Configuring Dhcp Relay Security - Huawei Quidway S3900 Series Operation Manual

Operation Manual - DHCP
Quidway S3900 Series Ethernet Switches-Release 1510
Note:
You can configure up to eight external DHCP IP addresses in a DHCP server
group.
You can map multiple VLAN interfaces to one DHCP server group. But one VLAN
interface can be mapped to only one DHCP server group. If you execute the
dhcp-server groupNo command repeatedly, the new configuration overwrites the
previous one.
You need to configure the group number specified in the dhcp-server groupNo
command in VLAN interface view by using the command dhcp-server groupNo ip
ipaddress-address&<1-8> in advance.

3.2.4 Configuring DHCP Relay Security

I. Configuring address checking
When a DHCP client obtain an IP address from a DHCP server with the help of a
DHCP relay, the DHCP relay creates an entry (dynamic entry) in the user address
table to track the IP-MAC address binding information about the DHCP client. You can
also configure user address entries manually (static entries) to bind an IP address and
a MAC address statically.
The purpose of the address checking function on DHCP relay is to prevent
unauthorized users from statically configuring IP addresses to access external
networks. With this function enabled, a DHCP relay inhibits a user from accessing
external networks if the IP address configured on the user end and the MAC address
of the user end do not match any entries (including the entries dynamically tracked by
the DHCP relay and the manually configured static entries) in the user address table
on the DHCP relay.
Table 3-4 Configure address checking
Operation
Enter system view
Create a DHCP user
address
manually
Command
system-view
dhcp-security
entry
ip-address mac-address
Huawei Technologies Proprietary
3-6
Chapter 3 DHCP Relay Configuration
Description
—
Optional
By default, no DHCP user
address entry is configured
static
Only S3900-EI
switches among S3900 series
switches
configuration
series
support this