How to prevent DHCP messages from being broadcast on S series switches


For S series switches other than the S1700, you can configure ACL rules to stop DHCP messages from being broadcast on specified interfaces. Assume that DHCP messages are not allowed on GE0/0/1. The configuration procedure is as follows. Note that the rule below matches on UDP ports only (source port 68, destination port 67), so it drops every DHCP client-to-server message received on the interface, broadcast Discover/Request messages and unicast renewals alike; it does not match server-to-client messages (UDP 67 to 68) or relay-to-server traffic (UDP 67 to 67). To stop a rogue DHCP server rather than DHCP clients, use the DHCP snooping trusted interface function described under the related questions below.
1. Create advanced ACL 3001 and configure an ACL rule to prevent broadcast DHCP messages.
[Huawei] acl 3001
[Huawei-acl-adv-3001] rule deny udp destination-port eq 67 source-port eq 68 //Deny UDP from source port 68 (DHCP client) to destination port 67 (DHCP server), that is, DHCP messages sent by clients.
[Huawei-acl-adv-3001] quit
2. Configure a traffic classifier named tc1 to classify the packets that match ACL 3001.
[Huawei] traffic classifier tc1
[Huawei-classifier-tc1] if-match acl 3001
[Huawei-classifier-tc1] quit
3. Configure a traffic behavior named tb1 that discards the matching packets.
[Huawei] traffic behavior tb1
[Huawei-behavior-tb1] deny
[Huawei-behavior-tb1] quit
4. Define a traffic policy and associate the traffic classifier with the traffic behavior.
[Huawei] traffic policy tp1
[Huawei-trafficpolicy-tp1] classifier tc1 behavior tb1
[Huawei-trafficpolicy-tp1] quit
5. Apply the traffic policy to GE0/0/1.
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] traffic-policy tp1 inbound
[Huawei-GigabitEthernet0/0/1] quit

Other related questions:

Attack prevention methods used by DHCP snooping on S series switch
For S series switches (except S1700 switches), DHCP snooping provides a trusted interface function and a binding table checking function. The trusted interface function marks only the interface connected to the authorized DHCP server as trusted and discards DHCP server replies (Offer, Ack, Nak) received on untrusted interfaces, so clients can obtain IP addresses only from the authorized server; this defeats bogus DHCP server attacks and the man-in-the-middle attacks they enable. The binding table checking function compares DHCP messages from users against the DHCP snooping binding table (IP address, MAC address, VLAN, interface and lease) and discards those that do not match, which blocks DHCP attacks from unauthorized users such as forged DHCP Request/Release messages, DHCP flood attacks and DHCP server DoS attacks.

Functions of the GIADDR field of DHCP messages on S series switches
The GIADDR (gateway IP address) field in a DHCP message records the IP address of the first DHCP relay agent that the message passed through. When a client sends a DHCP message such as a Discover or Request and the DHCP server is on a different network segment, the first relay agent on the path writes the IP address of the interface on which it received the message into GIADDR (only if the field is still 0.0.0.0, so later relays do not overwrite it) before forwarding the message to the server. The server uses GIADDR to determine the network segment on which the client resides, assigns an IP address from the pool for that segment, and sends its reply back to the GIADDR address, from where the relay agent forwards it to the client.
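The following Python model is an added example, not Huawei code, serving two passages on this page: the ACL procedure in the main article (it evaluates the rule "deny udp destination-port eq 67 source-port eq 68" against sample client, server and relay datagrams, showing that the port-based rule also drops unicast renewals and never touches relayed 67-to-67 traffic) and the GIADDR explanation above (a relay stamps GIADDR once, the server picks a pool from it and replies to the relay). All addresses, MACs and pools are constructed sample data, and the RFC 2131 reply logic is simplified to the relayed versus directly attached case.

```python
"""Added example, not Huawei code: a small model of DHCP datagrams that shows
(1) exactly which messages the advanced ACL rule
    'rule deny udp destination-port eq 67 source-port eq 68'
from the main procedure matches, and (2) how a relay agent stamps GIADDR and how
the server uses it to choose an address pool. IP addresses, MAC addresses and
pools are constructed sample data; the flags/ciaddr-based reply logic of
RFC 2131 is simplified to the relayed vs. directly attached case."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

DHCP_SERVER_PORT = 67  # servers and relay agents listen here
DHCP_CLIENT_PORT = 68  # clients listen here
ZERO = "0.0.0.0"


@dataclass
class Dgram:
    """The fields of a UDP/IP datagram carrying DHCP that matter here."""
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    op: int                            # 1 = BOOTREQUEST (client->server), 2 = BOOTREPLY
    giaddr: str = ZERO
    chaddr: str = "aa:bb:cc:dd:ee:01"  # constructed client MAC

    @property
    def is_broadcast(self) -> bool:
        return self.dst_ip == "255.255.255.255"


def acl_3001_denies(p: Dgram) -> bool:
    """Semantics of 'deny udp destination-port eq 67 source-port eq 68'.
    The match is on UDP ports only: every client->server DHCP message is
    dropped, whether broadcast (Discover) or unicast (a renewal Request), while
    server->client (67->68) and relay->server (67->67) traffic is not matched."""
    return p.dport == DHCP_SERVER_PORT and p.sport == DHCP_CLIENT_PORT


def relay(p: Dgram, relay_if_ip: str, server_ip: str) -> Dgram:
    """DHCP relay agent: if GIADDR is still zero, set it to the address of the
    interface the request arrived on (so the first relay on the path wins),
    then unicast the message to the server from port 67 to port 67."""
    giaddr = p.giaddr if p.giaddr != ZERO else relay_if_ip
    return Dgram(src_ip=relay_if_ip, dst_ip=server_ip, sport=DHCP_SERVER_PORT,
                 dport=DHCP_SERVER_PORT, op=p.op, giaddr=giaddr, chaddr=p.chaddr)


# Constructed address pools on the server, one per client segment.
SCOPES: List[IPv4Network] = [IPv4Network("10.1.0.0/24"), IPv4Network("10.2.0.0/24")]


def select_scope(p: Dgram, server_if_net: IPv4Network) -> Optional[IPv4Network]:
    """Server side: a non-zero GIADDR says 'the client is on the segment of this
    relay interface', so pick the pool containing GIADDR. A zero GIADDR means
    the client is directly attached, so use the segment of the receiving
    interface. None means no pool serves that segment."""
    key = IPv4Address(p.giaddr) if p.giaddr != ZERO else server_if_net.network_address
    for net in SCOPES:
        if key in net:
            return net
    return None


def reply_destination(p: Dgram) -> Tuple[str, int]:
    """Where the server sends the Offer/Ack: back to the relay agent (GIADDR,
    port 67) when relayed, otherwise towards the client on port 68."""
    if p.giaddr != ZERO:
        return (p.giaddr, DHCP_SERVER_PORT)
    return ("255.255.255.255", DHCP_CLIENT_PORT)


def walk_through() -> Tuple[Dgram, Dgram, Optional[IPv4Network]]:
    """A client on 10.2.0.0/24 broadcasts a Discover; the relay at 10.2.0.1
    forwards it to the server 10.1.0.10, which sits on 10.1.0.0/24."""
    discover = Dgram(ZERO, "255.255.255.255", DHCP_CLIENT_PORT, DHCP_SERVER_PORT, op=1)
    relayed = relay(discover, relay_if_ip="10.2.0.1", server_ip="10.1.0.10")
    scope = select_scope(relayed, IPv4Network("10.1.0.0/24"))
    return discover, relayed, scope


if __name__ == "__main__":
    d, r, s = walk_through()
    print("ACL 3001 drops the broadcast Discover on GE0/0/1:", acl_3001_denies(d))
    print("ACL 3001 drops the relayed copy (67->67):", acl_3001_denies(r))
    print("GIADDR after relay:", r.giaddr, "-> pool", s, "reply to", reply_destination(r))
```

The two points worth taking away: applying tp1 inbound on an access interface denies clients behind it all DHCP service, not just broadcasts, and it does nothing against a relayed or server-originated message, which is why a rogue server is a DHCP snooping problem rather than an ACL one.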

How to prevent broadcast storms on the AC
WLAN devices support traffic suppression and user isolation to prevent broadcast storms. Traffic suppression limits the rate of broadcast, multicast and unknown unicast packets so that they cannot build into a broadcast storm. User isolation isolates users at Layer 2 so that one user's broadcast packets do not reach the other users, reducing the broadcast volume and the risk of a storm.
Example for configuring traffic suppression:
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] broadcast-suppression packets 12600 //Set the rate limit in pps for broadcast packets.
[Huawei-GigabitEthernet0/0/1] multicast-suppression packets 25200 //Set the rate limit in pps for multicast packets.
[Huawei-GigabitEthernet0/0/1] unicast-suppression packets 12600 //Set the rate limit in pps for unknown unicast packets.
[Huawei-GigabitEthernet0/0/1] quit
Example for configuring user isolation:
For V200R005:
[Huawei-wlan-view] service-set name test
[Huawei-wlan-service-set-test] user-isolate //Set user isolation for service set test.
[Huawei-wlan-service-set-test] quit
[Huawei-wlan-view] quit
For V200R006:
# Configure user isolation for a traffic profile.
system-view
[Huawei] wlan
[Huawei-wlan-view] traffic-profile name p1 //Create a traffic profile.
[Huawei-wlan-traffic-prof-p1] user-isolate l2 //Configure Layer 2 user isolation.
# Configure user isolation in an AP wired port profile.
system-view
[AC6605] wlan
[AC6605-wlan-view] wired-port-profile name wired
[AC6605-wlan-wired-port-prof-wired] mode endpoint
[AC6605-wlan-wired-port-prof-wired] user-isolate l2
[AC6605-wlan-wired-port-prof-wired] quit
[AC6605-wlan-view] ap-group name ap-group1
[AC6605-wlan-ap-group-ap-group1] wired-port-profile wired gigabitethernet 0
