Configuring the DHCP Relay Agent Security Functions; Configuring Address Check; Configuring Periodic Refresh of Dynamic Client Entries - HP 10500 Series Configuration Manual

Layer 3 - ip services

Configuring the DHCP relay agent security functions

Configuring address check

Address check can block illegal hosts from accessing external networks.
With this feature enabled, the DHCP relay agent can dynamically record clients' IP-to-MAC bindings
after they obtain IP addresses through DHCP. You can also configure static IP-to-MAC bindings on the
DHCP relay agent so that users can access external networks by using fixed IP addresses.
Upon receiving a packet from a host, the DHCP relay agent checks the source IP and MAC addresses in
the packet against the recorded dynamic and static bindings. If no match is found, the DHCP relay agent
does not learn the ARP entry of the host, and does not forward any reply to the host, which therefore
cannot access external networks through the DHCP relay agent.
Configuration guidelines

Follow these guidelines when you configure address check:
- The dhcp relay address-check enable command can only be executed on Layer 3 Ethernet
  interfaces (including subinterfaces) and VLAN interfaces.
- Before enabling address check on an interface, enable the DHCP service, and enable the DHCP
  relay agent on the interface.
- The dhcp relay address-check enable command only checks IP and MAC addresses. It does not
  check interfaces.
- When using the dhcp relay security static command to bind an interface to a static binding entry,
  make sure the interface is configured as a DHCP relay agent. If you do not, address entry conflicts
  may occur.

Configuration procedure
To create a static binding and enable address check:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create a static binding.
  Command: dhcp relay security static ip-address mac-address [ interface interface-type interface-number ]
  Remarks: Optional. No static binding is created by default.

Step 3. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A

Step 4. Enable address check.
  Command: dhcp relay address-check enable
  Remarks: Disabled by default.

Configuring periodic refresh of dynamic client entries

A DHCP client unicasts a DHCP-RELEASE message to the DHCP server to release its IP address. The
DHCP relay agent simply conveys the message to the DHCP server and does not remove the IP-to-MAC
entry of the client.
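
The address check and the DHCP-RELEASE behavior described on this page, modeled as an added example (not code from the HP manual or the device). The class, its method names, the sample addresses and the interface name Vlan-interface20 are constructed for illustration.

```python
"""Toy model of relay-agent address check (illustration, not device code)."""

class RelayAddressCheck:
    def __init__(self):
        self.static = set()    # (ip, mac) pairs configured by the administrator
        self.dynamic = set()   # (ip, mac) pairs recorded when clients obtain leases

    @staticmethod
    def _key(ip, mac):
        return (ip, mac.lower())

    def add_static(self, ip, mac):
        self.static.add(self._key(ip, mac))

    def client_obtained(self, ip, mac):
        self.dynamic.add(self._key(ip, mac))

    def permits(self, src_ip, src_mac, interface=None):
        # Only the IP and MAC are compared; the interface is ignored,
        # matching the guideline that address check does not check interfaces.
        key = self._key(src_ip, src_mac)
        return key in self.static or key in self.dynamic

    def stale_entries(self, server_leases):
        # Dynamic entries the server no longer has leased (for example after a
        # client's unicast DHCP-RELEASE, which the relay forwards unchanged).
        return sorted(self.dynamic - {self._key(ip, mac) for ip, mac in server_leases})


def demo():
    # Constructed sample data: documentation-range IPs, locally administered MACs.
    relay = RelayAddressCheck()
    relay.add_static("192.0.2.10", "02:00:00:00:00:10")
    relay.client_obtained("192.0.2.50", "02:00:00:00:00:50")
    server_leases = {("192.0.2.50", "02:00:00:00:00:50")}
    results = {
        "static_host": relay.permits("192.0.2.10", "02:00:00:00:00:10"),
        "dhcp_client": relay.permits("192.0.2.50", "02:00:00:00:00:50"),
        "unbound_host": relay.permits("192.0.2.77", "02:00:00:00:00:77"),
        "wrong_mac": relay.permits("192.0.2.50", "02:00:00:00:00:99"),
        "other_interface": relay.permits("192.0.2.50", "02:00:00:00:00:50", "Vlan-interface20"),
    }
    server_leases.clear()   # the client releases its address at the server
    results["after_release"] = relay.permits("192.0.2.50", "02:00:00:00:00:50")
    results["stale"] = relay.stale_entries(server_leases)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The stale_entries result is the kind of leftover binding that remains on the relay agent after a release, since the relay agent does not remove the entry itself.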
