Method to lock a DHCP address on an S series switch


For S series switches excluding the S1700, when the DHCP server needs to be redeployed, you need to migrate the address pool on the DHCP server to another DHCP server on the live network. To retain the addresses that have been assigned to clients from a global address pool, run the lock command to lock the global address pool. After the lock command is run, the specified IP address pool is locked and IP addresses in this address pool cannot be assigned to clients. When new users go online after the address pool is migrated, they apply for IP addresses from a new address pool.
The configuration is as follows:
[HUAWEI] ip pool global1
[HUAWEI-ip-pool-global1] lock

Other related questions:
DHCP address lock on S series switch
For S series switches (S1700 switches), when a DHCP server needs to be redeployed, you need to migrate address pools on the DHCP server to another DHCP server on the live network. To retain the addresses that have been assigned to clients from a global address pool, run the lock command to lock the global address pool. After the lock command is run, the specified IP address pool is locked and IP addresses in this address pool cannot be assigned to clients. When new users go online after the address pool migration, they apply for IP addresses from a new address pool.
The configuration is as follows:
[HUAWEI] ip pool global1
[HUAWEI-ip-pool-global1] lock

Reasons why the DHCP address pool is exhausted on S series switches
If the allocated address pool resources far exceed the number of clients connected to a switch, the following causes may result in address pool exhaustion:
- An attacker sends a large number of DHCP Discover messages by continuously changing the CHADDR field. As a result, the address pool resources are exhausted. In this case, DHCP snooping can be deployed.
- The DHCP server is configured with the DHCP server ping function. With this function, the switch attempts to ping the allocated address before sending the DHCP Offer message. If clients respond to ping packets on the network, the DHCP server may incorrectly determine address conflicts. As a result, the address pool resources are exhausted. There are two solutions:
  1. Obtain the packet header through port mirroring on the DHCP server and check whether the determination is correct. If so, the client can be disabled.
  2. Disable the DHCP server ping function by using the undo dhcp server ping packet command.
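
The first cause above can be recognised from mirrored traffic. The following is an added example, not Huawei code and not part of the original page: it parses DHCP payloads and flags ports whose Discover messages carry a CHADDR that differs from the frame's source MAC, or too many distinct CHADDR values. The port names, the threshold max_chaddrs and all sample frames are constructed assumptions.

```python
import struct
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header
DISCOVER = 1                  # value of option 53 for DHCPDISCOVER

def parse_dhcp(payload):
    """Return (chaddr, message_type) for a client request, or None if malformed."""
    # First three bytes must be op=BOOTREQUEST, htype=Ethernet, hlen=6.
    if len(payload) < 240 or payload[236:240] != MAGIC or payload[:3] != b"\x01\x01\x06":
        return None
    chaddr, msg_type, i = payload[28:34], None, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            return None                             # truncated option
        if payload[i] == 53 and payload[i + 1] == 1:
            msg_type = payload[i + 2]
        i += 2 + payload[i + 1]
    return chaddr, msg_type

def find_starvation(frames, max_chaddrs=3):
    """frames: (port, ethernet_src_mac, dhcp_payload) tuples; return flagged ports."""
    seen, mismatch = defaultdict(set), defaultdict(int)
    for port, src_mac, payload in frames:
        parsed = parse_dhcp(payload)
        if parsed is None or parsed[1] != DISCOVER:
            continue
        seen[port].add(parsed[0])
        mismatch[port] += parsed[0] != src_mac      # CHADDR should equal the source MAC
    return {p: {"distinct_chaddr": len(s), "chaddr_mismatch": mismatch[p]}
            for p, s in seen.items() if len(s) > max_chaddrs or mismatch[p]}

def build_discover(chaddr, xid):
    """Constructed sample payload: BOOTP header + cookie + option 53 + end."""
    zero = b"\0" * 4
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                      zero, zero, zero, zero, chaddr, b"", b"")
    return hdr + MAGIC + bytes([53, 1, DISCOVER, 255])

def sample_frames():
    """Constructed data: port-1 has one normal client, port-2 rotates CHADDR."""
    client, noisy = bytes.fromhex("00e0fc000001"), bytes.fromhex("00e0fc000002")
    return [("port-1", client, build_discover(client, 1))] + [
        ("port-2", noisy, build_discover(bytes([2, 0, 0, 0, 0, n]), 100 + n)) for n in range(5)]

print(find_starvation(sample_frames()))
```

On ports behind a DHCP relay the frame's source MAC is the relay's, so only the distinct-CHADDR count is meaningful there.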

Method used to lock a DHCP address pool on the AR
When a DHCP server needs to be redeployed, you need to migrate address pools on the DHCP server to another DHCP server on the live network. To retain the addresses that have been assigned to clients from a global address pool, run the lock command to lock the global address pool. After the lock command is run, the specified IP address pool is locked and IP addresses in this address pool cannot be assigned to clients. When new users get online, they apply for IP addresses from a new address pool.
Perform the following configuration:
[Huawei] ip pool global1
[Huawei-ip-pool-global1] lock

Method to configure DHCP on S series switches
For S series switches excluding the S1700, the switch can function both as the DHCP server to assign IP addresses to clients and as a DHCP client to dynamically obtain an IP address from the DHCP server. When the DHCP client and DHCP server are located on different network segments, the switch can also function as the DHCP relay agent to assist the DHCP server in allocating IP addresses to clients. In addition, the switch can be configured with DHCP snooping to defend against DHCP attacks.

DHCP excluded addresses on S series switch
On an S series switch except an S1700 switch, you can use either of the following methods to configure the range of IP addresses that cannot be assigned to DHCP clients from the IP address pool:
- Run the excluded-ip-address start-ip-address [ end-ip-address ] command in the IP address pool view.
- Run the dhcp server excluded-ip-address start-ip-address [ end-ip-address ] command in the interface view.
The excluded IP addresses are reserved as static IP addresses of DHCP clients.
