The dhcp packet-rule command configures whitelist rules to filter DHCP packets.
The undo dhcp packet-rule command deletes configured whitelist rules.
By default, no whitelist rule is configured.
dhcp packet-rule ruleid { source-ip source-ip-address { source-ip-mask | source-ip-mask-length } | destination-ip destination-ip-address { destination-ip-mask-length | destination-ip-mask } } * [ source-port { bootpc | bootps } ] [ destination-port { bootpc | bootps } ]
undo dhcp packet-rule ruleid [ { source-ip source-ip-address { source-ip-mask | source-ip-mask-length } | destination-ip destination-ip-address { destination-ip-mask-length | destination-ip-mask } } * [ source-port { bootpc | bootps } ] [ destination-port { bootpc | bootps } ] ]
| Parameter | Description | Value |
|---|---|---|
| ruleid | Specifies the ID of a whitelist rule. | The value is an integer ranging from 1 to 1023. |
| source-ip source-ip-address | Specifies a source IP address. | The value is in dotted decimal notation. |
| source-ip-mask | Specifies the mask of the specified source IP address. | The value is in dotted decimal notation. |
| source-ip-mask-length | Specifies the mask length of the specified source IP address. | The value is an integer ranging from 1 to 32. |
| destination-ip destination-ip-address | Specifies a destination IP address. | The value is in dotted decimal notation. |
| destination-ip-mask | Specifies the mask of the specified destination IP address. | The value is in dotted decimal notation. |
| destination-ip-mask-length | Specifies the mask length of the specified destination IP address. | The value is an integer ranging from 1 to 32. |
| source-port | Specifies the source UDP port number. | - |
| bootpc | Specifies port 68 (the DHCP/BOOTP client port). | - |
| bootps | Specifies port 67 (the DHCP/BOOTP server port). | - |
| destination-port | Specifies the destination UDP port number; takes bootpc or bootps, as for source-port. | - |
Usage Scenario
The DHCP snooping whitelist is applied on the AC side and the network side of the UPE to filter the DHCP packets that are sent to the CPU. After DHCP snooping is enabled and a whitelist has been created, run the dhcp packet-rule command to add rules to it. Only DHCP packets that match a whitelist rule are sent to the CPU; DHCP packets that match no rule are forwarded without being sent to the CPU. Limiting the DHCP traffic that can reach the CPU in this way protects the device against DHCP packet attacks.
Prerequisites
A whitelist has been created for DHCP packets using the dhcp snooping packet whitelist command.
Precautions
Note the following when configuring whitelist rules:
1. The parameters of two rules in the same whitelist cannot be completely the same.
2. A whitelist rule cannot be modified once it is configured. To change its parameters, run the undo dhcp packet-rule command to delete the rule and then configure a new one.
3. A whitelist does not take effect for DHCP packets whose destination IP address is an IP address of the device itself.
4. The source and destination IP addresses cannot be all 0s or all 1s (0.0.0.0 or 255.255.255.255).
5. The masks of the source and destination IP addresses cannot be all 0s.
6. In VS mode, this command is supported only by the admin VS.
Example
Create the whitelist whitelist1 and add a rule that sends DHCP packets from 1.1.1.0/24 to 2.2.2.0/24 with source port bootps and destination port bootpc to the CPU:
```
<HUAWEI> system-view
[~HUAWEI] dhcp snooping packet whitelist whitelist1
[*HUAWEI-dhcpsnp-whitelist-whitelist1] dhcp packet-rule 1 source-ip 1.1.1.1 255.255.255.0 destination-ip 2.2.2.2 255.255.255.0 source-port bootps destination-port bootpc
```
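To make the matching and validation semantics above concrete, here is an added executable model written for this page; it is not Huawei's implementation and not code from the original reference. It parses dhcp packet-rule lines in the syntax given above, enforces the rule ID range, the "at least one of source-ip / destination-ip" requirement, precautions 1, 4 and 5 as checks, and decides whether a DHCP packet would be sent to the CPU or forwarded. Two points are assumptions rather than statements from the page: a packet addressed to one of the device's own IP addresses is treated as taking the normal path to the CPU (precaution 3 only says the whitelist does not apply to it), and a rule parameter that is omitted is treated as matching any value. The PacketRule class, the function names and the sample rules are my own.

```python
"""Executable model of the DHCP snooping whitelist described on this page.
Added illustration, not Huawei's implementation. Assumptions are marked."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# UDP ports behind the bootps / bootpc keywords (from the parameter table).
PORT_KEYWORDS = {"bootps": 67, "bootpc": 68}
RULE_ID_MIN, RULE_ID_MAX = 1, 1023


@dataclass(frozen=True)  # frozen: rules are not modified once configured (precaution 2)
class PacketRule:
    rule_id: int
    source: Optional[ipaddress.IPv4Network] = None       # source-ip + mask
    destination: Optional[ipaddress.IPv4Network] = None  # destination-ip + mask
    source_port: Optional[int] = None
    destination_port: Optional[int] = None

    def parameters(self):
        """Everything except the rule ID; used for the duplicate check."""
        return (self.source, self.destination, self.source_port, self.destination_port)

    def matches(self, src, dst, sport, dport) -> bool:
        """Assumption: an omitted parameter matches anything; a given one must match."""
        return ((self.source is None or src in self.source)
                and (self.destination is None or dst in self.destination)
                and (self.source_port is None or sport == self.source_port)
                and (self.destination_port is None or dport == self.destination_port))


def _network(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Build the address/mask pair, enforcing precautions 4 and 5."""
    if addr in ("0.0.0.0", "255.255.255.255"):
        raise ValueError(f"address {addr} may not be all 0s or all 1s")
    if "." not in mask and not RULE_ID_MIN <= int(mask) <= 32:
        raise ValueError(f"mask length {mask} out of range 1-32")
    # ipaddress accepts both a dotted mask and a prefix length after the '/'.
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    if net.prefixlen == 0:
        raise ValueError("mask may not be all 0s")
    return net


def parse_packet_rule(line: str) -> PacketRule:
    """Parse one 'dhcp packet-rule ...' command line into a PacketRule."""
    tokens = line.split()
    if tokens[:2] != ["dhcp", "packet-rule"] or len(tokens) < 3:
        raise ValueError("not a dhcp packet-rule command")
    rule_id = int(tokens[2])
    if not RULE_ID_MIN <= rule_id <= RULE_ID_MAX:
        raise ValueError(f"rule ID {rule_id} out of range {RULE_ID_MIN}-{RULE_ID_MAX}")
    fields = {}
    i = 3
    while i < len(tokens):
        key = tokens[i]
        if key in fields:
            raise ValueError(f"{key} given twice")
        if key in ("source-ip", "destination-ip"):
            fields[key] = _network(tokens[i + 1], tokens[i + 2])
            i += 3
        elif key in ("source-port", "destination-port"):
            fields[key] = PORT_KEYWORDS[tokens[i + 1]]  # KeyError unless bootps/bootpc
            i += 2
        else:
            raise ValueError(f"unexpected token {key!r}")
    if "source-ip" not in fields and "destination-ip" not in fields:
        raise ValueError("at least one of source-ip / destination-ip is required")
    return PacketRule(rule_id, fields.get("source-ip"), fields.get("destination-ip"),
                      fields.get("source-port"), fields.get("destination-port"))


def add_rule(rules: List[PacketRule], line: str) -> Optional[str]:
    """Parse and validate a rule; append it on success, else return the reason."""
    try:
        rule = parse_packet_rule(line)
    except (ValueError, KeyError, IndexError) as exc:
        return f"rejected: {exc}"
    if any(r.parameters() == rule.parameters() for r in rules):
        return "rejected: a rule with identical parameters already exists"  # precaution 1
    rules.append(rule)
    return None


def whitelist_verdict(rules, device_ips, src_ip, dst_ip, sport, dport) -> str:
    """'cpu' if the packet is sent to the CPU, 'forward' if it bypasses the CPU."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    # Precaution 3: the whitelist does not apply to packets addressed to the
    # device itself. Assumption: those take the normal path to the CPU.
    if str(dst) in set(device_ips):
        return "cpu"
    if any(r.matches(src, dst, sport, dport) for r in rules):
        return "cpu"
    return "forward"
```

Feeding the page's example rule through add_rule and then calling whitelist_verdict with a server-to-client packet (1.1.1.x to 2.2.2.x, port 67 to 68) yields "cpu", while the same packet with the ports swapped, or from an address outside 1.1.1.0/24, yields "forward"; a second rule with the same parameters written as prefix lengths instead of dotted masks is rejected as a duplicate.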