Prohibit DHCP broadcast packets on S series switch


ACL rules can be configured on S series switches (except S1700 switches) to deny DHCP broadcast packets on specified interfaces. For example, you can deny DHCP broadcast packets on GE0/0/1 as follows:
1. Create advanced ACL 3001 and configure a rule to deny DHCP broadcast packets.
[Huawei] acl 3001
[Huawei-acl-adv-3001] rule deny udp destination-port eq 67 source-port eq 68 //Configure an ACL rule to deny DHCP broadcast packets.
[Huawei-acl-adv-3001] quit
2. Configure the traffic classifier tc1 to classify packets that match ACL 3001.
[Huawei] traffic classifier tc1
[Huawei-classifier-tc1] if-match acl 3001
[Huawei-classifier-tc1] quit
3. Configure the traffic behavior tb1 to deny packets.
[Huawei] traffic behavior tb1
[Huawei-behavior-tb1] deny
[Huawei-behavior-tb1] quit
4. Define a traffic policy and associate the traffic classifier and traffic behavior with the traffic policy.
[Huawei] traffic policy tp1
[Huawei-trafficpolicy-tp1] classifier tc1 behavior tb1
[Huawei-trafficpolicy-tp1] quit
5. Apply the traffic policy to GE0/0/1.
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] traffic-policy tp1 inbound
[Huawei-GigabitEthernet0/0/1] quit

Other related questions:
DHCP option 60 support
S series switches (except S1700 switches) support the Option 60 field of DHCP Request packets only when they function as DHCP clients.

DHCP packet checksum check on S series switch
After the dhcp enable command is executed in the system view of an S series switch, the switch checks the checksums of all DHCP packets passing through it, including the IP and UDP checksums.

Function of DHCP Request packets on S series switch
For S series switches, DHCP Request messages are sent in the following conditions:
- Respond to the DHCP Offer message sent by DHCP servers.
- Notify the selected DHCP server using the server identifier option.
- Check the allocated network addresses.
- Apply for the valid period of addresses.
- Extend the existing lease and prolong the lease period.

How to prevent DHCP messages from being broadcast on S series switches
On S series switches other than the S1700, ACL rules can be configured to prevent broadcast DHCP messages on selected interfaces. Assume that DHCP messages are not allowed on GE0/0/1. The configuration procedure is as follows:
1. Create advanced ACL 3001 and configure an ACL rule to prevent broadcast DHCP messages.
[Huawei] acl 3001
[Huawei-acl-adv-3001] rule deny udp destination-port eq 67 source-port eq 68 //Configure an ACL rule to prevent broadcast DHCP messages.
[Huawei-acl-adv-3001] quit
2. Configure a traffic classifier named tc1 to classify the packets that match ACL 3001.
[Huawei] traffic classifier tc1
[Huawei-classifier-tc1] if-match acl 3001
[Huawei-classifier-tc1] quit
3. Configure a traffic behavior named tb1 to deny the matched packets.
[Huawei] traffic behavior tb1
[Huawei-behavior-tb1] deny
[Huawei-behavior-tb1] quit
4. Define a traffic policy and associate the traffic classifier with the traffic behavior.
[Huawei] traffic policy tp1
[Huawei-trafficpolicy-tp1] classifier tc1 behavior tb1
[Huawei-trafficpolicy-tp1] quit
5. Apply the traffic policy to GE0/0/1.
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] traffic-policy tp1 inbound
[Huawei-GigabitEthernet0/0/1] quit
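As an added check (not from the original page or from Huawei), the following Python model applies the port-based match of the ACL rule used in both procedures above (UDP source port 68, destination port 67) to a few constructed packets, so you can see which client-to-server DHCP packets the inbound policy on GE0/0/1 actually drops. The second rule, which additionally matches the broadcast destination address, is an assumed variant included only to show the difference between matching on ports alone and matching broadcast packets specifically.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class AclRule:
    """Hypothetical model of one advanced-ACL deny rule: protocol, optional ports,
    optional destination network (None means 'any')."""
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    dst_net: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.dst_net is not None and ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        return True

# The rule from the page: any UDP packet from port 68 to port 67 is denied.
PAGE_RULE = AclRule(proto="udp", sport=68, dport=67)
# Assumed variant that also requires the limited-broadcast destination.
BROADCAST_ONLY_RULE = AclRule(proto="udp", sport=68, dport=67, dst_net="255.255.255.255/32")

# Constructed sample packets as seen inbound on the client-facing interface.
SAMPLES = {
    "discover_broadcast": Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "request_unicast_renew": Packet("udp", "10.1.1.20", "10.1.1.1", 68, 67),
    "offer_from_server": Packet("udp", "10.1.1.1", "255.255.255.255", 67, 68),
    "dns_query": Packet("udp", "10.1.1.20", "10.1.1.53", 51000, 53),
}

def denied(rule: AclRule, samples=SAMPLES) -> set:
    """Return the names of the sample packets that the rule would deny."""
    return {name for name, pkt in samples.items() if rule.matches(pkt)}
```

The port-only rule also drops a client's unicast lease renewal, since it does not look at the destination address; only the variant with the destination match is limited to broadcast DHCP.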
