3Com MSR 50 Series Configuration Manual page 594

3com msr 30-16: software guide

Chapter 34: DHCP Relay Agent Configuration
When using the dhcp relay security static command to bind an interface to a
static binding entry, make sure that the interface is configured as a DHCP relay
agent; otherwise, address entry conflicts may occur.
Configuring dynamic binding update interval
A DHCP client relinquishes its IP address by sending a DHCP-RELEASE unicast message to the DHCP server via the DHCP relay agent. The relay agent simply forwards this message to the DHCP server and does not remove the IP address from its bindings. To solve this, the DHCP relay agent can update dynamic bindings at a specified interval.
The DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay interface to regularly send a DHCP-REQUEST message to the DHCP server:
- If the server returns a DHCP-ACK message or does not return any message within a specified interval, which means the IP address is assignable now, the DHCP relay agent updates its bindings by aging out the binding entry of the IP address.
- If the server returns a DHCP-NAK message, which means the IP address is still in use, the relay agent does not age it out.
To configure the dynamic binding update interval, use the following commands:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Configure binding update interval | dhcp relay security tracker { interval \| auto } | Optional. auto by default (auto interval is calculated by the relay agent according to the number of bindings) |

Configuring the DHCP relay agent to support authorized ARP
A DHCP relay agent can work in cooperation with authorized ARP to block illegal clients, to avoid learning incorrect ARP entries and to guard against attacks such as MAC address spoofing. Only the clients whose IP-to-MAC bindings are recorded on the DHCP relay agent are considered legal clients.
When authorized ARP is enabled on the DHCP relay agent, the ARP automatic learning function is disabled. ARP entries can only be added by the authentication module (here, the DHCP relay agent), which notifies authorized ARP to add, delete, or change authorized ARP entries when it adds, deletes, or changes dynamic IP-to-MAC bindings. Thus, only the clients that have passed the authentication of the DHCP relay agent can access the network normally, while other clients are considered illegal clients and are unable to access the network.
Follow these steps to configure the DHCP relay agent to support authorized ARP:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter interface view | interface interface-type interface-number | - |
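
The following Python model is an added example, not code from the 3Com manual or the device software. It shows how one binding update pass ages out stale bindings and how each removal is propagated to the authorized ARP table. The class and method names, the addresses and the server replies are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Reply(Enum):
    ACK = "DHCP-ACK"
    NAK = "DHCP-NAK"
    TIMEOUT = "no reply within the interval"

@dataclass
class RelayAgent:
    """Hypothetical model of the relay's dynamic bindings and authorized ARP."""
    bindings: dict = field(default_factory=dict)        # client IP -> client MAC
    authorized_arp: dict = field(default_factory=dict)  # written only by the relay

    def learn(self, ip, mac):
        """A new dynamic binding also adds the authorized ARP entry."""
        self.bindings[ip] = mac
        self.authorized_arp[ip] = mac

    def track(self, probe):
        """One update pass; probe(ip) is the server's Reply to the DHCP-REQUEST."""
        aged = []
        for ip in list(self.bindings):
            # ACK or silence: the address is assignable, so the binding is stale.
            # NAK: the address is still in use, so the binding stays.
            if probe(ip) is not Reply.NAK:
                del self.bindings[ip]
                self.authorized_arp.pop(ip, None)  # deletion is propagated
                aged.append(ip)
        return aged

    def is_legal(self, ip, mac):
        """ARP auto-learning is off: only a recorded IP-to-MAC pair passes."""
        return ip in self.authorized_arp and self.authorized_arp[ip] == mac

def demo():
    """Constructed scenario: .10 released, .11 in use, .12 gets no answer."""
    relay = RelayAgent()
    relay.learn("10.1.1.10", "00e0-fc00-0001")
    relay.learn("10.1.1.11", "00e0-fc00-0002")
    relay.learn("10.1.1.12", "00e0-fc00-0003")
    replies = {"10.1.1.10": Reply.ACK, "10.1.1.11": Reply.NAK}
    aged = relay.track(lambda ip: replies.get(ip, Reply.TIMEOUT))
    return relay, aged

if __name__ == "__main__":
    print(demo()[1])
```

After the pass, only the binding that drew a DHCP-NAK remains, so a frame claiming a released address, or a bound address with a different MAC, no longer matches an authorized ARP entry.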
