DHCP Configuration 287
Configuring the User Address Entry for the DHCP Server Group
To ensure that a valid user with a fixed IP address in a VLAN configured with DHCP
Relay passes the address validity check of the DHCP security feature, you must add a
static address entry which indicates the correspondence between an IP address and a
MAC address.
If an illegal user configures a static IP address which is in conflict with the fixed IP
address of a valid user, the Switch with DHCP Relay function enabled can identify the
valid user and reject the illegal user's request to bind the IP address with the MAC
address.
Perform the following configuration in System View.
Configuring DHCP Relay Security
Configuring address checking
When a DHCP client obtains an IP address from a DHCP server with the help of a DHCP
relay, the DHCP relay creates an entry (dynamic entry) in the user address table to
track the IP-MAC address binding information about the DHCP client. You can also
configure user address entries manually (static entries) to bind an IP address and a
MAC address statically.
The purpose of the address checking function on DHCP relay is to prevent
unauthorized users from statically configuring IP addresses to access external
networks. With this function enabled, a DHCP relay inhibits a user from accessing
external networks if the IP address configured on the user end and the MAC address
of the user end do not match any entries (including the entries dynamically tracked by
the DHCP relay and the manually configured static entries) in the user address table
on the DHCP relay.
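The check described above, modelled as an added Python example (not code from the manual or from the switch firmware): the user address table holds static and dynamic entries, and a user passes only if the source IP-MAC pair matches one of them. The class and method names, the sample addresses, and the rule that a dynamic entry never overwrites a static one are assumptions made for illustration.

```python
import re

def norm_mac(mac: str) -> str:
    """Normalize a MAC (000f-e200-0001, 00:0f:e2:00:00:01, ...) to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits

class UserAddressTable:
    """Toy model of the DHCP relay's user address table (hypothetical names)."""
    def __init__(self):
        self.entries = {}  # ip -> (normalized mac, "static" | "dynamic")

    def add_static(self, ip, mac):
        # Models: dhcp-security static ip_address mac_address
        self.entries[ip] = (norm_mac(mac), "static")

    def learn_dynamic(self, ip, mac):
        # Models the entry the relay creates when a client obtains a lease.
        # Assumption: a manually configured static entry is not overwritten.
        if self.entries.get(ip, (None, None))[1] != "static":
            self.entries[ip] = (norm_mac(mac), "dynamic")

    def undo(self, selector):
        # Models: undo dhcp-security { ip_address | all | dynamic | static }
        if selector == "all":
            self.entries.clear()
        elif selector in ("dynamic", "static"):
            self.entries = {ip: e for ip, e in self.entries.items() if e[1] != selector}
        else:
            self.entries.pop(selector, None)

    def address_check(self, src_ip, src_mac):
        # Permit only if the (IP, MAC) pair matches a static or dynamic entry.
        entry = self.entries.get(src_ip)
        return entry is not None and entry[0] == norm_mac(src_mac)

def demo():
    """Run the check over constructed sample addresses (not from the manual)."""
    t = UserAddressTable()
    t.add_static("10.1.1.10", "000f-e200-0001")        # valid fixed-IP user
    t.learn_dynamic("10.1.1.50", "00:0f:e2:00:00:02")  # DHCP client
    return {
        "fixed_ip_user": t.address_check("10.1.1.10", "00:0F:E2:00:00:01"),
        "dhcp_client": t.address_check("10.1.1.50", "000f-e200-0002"),
        "conflicting_ip": t.address_check("10.1.1.10", "000f-e200-0bad"),
        "unlisted_static": t.address_check("10.1.1.99", "000f-e200-0003"),
    }
```

The `conflicting_ip` case is the one the first section describes: a second host claiming the fixed IP address of a valid user fails the check because its MAC address does not match the static entry.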
Configuring the dynamic user address entry updating function
When a DHCP client obtains an IP address from a DHCP server with the help of a
DHCP relay, the DHCP relay creates an entry (dynamic entry) in the user address table
to track the binding information about the IP address and MAC address of the DHCP
client. But as a DHCP relay does not process DHCP-RELEASE packets, which are sent
Table 283 Configuring the User Address Entry for the DHCP Server Group

Operation                                               Command
------------------------------------------------------  ----------------------------------------------------------
Configure user address entry for DHCP server group      dhcp-security static ip_address mac_address
Delete the user address entry in the DHCP server group  undo dhcp-security { ip_address | all | dynamic | static }
Table 284 Configure address checking

Operation                                  Command                                      Description
-----------------------------------------  -------------------------------------------  -----------
Enter system view                          system-view                                  -
Create a DHCP user address entry manually  dhcp-security static ip-address mac-address  Optional. By default, there is no manually configured DHCP user address entry. Only S5500-EI series switches among S5500 series switches support this configuration.
Enter interface view                       interface interface-type interface-number    -
Enable the address checking function       address-check enable                         Required. By default, the address checking function is disabled.