Function of DHCP Request packets on S series switch


For S series switches, DHCP Request messages are sent in the following cases:

- To respond to a DHCP Offer message sent by a DHCP server.
- To identify the selected DHCP server by using the server identifier option (Option 54), so that all servers that offered an address learn which one was chosen.
- To verify a previously allocated address (for example, after the client restarts).
- To request the lease (validity period) for the address.
- To renew an existing lease and prolong the lease period.

Other related questions:
DHCP functions of S series switches
DHCP dynamically configures and uniformly manages the network parameters of hosts on a TCP/IP network. DHCP provides the following functions:
- Dynamic allocation: DHCP allocates an IP address with a limited validity period (called a lease) to a client. This mechanism applies to networks that have fewer IP addresses than hosts, and to hosts that do not need a permanent connection to the network. For example, it can be used to allocate IP addresses to the laptops of employees on business trips or to mobile terminals in cafes.
- Static allocation: Fixed IP addresses are assigned to specified hosts. This mechanism applies to hosts with special IP address requirements. For example, the file server of an enterprise needs a fixed IP address to provide services to extranet users. Compared with manual IP address configuration, DHCP static allocation prevents manual configuration errors and helps network administrators perform unified maintenance and management.
In addition to the IP address, DHCP can allocate other network parameters to hosts, including the DNS server address, routing information, and the gateway address.

DHCP option 60 support
S series switches (except S1700 switches) support the Option 60 field of DHCP Request packets only when they function as DHCP clients.

Prohibit DHCP broadcast packets on S series switch
ACL rules can be configured on S series switches (except S1700 switches) to deny DHCP broadcast packets on specified interfaces. For example, you can deny DHCP broadcast packets on GE0/0/1 as follows:
1. Create advanced ACL 3001 and configure a rule to deny DHCP broadcast packets.
   [Huawei] acl 3001
   [Huawei-acl-adv-3001] rule deny udp destination-port eq 67 source-port eq 68 //Configure an ACL rule to deny DHCP broadcast packets.
   [Huawei-acl-adv-3001] quit
   Note: this rule matches on UDP ports only (client port 68 to server port 67), so it also denies unicast DHCP packets such as lease renewals sent directly to the server, not only broadcasts. To deny only broadcast DHCP packets, add a destination address match for 255.255.255.255 to the rule.
2. Configure the traffic classifier tc1 to classify packets that match ACL 3001.
   [Huawei] traffic classifier tc1
   [Huawei-classifier-tc1] if-match acl 3001
   [Huawei-classifier-tc1] quit
3. Configure the traffic behavior tb1 to deny packets.
   [Huawei] traffic behavior tb1
   [Huawei-behavior-tb1] deny
   [Huawei-behavior-tb1] quit
4. Define a traffic policy and associate the traffic classifier and traffic behavior with it.
   [Huawei] traffic policy tp1
   [Huawei-trafficpolicy-tp1] classifier tc1 behavior tb1
   [Huawei-trafficpolicy-tp1] quit
5. Apply the traffic policy to GE0/0/1 in the inbound direction.
   [Huawei] interface gigabitethernet 0/0/1
   [Huawei-GigabitEthernet0/0/1] traffic-policy tp1 inbound
   [Huawei-GigabitEthernet0/0/1] quit
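As an added example that is not Huawei's code, the following Python script ties together the three DHCP points above: it builds constructed DHCPREQUEST payloads, classifies each by the client state that produced it (the cases listed for DHCP Request messages, as RFC 2131 section 4.3.2 distinguishes them: SELECTING when accepting an Offer and naming the server with Option 54, INIT-REBOOT when verifying a previously allocated address, RENEWING/REBINDING when extending a lease), reads the Option 60 vendor class, and models the ACL rule above to show that it matches a unicast renewal as well as a broadcast. The MAC address, IP addresses, transaction ID and vendor class string are constructed test data; acl_3001_matches and its broadcast_only parameter are hypothetical names used only here.

```python
"""Classify DHCPREQUEST messages by client state and check Option 60.

Added example, not Huawei code. Builds constructed DHCPREQUEST payloads,
parses their options, classifies each by the RFC 2131 section 4.3.2 rule
(SELECTING, INIT-REBOOT, RENEWING/REBINDING) and models the page's ACL rule.
"""
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_VENDOR_CLASS = 50, 53, 54, 60
DHCPREQUEST = 3
ZERO = IPv4Address("0.0.0.0")


def build_request(ciaddr="0.0.0.0", options=(), xid=0x3903F326):
    """Construct a minimal BOOTP/DHCP DHCPREQUEST payload (constructed data)."""
    chaddr = bytes.fromhex("001122334455").ljust(16, b"\0")   # constructed MAC
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, xid, 0, 0x8000,          # BOOTREQUEST, Ethernet, broadcast flag
                         IPv4Address(ciaddr).packed, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         chaddr, b"\0" * 64, b"\0" * 128)
    body = bytes([OPT_MSG_TYPE, 1, DHCPREQUEST])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC + body + b"\xff"                   # END option


def parse_options(payload):
    """Return {code: value} from the options field (TLV; PAD skipped, END stops)."""
    if payload[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                 # END
            break
        if code == 0:                   # PAD
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def classify_request(payload):
    """Name the client state that produced a DHCPREQUEST (RFC 2131 4.3.2)."""
    opts = parse_options(payload)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPREQUEST]):
        return "not a DHCPREQUEST"
    ciaddr = IPv4Address(payload[12:16])
    has_server, has_reqip = OPT_SERVER_ID in opts, OPT_REQUESTED_IP in opts
    if has_server and has_reqip and ciaddr == ZERO:
        return "SELECTING"              # accepting one server's Offer (Option 54 names it)
    if not has_server and has_reqip and ciaddr == ZERO:
        return "INIT-REBOOT"            # verifying a previously allocated address
    if not has_server and not has_reqip and ciaddr != ZERO:
        return "RENEWING/REBINDING"     # extending an existing lease
    return "malformed"


def vendor_class(payload):
    """Option 60 as text, or None when the client did not send it."""
    value = parse_options(payload).get(OPT_VENDOR_CLASS)
    return value.decode("ascii", "replace") if value else None


def acl_3001_matches(dst_ip, src_port, dst_port, broadcast_only=False):
    """Model of 'rule deny udp destination-port eq 67 source-port eq 68' (hypothetical helper).

    With broadcast_only=True the match additionally requires the limited
    broadcast destination, which the page's rule does not check."""
    hit = src_port == 68 and dst_port == 67
    return hit and (dst_ip == "255.255.255.255" or not broadcast_only)


# Constructed samples: a client accepting an Offer, one rebooting, one renewing.
SELECTING = build_request(options=[(OPT_REQUESTED_IP, IPv4Address("10.0.0.25").packed),
                                   (OPT_SERVER_ID, IPv4Address("10.0.0.1").packed),
                                   (OPT_VENDOR_CLASS, b"example-client")])
INIT_REBOOT = build_request(options=[(OPT_REQUESTED_IP, IPv4Address("10.0.0.25").packed)])
RENEWING = build_request(ciaddr="10.0.0.25")

if __name__ == "__main__":
    for name, pkt in (("SELECTING", SELECTING), ("INIT-REBOOT", INIT_REBOOT), ("RENEWING", RENEWING)):
        print(name, classify_request(pkt), vendor_class(pkt))
    # The renewal is unicast to the server, yet the page's port-only rule still matches it.
    print(acl_3001_matches("10.0.0.1", 68, 67), acl_3001_matches("10.0.0.1", 68, 67, broadcast_only=True))
```

The classifier uses only three fields (ciaddr, Option 50, Option 54), which is exactly what a server or relay has to look at to tell a fresh selection from a renewal; the ACL model makes the point that a port-only rule cannot tell those apart either.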

DHCP packet checksum check on S series switch
After the dhcp enable command is executed in the system view of an S series switch, the switch verifies the IP header checksum and the UDP checksum of every DHCP packet that passes through it.
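As an added example (not Huawei's code), the following Python verifies the two checksums named above on a constructed IPv4/UDP datagram from client port 68 to server port 67: the IPv4 header checksum, and the UDP checksum, which covers an IPv4 pseudo-header plus the UDP header and the DHCP payload (RFC 768). The datagram, addresses and payload are constructed; treating a UDP checksum of zero (which RFC 768 permits as "no checksum") as a failure is an assumption made here for a strict checker, not documented switch behaviour.

```python
"""Verify IPv4 header and UDP checksums on a DHCP datagram.

Added example, not Huawei code: the two checks a switch applies to passing
DHCP packets, run on a constructed IPv4/UDP datagram (client port 68 to
server port 67) whose payload stands in for a DHCP message.
"""
import struct
from ipaddress import IPv4Address


def rfc1071_checksum(data: bytes) -> int:
    """16-bit one's-complement sum of the data, folded and complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\0"                                    # odd length: pad for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)         # fold carries back in
    return (~total) & 0xFFFF


def ipv4_header_ok(packet: bytes) -> bool:
    """A header with a correct checksum sums to zero when the field is included."""
    ihl = (packet[0] & 0x0F) * 4
    return len(packet) >= ihl and rfc1071_checksum(packet[:ihl]) == 0


def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """UDP checksum over IPv4 pseudo-header + UDP header + payload (RFC 768)."""
    pseudo = src + dst + struct.pack("!BBH", 0, 17, len(udp))   # zero, protocol 17, UDP length
    zeroed = udp[:6] + b"\0\0" + udp[8:]                        # checksum field counts as zero
    csum = rfc1071_checksum(pseudo + zeroed)
    return csum or 0xFFFF                                       # a computed zero is sent as 0xFFFF


def udp_ok(packet: bytes) -> bool:
    """True only when the UDP length field and the checksum are both consistent."""
    ihl = (packet[0] & 0x0F) * 4
    src, dst, udp = packet[12:16], packet[16:20], packet[ihl:]
    if len(udp) < 8 or struct.unpack("!H", udp[4:6])[0] != len(udp):
        return False
    sent = struct.unpack("!H", udp[6:8])[0]
    if sent == 0:
        # RFC 768 lets an IPv4 sender omit the checksum; a strict checker
        # rejects that (assumption here, not documented switch behaviour).
        return False
    return udp_checksum(src, dst, udp) == sent


def build_datagram(payload: bytes, src="0.0.0.0", dst="255.255.255.255",
                   src_port=68, dst_port=67) -> bytes:
    """Construct an IPv4/UDP datagram with correct checksums (constructed data)."""
    s, d = IPv4Address(src).packed, IPv4Address(dst).packed
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    udp = udp[:6] + struct.pack("!H", udp_checksum(s, d, udp)) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0, s, d)
    ip = ip[:10] + struct.pack("!H", rfc1071_checksum(ip)) + ip[12:]
    return ip + udp


# Constructed sample and the three failure modes a checker has to catch.
GOOD = build_datagram(b"constructed DHCP payload")
BAD_PAYLOAD = GOOD[:-1] + bytes([GOOD[-1] ^ 0xFF])             # payload bit flip
BAD_TTL = GOOD[:8] + bytes([GOOD[8] ^ 0x01]) + GOOD[9:]        # IP header changed, checksum not
NO_UDP_CSUM = GOOD[:26] + b"\0\0" + GOOD[28:]                  # UDP checksum field zeroed

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("bad payload", BAD_PAYLOAD),
                      ("bad ttl", BAD_TTL), ("no udp csum", NO_UDP_CSUM)):
        print(f"{name}: ip={ipv4_header_ok(pkt)} udp={udp_ok(pkt)}")
```

Note that the UDP checksum covers the source and destination IP addresses through the pseudo-header, so a packet whose IP addresses were rewritten without recomputing the UDP checksum fails the UDP check even when the IP header checksum was fixed up.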

Handling of a large number of ARP Request or Reply packets received on S series switches
When S series switches receive a large number of ARP Request or Reply messages, the following problems may occur:
- Users go offline, are frequently disconnected, experience slow Internet access and service interruption, or even cannot access the network.
- The switches have high CPU usage or cannot be managed by the network management system (NMS), and their connected devices go offline.
- Ping delay, packet loss, or failure occurs.
You can perform the following steps to troubleshoot the preceding problems. Saving the result of each step is recommended: if your troubleshooting fails to correct the fault, you can provide the record of your actions to Huawei technical support personnel.
1. Run the display cpu-defend statistics packet-type { arp-request | arp-reply } all command in the user view to check whether the count of dropped ARP Request or ARP Reply packets is increasing.
   - If the count is 0, the switches do not drop any ARP Request or Reply packets. Go to step 6.
   - If the count is not 0, the rate of ARP Request or Reply packets exceeds the CPCAR rate limit and the excess ARP packets are discarded. Go to step 2.
2. Run the display cpu-usage command in the user view to check the CPU usage of the MPU.
   - If the CPU usage is in the normal range, go to step 3.
   - If the CPU usage is higher than 70%, go to step 5.
3. Run the car command in the attack defense policy view to increase the CPCAR rate limit for ARP Request or ARP Reply packets as appropriate.
   Note: Improper CPCAR settings will affect services on your network. It is recommended that you contact Huawei engineers before adjusting the CPCAR settings. The car command takes effect only after you apply the attack defense policy.
   If the fault persists, or the fault is rectified but the CPU usage is still high, go to step 4.
4. Capture packet headers on the user-side interface and find the attacker according to the source addresses of the ARP Request or Reply packets. If many ARP Request or Reply packets are sent from one source MAC or IP address, the switches treat that source address as an attack source.
   Run the arp speed-limit source-ip [ ] maximum command in the system view to reduce the ARP packet rate limit based on the source IP address, or run the arp speed-limit source-mac [ ] maximum command to configure an ARP packet rate limit based on the source MAC address, to suit the actual network situation. By default, ARP packet rate limiting based on the source IP address is enabled, and the switches allow a maximum of 30 ARP packets per second with the same source IP address to pass; once the rate reaches this limit, the switches discard subsequent ARP packets. The default rate limit for ARP packets with the same source MAC address is 0, that is, the switches do not limit the rate of ARP packets based on the source MAC address. Note that an attacker that spoofs a different source IP address in every packet is not caught by the per-source-IP limit; only the per-source-MAC limit applies in that case.
   After the ARP packet rate limit based on the source IP address or MAC address is set to a smaller value (for example, 5 pps):
   - If the fault persists, go to step 5.
   - If the fault is rectified but the CPU usage is still high, configure a blacklist or a blackhole MAC address entry to discard ARP packets sent by the attack source. If the CPU usage is still high after that, go to step 6.
5. Capture packet headers on the user-side interface and find the attacker according to the source addresses of the ARP Request or Reply packets. If many ARP Request or Reply packets are sent from one source address, the switches treat that source address as an attack source. Configure a blacklist or a blackhole MAC address entry to discard ARP packets sent by the attack source. If the fault persists, go to step 6.
6. Collect the following information and contact Huawei technical support personnel:
   - Results of the preceding troubleshooting procedure
   - Configuration files, logs, and alarms of the switches
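As an added example that is not Huawei's code, the following Python applies the per-source rate check from step 4 to a constructed packet-capture summary: it counts ARP packets per second per source IP address and per source MAC address and reports the sources whose one-second count exceeds the limit (30 per second per source IP by default, and no per-MAC limit by default, as described above). The capture records, addresses and function names are constructed for illustration; the second attacker in the sample spoofs a different source IP in every packet and is only found once a per-MAC limit is applied.

```python
"""Find ARP flood sources in a capture summary by per-second source rates.

Added example, not Huawei code: the per-source-IP check the page describes
(30 ARP packets per second from one source IP by default) plus an optional
per-source-MAC limit, applied to constructed capture records.
"""
from collections import Counter, defaultdict

# Constructed capture summary, one ARP packet per line:
#   <seconds> <source MAC> <source IP> <request|reply>
# Hosts 10.0.0.5 and 10.0.0.6 are normal. aa:bb:cc:dd:ee:01 floods 40 requests
# in one second from a single IP. aa:bb:cc:dd:ee:02 floods 35 replies in one
# second but spoofs a different source IP in every packet.
CAPTURE = (
    "0.100 00:11:22:33:44:55 10.0.0.5 request\n"
    "0.200 00:11:22:33:44:66 10.0.0.6 reply\n"
    + "".join(f"1.{i:03d} aa:bb:cc:dd:ee:01 10.0.0.99 request\n" for i in range(40))
    + "1.500 00:11:22:33:44:55 10.0.0.5 request\n"
    + "".join(f"2.{i:03d} aa:bb:cc:dd:ee:02 10.0.0.{10 + i} reply\n" for i in range(35))
)


def parse_capture(text):
    """Yield (timestamp, src_mac, src_ip, opcode) tuples from the summary text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, ip, op = line.split()
        yield float(ts), mac.lower(), ip, op


def arp_flood_sources(records, ip_limit=30, mac_limit=0):
    """Return {("ip"|"mac", address): peak packets per second} for every source
    whose count in some one-second window exceeds its limit. mac_limit=0 means
    no per-MAC check, mirroring the switch default described above."""
    per_second_ip = defaultdict(Counter)    # second -> Counter(src_ip)
    per_second_mac = defaultdict(Counter)   # second -> Counter(src_mac)
    for ts, mac, ip, _op in records:
        second = int(ts)
        per_second_ip[second][ip] += 1
        per_second_mac[second][mac] += 1

    offenders = {}
    for counters, kind, limit in ((per_second_ip, "ip", ip_limit),
                                  (per_second_mac, "mac", mac_limit)):
        if limit <= 0:                      # limit 0 disables that check
            continue
        for counter in counters.values():
            for addr, n in counter.items():
                if n > limit:               # the (limit+1)th packet is the first one dropped
                    key = (kind, addr)
                    offenders[key] = max(n, offenders.get(key, 0))
    return offenders


if __name__ == "__main__":
    records = list(parse_capture(CAPTURE))
    print("default (per-IP 30/s, no per-MAC limit):", arp_flood_sources(records))
    # The IP-spoofing source only shows up once a per-MAC limit is set.
    print("with per-MAC 30/s:", arp_flood_sources(records, mac_limit=30))
```

The peak count per source is what to compare against the configured limit: a source reported at 40 packets per second against a limit of 30 is the one to blacklist or blackhole in step 4 or 5, and the per-MAC view is the one to consult when the per-IP view shows nothing but the drop counter keeps rising.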
