic client entries.
  Command: dhcp relay security refresh enable
  Remarks: Optional. Enabled by default.
Step 3. Configure the refresh interval.
  Command: dhcp relay security tracker { interval | auto }
  Remarks: Optional. The default setting is auto. The auto interval is calculated by the relay agent according to the number of client entries.
Configuring the DHCP relay agent to work with authorized ARP
Only clients that obtain an IP address from the DHCP server are considered authorized clients. If the
DHCP relay agent serves as the gateway, it can work with authorized ARP to block unauthorized clients
and prevent ARP spoofing attacks.
To enable the DHCP relay agent to work with authorized ARP:
• Configure the DHCP relay agent to support authorized ARP—With this function enabled, the DHCP
relay agent automatically records DHCP clients' IP-to-MAC bindings (called client entries), and
notifies authorized ARP to add, delete, or change authorized ARP entries whenever it adds, deletes,
or changes client entries.
• Enable authorized ARP—The ARP automatic learning function is disabled after you enable
authorized ARP. ARP entries are added according to the client entries recorded by the DHCP relay
agent to avoid learning incorrect ARP entries.
The DHCP relay agent works with authorized ARP for the following purposes:
• Only the clients that have obtained IP addresses from the DHCP server and have their IP-to-MAC
bindings recorded on the DHCP relay agent are authorized clients. Only authorized clients can
access the network.
• Clients that have not obtained IP addresses from the DHCP server are considered unauthorized
clients and are unable to access the network.
• Disabling ARP automatic learning prevents network attacks such as IP/MAC address spoofing
and ensures that only authorized users can access the network, which enhances network security.
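The interaction between periodic refresh and authorized ARP described above, as an added Python model (not HP or Comware code; the class, method names, and addresses are hypothetical and constructed). It shows that an ARP claim with an unrecorded MAC is not accepted, and that a released address stays in authorized ARP until a refresh ages the client entry out.

```python
# Hypothetical model (added example), not HP/Comware code.
from enum import Enum

class Reply(Enum):
    ACK = "DHCP-ACK"
    NAK = "DHCP-NAK"
    NONE = "no reply within the interval"

class RelayAgent:
    def __init__(self):
        self.client_entries = {}   # IP -> MAC, recorded from DHCP exchanges
        self.authorized_arp = {}   # IP -> MAC, only ever written by _sync()

    def _sync(self, ip):
        # Authorized ARP follows every add/delete/change of a client entry.
        self.authorized_arp.pop(ip, None)
        if ip in self.client_entries:
            self.authorized_arp[ip] = self.client_entries[ip]

    def lease_granted(self, ip, mac):
        self.client_entries[ip] = mac.lower()
        self._sync(ip)

    def relay_release(self, ip):
        # DHCP-RELEASE is only conveyed to the server; the entry stays.
        return ip in self.client_entries

    def refresh(self, ip, reply):
        # Probe: client's IP + relay interface MAC. ACK/silence ages out; NAK keeps.
        if reply in (Reply.ACK, Reply.NONE):
            self.client_entries.pop(ip, None)
            self._sync(ip)
        return ip in self.client_entries

    def arp_accepted(self, ip, mac):
        # ARP automatic learning is off: only recorded bindings are accepted.
        return self.authorized_arp.get(ip) == mac.lower()

def demo():
    relay = RelayAgent()
    relay.lease_granted("192.0.2.10", "00:11:22:AA:BB:01")  # constructed
    relay.lease_granted("192.0.2.11", "00:11:22:AA:BB:02")  # constructed
    spoof = relay.arp_accepted("192.0.2.10", "02:00:00:00:00:99")
    relay.relay_release("192.0.2.10")
    stale = relay.arp_accepted("192.0.2.10", "00:11:22:aa:bb:01")
    present_after_nak = relay.refresh("192.0.2.11", Reply.NAK)
    present_after_ack = relay.refresh("192.0.2.10", Reply.ACK)
    after = relay.arp_accepted("192.0.2.10", "00:11:22:aa:bb:01")
    return spoof, stale, present_after_nak, present_after_ack, after
```

The `stale` result is the window that the refresh interval controls: a shorter interval removes the released binding from authorized ARP sooner.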