For some specific scenarios, we need to block DHCP broadcast packets (Discover, Request) from exiting a specific interface.
In this scenario, PC1 gets a dynamic IP address from the DHCP server located on LSW2. LSW1 just forwards the Discover and Request packets towards LSW2.
The requirement is to block these packets from exiting GE0/0/3 on LSW1.
Solution
Solution: configure a traffic policy and apply it in the outbound direction on the S5720S-28X-LI-24S-AC interface where you want to block the packets (in this case GE0/0/3 of LSW1).
The traffic classifier uses an advanced ACL to match the DHCP traffic, which is UDP traffic to ports 67 (bootps) and 68 (bootpc).
The traffic behavior is set to "deny" and, optionally, to "statistic enable" so you can check afterwards whether packets are being dropped.
Configuration
The configuration is as below:
acl number 3000
 rule 5 permit udp destination-port eq bootps
 rule 10 permit udp destination-port eq bootpc
#
traffic classifier c1 operator and
 if-match acl 3000
#
traffic behavior b1
 deny
 statistic enable
#
traffic policy p1
 classifier c1 behavior b1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 traffic-policy p1 outbound
 dhcp snooping enable
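To check what this policy actually drops before putting it on a production switch, here is an added example (not code from the original post or from Huawei) that models ACL 3000, classifier c1 and the outbound binding of policy p1 on GE0/0/3, then runs constructed DHCP and non-DHCP packets through it. Because both ACL rules match on destination port only, the model also shows that server-to-client Offer and Ack messages leaving GE0/0/3 are denied, not only the client Discover and Request; interface names and sample packets are assumptions for the demonstration.

```python
# Added example (not from the original post): a minimal model of the ACL 3000
# classifier and the outbound traffic policy on GE0/0/3, used to check which
# DHCP messages the policy drops. Interface names and packets are constructed.

from dataclasses import dataclass

BOOTPS, BOOTPC = 67, 68          # UDP ports the ACL rules name as bootps/bootpc

# ACL 3000 as on the page: (action, protocol, destination port), evaluated in order
ACL_3000 = [
    ("permit", "udp", BOOTPS),   # rule 5
    ("permit", "udp", BOOTPC),   # rule 10
]

@dataclass
class Packet:
    name: str
    proto: str
    sport: int
    dport: int

def acl_matches(acl, pkt):
    """First matching rule wins; a permit match means classifier c1 matches."""
    for action, proto, dport in acl:
        if pkt.proto == proto and pkt.dport == dport:
            return action == "permit"
    return False   # no rule matched: not classified by c1

def egress_action(pkt, interface):
    """Policy p1 (c1 -> behavior b1 = deny) is bound outbound on GE0/0/3 only."""
    if interface == "GigabitEthernet0/0/3" and acl_matches(ACL_3000, pkt):
        return "deny"
    return "permit"

# Constructed sample traffic: the four DHCP exchange messages plus an unrelated UDP flow
SAMPLE = [
    Packet("DHCP Discover", "udp", BOOTPC, BOOTPS),
    Packet("DHCP Offer",    "udp", BOOTPS, BOOTPC),
    Packet("DHCP Request",  "udp", BOOTPC, BOOTPS),
    Packet("DHCP Ack",      "udp", BOOTPS, BOOTPC),
    Packet("DNS query",     "udp", 50000, 53),
]

def policy_report(interface):
    """Return {packet name: action} for the sample traffic leaving `interface`."""
    return {p.name: egress_action(p, interface) for p in SAMPLE}

if __name__ == "__main__":
    for iface in ("GigabitEthernet0/0/3", "GigabitEthernet0/0/1"):
        print(iface, policy_report(iface))
```

On the switch itself, the "statistic enable" counters give the equivalent evidence; on S-series VRP the command I know for reading them is `display traffic policy statistics interface GigabitEthernet0/0/3 outbound` (treat the exact syntax as an assumption for your software version).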
If you have other questions about Huawei switches, you can contact supports@thunder-link.com.