Configuring address check
Address check can block illegal hosts from accessing external networks.
With this feature enabled, the DHCP relay agent can dynamically record clients' IP-to-MAC bindings after they obtain IP addresses through DHCP. This feature also supports static bindings. You can also configure static IP-to-MAC bindings on the DHCP relay agent, so users can access external networks using fixed IP addresses.
Upon receiving a packet from a host, the DHCP relay agent checks the source IP and MAC addresses in the packet against the recorded dynamic and static bindings. If no match is found, the DHCP relay agent does not learn the ARP entry of the host, and will not forward any reply to the host, so the host cannot access external networks via the DHCP relay agent.
Configuration guidelines
Follow these guidelines when you create a static binding and enable address check:
The dhcp relay address-check enable command can be executed only on Layer 3 Ethernet interfaces and VLAN interfaces.
Before enabling address check on an interface, you must enable the DHCP service, and enable the DHCP relay agent on the interface. Otherwise, the address check configuration is ineffective.
The dhcp relay address-check enable command only checks IP and MAC addresses but not interfaces.
When using the dhcp relay security static command to bind an interface to a static binding entry, make sure that the interface is configured as a DHCP relay agent. Otherwise, address entry conflicts may occur.
Configuration procedure
To create a static binding and enable address check:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create a static binding. | dhcp relay security static ip-address mac-address [ interface interface-type interface-number ] | Optional. No static binding is created by default. |
3. Enter interface view. | interface interface-type interface-number | N/A |
4. Enable address check. | dhcp relay address-check enable | Disabled by default. |