Fake DHCP and Huawei Switches
Given: a WAN on Huawei S2326 and S2352; the switches have static records of the IP and MAC of the computers on the ports (user-bind static ip-address xxxx mac-address xxxx-xxxx-xxxx interface Ethernet0/0/1). Since IPs are obtained automatically, you have to do dhcp enable (otherwise users cannot get an address). Rules have also been added to the ACL:
rule 45 deny udp source-port eq bootps
rule 50 deny udp destination-port eq bootpc
prohibiting DHCPACK packets from routers that the crooked hands of users have safely connected to the network by the bare ass of the LAN port.
However, the problem is that with dhcp enable turned on these rules are ignored, and with it disabled the user cannot reach the DHCP server from the address 0.0.0.0 (user-bind static does not allow it).
Now the question: how can I block rogue DHCP without disabling the static IP/MAC entries on the ports? I just can't understand why the dhcp enable option lets DHCP packets pass on this port both from the client and from the server, even when there is an explicit prohibition in the ACL.
On D-Links this was solved with a static MAC, max learning address 1, and an ACL with a similar rule on subscriber ports; on Huawei the entries static mac and mac-address learning disable do not prevent sending packets with a different source MAC.
It was enough to rummage through the search engines calmly, without running around. DHCP Snooping is the solution to the problem: wiki.pinkpiton.org.ua/index.php/DHCP_snooping_on_switches_Huawei_s2300
PS: I'm not a network administrator, I'm an operations engineer. Why it wasn't done by those who are supposed to know is a separate question.
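An added configuration example, not from the question or the linked wiki page, showing how the DHCP snooping answer fits next to the ACL approach the question tried. It uses Huawei VRP syntax as found on S2300-series switches; the interface names, the ACL number, the IP 192.0.2.10 and the MAC 0000-5e00-5301 are constructed placeholders, and exact command names can differ between software versions, so verify each one against the switch's own "?" help before applying it. Lines starting with "#" are annotations, not commands.

```text
# --- Before: the posted ACL rules. With "dhcp enable" the switch handles DHCP
# --- itself, so the question found these rules had no effect on rogue offers.
acl number 3000
 rule 45 deny udp source-port eq bootps
 rule 50 deny udp destination-port eq bootpc

# --- After: DHCP snooping. "dhcp enable" stays on and the user-bind entries
# --- stay in place; server-side DHCP messages are accepted only on the port
# --- explicitly marked trusted, every other snooping-enabled port drops them.
dhcp enable
dhcp snooping enable
#
interface GigabitEthernet0/0/1
 description uplink-to-real-DHCP-server
 dhcp snooping enable
 dhcp snooping trusted
#
interface Ethernet0/0/1
 description subscriber-port
 dhcp snooping enable
#
# Untrusted is the default for a snooping-enabled interface, so no extra
# keyword is needed on the subscriber port: a DHCPOFFER/ACK/NAK arriving
# from a user's home router on Ethernet0/0/1 is discarded by the switch.
#
# The static IP/MAC binding from the question is unchanged (constructed values):
user-bind static ip-address 192.0.2.10 mac-address 0000-5e00-5301 interface Ethernet0/0/1
```

The point of the change is where the decision is made: the ACL rules try to match DHCP as ordinary UDP traffic, while snooping classifies DHCP by port trust inside the switch's own DHCP handling, so the client's DISCOVER/REQUEST from 0.0.0.0 still reaches the real server through the trusted uplink and only server-role messages from untrusted ports are dropped. After enabling it, check the trusted/untrusted state of each port and watch the snooping drop counters on subscriber ports; a rising counter on a port is the first sign of a rogue DHCP server behind it.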