DES-7200 Configuration Guide Chapter 5 DHCP Relay Configuration
Command                                                       Function
DES-7200(config)# ip dhcp relay information option dot1x      Enable the DHCP option dot1x function.
DES-7200(config)# no ip dhcp relay information option dot1x   Disable the DHCP option dot1x function.
5.2.4 Configuring DHCP option dot1x access-group
In the option dot1x application scheme, the device needs to prevent
unauthorized IP addresses and IP addresses with low privilege from accessing
certain IP addresses, and to restrict access between users with low privileges.
To do so, configure the command ip dhcp relay information option dot1x
access-group acl-name. The ACL named by acl-name must be configured in
advance. It is used to filter certain packets and to prohibit unauthorized
users from accessing each other. The ACL associated here is applied to all the
ports on the device. This ACL has no default ACE and does not conflict with
ACLs associated with other interfaces.
For example: all unauthorized users are assigned addresses from the ranges
192.168.3.2-192.168.3.254, 192.168.4.2-192.168.4.254, and
192.168.5.2-192.168.5.254. 192.168.3.1, 192.168.4.1, and 192.168.5.1 are
gateway addresses that are not assigned to users. In this way, an unauthorized
user uses one of the 192.168.3.x-5.x addresses to access the Web portal and
download the client software. The device should therefore be configured as
follows:
DES-7200# config
DES-7200(config)# ip access-list extended DenyAccessEachOtherOfUnauthrize
DES-7200(config-ext-nacl)# permit ip any host 192.168.3.1  //Packet that can be sent to the gateway
DES-7200(config-ext-nacl)# permit ip any host 192.168.4.1
DES-7200(config-ext-nacl)# permit ip any host 192.168.5.1
DES-7200(config-ext-nacl)# permit ip host 192.168.3.1 any  //Permit the packets whose source IP address is the gateway.
DES-7200(config-ext-nacl)# permit ip host 192.168.4.1 any
DES-7200(config-ext-nacl)# permit ip host 192.168.5.1 any
DES-7200(config-ext-nacl)# deny ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255  //Prohibit unauthorized users from accessing each other
DES-7200(config-ext-nacl)# deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255