The mac-authen trigger dhcp-binding command enables the device to automatically generate the DHCP snooping binding table after static IP users pass MAC address authentication or when the users are at the pre-connection phase.
The undo mac-authen trigger dhcp-binding command restores the default configuration.
By default, the device does not automatically generate the DHCP snooping binding table after static IP users pass MAC address authentication or when the users are at the pre-authentication phase.
Usage Scenario
Unauthorized users may change their MAC addresses to those of authorized users. After authorized users are connected through MAC address authentication, the unauthorized users can obtain the same identities as the authorized users, which creates security risks for authentication and accounting. After accessing the network, unauthorized users can also initiate ARP spoofing attacks by sending bogus ARP packets. The device then records incorrect ARP entries, greatly affecting normal communication between authorized users. To prevent these attacks, configure IP Source Guard (IPSG). This function is implemented based on binding tables. For static IP users, you can run the user-bind static command to configure the static binding table. However, if there are many static IP users, configuring static binding entries one by one is time-consuming.
To reduce the workload, you can configure the device to automatically generate the DHCP snooping binding table for static IP users. After this function is enabled, the device automatically generates the DHCP snooping binding table based on the MAC address, IP address, and interface information of static IP users who pass MAC address authentication or are at the pre-authentication phase.
You can run the display dhcp snooping user-bind command to check the DHCP snooping binding table that is generated by the device for static IP users who pass MAC address authentication or are at the pre-authentication phase. The DHCP snooping binding table generated using this function will be deleted after the users are disconnected.
Follow-up Procedure
In the interface view, run the ip source check user-bind enable command to enable IPSG.
Precautions
For this function to take effect, DHCP snooping must be enabled both globally and on the interface to which the MAC access profile is bound. Run the dhcp snooping enable command to enable it.
For users who are assigned IP addresses using DHCP, you do not need to run the mac-authen trigger dhcp-binding command on the device. The DHCP snooping binding table is generated through the DHCP snooping function.
The IP address in the DHCP snooping binding table is extracted from an ARP request packet: the first ARP request packet that the user sends after being authenticated or entering the pre-connection state, with the same MAC address as in the user information table.
# In the MAC access profile m1, enable the device to automatically generate the DHCP snooping binding table after static IP users pass MAC address authentication or when the users are at the pre-authentication phase.
<HUAWEI> system-view
[HUAWEI] mac-access-profile name m1
[HUAWEI-mac-access-profile-m1] mac-authen trigger dhcp-binding
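The following end-to-end sequence combines the precaution, the command, and the follow-up procedure described above. It is an added example, not part of the original command reference. The interface GigabitEthernet0/0/1, the assumption that MAC access profile m1 is already bound to it, and the dhcp enable prerequisite step are assumptions made for illustration.

```text
# Added example. Assumptions: the access interface is GigabitEthernet0/0/1
# and MAC access profile m1 is already bound to that interface.
#
# Enable DHCP snooping globally (dhcp enable is its prerequisite).
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
#
# Let the device generate binding entries for static IP users of profile m1.
[HUAWEI] mac-access-profile name m1
[HUAWEI-mac-access-profile-m1] mac-authen trigger dhcp-binding
[HUAWEI-mac-access-profile-m1] quit
#
# Enable DHCP snooping on the access interface, then enable IPSG so that
# traffic is checked against the binding table.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind enable
[HUAWEI-GigabitEthernet0/0/1] quit
#
# After a static IP user has authenticated and sent its first ARP request,
# confirm that an entry with its MAC address, IP address, and interface exists.
[HUAWEI] display dhcp snooping user-bind all
```

Because IPSG forwards only packets that match a binding entry, check the display output for each static IP user on the interface before relying on the configuration in production.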