dhcp packet-rule

Function

The dhcp packet-rule command configures whitelist rules to filter DHCP packets.

The undo dhcp packet-rule command deletes configured whitelist rules.

By default, no whitelist rule is configured.

Format

dhcp packet-rule ruleid { source-ip source-ip-address { source-ip-mask | source-ip-mask-length } | destination-ip destination-ip-address { destination-ip-mask-length | destination-ip-mask } } * [ source-port { bootpc | bootps } ] [ destination-port { bootpc | bootps } ]

undo dhcp packet-rule ruleid [ { source-ip source-ip-address { source-ip-mask | source-ip-mask-length } | destination-ip destination-ip-address { destination-ip-mask-length | destination-ip-mask } } * [ source-port { bootpc | bootps } ] [ destination-port { bootpc | bootps } ] ]

Parameters

Parameter                              Description                                                       Value
ruleid                                 Specifies the ID of a whitelist rule.                             The value is an integer ranging from 1 to 1023.
source-ip source-ip-address            Specifies a source IP address.                                    The value is in dotted decimal notation.
source-ip-mask                         Specifies the mask of the specified source IP address.            The value is in dotted decimal notation.
source-ip-mask-length                  Specifies the mask length of the specified source IP address.     The value is an integer ranging from 1 to 32.
destination-ip destination-ip-address  Specifies a destination IP address.                               The value is in dotted decimal notation.
destination-ip-mask-length             Specifies the mask length of the specified destination IP address. The value is an integer ranging from 1 to 32.
destination-ip-mask                    Specifies the mask of the specified destination IP address.       The value is in dotted decimal notation.
source-port                            Specifies the source port number.                                 -
bootpc                                 Specifies port 68.                                                -
bootps                                 Specifies port 67.                                                -
destination-port                       Specifies the destination port number.                            -

Views

DHCP snooping whitelist view

Default Level

2: Configuration level

Task Name and Operations

Task Name   Operations
dhcp        write

Usage Guidelines

Usage Scenario

The DHCP snooping whitelist is used on the AC and network sides of the UPE to filter the DHCP packets that are sent to the CPU. After DHCP snooping is enabled and a whitelist is created, run the dhcp packet-rule command to configure whitelist rules. Only DHCP packets that match a whitelist rule are sent to the CPU; DHCP packets that match no rule are simply forwarded. This protects the device against attacks.

Prerequisites

A whitelist has been created for DHCP packets using the dhcp snooping packet whitelist command.

Precautions

Note the following when configuring whitelist rules:

1. The parameters of each rule in a whitelist cannot be completely the same.

2. Whitelist rules cannot be modified once they are configured. To modify parameters, run the undo dhcp packet-rule command to delete the whitelist rules and then configure new rules.

3. A whitelist does not take effect for DHCP packets whose destination IP address is an IP address of the device.

4. The source and destination IP addresses cannot be all 0s or all Fs.

5. The masks of source and destination IP addresses cannot be all 0s.

6. In VS mode, this command is supported only by the admin VS.
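The filtering behaviour described under Usage Scenario and the checks listed under Precautions, as an added Python model. This is example code written for this page, not Huawei code and not the device's own implementation: the class and function names (DhcpSnoopingWhitelist, PacketRule, DhcpPacket, parse_prefix), the tuple form used for source-ip/destination-ip, and the treatment of packets addressed to the device itself (returned as "cpu" because the whitelist is not consulted for them) are assumptions of the model. The rule configured in the example below mirrors the one in the Example section (source 1.1.1.1 255.255.255.0, destination 2.2.2.2 255.255.255.0, bootps to bootpc).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

BOOTPS = 67  # bootps keyword: DHCP server port
BOOTPC = 68  # bootpc keyword: DHCP client port
PORT_KEYWORDS = {"bootps": BOOTPS, "bootpc": BOOTPC}
ALL_ZERO = ipaddress.IPv4Address("0.0.0.0")
ALL_ONES = ipaddress.IPv4Address("255.255.255.255")


@dataclass(frozen=True)
class DhcpPacket:
    """Only the header fields a whitelist rule inspects (constructed for this model)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class PacketRule:
    rule_id: int
    source: Optional[ipaddress.IPv4Network]
    destination: Optional[ipaddress.IPv4Network]
    source_port: Optional[int]
    destination_port: Optional[int]

    def same_parameters(self, other: "PacketRule") -> bool:
        """Precaution 1: no two rules may have completely identical parameters."""
        mine = (self.source, self.destination, self.source_port, self.destination_port)
        theirs = (other.source, other.destination, other.source_port, other.destination_port)
        return mine == theirs

    def matches(self, pkt: DhcpPacket) -> bool:
        """Every parameter present in the rule must match; absent ones are wildcards."""
        if self.source is not None and ipaddress.IPv4Address(pkt.src_ip) not in self.source:
            return False
        if self.destination is not None and ipaddress.IPv4Address(pkt.dst_ip) not in self.destination:
            return False
        if self.source_port is not None and pkt.src_port != self.source_port:
            return False
        if self.destination_port is not None and pkt.dst_port != self.destination_port:
            return False
        return True


def parse_prefix(address: str, mask: str) -> ipaddress.IPv4Network:
    """Accept a dotted-decimal mask or a mask length (1 to 32), as the command syntax
    does, and reject the addresses and masks that precautions 4 and 5 forbid."""
    ip = ipaddress.IPv4Address(address)
    if ip in (ALL_ZERO, ALL_ONES):
        raise ValueError(f"{address}: address cannot be all 0s or all Fs")
    if mask.isdigit():
        if not 1 <= int(mask) <= 32:
            raise ValueError(f"{mask}: mask length must be 1 to 32")
    elif ipaddress.IPv4Address(mask) == ALL_ZERO:
        raise ValueError("mask cannot be all 0s")
    return ipaddress.IPv4Network(f"{address}/{mask}", strict=False)


def parse_port(keyword: Optional[str]) -> Optional[int]:
    """Map the bootpc / bootps keywords to port numbers; None means not specified."""
    if keyword is None:
        return None
    if keyword not in PORT_KEYWORDS:
        raise ValueError(f"{keyword}: port must be bootpc or bootps")
    return PORT_KEYWORDS[keyword]


class DhcpSnoopingWhitelist:
    """In-memory model of one DHCP snooping whitelist and the rules it holds."""

    def __init__(self, name: str, device_addresses=()):
        self.name = name
        self.rules: Dict[int, PacketRule] = {}
        # Precaution 3: the whitelist is not applied to packets addressed to the device itself.
        self.device_addresses = {ipaddress.IPv4Address(a) for a in device_addresses}

    def packet_rule(self, rule_id, source_ip=None, destination_ip=None,
                    source_port=None, destination_port=None) -> PacketRule:
        """Model of 'dhcp packet-rule ruleid ...': source_ip / destination_ip are
        (address, mask-or-length) tuples, the ports are the keywords bootpc / bootps."""
        if not 1 <= rule_id <= 1023:
            raise ValueError("ruleid must be an integer from 1 to 1023")
        if source_ip is None and destination_ip is None:
            raise ValueError("at least one of source-ip / destination-ip is required")
        if rule_id in self.rules:  # precaution 2: an existing rule cannot be modified
            raise ValueError(f"rule {rule_id} exists; undo it before reconfiguring")
        rule = PacketRule(rule_id,
                          parse_prefix(*source_ip) if source_ip else None,
                          parse_prefix(*destination_ip) if destination_ip else None,
                          parse_port(source_port), parse_port(destination_port))
        if any(rule.same_parameters(r) for r in self.rules.values()):
            raise ValueError("a rule with identical parameters already exists")
        self.rules[rule_id] = rule
        return rule

    def undo_packet_rule(self, rule_id: int) -> None:
        self.rules.pop(rule_id)  # model of 'undo dhcp packet-rule ruleid'

    def action(self, pkt: DhcpPacket) -> str:
        """'cpu' if the packet is sent to the CPU, 'forward' if it is only forwarded."""
        if ipaddress.IPv4Address(pkt.dst_ip) in self.device_addresses:
            return "cpu"  # assumption: device-addressed packets take the normal path to the CPU
        if any(rule.matches(pkt) for rule in self.rules.values()):
            return "cpu"
        return "forward"
```

With rule 1 configured as in the Example section, a packet from 1.1.1.9 port 67 to 2.2.2.200 port 68 is classified "cpu", while the same packet with the ports reversed, or from a source outside 1.1.1.0/24, is classified "forward". Re-issuing rule 1 with different parameters, or adding a second rule whose parameters equal an existing rule's, raises ValueError, which is how the model expresses precautions 1 and 2.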

Example

# Configure rules for the whitelist named whitelist1.
<HUAWEI> system-view
[~HUAWEI] dhcp snooping packet whitelist whitelist1
[*HUAWEI-dhcpsnp-whitelist-whitelist1] dhcp packet-rule 1 source-ip 1.1.1.1 255.255.255.0 destination-ip 2.2.2.2 255.255.255.0 source-port bootps destination-port bootpc
Copyright © Huawei Technologies Co., Ltd.