| To do… | Use the command… | Remarks |
|---|---|---|
| Create a static IP-to-MAC binding | dhcp-security static ip-address mac-address | Optional. Not created by default. |
| Enter interface view | interface interface-type interface-number | — |
| Enable the address checking function | address-check enable | Required. Disabled by default. |
- The address-check enable command is independent of other commands of the DHCP relay agent. That is, the invalid address check takes effect when this command is executed, regardless of whether other commands (such as the command to enable DHCP) are used.
- Before executing the address-check enable command on the interface connected to the DHCP server, you need to configure the static binding of the IP address to the MAC address of the DHCP server. Otherwise, the DHCP client will fail to obtain an IP address.
Configuring the dynamic client address entry updating function
After relaying an IP address from the DHCP server to the DHCP client, the DHCP relay agent can
automatically record the client's IP-to-MAC binding and generate a dynamic address entry. However,
DHCP clients release their IP addresses by unicasting DHCP-RELEASE packets to the DHCP server, and
the DHCP relay agent does not process these packets, so the user address entries maintained by the
DHCP relay agent cannot be updated in time. You can solve this problem by enabling the DHCP relay
agent handshake function and configuring the dynamic client address entry updating interval.
After the handshake function is enabled, the DHCP relay agent periodically sends a handshake packet
(a DHCP-REQUEST packet) to the DHCP server, using a client's IP address and its own MAC address.
- If the DHCP relay agent receives the DHCP-ACK packet from the DHCP server, or receives no response from the server within a specified period, the IP address can be assigned. The DHCP relay agent ages out the corresponding entry in the client address table.
- If the DHCP relay agent receives the DHCP-NAK packet from the DHCP server, the lease of the IP address does not expire. The DHCP relay agent does not age out the corresponding entry.
Follow these steps to configure the dynamic user address entry updating function:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enable the DHCP relay agent handshake function | dhcp relay hand enable | Optional. Enabled by default. |
| Set the interval at which the DHCP relay agent dynamically updates the client address entries | dhcp-security tracker { interval \| auto } | Optional. By default, auto is adopted, that is, the interval is automatically calculated. |
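
The following Python model is an added illustration, not code from the device or this manual. It shows how the static binding, the address check and the handshake result act on the client address table. The class and method names are hypothetical, the addresses are constructed samples, and it assumes the address check accepts a packet only when its source IP and MAC match a static or dynamic entry.

```python
# Added illustration: a model of the relay agent's client address table.
# Names are hypothetical; this is not the switch's implementation.
from dataclasses import dataclass, field

@dataclass
class RelayAddressTable:
    static: dict = field(default_factory=dict)   # ip -> mac, as set by "dhcp-security static"
    dynamic: dict = field(default_factory=dict)  # ip -> mac, recorded while relaying leases

    def add_static(self, ip, mac):
        self.static[ip] = mac.lower()

    def learn(self, ip, mac):
        """Record a client's binding after an address has been relayed to it."""
        self.dynamic[ip] = mac.lower()

    def address_check(self, ip, mac):
        """Assumed check: valid only if (ip, mac) matches a static or dynamic entry."""
        mac = mac.lower()
        return self.static.get(ip) == mac or self.dynamic.get(ip) == mac

    def handshake(self, ip, reply):
        """Apply one handshake result to a dynamic entry; return True if it is kept.

        reply is "ACK", "NAK", or None (no response within the period).
        NAK: the lease has not expired, so the entry stays.
        ACK or None: the address can be assigned, so the entry is aged out.
        """
        if ip not in self.dynamic:
            return False
        if reply == "NAK":
            return True
        del self.dynamic[ip]
        return False

def demo():
    # Constructed sample addresses from a documentation range.
    table = RelayAddressTable()
    server = ("192.0.2.1", "00e0-fc00-0001")
    # With no static binding, the server's own address fails the check,
    # which is the case in which clients cannot obtain an address.
    before = table.address_check(*server)
    table.add_static(*server)
    after = table.address_check(*server)
    table.learn("192.0.2.10", "00e0-fc00-00aa")
    table.learn("192.0.2.11", "00e0-fc00-00bb")
    kept = table.handshake("192.0.2.10", "NAK")  # client still holds the lease
    aged = table.handshake("192.0.2.11", None)   # released earlier, no response
    spoofed = table.address_check("192.0.2.10", "00e0-fc00-00ff")
    stale = table.address_check("192.0.2.11", "00e0-fc00-00bb")
    return before, after, kept, aged, spoofed, stale
```

Calling `demo()` returns the six check results in order: server before and after the static binding, entry kept on NAK, entry kept on timeout, a mismatched MAC on a live entry, and a packet from an aged-out entry.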