Can a router provide DHCP snooping function without using a LAN card


No, the DHCP snooping function can only be provided by the LAN card.

To restrict source MAC addresses without a LAN card installed, the router can use Layer 2 ACL. However, Layer 2 ACL is not a replacement for DHCP snooping.

Other related questions:
Can the DHCP snooping function be implemented if a router does not have a LAN card
The DHCP snooping function can be implemented on the LAN card only. To restrict source MAC addresses, create a Layer 2 ACL; however, a Layer 2 ACL cannot substitute for the DHCP snooping function.

Can DHCP snooping be implemented on an AR with no LAN card
DHCP snooping can only be provided by the LAN card. To limit source MAC addresses without a LAN card installed, the AR can use a Layer 2 ACL. However, Layer 2 ACL is not a replacement for DHCP snooping.

Configure DHCP snooping on S series switch
S series switches (except S1700 switches) support DHCP Snooping. DHCP Snooping provides the trust function and DHCP Snooping binding table checking functions. DHCP Snooping trust function ensures that clients obtain IP addresses from authorized DHCP servers. The DHCP Snooping binding table checking function prevents DHCP attacks, such as DHCP flood attacks, bogus DHCP server attacks, and DHCP server DoS attacks.

As shown in the networking diagram on the right, the DHCP Client and Server are connected through the Switch. The configuration procedure is as follows:

1. Enable global DHCP Snooping.

    [Huawei] dhcp enable
    [Huawei] dhcp snooping enable

2. Enable DHCP Snooping on the user-side interface GE0/0/2.

    [Huawei] interface gigabitethernet 0/0/2
    [Huawei-GigabitEthernet0/0/2] dhcp snooping enable

3. Configure the interface (GE0/0/1) connected to the DHCP Server as the trusted interface to prevent bogus DHCP server attacks.

    [Huawei] interface gigabitethernet 0/0/1
    [Huawei-GigabitEthernet0/0/1] dhcp snooping trusted

4. Set the maximum rate at which DHCP messages are sent to the DHCP message processing unit, and enable the alarm function for discarding packets to prevent DHCP flood attacks.

    # Set the maximum rate at which DHCP messages are sent to the DHCP message processing unit to 90 pps.
    [Huawei] dhcp snooping check dhcp-rate enable
    [Huawei] dhcp snooping check dhcp-rate 90
    # Enable the alarm function for discarding packets and set the alarm threshold for packet rate limiting.
    [Huawei] dhcp snooping alarm dhcp-rate enable
    [Huawei] dhcp snooping alarm dhcp-rate threshold 500

5. Configure the switch to check DHCP messages against the binding table, and enable the switch to generate an alarm when the number of packets discarded in binding table checking reaches the alarm threshold. This configuration prevents bogus DHCP server attacks.

    [Huawei] interface gigabitethernet 0/0/2
    [Huawei-GigabitEthernet0/0/2] dhcp snooping check dhcp-request enable
    [Huawei-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-request enable
    [Huawei-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-request threshold 120

6. Set the maximum number of access users on an interface, enable the switch to check whether the MAC address in a DHCP Request frame header is the same as the CHADDR value in the data field, and enable the switch to generate an alarm when the number of packets discarded in CHADDR field check reaches the alarm threshold. This configuration prevents DHCP Server DoS attacks.

    [Huawei-GigabitEthernet0/0/2] dhcp snooping max-user-number 20
    [Huawei-GigabitEthernet0/0/2] dhcp snooping check dhcp-chaddr enable
    [Huawei-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-chaddr enable
    [Huawei-GigabitEthernet0/0/2] dhcp snooping alarm dhcp-chaddr threshold 120
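The trusted-interface rule from step 3 and the CHADDR check from step 6, modelled in Python as an added example (not Huawei code and not part of the original page). The function names, verdict strings and sample frames are constructed for illustration, and the CHADDR check is assumed to apply only on untrusted (user-side) ports, as in the configuration above.

```python
import struct

FORWARD = "forward"
DROP_SERVER = "drop: server reply on untrusted port"
DROP_CHADDR = "drop: frame source MAC differs from CHADDR"
DROP_SHORT = "drop: truncated DHCP message"

def build_frame(src_mac: bytes, chaddr: bytes, op: int, msg_type: int) -> bytes:
    """Constructed sample frame: Ethernet + IPv4 + UDP + BOOTP + option 53."""
    bootp = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234ABCD, 0, 0)
    bootp += bytes(16)                  # ciaddr, yiaddr, siaddr, giaddr
    bootp += chaddr + bytes(10)         # CHADDR field is 16 bytes wide
    bootp += bytes(192)                 # sname (64) + file (128)
    bootp += b"\x63\x82\x53\x63" + bytes([53, 1, msg_type, 255])
    sport, dport = (68, 67) if op == 1 else (67, 68)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0,
                     64, 17, 0, bytes(4), b"\xff" * 4)
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip + udp

def snoop(frame: bytes, trusted: bool) -> str:
    """Simplified per-port verdict; the binding table is not modelled."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return FORWARD                  # not IPv4/UDP: outside snooping scope
    udp = 14 + (frame[14] & 0x0F) * 4   # honour the IPv4 header length
    ports = frame[udp:udp + 4]
    if len(ports) < 4 or not set(struct.unpack("!HH", ports)) <= {67, 68}:
        return FORWARD                  # not DHCP
    bootp = frame[udp + 8:]
    if len(bootp) < 240:                # fixed BOOTP header + magic cookie
        return DROP_SHORT
    op, hlen = bootp[0], bootp[2]
    # Trust function: only trusted ports may deliver server replies (op 2).
    if op == 2 and not trusted:
        return DROP_SERVER
    # CHADDR check: a client request (op 1) must carry the sender's own MAC.
    if op == 1 and not trusted and bootp[28:28 + hlen] != frame[6:12]:
        return DROP_CHADDR
    return FORWARD

if __name__ == "__main__":
    client = bytes.fromhex("025056000001")   # constructed MAC addresses
    spoofed = bytes.fromhex("025056000099")
    print(snoop(build_frame(client, client, 1, 3), trusted=False))
    print(snoop(build_frame(client, spoofed, 1, 3), trusted=False))
    print(snoop(build_frame(client, client, 2, 5), trusted=False))
```
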

Does an AR router support an interface being switched over between Layer 2 and Layer 3
The following AR routers support an interface being switched over between Layer 2 and Layer 3. By default, Ethernet interfaces are Layer 2 interfaces. Run the undo portswitch command to switch the interfaces from Layer 2 mode to Layer 3 mode, and run the portswitch command to switch the interfaces back to Layer 2 mode.

V200R006C00 and earlier versions:
- AR150 and AR200 series: Eth0/0/0
- AR120-S series: Eth0/0/0~Eth0/0/3
- AR150-S, AR160-S, and AR200-S series (except for AR151-S2): Eth0/0/0
- AR151-S2: GE0/0/0
- AR160 series: GE0/0/0
- AR1220F: Eth0/0/0~Eth0/0/7
- AR2201-48FE, AR2202-48FE, and AR2201-48FE-S: Eth0/0/0 and Eth0/0/47

V200R007C00:
- AR120 and AR150 series, AR120-S series, AR151-S, AR151W-P-S, and AR151G-U-S: Eth0/0/0~Eth0/0/3
- AR160 series, AR509G-L-D-H, AR110-S series, AR151-S2 and AR160-S series: GE0/0/0~GE0/0/3
- AR200 series, AR1220, AR1220V, AR1220W, AR1220VW, AR1220F, AR200-S series, AR1220-S, AR1220W-S, and AR1220F-S: Eth0/0/0~Eth0/0/7
- AR1220C, AR1220E, AR1220EV, AR1220EVW, and AR1220E-S: GE0/0/0~GE0/0/7
- AR2201-48FE and AR2202-48FE: Eth0/0/0~Eth0/0/47
- AR2204-51GE-P: GE0/0/3~GE0/0/50
- AR2204-27GE-P, AR2204-27GE, and AR2201-48FE-S: GE0/0/3~GE0/0/26

V200R008C00:
- AR120 (except for AR129CGVW-L) and AR150 series, AR120-S series, AR151-S, AR151W-P-S, and AR151G-U-S: Eth0/0/0~Eth0/0/3
- AR100 series, AR160 series, AR129CGVW-L, AR503EW, AR503EDGW-Lc, AR509CG-Lt, AR509CG-Lc, AR509G-Lc, AR515GW-LM9-D and AR509G-L-D-H, AR100-S series, AR110-S series, AR151-S2 and AR160-S series: GE0/0/0~GE0/0/3
- AR200 series, AR1220, AR1220V, AR1220W, AR1220VW, and AR1220F, AR200-S series, AR1220-S, AR1220W-S, and AR1220F-S series: Eth0/0/0~Eth0/0/7
- AR1220C, AR1220E, AR1220EV and AR1220EVW, and AR1220E-S: GE0/0/0~GE0/0/7
- AR2201-48FE, AR2202-48FE, and AR2201-48FE-S: Eth0/0/0 and Eth0/0/47
- AR2204-51GE-P, AR2204-51GE-R, and AR2204-51GE: GE0/0/3~GE0/0/50
- AR2204-27GE-P and AR2204-27GE: GE0/0/3~GE0/0/26

At present, the interfaces of all cards do not support Layer 2 and Layer 3 interface switchover.
