Configuring DHCP Relay Security - H3C S3600 Series Operation Manual

Operation Manual – DHCP
H3C S3600 Series Ethernet Switches-Release 1510
Note:
- You can configure up to eight external DHCP server IP addresses in a DHCP server group.
- You can map multiple VLAN interfaces to one DHCP server group, but one VLAN interface can be mapped to only one DHCP server group.
- If you execute the dhcp-server groupNo command repeatedly, the new configuration overwrites the previous one.
- Before you use the dhcp-server groupNo command in VLAN interface view, the group number it specifies must be configured in advance with the dhcp-server groupNo ip ip-address&<1-8> command.

3.2.4 Configuring DHCP Relay Security

I. Configuring address checking
When a DHCP client obtains an IP address from a DHCP server with the help of a DHCP
relay, the DHCP relay creates an entry (dynamic entry) in the user address table to
track the IP-MAC address binding information about the DHCP client. You can also
configure user address entries manually (static entries) to bind an IP address and a
MAC address statically.
The purpose of the address checking function on DHCP relay is to prevent
unauthorized users from statically configuring IP addresses to access external
networks. With this function enabled, a DHCP relay inhibits a user from accessing
external networks if the IP address configured on the user end and the MAC address of
the user end do not match any entries (including the entries dynamically tracked by the
DHCP relay and the manually configured static entries) in the user address table on the
DHCP relay.
Table 3-4 Configure address checking

| Operation | Command | Description |
|---|---|---|
| Enter system view | system-view | |
| Create a DHCP user address entry manually | dhcp-security static ip-address mac-address | Optional. By default, no DHCP user address entry is configured. (Only S3600-EI series switches among S3600 series switches support this configuration.) |
| Enter interface view | interface interface-type interface-number | |

Chapter 3 DHCP Relay Configuration
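The following is an added example, not taken from the H3C manual: a Python model of the address check described in this section, meant for auditing a segment before the function is switched on. It lists the hosts whose IP-MAC pair matches no dynamic or static entry and emits dhcp-security static lines for the approved ones; the sample data, the approved list and the four-digit-group MAC form in the generated commands are assumptions.

```python
import ipaddress
import re

def norm_mac(mac):
    """Reduce aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb-ccdd-eeff to 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def h3c_mac(mac):
    """Render a MAC as three 4-digit groups (assumed CLI form, e.g. 00e0-fc12-3456)."""
    d = norm_mac(mac)
    return "-".join(d[i:i + 4] for i in (0, 4, 8))

def key(ip, mac):
    return str(ipaddress.ip_address(ip)), norm_mac(mac)

def audit(dynamic, static, observed, approved=()):
    """A host passes only if its exact IP-MAC pair is in the user address table."""
    table = {key(*e) for e in list(dynamic) + list(static)}
    bound_ips = {ip for ip, _ in table}
    approved = {key(*e) for e in approved}
    findings, commands = [], []
    for entry in observed:
        k = key(*entry)
        if k in table:
            continue
        reason = "ip-bound-to-other-mac" if k[0] in bound_ips else "no-entry"
        findings.append((k[0], h3c_mac(k[1]), reason))
        if k in approved and reason == "no-entry":
            commands.append(f"dhcp-security static {k[0]} {h3c_mac(k[1])}")
    return findings, commands

# Constructed sample data (documentation addresses, made-up MACs).
DYNAMIC = [("192.0.2.10", "00:e0:fc:00:00:0a"), ("192.0.2.11", "00e0-fc00-000b")]
STATIC = [("192.0.2.2", "00-E0-FC-00-00-02")]
OBSERVED = [
    ("192.0.2.10", "00e0-fc00-000a"),     # leased via the relay: passes
    ("192.0.2.2", "00:e0:fc:00:00:02"),   # matches the static entry: passes
    ("192.0.2.50", "00:e0:fc:00:00:32"),  # printer with a hand-set address
    ("192.0.2.11", "00:e0:fc:00:00:99"),  # hand-set address colliding with a lease
    ("192.0.2.77", "00:e0:fc:00:00:4d"),  # unknown host
]
APPROVED = [("192.0.2.50", "00e0-fc00-0032")]

if __name__ == "__main__":
    for part in audit(DYNAMIC, STATIC, OBSERVED, APPROVED):
        print(*part, sep="\n")
```

Hosts reported as ip-bound-to-other-mac get no generated command, because a static entry for them would conflict with an address the relay has already tracked for another client.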
