Prohibit DHCP broadcast packets on S series switch


ACL rules can be configured on S series switches (except S1700 switches) to deny DHCP broadcast packets on specified interfaces. For example, you can deny DHCP broadcast packets on GE0/0/1 as follows:
1. Create advanced ACL 3001 and configure a rule to deny DHCP broadcast packets.
[Huawei] acl 3001
[Huawei-acl-adv-3001] rule deny udp destination-port eq 67 source-port eq 68 //Configure an ACL rule to deny DHCP broadcast packets.
[Huawei-acl-adv-3001] quit
2. Configure the traffic classifier tc1 to classify packets that match ACL 3001.
[Huawei] traffic classifier tc1
[Huawei-classifier-tc1] if-match acl 3001
[Huawei-classifier-tc1] quit
3. Configure the traffic behavior tb1 to deny packets.
[Huawei] traffic behavior tb1
[Huawei-behavior-tb1] deny
[Huawei-behavior-tb1] quit
4. Define a traffic policy and associate the traffic classifier and traffic behavior with the traffic policy.
[Huawei] traffic policy tp1
[Huawei-trafficpolicy-tp1] classifier tc1 behavior tb1
[Huawei-trafficpolicy-tp1] quit
5. Apply the traffic policy to GE0/0/1.
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] traffic-policy tp1 inbound
[Huawei-GigabitEthernet0/0/1] quit
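
The following is an added example, not part of the original Huawei page: a Python model of the match condition of the ACL 3001 rule from step 1, run over constructed frames. It shows that the rule matches every client-to-server DHCP packet by port (unicast renewals included) and does not match server replies or relay traffic. Function names, MAC addresses and IP addresses are assumptions for illustration, and only untagged Ethernet/IPv4 frames are handled.

```python
import struct

def udp_ports(frame: bytes):
    """Return (dst_ip, src_port, dst_port) of an untagged Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return None                          # too short, or EtherType is not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 17 or len(ip) < ihl + 8:
        return None                          # not IPv4/UDP, or truncated
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:
        return None                          # non-first fragment: no UDP header present
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return ".".join(str(b) for b in ip[16:20]), sport, dport

def rule_matches(frame: bytes) -> bool:
    """Model of: rule deny udp destination-port eq 67 source-port eq 68 (ports only)."""
    parsed = udp_ports(frame)
    return parsed is not None and parsed[1] == 68 and parsed[2] == 67

def build_frame(src_ip, dst_ip, sport, dport, dst_mac=b"\xff" * 6):
    """Constructed test frame: Ethernet + 20-byte IPv4 header + UDP, checksums left at 0."""
    udp = struct.pack("!HHHH", sport, dport, 16, 0) + b"\x00" * 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return dst_mac + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip + udp

UNI = b"\x02\x00\x00\x00\x00\x02"            # constructed unicast destination MAC
# Constructed samples; all addresses are illustrative.
SAMPLES = {
    "client DISCOVER (broadcast)": build_frame("0.0.0.0", "255.255.255.255", 68, 67),
    "client renewal (unicast)": build_frame("192.0.2.10", "192.0.2.1", 68, 67, UNI),
    "server OFFER (broadcast)": build_frame("192.0.2.1", "255.255.255.255", 67, 68),
    "relay to server (unicast)": build_frame("192.0.2.254", "198.51.100.5", 67, 67, UNI),
}

def evaluate():
    """Map each sample name to True if the modelled rule matches (packet would be denied)."""
    return {name: rule_matches(frame) for name, frame in SAMPLES.items()}

if __name__ == "__main__":
    for name, matched in evaluate().items():
        print(f"{'match (deny)' if matched else 'no match    '}  {name}")
```

Because the rule carries no destination address, a client attached to GE0/0/1 can neither obtain nor renew a lease through that port once tp1 is applied inbound.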

Other related questions:
How to prevent DHCP messages from being broadcast on S series switches
For S series switches excluding the S1700, the switch can be configured with ACL rules to prevent broadcast DHCP messages on some interfaces. Assume that DHCP messages are not allowed on GE0/0/1. The configuration procedure is as follows:
1. Create advanced ACL 3001 and configure an ACL rule to prevent broadcast DHCP messages.
[Huawei] acl 3001
[Huawei-acl-adv-3001] rule deny udp destination-port eq 67 source-port eq 68 //Configure an ACL rule to prevent broadcast DHCP messages.
[Huawei-acl-adv-3001] quit
2. Configure a traffic classifier named tc1 to classify the packets that match ACL 3001.
[Huawei] traffic classifier tc1
[Huawei-classifier-tc1] if-match acl 3001
[Huawei-classifier-tc1] quit
3. Configure a traffic behavior named tb1 to prevent broadcast DHCP messages.
[Huawei] traffic behavior tb1
[Huawei-behavior-tb1] deny
[Huawei-behavior-tb1] quit
4. Define a traffic policy and associate the traffic classifier with the traffic behavior.
[Huawei] traffic policy tp1
[Huawei-trafficpolicy-tp1] classifier tc1 behavior tb1
[Huawei-trafficpolicy-tp1] quit
5. Apply the traffic policy to GE0/0/1.
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] traffic-policy tp1 inbound
[Huawei-GigabitEthernet0/0/1] quit

DHCP option 60 support
S series switches (except S1700 switches) support the Option 60 field of DHCP Request packets only when they function as DHCP clients.

Function of DHCP Request packets on S series switch
For S series switches, DHCP Request messages are sent in the following conditions:
- Respond to the DHCP Offer message sent by DHCP servers.
- Notify the selected DHCP server using the server identifier option.
- Check the allocated network addresses.
- Apply for the valid period of addresses.
- Extend the existing lease and prolong the lease period.

DHCP packet checksum check on S series switch
After the dhcp enable command is executed in the system view of S series switches, the switch checks the checksum of all passing DHCP packets as well as IP and UDP checksums.
