DHCP lease period configuration on USG firewalls


You can configure (or modify) the DHCP lease period on the USG2000, USG5000, and USG6000 as follows:
1. Configuration on the web UI:
a. Choose Network > DHCP Server > Service.
b. Complete basic DHCP configurations.
c. Click Advanced. Configure the domain name, address lease period, and WINS server.

d. Click Apply.
2. Configuration on the CLI:
a. Configure the lease period in address pool mode.
[USG] dhcp server ip-pool 2
[USG-dhcp-2] network 10.1.1.128 mask 255.255.255.128
[USG-dhcp-2] gateway-list 10.1.1.129
[USG-dhcp-2] expired day 5
[USG-dhcp-2] quit
b. Configure the lease period in interface mode.
[USG] interface Vlanif10
[USG-interface-VLANif10] ip address 10.1.1.1 255.255.255.0
[USG-interface-VLANif10] dhcp server expired day 10 hour 12

Other related questions:
Commands used to release the IP lease of DHCP on USG firewalls
You can run the following commands to release the DHCP IP lease on USG firewalls. The lease duration is configurable. To release the lease, set the lease period to unlimited. The configuration is as follows:
[sysname] interface GigabitEthernet0/0/1
[sysname-GigabitEthernet0/0/1] ip address 10.1.1.1 255.255.255.0
[sysname-GigabitEthernet0/0/1] dhcp server expired unlimited

DHCP snooping configuration on USG firewalls
You can configure DHCP snooping on USG firewalls as follows:
DHCP snooping is a DHCP security feature. It can protect devices against DHCP DoS attacks, DHCP server spoofing, ARP man-in-the-middle attacks, and IP/MAC spoofing attacks when DHCP is in use. The most commonly used function of DHCP snooping is to protect devices against the DHCP DoS attack. It can prevent users from obtaining IP addresses from DHCP servers other than the firewall (such as private routers). However, the firewall does not restrict private routers.
The key configuration is as follows:
1. Enable DHCP snooping globally and on the interfaces.
[USG] dhcp snooping enable
[USG] interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1] dhcp snooping enable
[USG-GigabitEthernet0/0/1] quit
[USG] interface GigabitEthernet 0/0/2
[USG-GigabitEthernet0/0/2] dhcp snooping enable
[USG-GigabitEthernet0/0/2] quit
2. Configure the Trusted interface to prevent DHCP server spoofing. Set the interface connected to the DHCP server to Trusted mode and the interface connected to the DHCP client to Untrusted mode (after DHCP snooping is enabled on an interface, the interface is in Untrusted mode by default).
[USG] interface GigabitEthernet 0/0/2
[USG-GigabitEthernet0/0/2] dhcp snooping trusted
[USG-GigabitEthernet0/0/2] quit
Note: DHCP snooping takes effect only when the firewall serves as the DHCP server or the upper-level device of the firewall is the DHCP server. If the lower-level switch connected to the USG firewall serves as the DHCP server, DHCP packets do not pass through the firewall, and this configuration is invalid. In that case, DHCP snooping must be configured on the switch. For specific configurations, see DHCP Snooping Configuration on USG Firewalls.
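One way to check a configuration against the trusted/untrusted layout described above, as an added example that is not Huawei's code. The names parse_snooping, audit and SAMPLE_CONFIG are hypothetical, the sample text is constructed, the caller supplies the set of server-facing interfaces, and the check assumes every interface in the text should have snooping enabled.

```python
import re

# Constructed sample in saved-configuration style (not a dump from a real device).
SAMPLE_CONFIG = """\
dhcp snooping enable
interface GigabitEthernet0/0/1
 dhcp snooping enable
interface GigabitEthernet0/0/2
 dhcp snooping enable
 dhcp snooping trusted
interface GigabitEthernet0/0/3
 ip address 10.1.3.1 255.255.255.0
"""

def parse_snooping(config):
    """Return (global_enabled, {interface: {"enabled": bool, "trusted": bool}})."""
    global_enabled, ifaces, current = False, {}, None
    for raw in config.splitlines():
        # Drop a leading CLI prompt such as "[USG]" so pasted sessions parse too.
        line = re.sub(r"^\[[^\]]*\]\s*", "", raw.strip())
        m = re.match(r"interface\s+(\S+)\s*(\S*)$", line)
        if m:
            # Normalise "GigabitEthernet 0/0/1" and "GigabitEthernet0/0/1".
            current = m.group(1) + m.group(2)
            ifaces.setdefault(current, {"enabled": False, "trusted": False})
        elif line in ("quit", "#"):
            current = None  # back to system view
        elif line == "dhcp snooping enable":
            if current is None:
                global_enabled = True
            else:
                ifaces[current]["enabled"] = True
        elif line == "dhcp snooping trusted" and current:
            ifaces[current]["trusted"] = True
    return global_enabled, ifaces

def audit(config, server_facing):
    """List deviations from the trusted/untrusted layout described above."""
    global_enabled, ifaces = parse_snooping(config)
    findings = [] if global_enabled else ["global: dhcp snooping not enabled"]
    for name, st in sorted(ifaces.items()):
        if not st["enabled"]:
            findings.append(f"{name}: dhcp snooping not enabled")
        if name in server_facing and not st["trusted"]:
            findings.append(f"{name}: server-facing but untrusted")
        if name not in server_facing and st["trusted"]:
            findings.append(f"{name}: client-facing but trusted")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, {"GigabitEthernet0/0/2"}))
```

An empty list means the text matches the layout; the parser accepts both saved-configuration text and a pasted CLI session with prompts.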

Method used to configure DHCP lease on the AR
Except for the static addresses that are assigned to clients, the IP addresses dynamically assigned by the DHCP server to clients have a lease. By default, the lease is one day. The lease can be configured as needed. You can specify the lease for the global or interface address pool. For example, the address lease in the address pool p1 is 10 days. The configuration method is as follows:
- Global address pool
[Huawei] ip pool p1
[Huawei-ip-pool-p1] lease day 10
- Interface address pool
[Huawei] interface vlanif 10
[Huawei-Vlanif10] dhcp select interface
[Huawei-Vlanif10] dhcp server lease day 10
Different address pools on a DHCP server can be configured with different IP address leases, but IP addresses in one address pool must be configured with the same lease.

Whether USG firewalls support DHCP
The USG2000, USG5000, and USG6000 can be configured as DHCP servers.
