Block third-party DHCP servers on the Huawei Quidway S2300 (DHCP Snooping)

Here is an example of how to configure the Huawei Quidway S2300 switch (using the S2326TP-EI as an example) to accept DHCP responses from the uplink port and block DHCP responses from client ports.


Configuring DHCP+TFTP for DOCSIS

Recently, I needed to configure IP address assignment for several old DOCSIS modems and the host located behind the modem.
On hand were the Arris Cadant C3 and Thomson TCM-420 modems.

First of all, let’s start a DHCP server that will issue IP addresses to the modems, for example as I described in the article “Installing and configuring isc-dhcp-server”.
We will also launch a TFTP server that holds the files for the modems, for example as I described in the article “Installing and Configuring a TFTP Server”.


Installing and configuring isc-dhcp-server in Ubuntu

Here’s an example of installing isc-dhcp-server in Ubuntu Server.

Installation command:

sudo apt-get install isc-dhcp-server

Open the first configuration file:

sudo nano /etc/default/isc-dhcp-server

Specify the name of the interface from which the IP addresses will be sent (for example, eth0):


Suppose that this interface has a static address in /etc/network/interfaces:

auto eth0
iface eth0 inet static

Let’s make a backup copy of the second configuration file:

sudo mv /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.backup

Create a new one:

sudo nano /etc/dhcp/dhcpd.conf

And we will add the following parameters to it:

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

shared-network cable {

  subnet netmask {
    option domain-name-servers,;
    option domain-name "";
    option routers;
    option time-servers;
    option broadcast-address;
    default-lease-time 600;
    max-lease-time 7200;
  }
}

To reserve an IP address for a specific device, add the following after “max-lease-time 7200;” (before the closing brace “}”):

host test {
  hardware ethernet 00:01:02:aa:bb:cc;
}

For several hosts, it is more convenient to put each one on a single line:

host test { hardware ethernet 00:01:02:aa:bb:cc; fixed-address; }
host test2 { hardware ethernet 00:01:aa:aa:bb:cc; fixed-address; }

You can check whether the DHCP server is running with these commands:

sudo service isc-dhcp-server status
sudo /etc/init.d/isc-dhcp-server status
sudo netstat -tulpn | grep :67

Restart the server for changes to the configuration files to take effect:

sudo service isc-dhcp-server restart
sudo /etc/init.d/isc-dhcp-server restart

You can view the issued IP addresses with the command:

sudo less /var/lib/dhcp/dhcpd.leases

Logs are written to syslog (log-facility local7). To separate them into their own file, open the syslog configuration file in a text editor:

sudo nano /etc/rsyslog.d/50-default.conf

And at the end of the file add:

local7.*  /var/log/dhcp-server.log

After that, they will be written to both /var/log/syslog and /var/log/dhcp-server.log.

Let’s check if the DHCP server is running:

sudo netstat -tulpn | grep :67

An example of capturing packets with tcpdump to analyze problems:

sudo tcpdump port 67 or port 68 -e -n
sudo tcpdump ether host e0:cb:4e:c3:7c:44
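
An added example (not part of the original article): a Python filter for the output of the first tcpdump command above that reports DHCP server replies sent from MAC addresses other than your own server, which is how a third-party DHCP server shows up in such a capture. The trusted server MAC, the 02:00:00:00:00:99 MAC, the IP addresses and the sample capture lines are constructed for illustration.

```python
import re

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IPV4 = r"\d+\.\d+\.\d+\.\d+"
# One line of `tcpdump -e -n` output carrying a BOOTP/DHCP message.
# The link-layer fields between the MACs and the IP pair vary, so they are skipped.
LINE_RE = re.compile(
    rf"^(?P<ts>\S+) (?P<src_mac>{MAC}) > (?P<dst_mac>{MAC}),.*?[:,] "
    rf"(?P<src_ip>{IPV4})\.(?P<sport>\d+) > (?P<dst_ip>{IPV4})\.(?P<dport>\d+): "
    r"BOOTP/DHCP, (?P<kind>Request|Reply)",
    re.IGNORECASE,
)

def find_unexpected_servers(lines, trusted_macs):
    """Return {mac: {source IPs}} for DHCP server replies sent by untrusted MACs.

    trusted_macs must list every MAC that legitimately sends replies on this
    segment: the DHCP server itself and any relay agent or router in front of it.
    """
    trusted = {m.lower() for m in trusted_macs}
    found = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a DHCP line, or a format this filter does not know
        # Server-to-client messages (OFFER/ACK/NAK) are BOOTP replies from UDP port 67.
        if m["kind"].lower() != "reply" or m["sport"] != "67":
            continue
        mac = m["src_mac"].lower()
        if mac not in trusted:
            found.setdefault(mac, set()).add(m["src_ip"])
    return found

# Constructed sample capture: one client request, one reply from the trusted
# server (00:01:02:aa:bb:01, constructed) and one reply from an unknown MAC.
SAMPLE = """\
10:15:01.000001 e0:cb:4e:c3:7c:44 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from e0:cb:4e:c3:7c:44, length 300
10:15:01.000950 00:01:02:aa:bb:01 > e0:cb:4e:c3:7c:44, ethertype IPv4 (0x0800), length 342: 192.0.2.1.67 > 192.0.2.50.68: BOOTP/DHCP, Reply, length 300
10:15:01.001200 02:00:00:00:00:99 > e0:cb:4e:c3:7c:44, ethertype IPv4 (0x0800), length 342: 198.51.100.1.67 > 198.51.100.20.68: BOOTP/DHCP, Reply, length 300
"""

if __name__ == "__main__":
    hits = find_unexpected_servers(SAMPLE.splitlines(), ["00:01:02:aa:bb:01"])
    for mac, ips in sorted(hits.items()):
        print(f"unexpected DHCP server: {mac} answering as {', '.join(sorted(ips))}")
```
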

In real time, you can watch logs like this:

tail -F /var/log/syslog | grep dhcpd
tail -F /var/log/syslog | grep
tail -F /var/log/syslog | grep e0:cb:4e:c3:7c:44

See also my articles:
IPTables rules for DHCP
DHCP configuration script
Installing ISC DHCP for ABillS
Configuring DHCP+TFTP for DOCSIS
Packet capturing with tcpdump

Blocking third-party DHCP on Cisco via DHCP Snooping

For the test, I configure DHCP Snooping on the Cisco Catalyst 6509-E to block third-party DHCP servers; on other Cisco switches, the configuration is basically the same.

After connecting to the device, go straight to configuration mode:

