Block third-party DHCP servers on the Huawei Quidway S2300

Here is an example of how, on a Huawei Quidway S2300 switch (an S2326TP-EI in this case), to allow DHCP server responses only from the uplink port and block them on client ports.

First, enable DHCP and DHCP snooping globally (dhcp server detect additionally logs DHCP servers seen on untrusted ports):

dhcp enable
dhcp snooping enable
dhcp server detect

Enable DHCP snooping in the client VLAN:

vlan 226
dhcp snooping enable

And mark the uplink port as trusted so that DHCP responses are accepted from it:

interface GigabitEthernet0/0/1
dhcp snooping trusted

After that, responses from DHCP servers are dropped on every port in that VLAN that is not marked “dhcp snooping trusted”; client requests still pass on all ports.

Save the configuration:

save config.cfg

Done.
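To show what the trusted/untrusted check actually does, here is an added example in Python; it is not part of the original post and not Huawei code. It parses the BOOTP header and the DHCP message-type option and applies the snooping rule: server messages (BOOTREPLY, or OFFER/ACK/NAK) are dropped unless they arrive on a trusted port, while client messages are forwarded from any port. The port names, the sample MAC address and the packets it builds are constructed for the example. The same rule is what the Cisco DHCP Snooping configuration further down enforces, so the example serves both sections.

```python
# Added example (not from the original post): the per-port check a DHCP
# snooping switch applies. Server->client messages are only accepted on
# trusted ports; client->server messages are accepted on any port.
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_MSG_TYPES = (2, 5, 6)   # OFFER, ACK, NAK: only a server sends these


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the DHCP message-type option (53)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops = struct.unpack("!BBBB", payload[:4])
    xid = struct.unpack("!I", payload[4:8])[0]
    chaddr = payload[28:28 + hlen].hex(":")
    msg_type = None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        if code == OPT_MSG_TYPE and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    return {"op": op, "xid": xid, "chaddr": chaddr,
            "msg_type": msg_type, "name": MSG_NAMES.get(msg_type, "?")}


def snooping_verdict(port: str, trusted_ports: set, payload: bytes) -> str:
    """Return 'forward' or 'drop' for a DHCP frame that arrived on `port`."""
    try:
        pkt = parse_dhcp(payload)
    except ValueError:
        return "drop"          # malformed data on UDP 67/68: drop, do not guess
    server_msg = pkt["op"] == BOOTREPLY or pkt["msg_type"] in SERVER_MSG_TYPES
    if server_msg and port not in trusted_ports:
        return "drop"          # a server reply on an untrusted (client) port
    return "forward"


def build_dhcp(op: int, msg_type: int, mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Build a minimal DHCP packet; constructed sample input for the example."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)  # hops=0, secs=0, broadcast flag
    hdr += b"\x00" * 16                       # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac + b"\x00" * 10                 # chaddr is 16 bytes
    hdr += b"\x00" * 192                      # sname (64) + file (128)
    return hdr + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])


def demo() -> dict:
    trusted = {"GigabitEthernet0/0/1"}        # the uplink port from the post
    mac = bytes.fromhex("000102aabbcc")       # assumed client MAC
    discover = build_dhcp(BOOTREQUEST, 1, mac)
    offer = build_dhcp(BOOTREPLY, 2, mac)
    return {
        "client DISCOVER on access port": snooping_verdict("GigabitEthernet0/0/5", trusted, discover),
        "OFFER from uplink": snooping_verdict("GigabitEthernet0/0/1", trusted, offer),
        "OFFER from access port (rogue)": snooping_verdict("GigabitEthernet0/0/5", trusted, offer),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The check is deliberately conservative: a frame is treated as a server message if either the BOOTP op field says BOOTREPLY or option 53 is OFFER/ACK/NAK, so a rogue server cannot slip through by setting one of the two inconsistently.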

Configuring DHCP+TFTP for DOCSIS

Recently I needed to configure issuing IP addresses to several old DOCSIS modems and to the hosts behind them.
At hand were Arris Cadant C3 and Thomson TCM-420 modems.

First, set up a DHCP server that will issue IP addresses to the modems, for example as described in the article Installing and configuring isc-dhcp-server.
Also set up a TFTP server that will hold the files for the modems, for example as described in the article Installing and Configuring a TFTP Server.

Continue reading “Configuring DHCP+TFTP for DOCSIS”

Installing and configuring isc-dhcp-server in Ubuntu

Here’s an example of installing isc-dhcp-server in Ubuntu Server.

Installation command:

sudo apt-get install isc-dhcp-server

Open the first configuration file:

sudo nano /etc/default/isc-dhcp-server

Specify the name of the interface from which the IP addresses will be sent (for example, eth0):


Suppose that this interface has a static address in /etc/network/interfaces:

auto eth0
iface eth0 inet static

Let’s make a backup copy of the second configuration file:

sudo mv /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.backup

Create a new one:

sudo nano /etc/dhcp/dhcpd.conf

And add the following parameters to it:

default-lease-time 600;
max-lease-time 7200;
log-facility local7;

shared-network cable {

subnet netmask {
option domain-name-servers,;
option domain-name "";
option routers;
option time-servers;
option broadcast-address;
default-lease-time 600;
max-lease-time 7200;
}

}

To reserve an IP address for a specific device, add after “max-lease-time 7200;” (before the closing brace “}”):

host test {
  hardware ethernet 00:01:02:aa:bb:cc;
}

With several hosts it is more convenient to write each one on a single line:

host test { hardware ethernet 00:01:02:aa:bb:cc; fixed-address; }
host test2 { hardware ethernet 00:01:aa:aa:bb:cc; fixed-address; }

You can check whether dhcp server is started by the commands:

sudo service isc-dhcp-server status
sudo /etc/init.d/isc-dhcp-server status
sudo netstat -tulpn | grep :67

Restart the server for changes to the configuration files to take effect:

sudo service isc-dhcp-server restart
sudo /etc/init.d/isc-dhcp-server restart

The issued leases can be seen with:

sudo less /var/lib/dhcp/dhcpd.leases
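Reading dhcpd.leases by eye is error-prone because the file is append-only: isc-dhcp-server writes a new lease block every time a binding changes, so the last block for an address is the current one. The following added example (not from the original post) parses the file, keeps only the last block per IP, lists leases that are active and not yet expired, and flags a MAC holding more than one address. The sample file content and its addresses are constructed for the example.

```python
# Added example (not from the original post): parse /var/lib/dhcp/dhcpd.leases.
# isc-dhcp-server appends a block for every binding change, so the LAST
# block for a given IP is the current state of that lease.
import re
from datetime import datetime, timezone

# Constructed sample in the dhcpd.leases format (addresses are made up).
SAMPLE_LEASES = """\
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 172.16.1.20 {
  starts 1 2024/01/08 10:00:00;
  ends 1 2024/01/08 12:00:00;
  binding state active;
  hardware ethernet 00:01:02:aa:bb:cc;
  client-hostname "cm-lab";
}
lease 172.16.1.21 {
  starts 1 2024/01/08 10:05:00;
  ends 1 2024/01/08 12:05:00;
  binding state active;
  hardware ethernet 00:01:aa:aa:bb:cc;
}
lease 172.16.1.20 {
  starts 1 2024/01/08 11:30:00;
  ends 1 2024/01/08 13:30:00;
  binding state free;
  hardware ethernet 00:01:02:aa:bb:cc;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
TIME_FMT = "%Y/%m/%d %H:%M:%S"       # timestamps in dhcpd.leases are UTC


def parse_leases(text: str) -> dict:
    """Return {ip: lease dict}, keeping only the last block for each IP."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        lease = {"ip": ip, "state": None, "mac": None, "hostname": None, "ends": None}
        for line in body.splitlines():
            line = line.strip().rstrip(";")
            if line.startswith("binding state "):
                lease["state"] = line.split()[2]
            elif line.startswith("hardware ethernet "):
                lease["mac"] = line.split()[2].lower()
            elif line.startswith("client-hostname "):
                lease["hostname"] = line.split(" ", 1)[1].strip('"')
            elif line.startswith("ends "):
                parts = line.split()          # "ends <weekday> <date> <time>" or "ends never"
                if parts[1] != "never":
                    lease["ends"] = datetime.strptime(" ".join(parts[2:4]), TIME_FMT).replace(tzinfo=timezone.utc)
        leases[ip] = lease                    # later block overrides earlier one
    return leases


def active_leases(text: str, now_utc: str) -> dict:
    """Leases in binding state active whose 'ends' is after now_utc (TIME_FMT string)."""
    now = datetime.strptime(now_utc, TIME_FMT).replace(tzinfo=timezone.utc)
    return {ip: l for ip, l in parse_leases(text).items()
            if l["state"] == "active" and (l["ends"] is None or l["ends"] > now)}


def macs_with_multiple_ips(leases: dict) -> dict:
    """MAC -> [ips] for any MAC that holds more than one lease in `leases`."""
    by_mac = {}
    for l in leases.values():
        by_mac.setdefault(l["mac"], []).append(l["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for ip, l in active_leases(SAMPLE_LEASES, "2024/01/08 11:00:00").items():
        print(ip, l["mac"], l["hostname"], l["ends"])
```

On a real server replace SAMPLE_LEASES with the contents of /var/lib/dhcp/dhcpd.leases; the file is root-readable only, so run the script with sudo.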

Logs go to syslog (log-facility local7). To write them to a separate file as well, open the rsyslog configuration file in a text editor:

sudo nano /etc/rsyslog.d/50-default.conf

And add at the end:

local7.*  /var/log/dhcp-server.log

After restarting rsyslog they will be written both to /var/log/syslog and to /var/log/dhcp-server.log.

Let’s check if the DHCP server is running:

sudo netstat -tulpn | grep :67

An example of capturing packets with tcpdump to analyze problems:

sudo tcpdump -e -n port 67 or port 68
sudo tcpdump ether host e0:cb:4e:c3:7c:44

In real time, you can watch logs like this:

tail -F /var/log/syslog | grep dhcpd
tail -F /var/log/syslog | grep
tail -F /var/log/syslog | grep e0:cb:4e:c3:7c:44

See also my articles:
IPTables rules for DHCP
DHCP configuration script
Installing ISC DHCP for ABillS
Configuring DHCP+TFTP for DOCSIS
Packet capturing with tcpdump

Blocking third-party DHCP on Cisco via DHCP Snooping

As a test I configure DHCP Snooping on a Cisco Catalyst 6509-E to block third-party DHCP servers; on other Cisco switches the configuration is basically the same.

After connecting to the device, go straight to configuration mode:


Continue reading “Blocking third-party DHCP on Cisco via DHCP Snooping”

IPTables rules for DHCP

Assume the server's default INPUT policy is DROP. Here is a simple rule permitting DHCP requests to the server, which is enough for clients to get an IP from it (em1 is the network interface the DHCP server listens on):

iptables -I INPUT -p udp -i em1 --dport 67 -j ACCEPT

To remove the rule, run the same command with -I replaced by -D, for example:

iptables -D INPUT -p udp -i em1 --dport 67 -j ACCEPT

Strictly restricting access by source IP is impossible, because a client that has no address yet sends its broadcast request from 0.0.0.0 to 255.255.255.255, and only renews later by unicast from the IP it received.

Here is an example of an IP restriction (where the first address is the IP the DHCP server runs on, and the second is the network of clients allowed to renew their leases):

iptables -t filter -A INPUT -i em1 -p udp -s --sport 68 -d --dport 67 -j ACCEPT
iptables -t filter -A INPUT -i em1 -p udp -s --sport 68 -d --dport 67 -j ACCEPT
iptables -t filter -A INPUT -i em1 -p udp -s --sport 68 -d --dport 67 -j ACCEPT
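To make the point about 0.0.0.0 concrete, here is an added example in Python (not from the original post) that models the INPUT chain for DHCP the way iptables evaluates it: first matching rule wins, anything unmatched falls to the chain policy. The addresses are assumptions for the example (10.0.0.1 as the DHCP server, 10.0.0.0/24 as the client network), and the three rules are the assumed expansion of the rule set above: discovery from 0.0.0.0 to the broadcast address, unicast renewal from the client network to the server, and broadcast requests from the client network. naive_verdict shows what happens when the 0.0.0.0 rule is left out.

```python
# Added example (not from the original post): a model of the INPUT chain
# for DHCP, to show why filtering purely by client network breaks discovery.
# Addresses are assumptions: 10.0.0.1 is the DHCP server, 10.0.0.0/24 the clients.
import ipaddress

SERVER_IP = ipaddress.ip_address("10.0.0.1")
CLIENT_NET = ipaddress.ip_network("10.0.0.0/24")
UNSPEC = ipaddress.ip_network("0.0.0.0/32")            # source before the client has an IP
BCAST = ipaddress.ip_network("255.255.255.255/32")     # limited broadcast
SERVER_HOST = ipaddress.ip_network(f"{SERVER_IP}/32")

# Each entry mirrors one
#   iptables -A INPUT -i em1 -p udp -s SRC --sport 68 -d DST --dport 67 -j ACCEPT
# line; first match wins and the chain policy (DROP) applies otherwise.
RULES = [
    {"src": UNSPEC,     "dst": BCAST,       "target": "ACCEPT"},  # DISCOVER / initial REQUEST
    {"src": CLIENT_NET, "dst": SERVER_HOST, "target": "ACCEPT"},  # unicast renew (RENEWING state)
    {"src": CLIENT_NET, "dst": BCAST,       "target": "ACCEPT"},  # broadcast REQUEST / INFORM
]


def input_verdict(src: str, dst: str, sport: int, dport: int,
                  iface: str = "em1", rules=RULES, policy: str = "DROP") -> str:
    """Evaluate one UDP datagram against the rule list like the INPUT chain would."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface != "em1" or (sport, dport) != (68, 67):
        return policy                  # every rule requires -i em1 --sport 68 --dport 67
    for r in rules:
        if src_ip in r["src"] and dst_ip in r["dst"]:
            return r["target"]
    return policy


def naive_verdict(src: str, dst: str, sport: int, dport: int) -> str:
    """The tempting 'only my client network' rule set, without the 0.0.0.0 exception."""
    return input_verdict(src, dst, sport, dport, rules=[RULES[1], RULES[2]])


if __name__ == "__main__":
    print("DISCOVER:", input_verdict("0.0.0.0", "255.255.255.255", 68, 67))
    print("DISCOVER with naive rules:", naive_verdict("0.0.0.0", "255.255.255.255", 68, 67))
```

A rule set that only allows the client network looks reasonable and passes every renewal test, then silently fails the moment a new client, or one whose lease has expired, tries to obtain an address.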

See also my articles:
Configuring IPTables
IPTables rules for TFTP

Installing and Using dhcpdump

dhcpdump is a sniffer utility for analyzing DHCP packets.

Installation command in Ubuntu/Debian:

sudo apt-get install dhcpdump

Installation in CentOS:

yum install dhcpdump

Let’s see what network interfaces are in the system:


Run dhcpdump with the name of the network interface:

dhcpdump -i eth0

To capture only packets whose hardware address matches a regular expression (here, addresses beginning with 02:b0:eb):

dhcpdump -i eth0 -h ^02:b0:eb

To write the output to a file instead of the screen:

dhcpdump -i eth0 > file.txt

Configuring FreeRADIUS DHCP for ABillS

Suppose you installed FreeRADIUS 2 as written in this article – Installation and configuration of the ABillS billing system
Now copy the dhcp.conf file into the FreeRADIUS configuration:

sudo cp /usr/abills/misc/freeradius/v2/dhcp.conf /usr/local/freeradius/etc/raddb/sites-enabled/

Continue reading “Configuring FreeRADIUS DHCP for ABillS”

DHCP configuration script

Suppose you need to add many subnets to the DHCP server configuration file, for example from to; in that case this script will help.
It can be downloaded HERE.

Make the script executable and run it on Linux:

chmod 755 script_dhcp_conf.php

Copy the result to the clipboard and paste it into the DHCP configuration file (in PuTTY, copying is done with the Ctrl+Ins key combination).

Sample script:



#!/usr/bin/php
<?php
// print one subnet declaration per iteration: 172.16.1.0 .. 172.16.100.0,
// each with its gateway and TFTP next-server at .1 of that subnet
for ($i = 1; $i <= 100; $i++) {
    echo "subnet 172.16.$i.0 netmask {\n";
    echo "       option routers 172.16.$i.1;\n";
    echo "       option domain-name-servers,;\n";
    echo "       option subnet-mask;\n";
    echo "       default-lease-time 86400;\n";
    echo "       max-lease-time 86400;\n";
    echo "       next-server 172.16.$i.1;\n";
    echo "}\n\n";
}
?>


How to fix error “dhcpd self-test failed. Please fix the config file”

I noticed once in the syslog:

dhcpd self-test failed. Please fix the config file

Isc-dhcp-server was installed on the server.

To check the correctness of the configuration file, use the command:

dhcpd -t
dhcpd -t -cf /dir/dhcpd.conf
/usr/sbin/dhcpd -t

The command should report the line containing the error, although I noticed that for a non-critical error it may not.
The -t key runs the configuration test, and -cf lets you specify the path to the configuration file if it is not the standard one.

In my case someone had made a typo in the configuration file /etc/dhcp/dhcpd.conf, in the line below (there was an extra letter):


Because of this an error was reported, but despite the error DHCP kept working.
There were also critical errors, such as an incorrectly written MAC address; because of that error DHCP did not start.
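Since a malformed MAC address is exactly the kind of mistake that stops dhcpd from starting, a quick pre-check of the host declarations before running dhcpd -t is useful. The following added example (not from the original post, and not a replacement for dhcpd -t) scans the host blocks in a dhcpd.conf, reports hardware ethernet values that are not valid MAC addresses, and also reports a MAC or fixed-address used by more than one host, which dhcpd -t rejects as well but only one at a time. The sample configuration and its addresses are constructed for the example; fixed-address values are expected to be literal IPs here, although dhcpd also accepts hostnames.

```python
# Added example (not from the original post): pre-check host declarations
# in dhcpd.conf before running "dhcpd -t". It reports malformed
# "hardware ethernet" values and duplicate MACs / fixed-address entries.
import re
import ipaddress

MAC_RE = re.compile(r"^([0-9a-f]{1,2}:){5}[0-9a-f]{1,2}$", re.I)
HOST_RE = re.compile(r"host\s+(\S+)\s*\{(.*?)\}", re.S)

# Constructed sample dhcpd.conf fragment with deliberate mistakes
# (host "bad" has a non-hex octet, host "dup" reuses test's MAC and address).
SAMPLE_CONF = """\
subnet 172.16.1.0 netmask 255.255.255.0 {
  option routers 172.16.1.1;
  host test  { hardware ethernet 00:01:02:aa:bb:cc; fixed-address 172.16.1.20; }
  host test2 { hardware ethernet 00:01:aa:aa:bb:cc; fixed-address 172.16.1.21; }
  host bad   { hardware ethernet 00:01:02:aa:bb:cg; fixed-address 172.16.1.22; }
  host dup   { hardware ethernet 00:01:02:AA:BB:CC; fixed-address 172.16.1.20; }
}
"""


def check_hosts(conf: str) -> list:
    """Return a list of (host, problem) tuples; an empty list means no findings."""
    problems, seen_mac, seen_ip = [], {}, {}
    for m in HOST_RE.finditer(conf):
        name, body = m.group(1), m.group(2)
        mac = re.search(r"hardware\s+ethernet\s+([^;]+);", body)
        ip = re.search(r"fixed-address\s+([^;]+);", body)

        if not mac:
            problems.append((name, "no hardware ethernet"))
        elif not MAC_RE.match(mac.group(1).strip()):
            problems.append((name, f"bad MAC {mac.group(1).strip()}"))
        else:
            key = mac.group(1).strip().lower()      # dhcpd compares MACs case-insensitively
            if key in seen_mac:
                problems.append((name, f"MAC already used by host {seen_mac[key]}"))
            seen_mac.setdefault(key, name)

        if ip:
            addr = ip.group(1).strip()
            try:
                ipaddress.ip_address(addr)           # this check expects a literal IP
            except ValueError:
                problems.append((name, f"bad fixed-address {addr}"))
                continue
            if addr in seen_ip:
                problems.append((name, f"fixed-address already used by host {seen_ip[addr]}"))
            seen_ip.setdefault(addr, name)
    return problems


if __name__ == "__main__":
    for host, problem in check_hosts(SAMPLE_CONF):
        print(f"host {host}: {problem}")
```

Run it with the real file (sudo python3 check.py < /etc/dhcp/dhcpd.conf after swapping SAMPLE_CONF for sys.stdin.read()), fix what it reports, and then run dhcpd -t for the authoritative verdict.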