3-5Configuring the DHCP Relay Agent Security FunctionsCreating static bindings and enabling IP address checkThe DHCP relay agent can dynamically record clients’ IP-to-MAC bindings after clients get IPaddresses. It also supports static bindings, that is, you can manually configure IP-to-MAC bindings onthe DHCP relay agent, so that users can access external network using fixed IP addresses.For avoidance of invalid IP address configuration, you can configure the DHCP relay agent to checkwhether a requesting client’s IP and MAC addresses match a binding (dynamic or static) on the DHCPrelay agent. If not, the client cannot access outside networks via the DHCP relay agent.Follow these steps to create a static binding and enable IP address check:To do… Use the command… RemarksEnter system view system-view —Create a static bindingdhcp relay security staticip-address mac-address[ interface interface-typeinterface-number ]OptionalNo static binding is createdby default.Enter interface view interface interface-typeinterface-number —Enable invalid IP address check dhcp relay address-check{ disable | enable }RequiredDisabled by default.z The dhcp relay address-check enable command is independent of other commands of theDHCP relay agent. That is, the invalid address check takes effect when this command is executed,regardless of whether other commands are used.z The dhcp relay address-check enable command only checks IP and MAC addresses of clients.z You are recommended to configure IP address check on the interface enabled with the DHCP relayagent; otherwise, valid DHCP clients may be denied from accessing networks.z When using the dhcp relay security static command to bind an interface to a static binding entry,make sure that the interface is configured as a DHCP relay agent; otherwise, address entryconflicts may occur.Configuring periodic refresh of dynamic client entriesVia the DHCP relay agent, a DHCP client sends a DHCP-RELEASE unicast message to the DHCPserver to relinquish its IP address. In this case the DHCP relay agent simply conveys the message tothe DHCP server, thus it does not remove the IP address from dynamic client entries. To solve thisproblem, the periodic refresh of dynamic client entries feature is introduced.With this feature, the DHCP relay agent uses the IP address of a client and the MAC address of theDHCP relay interface to periodically send a DHCP-REQUEST message to the DHCP server.