Command Reference

AR500, AR510, and AR530 V200R007

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

DHCP Snooping Configuration Commands

NOTE:
  • Among the AR500 series routers, only AR503GW-LM7, AR503GW-LcM7, AR509G-L-D-H, AR509GW-L-D-H, AR509G-Lc support DHCP snooping.

  • AR510 series do not support DHCP Snooping.

arp dhcp-snooping-detect enable

Function

The arp dhcp-snooping-detect enable command enables association between the Address Resolution Protocol (ARP) and Dynamic Host Configuration Protocol (DHCP) snooping.

The undo arp dhcp-snooping-detect enable command disables association between ARP and DHCP snooping.

By default, association between ARP and DHCP snooping is disabled.

Format

arp dhcp-snooping-detect enable

undo arp dhcp-snooping-detect enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a DHCP client sends a DHCP Release message to release its IP address, the DHCP snooping-enabled device immediately deletes the binding entry of the DHCP client. If a DHCP client is abnormally disconnected and cannot send a DHCP Release message, the DHCP snooping-enabled device cannot immediately delete the binding entry of the DHCP client.

To address the preceding problem, you can run the arp dhcp-snooping-detect enable command to enable association between ARP and DHCP snooping. When the ARP entry mapping an IP address expires, the DHCP snooping-enabled device detects the IP address by performing ARP probe. If the user is not found after a specified number of probes, the device deletes the ARP entry. The device re-detects the IP address by performing ARP probe. If the user still cannot be found after a specified number of probes, the device deletes the binding entry of the user.

Prerequisites

Before association between the ARP and DHCP snooping is enabled, ensure that an IP address configured on the device is on the same network segment as the IP address of the client for ARP detection.

Example

# Enable association between ARP and DHCP snooping on the device.

<Huawei> system-view
[Huawei] dhcp enable
[Huawei] dhcp snooping enable
[Huawei] arp dhcp-snooping-detect enable

dhcp option82 enable

Function

The dhcp option82 enable command enables a device to insert the Option 82 field to a DHCP message.

The undo dhcp option82 enable command disables a device from inserting the Option 82 field to a DHCP message.

By default, a device does not insert the Option 82 field to a DHCP message.

Format

dhcp option82 { insert | rebuild } enable

undo dhcp option82 { insert | rebuild } enable

Parameters

| Parameter | Description | Value |
|---|---|---|
| insert | Enables a device to insert the Option 82 field to a DHCP message. | - |
| rebuild | Enables a device to forcibly insert the Option 82 field to a DHCP message. | - |

Views

VLAN view, Ethernet interface view, GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The Option 82 field records the location of a DHCP client. A device inserts the Option 82 field to a DHCP Request message to notify the DHCP server of the DHCP client location. The DHCP server can assign an IP address and other configurations to the DHCP client, ensuring DHCP client security.

The device inserts the Option 82 field to a DHCP message in two modes:
  • Insert mode: Upon receiving a DHCP Request message without the Option 82 field, the device inserts the Option 82 field. If the DHCP Request message contains the Option 82 field, the device checks whether the Option 82 field contains the remote ID. If so, the device retains the Option 82 field; if not, the device inserts the remote ID.

  • Rebuild mode: Upon receiving a DHCP Request message without the Option 82 field, the device inserts the Option 82 field. If the DHCP Request message contains the Option 82 field, the device deletes the original Option 82 field and inserts the Option 82 field set by the administrator.

The device handles the reply packets from the DHCP server in the same way no matter whether the Insert or Rebuild method is used.

  • The DHCP reply packets contain Option 82:
    • If the DHCP request packets received by the device do not contain Option 82, the device deletes Option 82 from the DHCP reply packets, and forwards the packets to the DHCP client.
    • If the DHCP request packets contain Option 82, the device changes the Option 82 format in the DHCP reply packets into the Option 82 format in the DHCP request packets, and forwards the packets to the DHCP client.
  • If the DHCP reply packets do not contain Option 82, the device directly forwards the packets.

Prerequisites

DHCP snooping has been enabled on the device, or the device has been configured as a DHCP relay agent.

Precautions

  • When receiving a DHCP Request message, the device checks whether the field GIADDR in the packet is 0. If so, the dhcp option82 enable command takes effect; if not, this command does not take effect.
  • If you run the dhcp option82 enable command in the VLAN view, the command takes effect for all the DHCP messages received on all the interfaces in the specified VLAN. If you run the dhcp option82 enable command in the interface view, the command takes effect for all the DHCP messages received on the specified interface.
  • DHCP Option 82 must be configured on the user-side of a device; otherwise, the DHCP messages sent to the DHCP server will not carry Option 82.

Example

# Enable the device to insert the Option 82 field to DHCP messages on Eth0/0/1.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dhcp option82 insert enable

# Enable the device to forcibly insert the Option 82 field to DHCP messages in VLAN 100.

<Huawei> system-view
[Huawei] vlan 100
[Huawei-vlan100] dhcp option82 rebuild enable

dhcp option82 format

Function

The dhcp option82 format command configures the format of the Option 82 field in a DHCP message.

The undo dhcp option82 format command restores the default format of the Option 82 field in a DHCP message.

By default, the Option 82 field in a DHCP message uses the default format.

Format

dhcp option82 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] [ circuit-id | remote-id ] format { default | common | extend | user-defined text }

undo dhcp option82 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] [ circuit-id | remote-id ] format

Parameters

| Parameter | Description | Value |
|---|---|---|
| circuit-id | Specifies the circuit ID (CID) in the Option 82 field. If the CID is not specified, the format of the Option 82 field is default. | - |
| remote-id | Specifies the remote ID (RID) in the Option 82 field. If the RID is not specified, the format of the Option 82 field is default. | - |
| default | Indicates the default format of the Option 82 field. CID format: interface name:svlan.cvlan, host name/0/0/0/0/0, in ASCII format. RID format: device MAC address, in hexadecimal notation. | - |
| common | Indicates the common format of the Option 82 field. CID format: {eth\|trunk}slot ID/subcard ID/port ID:svlan.cvlan host name0/0/0/0/0, in ASCII format. RID format: device MAC address (6 bytes), in ASCII format. | - |
| extend | Indicates the extended format of the Option 82 field. CID format: circuit-id type (0) + length (4) + SVLAN ID (2 bytes) + slot ID (5 bits) + subslot ID (3 bits) + port (1 byte), in hexadecimal notation. RID format: remote-id type (0) + length (6) + device MAC address (6 bytes), in hexadecimal notation. In the CID and RID formats, the values without a unit are fixed values of the fields; the values with a unit indicate the field lengths. | - |
| user-defined text | Indicates the user-defined format of the Option 82 field. | The value is a string of 1 to 253 characters. For details, see the description in "Usage Guidelines." |
| vlan vlan-id | Specifies an outer VLAN ID. If the VLAN ID is specified, only the formats of the Option 82 field in the DHCP messages sent from the specified VLAN are specified; otherwise, the formats of the Option 82 field in all the DHCP messages are specified. | The value is an integer that ranges from 1 to 4094. |
| ce-vlan ce-vlan-id | Specifies an inner VLAN ID. | The value is an integer that ranges from 1 to 4094. |

Views

System view, Ethernet interface view, GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the function of inserting the Option 82 field to DHCP messages is enabled, you can use the dhcp option82 format command to configure the format of the Option 82 field.

If you run the dhcp option82 format command in the system view, the command takes effect for all the DHCP messages on all the interfaces of the device.

You can use the following keywords to define the Option 82 field. The format string can use the hexadecimal notation, ASCII format, or combination of the two formats.
  • sysname: indicates the ID of the access point. This keyword is valid only in ASCII format.
  • portname: indicates the name of a port, for example, Eth0/0/1. This keyword is valid only in ASCII format.
  • porttype: indicates the type of a port. This keyword is a character string or in hexadecimal notation. For example, if the value is Ethernet in ASCII format, it is 15 in hexadecimal notation.
  • iftype: indicates the type of an interface, which can be eth or trunk. This keyword is valid only in ASCII format.
  • mac: indicates the MAC address of a port. In ASCII format, the value is in the format of H-H-H; in hexadecimal notation, the value is a number of six bytes.
  • slot: indicates the slot ID. This keyword is valid in ASCII format or in hexadecimal notation.
  • subslot: indicates the subslot ID. This keyword is valid in ASCII format or in hexadecimal notation.
  • port: indicates the port number. This keyword is valid in ASCII format or in hexadecimal notation.
  • svlan: indicates the outer VLAN ID. The value ranges from 1 to 4094. If this field is not required, this field is 0. This keyword is valid in ASCII format or in hexadecimal notation.
  • cvlan: specifies the inner VLAN ID. The value ranges from 1 to 4094. If this field is not required, this field is 4096. This keyword is valid in ASCII format or in hexadecimal notation.
  • length: indicates the total length of the keywords following the keyword length.
  • n: indicates the value of the keyword svlan or cvlan if the SVLAN or CVLAN does not exist. The keyword n is on the left of the keyword svlan or cvlan. If the corresponding VLAN does not exist, the default value of the keyword svlan or cvlan is 4096 in ASCII format and is all Fs in hexadecimal notation. If the n keyword is added to the left of the keyword svlan or cvlan, the keyword svlan or cvlan is 0. This keyword is valid in ASCII format or in hexadecimal notation.
NOTE:

Delimiters must be added between keywords; otherwise, the device cannot parse the keywords. The delimiters cannot be numbers.

The symbols used in the format string are as follows:
  • The symbol % followed by a keyword indicates the format of the keyword.
  • A number to the left of the symbol % indicates the length of the keyword following the symbol %. In an ASCII character string, %05 has the same meaning as %05d in the C language. In a hexadecimal character string, the number indicates the keyword length in bits.
  • The symbol [] indicates an optional keyword. Each pair of brackets can contain only one keyword, svlan or cvlan. The keyword in the symbol [] is added to the Option 82 field only if the corresponding VLAN ID exists. To facilitate syntax check, the system does not support nesting of symbols [].
  • The symbol \ indicates an escape character. The symbols %, \, and [] following the escape character indicate themselves. For example, \\ represents \.
  • The contents in quotation marks (" ") are encapsulated in a character string, and the contents outside the quotation marks are encapsulated in hexadecimal notation.
  • Other symbols are processed as common characters.

The rules for setting the format string in ASCII format or hexadecimal notation are as follows:
    • An ASCII character string can contain numerals 0 to 9, lowercase letters a to z, uppercase letter A to Z, and symbols ! @ # $ % ^ & * () _ + | - = \ [] {} ; : '" / ? . , <> `.
    • By default, the length of each keyword in an ASCII character string is the actual length of the keyword.
    • A hexadecimal notation string can contain numerals, spaces, and % + keywords.
    • In a hexadecimal notation string, numbers are encapsulated in the Option 82 field in hexadecimal notation. A number from 0 to 255 occupies 1 byte; a number from 256 to 65535 occupies 2 bytes; a number from 65536 to 4294967295 occupies 4 bytes. Numbers larger than 4294967295 are not supported. Multiple numbers must be separated by spaces; otherwise, they are considered as one number.
    • All the spaces in a hexadecimal character string are ignored.
    • By default, the slot ID, subslot ID, port number, and VLAN ID in a hexadecimal character string occupy 2 bytes; the field length occupies 1 byte.
    • If the length of each keyword in a hexadecimal character string is specified, the total length of the hexadecimal character string must be a multiple of 8. If the length of a specified keyword is longer than 32 bits, the first 32 bits of the keyword are the actual keyword value, and other bits are set to 0.
    • A hexadecimal notation string can contain only the keywords whose values are numbers. Other keywords, such as port name, cannot be added to the hexadecimal notation string.
    • If a string is not contained in quotation marks, it is encapsulated in hexadecimal notation. To encapsulate the string in the ASCII format, use a pair of quotation marks to contain the string. For example, the slot ID is 3, and the port number is 4. If the string is in the %slot %port format, the value of the encapsulated string is a hexadecimal number 00030004. If the string is in the "%slot %port" format, the value of the encapsulated string is 3 4.
    • A format string can contain both hexadecimal strings and ASCII strings, for example, %slot %port "%sysname %portname:%svlan.%cvlan."
Precautions
  • All Option82 fields configured in the system view or in the same interface view share a length of 1-255 bytes. If their total length exceeds 255 bytes, some Option82 information will be lost.

  • There is no limit on the number of Option 82 fields configured on the device. However, a large number of Option 82 fields will occupy a lot of memory and prolong the device processing time. To ensure device performance, you are advised to configure Option 82 fields based on the service requirements and device memory size.

Example

# Configure the default format for the CID in the Option 82 field.

<Huawei> system-view
[Huawei] dhcp option82 circuit-id format default

# Configure the extended format for the CID and RID in the Option 82 field.

<Huawei> system-view
[Huawei] dhcp option82 format extend

# Configure the user-defined string for the CID in the Option 82 field and encapsulate the port name, outer VLAN ID, inner VLAN ID, and host name in ASCII format.

<Huawei> system-view
[Huawei] dhcp option82 circuit-id format user-defined "%portname:%svlan.%cvlan %sysname"

# Configure a hexadecimal notation string for the CID of the Option 82 field and encapsulate the CID type (fixed as 0, indicating the hexadecimal notation), length (excluding the lengths of the CID type and the keyword length itself), outer VLAN ID, slot ID (5 bits), subcard ID (3 bits), and port ID (8 bits).

<Huawei> system-view
[Huawei] dhcp option82 circuit-id format user-defined 0 %length %svlan %5slot %3subslot %8port

# Configure the user-defined string for the RID in the Option 82 field and encapsulate the device MAC address in hexadecimal notation.

<Huawei> system-view
[Huawei] dhcp option82 remote-id format user-defined %mac

# On Eth0/0/1, configure the default format for the CID in the Option 82 field.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dhcp option82 circuit-id format default

# On Eth0/0/1, configure the extended format for the CID and RID in the Option 82 field of DHCP messages from VLAN 10.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dhcp option82 vlan 10 format extend

# On Eth0/0/1, configure a user-defined format for the CID in the Option 82 field and encapsulate the port name, outer VLAN ID, inner VLAN ID, and host name in ASCII format.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dhcp option82 circuit-id format user-defined "%portname:%svlan.%cvlan %sysname"

# On Eth0/0/1, configure a hexadecimal notation string for the CID of the Option 82 field and encapsulate the CID type (fixed as 0, indicating the hexadecimal notation), length (excluding the lengths of the CID type and the keyword length itself), outer VLAN ID, slot ID (5 bits), subcard ID (3 bits), and port ID (8 bits).

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dhcp option82 circuit-id format user-defined 0 %length %svlan %5slot %3subslot %8port

# On Eth0/0/1, configure the user-defined format for the RID in the Option 82 field and encapsulate the device MAC address in hexadecimal notation.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dhcp option82 remote-id format user-defined %mac
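
The extended CID and RID layouts described above (the same bytes that the 0 %length %svlan %5slot %3subslot %8port example spells out) can be decoded on the DHCP server or log-collector side to tie a lease to a physical port. The following Python sketch is an added example, not Huawei code: the function names and the sample values are constructed for illustration, the type and length fields are assumed to occupy 1 byte each as the hexadecimal rules above state, and the sub-option codes 1 (circuit ID) and 2 (remote ID) come from RFC 3046.

```python
import struct

OPTION_82 = 82        # Relay Agent Information option (RFC 3046)
SUB_CIRCUIT_ID = 1    # RFC 3046 sub-option codes
SUB_REMOTE_ID = 2


def encode_extend_cid(svlan: int, slot: int, subslot: int, port: int) -> bytes:
    """type (0) + length (4) + SVLAN (2 bytes) + slot (5 bits) + subslot (3 bits) + port (1 byte)."""
    if not 0 <= svlan <= 0xFFFF:
        raise ValueError("svlan does not fit in 2 bytes")
    if not 0 <= slot < 32:
        raise ValueError("slot does not fit in 5 bits")
    if not 0 <= subslot < 8:
        raise ValueError("subslot does not fit in 3 bits")
    if not 0 <= port < 256:
        raise ValueError("port does not fit in 1 byte")
    return struct.pack("!BBHBB", 0, 4, svlan, (slot << 3) | subslot, port)


def encode_extend_rid(mac: str) -> bytes:
    """type (0) + length (6) + device MAC address (6 bytes)."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return bytes([0, 6]) + raw


def build_option82(cid: bytes, rid: bytes) -> bytes:
    """Wrap CID and RID as RFC 3046 sub-options inside one Option 82 TLV."""
    body = bytes([SUB_CIRCUIT_ID, len(cid)]) + cid + bytes([SUB_REMOTE_ID, len(rid)]) + rid
    if len(body) > 255:
        raise ValueError("Option 82 payload exceeds 255 bytes")
    return bytes([OPTION_82, len(body)]) + body


def split_option82(option: bytes) -> dict:
    """Return {sub-option code: value}, rejecting truncated or inconsistent input."""
    if len(option) < 2 or option[0] != OPTION_82:
        raise ValueError("not an Option 82 TLV")
    body = option[2:]
    if len(body) != option[1]:
        raise ValueError("option length byte does not match payload")
    subs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, sublen = body[i], body[i + 1]
        value = body[i + 2:i + 2 + sublen]
        if len(value) != sublen:
            raise ValueError("truncated sub-option value")
        subs[code] = value
        i += 2 + sublen
    return subs


def decode_extend_cid(cid: bytes) -> dict:
    if len(cid) != 6 or cid[0] != 0 or cid[1] != 4:
        raise ValueError("not an extend-format circuit ID")
    _type, _length, svlan, slot_subslot, port = struct.unpack("!BBHBB", cid)
    return {"svlan": svlan, "slot": slot_subslot >> 3,
            "subslot": slot_subslot & 0x07, "port": port}


def decode_extend_rid(rid: bytes) -> str:
    if len(rid) != 8 or rid[0] != 0 or rid[1] != 6:
        raise ValueError("not an extend-format remote ID")
    digits = rid[2:].hex()
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def locate_client(option: bytes) -> dict:
    """Decode an Option 82 TLV carrying extend-format CID and RID."""
    subs = split_option82(option)
    if SUB_CIRCUIT_ID not in subs or SUB_REMOTE_ID not in subs:
        raise ValueError("circuit ID or remote ID sub-option missing")
    location = decode_extend_cid(subs[SUB_CIRCUIT_ID])
    location["device_mac"] = decode_extend_rid(subs[SUB_REMOTE_ID])
    return location


# Constructed sample: VLAN 100, slot 3, subslot 2, port 4, device MAC 00e0-fc12-3456.
SAMPLE = build_option82(encode_extend_cid(100, 3, 2, 4),
                        encode_extend_rid("00e0-fc12-3456"))

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(locate_client(SAMPLE))
```
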

dhcp server detect

Function

The dhcp server detect command enables detection of DHCP servers.

The undo dhcp server detect command disables detection of DHCP servers.

By default, detection of DHCP servers is disabled.

Format

dhcp server detect

undo dhcp server detect

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If bogus DHCP servers exist on the network, they send incorrect information to DHCP clients, such as the incorrect gateway address, incorrect DNS server, and incorrect IP address. As a result, DHCP clients cannot access the network or access incorrect networks.

After detection of DHCP servers is enabled, a DHCP snooping device checks and stores all information about DHCP servers in the DHCP Reply messages, such as DHCP server address and DHCP client port number, in the log. Based on logs, the network administrator checks for bogus DHCP servers on the network to maintain the network.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Example

# Enable detection of DHCP servers.

<Huawei> system-view 
[Huawei] dhcp enable
[Huawei] dhcp snooping enable
[Huawei] dhcp server detect

dhcp snooping alarm enable

Function

The dhcp snooping alarm enable command enables alarm for discarded DHCP messages.

The undo dhcp snooping alarm enable command disables alarm for discarded DHCP messages.

By default, the alarm function for discarded DHCP messages is disabled.

Format

dhcp snooping alarm { user-bind | mac-address | untrust-reply } enable [ threshold threshold ]

undo dhcp snooping alarm { user-bind | mac-address | untrust-reply } enable [ threshold ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| user-bind | Generates an alarm when the number of DHCP messages discarded because they do not match DHCP snooping binding entries reaches the threshold. | - |
| mac-address | Generates an alarm when the number of DHCP messages discarded because the CHADDR field in the DHCP message does not match the source MAC address in the Ethernet frame header reaches the threshold. | - |
| untrust-reply | Generates an alarm when the number of DHCP Reply messages discarded by untrusted interfaces reaches the threshold. | - |
| threshold threshold | Specifies the alarm threshold. When the number of discarded DHCP messages reaches the threshold, an alarm is generated. | The value is an integer that ranges from 1 to 1000. |

Views

Ethernet interface view, GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the alarm function is enabled, alarm messages are displayed if DHCP attacks occur and the number of discarded attack messages reaches the threshold. The minimum interval for sending alarm messages is 1 minute. You can run the dhcp snooping alarm threshold command to set the alarm threshold.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

To make the dhcp snooping alarm user-bind enable or dhcp snooping alarm mac-address enable command take effect, you must first run the dhcp snooping check user-bind enable or dhcp snooping check mac-address enable command in the view of the specified interface.

Example

# On Eth0/0/1, enable DHCP snooping, enable the device to check whether the CHADDR field in the DHCP message matches the source MAC address in the Ethernet frame header, and enable alarm for the DHCP messages discarded because the CHADDR field in the DHCP message does not match the source MAC address.

<Huawei> system-view
[Huawei] dhcp enable
[Huawei] dhcp snooping enable
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dhcp snooping enable
[Huawei-Ethernet0/0/1] dhcp snooping check mac-address enable
[Huawei-Ethernet0/0/1] dhcp snooping alarm mac-address enable

dhcp snooping alarm threshold

Function

The dhcp snooping alarm threshold command sets the alarm threshold for the number of DHCP messages discarded by DHCP snooping.

The undo dhcp snooping alarm threshold command restores the default alarm threshold.

By default, an alarm is generated in the system when at least 100 DHCP messages are discarded by DHCP snooping, and an interface uses the alarm threshold set by the dhcp snooping alarm threshold command in the system view.

Format

In the system view:

dhcp snooping alarm threshold threshold

undo dhcp snooping alarm threshold

In the interface view:

dhcp snooping alarm { user-bind | mac-address | untrust-reply } threshold threshold

undo dhcp snooping alarm { user-bind | mac-address | untrust-reply } threshold

Parameters

| Parameter | Description | Value |
|---|---|---|
| threshold | Specifies the alarm threshold for the number of DHCP messages discarded by DHCP snooping. | The value is an integer that ranges from 1 to 1000. |
| user-bind | Specifies the alarm threshold for the number of DHCP messages discarded because they do not match the DHCP snooping binding entries. | - |
| mac-address | Specifies the alarm threshold for the number of DHCP messages discarded because the CHADDR field in the DHCP message does not match the source MAC address in the Ethernet frame header. | - |
| untrust-reply | Specifies the alarm threshold for the number of DHCP Reply messages discarded by untrusted interfaces. | - |

Views

System view, Ethernet interface view, GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After trap for discarded DHCP messages is enabled, run the dhcp snooping alarm threshold command to specify the alarm threshold for the number of DHCP messages discarded by DHCP snooping. If the alarm threshold is not set on an interface, the interface uses the global alarm threshold.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

To make the dhcp snooping alarm { mac-address | untrust-reply | user-bind } threshold threshold command take effect, you must first run the dhcp snooping alarm { user-bind | mac-address | untrust-reply } enable command in the view of the specified interface.

Precautions

If you run the dhcp snooping alarm threshold command in the system view, the command takes effect on all the interfaces of the device.

If you specify an alarm threshold for the number of DHCP messages discarded by DHCP snooping in the system view, an alarm is generated when the number of all the discarded DHCP messages reaches the threshold.

Example

# Set the global alarm threshold for the number of discarded DHCP messages to 200.

<Huawei> system-view
[Huawei] dhcp enable
[Huawei] dhcp snooping enable
[Huawei] dhcp snooping alarm threshold 200

# On Eth0/0/1, enable DHCP snooping, enable the device to check whether the CHADDR field in the DHCP message matches the source MAC address in the Ethernet frame header, and enable trap for the DHCP messages discarded because the CHADDR field in the DHCP message does not match the source MAC address. Set the alarm threshold to 1000.

<Huawei> system-view
[Huawei] dhcp enable
[Huawei] dhcp snooping enable
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dhcp snooping enable
[Huawei-Ethernet0/0/1] dhcp snooping check mac-address enable
[Huawei-Ethernet0/0/1] dhcp snooping alarm mac-address enable
[Huawei-Ethernet0/0/1] dhcp snooping alarm mac-address threshold 1000

dhcp snooping check dhcp-giaddr enable

Function

The dhcp snooping check dhcp-giaddr enable command enables the device to check whether the GIADDR field in DHCP messages is 0.

The undo dhcp snooping check dhcp-giaddr enable command disables the device from checking whether the GIADDR field in DHCP messages is 0.

By default, the device does not check whether the GIADDR field in DHCP messages is 0.

Format

dhcp snooping check dhcp-giaddr enable

undo dhcp snooping check dhcp-giaddr enable

Parameters

None

Views

VLAN view, Ethernet interface view, GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To ensure that the device obtains parameters such as MAC addresses for generating a binding table, DHCP snooping needs to be applied to Layer 2 access devices or the first DHCP relay agent from the device. Therefore, the GIADDR field in the DHCP messages received by the DHCP snooping-enabled device is 0. If the GIADDR field is not 0, the message is considered unauthorized and is discarded.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

If you run the dhcp snooping check dhcp-giaddr enable command in the VLAN view, the command takes effect on all the DHCP messages from the specified VLAN. If you run the dhcp snooping check dhcp-giaddr enable command in the interface view, the command takes effect on all the DHCP messages received by the specified interface.

Example

# Enable the device to check whether the GIADDR field in DHCP messages from VLAN 10 is 0.

<Huawei> system-view
[Huawei] dhcp enable
[Huawei] dhcp snooping enable
[Huawei] vlan 10
[Huawei-vlan10] dhcp snooping check dhcp-giaddr enable

# Enable the device to check whether the GIADDR field in DHCP messages received on Eth0/0/1 is 0.

<Huawei> system-view
[Huawei] dhcp enable
[Huawei] dhcp snooping enable
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dhcp snooping enable
[Huawei-Ethernet0/0/1] dhcp snooping check dhcp-giaddr enable

dhcp snooping check mac-address enable

Function

The dhcp snooping check mac-address enable command enables the device to check whether the CHADDR field matches the source MAC address in the header of a DHCP Request message.

The undo dhcp snooping check mac-address enable command disables the device from checking whether the CHADDR field matches the source MAC address in the header of a DHCP Request message.

By default, the device does not check whether the CHADDR field is the same as the source MAC address in the header of a DHCP Request message.

Format

dhcp snooping check mac-address enable

undo dhcp snooping check mac-address enable

Parameters

None

Views

VLAN view, Ethernet interface view, GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In normal situations, the CHADDR field in a DHCP Request message matches the MAC address of the DHCP client that sends the message. The DHCP server identifies the client MAC address based on the CHADDR field in the DHCP Request message. If attackers continuously apply for IP addresses by changing the CHADDR field in the DHCP Request message, addresses in the address pool on the DHCP server may be exhausted. As a result, authorized users cannot obtain IP addresses.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

If you run the dhcp snooping check mac-address enable command in the VLAN view, the command takes effect on all the DHCP messages in the specified VLAN received by all the interfaces on the device. If you run the dhcp snooping check mac-address enable command in the interface view, the command takes effect for all the DHCP messages received on the interface.

Example

# Enable the device to check whether the CHADDR field in the DHCP message matches the source MAC address on Eth0/0/1.

<Huawei> system-view
[Huawei] dhcp enable
[Huawei] dhcp snooping enable
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dhcp snooping enable
[Huawei-Ethernet0/0/1] dhcp snooping check mac-address enable

dhcp snooping check user-bind enable

Function

The dhcp snooping check user-bind enable command enables the device to check DHCP messages against the DHCP snooping binding table.

The undo dhcp snooping check user-bind enable command disables the device from checking DHCP messages against the DHCP snooping binding table.

By default, the device does not check DHCP messages against the DHCP snooping binding table.

Format

dhcp snooping check user-bind enable

undo dhcp snooping check user-bind enable

Parameters

None

Views

VLAN view, Ethernet interface view, GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a DHCP snooping binding table is generated, the device checks DHCP Request and Release messages against the binding table. The device forwards only DHCP messages that match binding entries. This prevents unauthorized users from sending bogus DHCP Request or Release messages to extend or release IP addresses.

The matching rules are as follows:

  • When the device receives a DHCP Request message, it performs the following operations:
    1. Checks whether the destination MAC address is all Fs. If so, the device considers that the user goes online for the first time and directly forwards the message. If not, the device considers that the user sends the DHCP Request message to renew the IP address lease and checks the DHCP Request message against the DHCP snooping binding table.
    2. Checks whether the CHADDR field in the DHCP Request message matches a DHCP snooping binding entry. If not, the device considers that the user goes online for the first time and directly forwards the message. If so, the device checks whether the VLAN ID, IP address, and interface number of the message match DHCP snooping binding entries. If all these fields match a DHCP snooping binding entry, the device forwards the message; otherwise, the device discards the message.
  • When receiving a DHCP Release message, the device checks whether the VLAN ID, IP address, MAC address, and interface number of the message match a dynamic DHCP snooping binding entry. If so, the device forwards the message; otherwise, the device discards the message.
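The matching rules above can be traced with a small model. This is an added example, not Huawei code: the Binding and DhcpMessage types, the check_user_bind function and the sample table are hypothetical, and the "MAC address of the message" in the Release rule is assumed to be the CHADDR field.

```python
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    dynamic: bool = True      # True: learned by DHCP snooping; False: static entry


@dataclass(frozen=True)
class DhcpMessage:
    msg_type: str             # "REQUEST" or "RELEASE"
    dst_mac: str              # Ethernet destination MAC address
    chaddr: str               # client hardware address in the DHCP header
    ip: str                   # address being renewed or released
    vlan: int
    interface: str            # interface the message arrived on


def check_user_bind(msg, table):
    """Return (verdict, reason) following the matching rules in the text."""
    same_mac = [b for b in table if b.mac == msg.chaddr.lower()]
    where = (msg.vlan, msg.ip, msg.interface)

    if msg.msg_type == "REQUEST":
        # Rule 1: an all-Fs destination MAC means the user is going online.
        if msg.dst_mac.lower() == BROADCAST_MAC:
            return "forward", "broadcast Request, first time online"
        # Rule 2: a CHADDR with no binding entry is also treated as first time.
        if not same_mac:
            return "forward", "CHADDR has no binding entry"
        # Known CHADDR: VLAN ID, IP address and interface must all match.
        if any((b.vlan, b.ip, b.interface) == where for b in same_mac):
            return "forward", "renewal matches binding entry"
        return "discard", "renewal does not match binding entry"

    if msg.msg_type == "RELEASE":
        # A Release must match a dynamic entry on all four fields.
        if any(b.dynamic and (b.vlan, b.ip, b.interface) == where
               for b in same_mac):
            return "forward", "release matches dynamic binding entry"
        return "discard", "release matches no dynamic binding entry"

    raise ValueError("only Request and Release messages are checked")


# Constructed sample data (documentation addresses, made-up MACs).
TABLE = [
    Binding("00:11:22:33:44:55", "192.0.2.10", 10, "Eth0/0/1"),
    Binding("00:11:22:33:44:66", "192.0.2.20", 10, "Eth0/0/2", dynamic=False),
]


def sample_verdicts():
    """Run the constructed messages through the check and collect verdicts."""
    unicast = "00:aa:bb:cc:dd:01"  # constructed server MAC
    msgs = [
        DhcpMessage("REQUEST", BROADCAST_MAC, "00:11:22:33:44:77",
                    "0.0.0.0", 10, "Eth0/0/3"),
        DhcpMessage("REQUEST", unicast, "00:11:22:33:44:55",
                    "192.0.2.10", 10, "Eth0/0/1"),
        DhcpMessage("REQUEST", unicast, "00:11:22:33:44:55",
                    "192.0.2.10", 10, "Eth0/0/3"),
        DhcpMessage("RELEASE", unicast, "00:11:22:33:44:55",
                    "192.0.2.10", 10, "Eth0/0/1"),
        DhcpMessage("RELEASE", unicast, "00:11:22:33:44:55",
                    "192.0.2.10", 10, "Eth0/0/3"),
        DhcpMessage("RELEASE", unicast, "00:11:22:33:44:66",
                    "192.0.2.20", 10, "Eth0/0/2"),
    ]
    return [check_user_bind(m, TABLE)[0] for m in msgs]
```

The last sample is discarded because its only matching entry is static, and the Release rule accepts dynamic entries only.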

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

If you run the dhcp snooping check user-bind enable command in the VLAN view, the command takes effect for all the DHCP messages received from the specified VLAN. If you run the dhcp snooping check user-bind enable command in the interface view, the command takes effect for all the DHCP messages received on the specified interface.

Example

# Enable the device to check DHCP messages against the DHCP snooping binding table in VLAN 10.

<Huawei> system-view
[Huawei] dhcp enable
[Huawei] dhcp snooping enable
[Huawei] vlan 10
[Huawei-vlan10] dhcp snooping enable
[Huawei-vlan10] dhcp snooping check user-bind enable

dhcp snooping disable

Function

The dhcp snooping disable command disables DHCP snooping on an interface.

The undo dhcp snooping disable command cancels the configuration.

By default, DHCP snooping is not disabled on an interface.

Format

dhcp snooping disable

undo dhcp snooping disable

Parameters

None

Views

Ethernet interface view, GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If you run the dhcp snooping enable command to enable DHCP snooping in a VLAN, DHCP snooping is enabled on all the interfaces in the VLAN. If you do not run the dhcp snooping enable command to enable DHCP snooping on an interface, you cannot run the undo dhcp snooping enable command to disable DHCP snooping on the interface. To address this problem, run the dhcp snooping disable command to disable DHCP snooping on the interface. Users can properly go online from this interface, but no dynamic binding entry is generated.

Precautions

  • The dhcp snooping disable command not only disables DHCP snooping on an interface, but also clears the DHCP snooping configuration and the dynamic binding table. The undo dhcp snooping enable command, however, only disables DHCP snooping on the interface and does not clear the configuration or the dynamic binding table.
  • The undo dhcp snooping disable command enables DHCP snooping on an interface. To enable DHCP snooping, run the dhcp snooping enable command.

Example

# Disable DHCP snooping on Eth0/0/1 in VLAN 10.

<Huawei> system-view
[Huawei] dhcp enable
[Huawei] dhcp snooping enable
[Huawei] vlan 10
[Huawei-vlan10] dhcp snooping enable
[Huawei-vlan10] quit
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dhcp snooping disable

dhcp snooping enable

Function

The dhcp snooping enable command enables DHCP snooping.

The undo dhcp snooping enable command disables DHCP snooping.

By default, DHCP snooping is disabled on the device.

Format

In the system view:

dhcp snooping enable [ ipv4 | ipv6 | vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

undo dhcp snooping enable [ ipv4 | ipv6 | vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

In the VLAN view and interface view:

dhcp snooping enable

undo dhcp snooping enable

Parameters

Parameter Description Value
ipv4

Indicates that the device processes only DHCPv4 messages.

-
ipv6

Indicates that the device processes only DHCPv6 messages.

-
vlan { vlan-id1 [ to vlan-id2 ] }
Enables DHCP snooping in a specified VLAN.
  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1.
The value is an integer that ranges from 1 to 4094.

Views

System view, VLAN view, Ethernet interface view, GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

DHCP snooping is a security function to protect DHCP. When you run the dhcp snooping enable command to enable DHCP snooping on a device, the device can process both DHCPv4 and DHCPv6 messages. In practice, however, if the DHCP snooping device needs to process only DHCPv4 or DHCPv6 messages, you can run the dhcp snooping enable ipv4 or dhcp snooping enable ipv6 command, which improves CPU efficiency.

You must enable DHCP snooping in the system view before enabling DHCP snooping on an interface or in a VLAN.

Prerequisites

DHCP has been enabled globally using the dhcp enable command.

Precautions

If you run the dhcp snooping enable command in the VLAN view, the command takes effect for all the DHCP messages from the specified VLAN. If you run the dhcp snooping enable command in the interface view, the command takes effect for all the DHCP messages received on the specified interface.

Before enabling DHCP snooping on an interface or in a VLAN, ensure that the DHCP relay or DHCP server function has been enabled on this interface or corresponding VLANIF interface; if they are not enabled, the device will not obtain the binding entries of users.

Example

# Enable DHCP snooping globally and configure the device to process only DHCPv4 messages.

<Huawei> system-view
[Huawei] dhcp enable
[Huawei] dhcp snooping enable ipv4

# Enable DHCP snooping on Eth0/0/1.

<Huawei> system-view
[Huawei] dhcp enable
[Huawei] dhcp snooping enable
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dhcp snooping enable

# Enable DHCP snooping in VLAN 100.

<Huawei> system-view
[Huawei] dhcp enable
[Huawei] dhcp snooping enable
[Huawei] vlan 100
[Huawei-vlan100] dhcp snooping enable

dhcp snooping enable no-user-binding

Function

The dhcp snooping enable no-user-binding command disables the interfaces from generating DHCP snooping binding entries after DHCP snooping is enabled.

The undo dhcp snooping enable no-user-binding command restores the default setting.

By default, an interface generates DHCP snooping binding entries after DHCP snooping is enabled.

Format

System view:

dhcp snooping enable no-user-binding vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

undo dhcp snooping enable no-user-binding vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

VLAN view, interface view:

dhcp snooping enable no-user-binding

undo dhcp snooping enable no-user-binding

Parameters

Parameter Description Value
vlan { vlan-id1 [ to vlan-id2 ] }
Disables the interfaces in the specified VLANs from generating DHCP snooping binding entries.
  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID. vlan-id2 must be greater than vlan-id1.
The value is an integer that ranges from 1 to 4094.

Views

System view, VLAN view, Ethernet interface view, GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After DHCP snooping is enabled on a device, the device generates DHCP snooping binding entries for users by default. When the number of binding entries on the device reaches the upper limit, new users cannot go online. In certain scenarios, for example, on a trusted DHCP network, if you do not want to limit the number of online users but want to record user location information, run the dhcp snooping enable no-user-binding command to disable the device from generating DHCP snooping binding entries.

When the command is executed in an interface view, the command takes effect for all DHCP users connecting to the interface. When the command is executed in the VLAN view, the command takes effect for all the DHCP users belonging to this VLAN on all interfaces. When the command is executed in the system view, the command takes effect in the same way as it is executed in the VLAN view, except that multiple VLANs can be specified.

Prerequisites

DHCP snooping has been enabled using the dhcp snooping enable command.

Precautions

After this command is executed, the device deletes the binding entries from the corresponding VLAN or interface.

This command cannot be used together with dhcp snooping check user-bind enable; otherwise, online users cannot go offline.

Example

# In the system view, disable the interfaces in VLAN 10 and VLAN 20 from generating DHCP snooping binding entries.

<Huawei> system-view
[Huawei] dhcp snooping enable no-user-binding vlan 10 20

# In the VLAN view, disable the interfaces in VLAN 10 from generating DHCP snooping binding entries.

<Huawei> system-view
[Huawei] vlan 10
[Huawei-vlan10] dhcp snooping enable no-user-binding 

# In the interface view, disable Eth0/0/1 from generating DHCP snooping binding entries.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dhcp snooping enable no-user-binding

dhcp snooping max-user-number

Function

The dhcp snooping max-user-number command sets the maximum number of DHCP snooping binding entries to be learned on an interface.

The undo dhcp snooping max-user-number command restores the default maximum number of DHCP snooping binding entries to be learned on an interface.

By default, a maximum of 128 DHCP snooping binding entries can be learned on an interface.

Format

dhcp snooping max-user-number max-number

undo dhcp snooping max-user-number

Parameters

Parameter

Description

Value

max-number

Specifies the maximum number of DHCP snooping binding entries that can be learned on an interface.

The value is an integer that ranges from 1 to 128.

Views

VLAN view, Ethernet interface view, GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The dhcp snooping max-user-number command sets the maximum number of DHCP snooping binding entries that can be learned on an interface. When the number of DHCP snooping binding entries reaches the maximum value, subsequent users cannot go online.

If you run the dhcp snooping max-user-number command in the VLAN view, the command takes effect on all the interfaces in the VLAN. If you run the dhcp snooping max-user-number command in both the VLAN view and the interface view, the smaller value takes effect.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Example

# Set the maximum number of DHCP users to 100 on Eth0/0/1.

<Huawei> system-view
[Huawei] dhcp enable
[Huawei] dhcp snooping enable
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dhcp snooping enable
[Huawei-Ethernet0/0/1] dhcp snooping max-user-number 100

# Set the maximum number of DHCP users in VLAN 100 to 100.

<Huawei> system-view
[Huawei] dhcp enable
[Huawei] dhcp snooping enable
[Huawei] vlan 100
[Huawei-vlan100] dhcp snooping enable
[Huawei-vlan100] dhcp snooping max-user-number 100

dhcp snooping trusted

Function

The dhcp snooping trusted command configures an interface as a trusted interface.

The undo dhcp snooping trusted command configures an interface as an untrusted interface.

By default, all interfaces are untrusted interfaces.

NOTE:

The AR530 series do not support this command.

Format

In the VLAN view:

dhcp snooping trusted interface interface-type interface-number

undo dhcp snooping trusted interface interface-type interface-number

In the interface view:

dhcp snooping trusted

undo dhcp snooping trusted

Parameters

Parameter Description Value
interface interface-type interface-number Specifies the type and number of an interface in a VLAN.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.
-

Views

VLAN view, Ethernet interface view, GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To enable DHCP clients to obtain IP addresses from authorized DHCP servers, DHCP snooping supports the trusted interface and untrusted interfaces. The trusted interface forwards DHCP messages while untrusted interfaces discard received DHCP ACK messages and DHCP Offer messages.

An interface directly or indirectly connected to the DHCP server trusted by the administrator needs to be configured as the trusted interface, and other interfaces are configured as untrusted interfaces. This ensures that DHCP clients obtain IP addresses from authorized DHCP servers.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

If you run the dhcp snooping trusted command in the VLAN view, the command takes effect for all the DHCP messages received from the specified VLAN. If you run the dhcp snooping trusted command in the interface view, the command takes effect for all the DHCP messages received on the specified interface.

Example

# Configure Eth0/0/1 in VLAN 100 as the trusted interface.

<Huawei> system-view
[Huawei] dhcp enable
[Huawei] dhcp snooping enable
[Huawei] vlan 100
[Huawei-vlan100] dhcp snooping enable
[Huawei-vlan100] dhcp snooping trusted interface ethernet 0/0/1

# Configure Eth0/0/1 as the trusted interface.

<Huawei> system-view
[Huawei] dhcp enable
[Huawei] dhcp snooping enable
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dhcp snooping enable
[Huawei-Ethernet0/0/1] dhcp snooping trusted

dhcp snooping user-alarm percentage

Function

The dhcp snooping user-alarm percentage command configures the alarm thresholds for the percentage of DHCP snooping binding entries.

The undo dhcp snooping user-alarm percentage command restores the default alarm thresholds for the percentage of DHCP snooping binding entries.

By default, the lower alarm threshold for the percentage of DHCP snooping binding entries is 50, and the upper alarm threshold for the percentage of DHCP snooping binding entries is 100.

Format

dhcp snooping user-alarm percentage percent-lower-value percent-upper-value

undo dhcp snooping user-alarm percentage

Parameters

Parameter Description Value
percent-lower-value

Specifies the lower alarm threshold for the percentage of DHCP snooping binding entries.

The value is an integer that ranges from 1 to 100.

percent-upper-value

Specifies the upper alarm threshold for the percentage of DHCP snooping binding entries.

The value is an integer that ranges from 1 to 100, but must be larger than or equal to the lower alarm threshold.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After you run the dhcp snooping max-user-number command to set the maximum number of DHCP snooping binding entries on an interface, you can run the dhcp snooping user-alarm percentage command to set the alarm thresholds for the percentage of DHCP snooping binding entries.

When the percentage of learned DHCP snooping binding entries against the maximum number of DHCP snooping entries allowed by the device reaches or exceeds the upper alarm threshold, the device generates an alarm. When the percentage of learned DHCP snooping binding entries against the maximum number of DHCP snooping entries allowed by the device reaches or falls below the lower alarm threshold later, the device generates a clear alarm.

Example

# Set the lower alarm threshold for the DHCP user count percentage to 30 and the upper alarm threshold to 80.

<Huawei> system-view
[Huawei] dhcp snooping user-alarm percentage 30 80

dhcp snooping user-bind autosave

Function

The dhcp snooping user-bind autosave command enables automatic backup of the DHCP snooping binding table.

The undo dhcp snooping user-bind autosave command disables automatic backup of the DHCP snooping binding table.

By default, automatic backup of the DHCP snooping binding table is disabled.

NOTE:

The AR530 series do not support this command.

Format

dhcp snooping user-bind autosave file-name [ write-delay delay-time ]

undo dhcp snooping user-bind autosave

Parameters

Parameter Description Value
file-name

Specifies the path for storing the file that backs up the binding table and the file name. The file path and name supported by the device must be both entered.

The value is a string of 1 to 51 case-insensitive characters without spaces.

write-delay delay-time

Specifies the interval for local automatic backup of the DHCP snooping binding table.

If this parameter is not specified, the backup interval is the default value.

The value is an integer that ranges from 60 to 4294967295, in seconds. By default, the system backs up the DHCP snooping binding table every two days.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The dhcp snooping user-bind autosave command can retain the configured DHCP snooping binding entries after the device restarts. After a DHCP snooping binding table is generated, you can run the dhcp snooping user-bind autosave command to enable automatic backup of the DHCP snooping binding table.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

Automatic backup prevents data loss in the DHCP snooping binding table. The suffix of the backup file must be .tbl.

Currently, the DHCP snooping binding table can be backed up to only the SD card.

If the system restarts within one day after the system time is changed, immediately run the dhcp snooping user-bind autosave command again to back up the latest dynamic binding entries, because the binding table is not yet due to be updated. If you do not run this command, the lease will be inconsistent with the current system time after the dynamic binding table is restored.
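Several prerequisites and precautions stated for the commands above can be checked on a configuration file before it is deployed. The following is an added example, not a Huawei tool: the function names and finding codes are hypothetical, the sample configurations are constructed, and the input is assumed to be sectioned configuration text in which views are separated by "#" lines and commands inside a view are indented.

```python
import re

# Forms of the command that enable DHCP snooping globally in the system view.
GLOBAL_ENABLE = {"dhcp snooping enable", "dhcp snooping enable ipv4",
                 "dhcp snooping enable ipv6"}


def parse_views(config_text):
    """Group commands by view: 'system', 'vlan <id>' or 'interface <name>'."""
    views = {"system": []}
    current = "system"
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "#":
            current = "system"              # a separator closes the view
        elif line.startswith(" "):
            views[current].append(line.strip())
        elif re.match(r"(vlan \d+|interface \S+)$", line):
            current = line
            views.setdefault(current, [])
        else:
            current = "system"
            views["system"].append(line)
    return views


def audit_snooping_config(config_text):
    """Return a list of (view, finding_code) tuples."""
    views = parse_views(config_text)
    system = views["system"]
    findings = []

    uses_snooping = any(c.startswith("dhcp snooping")
                        for cmds in views.values() for c in cmds)
    # Prerequisite of dhcp snooping enable: DHCP enabled globally.
    if uses_snooping and "dhcp enable" not in system:
        findings.append(("system", "MISSING_DHCP_ENABLE"))

    globally_on = any(c in GLOBAL_ENABLE for c in system)
    for view, cmds in views.items():
        # Snooping must be enabled in the system view before a VLAN/interface.
        if view != "system" and "dhcp snooping enable" in cmds and not globally_on:
            findings.append((view, "SNOOPING_NOT_GLOBAL"))
        # Precaution: no-user-binding must not be combined with the
        # binding-table check (only the same view is compared here).
        if ("dhcp snooping enable no-user-binding" in cmds
                and "dhcp snooping check user-bind enable" in cmds):
            findings.append((view, "NO_BINDING_WITH_BIND_CHECK"))
        # Precaution: the autosave file name must end in .tbl.
        for c in cmds:
            m = re.match(r"dhcp snooping user-bind autosave (\S+)", c)
            if m and not m.group(1).lower().endswith(".tbl"):
                findings.append((view, "AUTOSAVE_SUFFIX"))
    return findings


# Constructed sample configurations.
SAMPLE_BAD = """#
dhcp enable
#
dhcp snooping enable ipv4
dhcp snooping user-bind autosave sd1:/backup.txt write-delay 5000
#
vlan 10
 dhcp snooping enable
 dhcp snooping enable no-user-binding
 dhcp snooping check user-bind enable
#
interface Ethernet0/0/1
 dhcp snooping enable
 dhcp snooping trusted
#
"""

SAMPLE_NO_GLOBAL = """#
vlan 100
 dhcp snooping enable
#
"""

SAMPLE_GOOD = """#
dhcp enable
#
dhcp snooping enable
dhcp snooping user-bind autosave sd1:/backup.tbl write-delay 5000
#
vlan 10
 dhcp snooping enable
 dhcp snooping check user-bind enable
#
"""
```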

Example

# Configure the device to back up the DHCP snooping binding table to the file backup.tbl in the SD card every 5000 seconds.

<Huawei> system-view
[Huawei] dhcp enable
[Huawei] dhcp snooping enable
[Huawei] dhcp snooping user-bind autosave sd1:/backup.tbl write-delay 5000

dhcp snooping user-transfer enable

Function

The dhcp snooping user-transfer enable command enables location transition for DHCP snooping users.

The undo dhcp snooping user-transfer enable command disables location transition for DHCP snooping users.

By default, location transition is enabled for DHCP snooping users.

Format

dhcp snooping user-transfer enable

undo dhcp snooping user-transfer enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In mobile applications, if a user goes online from interfaceA and then switches to interfaceB, you need to enable location transition for DHCP snooping users.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Example

# Disable location transition for DHCP snooping users.

<Huawei> system-view
[Huawei] dhcp enable
[Huawei] dhcp snooping enable
[Huawei] undo dhcp snooping user-transfer enable

dhcpv6 option18 format

Function

The dhcpv6 option18 format command configures the format of the Option 18 field in a DHCPv6 message.

The undo dhcpv6 option18 format command restores the default format of the Option 18 field in a DHCPv6 message.

By default, the format of the Option 18 field is not configured in a DHCPv6 message.

NOTE:

The AR530 series do not support this command.

Format

dhcpv6 option18 format user-defined text

undo dhcpv6 option18 format

Parameters

Parameter Description Value
user-defined text Indicates the user-defined format of the Option 18 field.

The value is a string of 1 to 251 characters.

The details about the user-defined format string are provided in the Usage Guidelines.

Views

VLAN view, Ethernet interface view, GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

After the dhcpv6 option18 { insert | rebuild } enable command is executed to enable the device to insert the Option 18 field to a DHCPv6 message, you can run the dhcpv6 option18 format command to configure the format of the Option 18 field in a DHCPv6 message.

You can use the following keywords to define the Option 18 field. The format string can use the hexadecimal notation, ASCII format, or combination of the two formats.
  • sysname: indicates the ID of the access point. This keyword is valid only in ASCII format.
  • portname: indicates the name of a port, for example, Eth0/0/1. This keyword is valid only in ASCII format.
  • porttype: indicates the type of a port. This keyword is a character string or in hexadecimal notation. For example, if the value is Ethernet in ASCII format, it is 15 in hexadecimal notation.
  • iftype: indicates the type of an interface, which can be eth or trunk. This keyword is valid only in ASCII format.
  • mac: indicates the MAC address of a port. In ASCII format, the value is in the format of H-H-H; in hexadecimal notation, the value is a number of six bytes.
  • slot: indicates the slot ID. This keyword is valid in ASCII format or in hexadecimal notation.
  • subslot: indicates the subslot ID. This keyword is valid in ASCII format or in hexadecimal notation.
  • port: indicates the port number. This keyword is valid in ASCII format or in hexadecimal notation.
  • svlan: indicates the outer VLAN ID. The value ranges from 1 to 4094. If this field is not required, this field is 0. This keyword is valid in ASCII format or in hexadecimal notation.
  • cvlan: specifies the inner VLAN ID. The value ranges from 1 to 4094. If this field is not required, this field is 0. This keyword is valid in ASCII format or in hexadecimal notation.
  • length: indicates the total length of the keywords following the keyword length.
  • n: indicates the value of the keyword svlan or cvlan if the SVLAN or CVLAN does not exist. The keyword n is on the left of the keyword svlan or cvlan. If the corresponding VLAN does not exist, the default value of the keyword svlan or cvlan is 4096 in ASCII format and is all Fs in hexadecimal notation. If the n keyword is added to the left of the keyword svlan or cvlan, the keyword svlan or cvlan is 0. This keyword is valid in ASCII format or in hexadecimal notation.
NOTE:

Delimiters must be added between keywords; otherwise, the device cannot parse the keywords. The delimiters cannot be numbers.

The symbols used in the format string are as follows:
  • The symbol % followed by a keyword indicates the format of the keyword.
  • A number to the left of the symbol % indicates the length of the keyword following the symbol %. In an ASCII character string, %05 has the same meaning as %05d in the C language. In a hexadecimal character string, the number indicates the keyword length in bits.
  • The symbol [] indicates an optional keyword. Each pair of brackets can contain only one keyword, svlan or cvlan. The keyword in the symbol [] is added to the Option 18 field only if the corresponding VLAN ID exists. To facilitate syntax check, the system does not support nesting of symbols [].
  • The symbol \ indicates an escape character. The symbols %, \, and [] following the escape character indicate themselves. For example, \\ represents \.
  • The contents in quotation marks (" ") are encapsulated in a character string, and the contents outside the quotation marks are encapsulated in hexadecimal notation.
  • Other symbols are processed as common characters.

The rules for setting the format string in ASCII format or hexadecimal notation are as follows:
    • An ASCII character string can contain numerals 0 to 9, lowercase letters a to z, uppercase letters A to Z, and symbols ! @ # $ % ^ & * () _ + | - = \ [] {} ; : '" / ? . , <> `.
    • By default, the length of each keyword in an ASCII character string is the actual length of the keyword.
    • A hexadecimal notation string can contain numerals, spaces, and % + keywords.
    • In a hexadecimal notation string, numbers are encapsulated in the Option 18 field in hexadecimal notation. A number from 0 to 255 occupies 1 byte; a number from 256 to 65535 occupies 2 bytes; a number from 65536 to 4294967295 occupies 4 bytes. Numbers larger than 4294967295 are not supported. Multiple numbers must be separated by spaces; otherwise, they are considered as one number.
    • All the spaces in a hexadecimal character string are ignored.
    • By default, the slot ID, subslot ID, port number, and VLAN ID in a hexadecimal character string occupy 2 bytes; the field length occupies 1 byte.
    • If the length of each keyword in a hexadecimal character string is specified, the total length of the hexadecimal character string must be a multiple of 8. If the length of a specified keyword is longer than 32 bits, the first 32 bits of the keyword are the actual keyword value, and other bits are set to 0.
    • A hexadecimal notation string can contain only the keywords whose values are numbers. Other keywords, such as port name, cannot be added to the hexadecimal notation string.
    • If a string is not contained in quotation marks, it is encapsulated in hexadecimal notation. To encapsulate the string in the ASCII format, use a pair of quotation marks to contain the string. For example, the slot ID is 3, and the port number is 4. If the string is in the %slot %port format, the value of the encapsulated string is a hexadecimal number 00030004. If the string is in the "%slot %port" format, the value of the encapsulated string is 3 4.
    • A format string can contain both hexadecimal strings and ASCII strings, for example, %slot %port "%sysname %portname:%svlan.%cvlan."

Example

# Configure the format of the Option 18 field in a DHCPv6 message in VLAN 10.

<Huawei> system-view
[Huawei] vlan 10
[Huawei-vlan10] dhcpv6 option18 format user-defined "%length %svlan %5slot %3subslot %8port"

# Configure the format of the Option 18 field in a DHCPv6 message on Eth0/0/1.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dhcpv6 option18 format user-defined "%length %svlan %5slot %3subslot %8port"

dhcpv6 option37 format

Function

The dhcpv6 option37 format command configures the format of the Option 37 field in a DHCPv6 message.

The undo dhcpv6 option37 format command restores the default format of the Option 37 field in a DHCPv6 message.

By default, the format of the Option 37 field is not configured in a DHCPv6 message.

NOTE:

The AR530 series do not support this command.

Format

dhcpv6 option37 format user-defined text

undo dhcpv6 option37 format

Parameters

Parameter Description Value
user-defined text Indicates the user-defined format of the Option 37 field.

The value is a string of 1 to 247 characters.

The details about the user-defined format string are provided in the Usage Guidelines.

Views

VLAN view, Ethernet interface view, GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

After the dhcpv6 option37 { insert | rebuild } enable command is executed to enable the device to insert the Option 37 field to a DHCPv6 message, you can run the dhcpv6 option37 format command to configure the format of the Option 37 field in a DHCPv6 message.

You can use the following keywords to define the Option 37 field. The format string can use the hexadecimal notation, ASCII format, or combination of the two formats.
  • sysname: indicates the ID of the access point. This keyword is valid only in ASCII format.
  • portname: indicates the name of a port, for example, Eth0/0/1. This keyword is valid only in ASCII format.
  • porttype: indicates the type of a port. This keyword is a character string or in hexadecimal notation. For example, if the value is Ethernet in ASCII format, it is 15 in hexadecimal notation.
  • iftype: indicates the type of an interface, which can be eth or trunk. This keyword is valid only in ASCII format.
  • mac: indicates the MAC address of a port. In ASCII format, the value is in the format of H-H-H; in hexadecimal notation, the value is a number of six bytes.
  • slot: indicates the slot ID. This keyword is valid in ASCII format or in hexadecimal notation.
  • subslot: indicates the subslot ID. This keyword is valid in ASCII format or in hexadecimal notation.
  • port: indicates the port number. This keyword is valid in ASCII format or in hexadecimal notation.
  • svlan: indicates the outer VLAN ID. The value ranges from 1 to 4094. If this field is not required, this field is 0. This keyword is valid in ASCII format or in hexadecimal notation.
  • cvlan: specifies the inner VLAN ID. The value ranges from 1 to 4094. If this field is not required, this field is 0. This keyword is valid in ASCII format or in hexadecimal notation.
  • length: indicates the total length of the keywords following the keyword length.
  • n: indicates the value of the keyword svlan or cvlan if the SVLAN or CVLAN does not exist. The keyword n is on the left of the keyword svlan or cvlan. If the corresponding VLAN does not exist, the default value of the keyword svlan or cvlan is 4096 in ASCII format and is all Fs in hexadecimal notation. If the n keyword is added to the left of the keyword svlan or cvlan, the keyword svlan or cvlan is 0. This keyword is valid in ASCII format or in hexadecimal notation.
NOTE:

Delimiters must be added between keywords; otherwise, the device cannot parse the keywords. The delimiters cannot be numbers.

The symbols used in the format string are as follows:
  • The symbol % followed by a keyword indicates the format of the keyword.
  • A number to the left of the symbol % indicates the length of the keyword following the symbol %. In an ASCII character string, %05 has the same meaning as %05d in the C language. In a hexadecimal character string, the number indicates the keyword length in bits.
  • The symbol [] indicates an optional keyword. Each pair of brackets can contain only one keyword, svlan or cvlan. The keyword in the symbol [] is added to the Option 37 field only if the corresponding VLAN ID exists. To facilitate syntax check, the system does not support nesting of symbols [].
  • The symbol \ indicates an escape character. The symbols %, \, and [] following the escape character indicate themselves. For example, \\ represents \.
  • The contents in quotation marks (" ") are encapsulated in a character string, and the contents outside the quotation marks are encapsulated in hexadecimal notation.
  • Other symbols are processed as common characters.

The rules for setting the format string in ASCII format or hexadecimal notation are as follows:
    • An ASCII character string can contain numerals 0 to 9, lowercase letters a to z, uppercase letters A to Z, and symbols ! @ # $ % ^ & * () _ + | - = \ [] {} ; : '" / ? . , <> `.
    • By default, the length of each keyword in an ASCII character string is the actual length of the keyword.
    • A hexadecimal notation string can contain numerals, spaces, and % + keywords.
    • In a hexadecimal notation string, numbers are encapsulated in the Option 37 field in hexadecimal notation. A number from 0 to 255 occupies 1 byte; a number from 256 to 65535 occupies 2 bytes; a number from 65536 to 4294967295 occupies 4 bytes. Numbers larger than 4294967295 are not supported. Multiple numbers must be separated by spaces; otherwise, they are considered as one number.
    • All the spaces in a hexadecimal character string are ignored.
    • By default, the slot ID, subslot ID, port number, and VLAN ID in a hexadecimal character string occupy 2 bytes; the field length occupies 1 byte.
    • If the length of each keyword in a hexadecimal character string is specified, the total length of the hexadecimal character string must be a multiple of 8. If the length of a specified keyword is longer than 32 bits, the first 32 bits of the keyword are the actual keyword value, and other bits are set to 0.
    • A hexadecimal notation string can contain only the keywords whose values are numbers. Other keywords, such as port name, cannot be added to the hexadecimal notation string.
    • If a string is not contained in quotation marks, it is encapsulated in hexadecimal notation. To encapsulate the string in the ASCII format, use a pair of quotation marks to contain the string. For example, the slot ID is 3, and the port number is 4. If the string is in the %slot %port format, the value of the encapsulated string is a hexadecimal number 00030004. If the string is in the "%slot %port" format, the value of the encapsulated string is 3 4.
    • A format string can contain both hexadecimal strings and ASCII strings, for example, %slot %port "%sysname %portname:%svlan.%cvlan."
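The hexadecimal and ASCII encapsulation rules above, worked through in Python as an added example (not Huawei code). It covers default-length keywords only and assumes literal numbers are written in decimal; %length and explicit keyword lengths such as %5slot are rejected, and the sysname and portname values used with it are constructed.

```python
import re

# Keywords whose values are numbers; only these may appear in hexadecimal notation.
NUMERIC_KEYWORDS = {"slot", "subslot", "port", "svlan", "cvlan"}
KEYWORD_RE = re.compile(r"%(\d*)([a-z]+)")
TOKEN_RE = re.compile(r"\s+|%(?P<width>\d*)(?P<kw>[a-z]+)|(?P<num>\d+)|(?P<bad>.)")


def literal_bytes(n):
    """Width rule for literal numbers: 1, 2 or 4 bytes depending on the value."""
    if n <= 0xFF:
        return n.to_bytes(1, "big")
    if n <= 0xFFFF:
        return n.to_bytes(2, "big")
    if n <= 0xFFFFFFFF:
        return n.to_bytes(4, "big")
    raise ValueError(f"number {n} is larger than 4294967295")


def encode_hex_segment(segment, ctx):
    """Unquoted text: spaces are ignored, keywords take 2 bytes by default."""
    out = bytearray()
    for m in TOKEN_RE.finditer(segment):
        if m.group("kw"):
            if m.group("width") or m.group("kw") == "length":
                raise ValueError("explicit lengths and %length are not handled here")
            if m.group("kw") not in NUMERIC_KEYWORDS:
                raise ValueError(f"%{m.group('kw')} is not numeric; quote it for ASCII")
            value = int(ctx[m.group("kw")])
            if not 0 <= value <= 0xFFFF:
                raise ValueError(f"%{m.group('kw')} does not fit in 2 bytes")
            out += value.to_bytes(2, "big")
        elif m.group("num"):
            out += literal_bytes(int(m.group("num")))
        elif m.group("bad"):
            raise ValueError(f"unexpected character {m.group('bad')!r} in hex notation")
        # anything else is whitespace, which is not encoded
    return bytes(out)


def encode_ascii_segment(segment, ctx):
    """Quoted text: keywords become their printable value, the rest is literal."""
    def substitute(m):
        if m.group(1) or m.group(2) == "length":
            raise ValueError("explicit lengths and %length are not handled here")
        if m.group(2) not in ctx:
            raise ValueError(f"unknown keyword %{m.group(2)}")
        return str(ctx[m.group(2)])
    return KEYWORD_RE.sub(substitute, segment).encode("ascii")


def encode_option37(fmt, ctx):
    """Encode a format string that may mix hexadecimal and quoted ASCII parts."""
    parts = fmt.split('"')
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced quotation marks")
    out = bytearray()
    for index, part in enumerate(parts):
        # Odd-numbered parts sit between a pair of quotation marks.
        encoder = encode_ascii_segment if index % 2 else encode_hex_segment
        out += encoder(part, ctx)
    return bytes(out)


if __name__ == "__main__":
    # Constructed values: slot 3 and port 4 match the example in the text.
    ctx = {"slot": 3, "port": 4, "svlan": 10, "cvlan": 20,
           "sysname": "AR1", "portname": "Eth0/0/1"}
    print(encode_option37("%slot %port", ctx).hex())
    print(encode_option37('"%slot %port"', ctx))
    print(encode_option37('%slot %port "%sysname %portname:%svlan.%cvlan."', ctx))
```

A DHCPv6 server or log parser that matches on Option 37 has to apply the same split between binary and ASCII parts, otherwise the 2-byte keyword fields are misread as text.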

Example

# Configure the format of the Option 37 field in a DHCPv6 message in VLAN 10.

<Huawei> system-view
[Huawei] vlan 10
[Huawei-vlan10] dhcpv6 option37 format user-defined "%length %svlan %5slot %3subslot %8port"

# Configure the format of the Option 37 field in a DHCPv6 message on Eth0/0/1.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dhcpv6 option37 format user-defined "%length %svlan %5slot %3subslot %8port"

dhcpv6 { option18 | option37 } enable

Function

The dhcpv6 { option18 | option37 } enable command enables the device to insert the Option 18 or Option 37 field to a DHCPv6 message.

The undo dhcpv6 { option18 | option37 } enable command disables the device from inserting the Option 18 or Option 37 field to a DHCPv6 message.

By default, the device does not insert the Option 18 or Option 37 field to a DHCPv6 message.

NOTE:

The AR530 series do not support this command.

Format

dhcpv6 { option18 | option37 } { insert | rebuild } enable

undo dhcpv6 { option18 | option37 } { insert | rebuild } enable

Parameters

| Parameter | Description | Value |
|---|---|---|
| insert | Enables the device to insert the Option 18 or Option 37 field to a DHCPv6 message. | - |
| rebuild | Enables the device to forcibly insert the Option 18 or Option 37 field to a DHCPv6 message. | - |

Views

VLAN view, Ethernet interface view, GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The function of the Option 18 and Option 37 field is similar to the function of the Option 82 field (see the dhcp option82 enable command). The Option 18 field contains the port number of a client and the Option 37 field contains the MAC address of the client. A device inserts the Option 18 or Option 37 field to a DHCPv6 Request message to notify the DHCP server of the DHCPv6 client location. The DHCP server can properly assign an IP address and other configurations to the DHCPv6 client, ensuring DHCP client security.
NOTE:

If you run the dhcpv6 { option18 | option37 } enable command in the VLAN view, the command takes effect for all the DHCPv6 messages received from the specified VLAN. If you run the dhcpv6 { option18 | option37 } enable command in the interface view, the command takes effect for all the DHCPv6 messages received on the specified interface.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.


Example

# Insert the Option 37 field to DHCPv6 Request messages sent by Eth0/0/1.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] dhcp snooping enable
[Huawei-Ethernet0/0/1] dhcpv6 option37 insert enable

dhcpv6 snooping relay-information enable

Function

The dhcpv6 snooping relay-information enable command enables Lightweight DHCPv6 Relay Agent (LDRA) for DHCPv6 snooping.

The undo dhcpv6 snooping relay-information enable command disables LDRA.

By default, LDRA is disabled for DHCPv6 snooping.

NOTE:

The AR530 series do not support this command.

Format

dhcpv6 snooping relay-information enable [ trust ]

undo dhcpv6 snooping relay-information enable [ trust ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| trust | Configures the device to trust the received Relay-Forward messages. If this parameter is not specified, the device does not trust the received Relay-Forward messages. | - |

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In some scenarios, for example when interfaces in the same VLAN have different network access rights and QoS requirements, the DHCPv6 server must be able to detect user access locations and assign the corresponding access control and QoS policies. The DHCPv6 relay agent is usually configured on the gateway. The relay agent can record user access locations; however, if access devices are located between the relay agent and users, the relay agent cannot detect the access locations of users.

LDRA can meet the requirements of these scenarios. LDRA is configured on the user-side access device. The LDRA-enabled device can forward user access locations (such as the network-side interfaces on clients) to the DHCPv6 server. The DHCPv6 server delivers policies to users accordingly.

This command enables LDRA for DHCPv6 snooping and configures the handling methods for received Relay-Forward messages:
  • Trust: The device forwards the received Relay-Forward messages to the DHCPv6 server. This method is usually used when multiple LDRA-enabled devices are directly connected. If the downstream LDRA-enabled device trusts the Relay-Forward messages from the upstream LDRA-enabled device, this method can be used.
  • Untrust: The device discards the received Relay-Forward messages. This method is usually used when an LDRA-enabled device directly connects to users, and the users may send invalid Relay-Forward messages.

Prerequisites

DHCP snooping has been enabled using the dhcp snooping enable command.

Precautions

The LDRA function only records the client location information and forwards the information to the DHCPv6 server. The differentiated policies for IP address allocation, accounting, access control, and QoS are configured on the DHCPv6 server.

Example

# Enable LDRA for DHCPv6 snooping in VLAN 10.

<Huawei> system-view
[Huawei] vlan 10
[Huawei-vlan10] dhcpv6 snooping relay-information enable

display dhcp option82 configuration

Function

The display dhcp option82 configuration command displays the DHCP Option82 configuration.

Format

display dhcp option82 configuration [ vlan vlan-id | interface interface-type interface-number ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| vlan vlan-id | Displays the DHCP Option 82 configuration in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| interface interface-type interface-number | Displays the DHCP Option 82 configuration on a specified interface. interface-type specifies the interface type; interface-number specifies the interface number. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The Option 82 field records the location of a DHCP client. A device inserts the Option 82 field to a DHCP Request message to notify the DHCP server of the DHCP client location. The DHCP server can properly assign an IP address and other configurations to the DHCP client, ensuring DHCP client security.

After the Option 82 field is inserted to a DHCP message, run the display dhcp option82 configuration command to display the DHCP Option 82 configuration.

Example

# Display all the DHCP Option82 configurations.

<Huawei> display dhcp option82 configuration
#                                                                               
vlan 10                                                                         
 dhcp option82 rebuild enable                                                   
#                                                                               
interface Ethernet0/0/1                                                  
 dhcp option82 rebuild enable                                                   
 dhcp option82 circuit-id format common                                         
#                                             

# Display the configuration of the DHCP Option 82 field on Eth0/0/1.

<Huawei> display dhcp option82 configuration interface ethernet 0/0/1
#                                                                               
interface Ethernet0/0/1                                                  
 dhcp option82 rebuild enable                                                   
 dhcp option82 circuit-id format common                                         
#                                             

display dhcp snooping

Function

The display dhcp snooping command displays DHCP snooping running information.

Format

display dhcp snooping [ interface interface-type interface-number | vlan vlan-id ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| interface interface-type interface-number | Displays DHCP snooping running information on a specified interface. interface-type specifies the interface type; interface-number specifies the interface number. | - |
| vlan vlan-id | Displays DHCP snooping running information in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display dhcp snooping command displays DHCP snooping running information. If no interface or VLAN is specified, global DHCP snooping running information is displayed. If an interface or a VLAN ID is specified, DHCP snooping running information about the interface or VLAN is displayed.

Example

# Display global DHCP snooping running information.

<Huawei> display dhcp snooping
 DHCP snooping global running information :                                     
 DHCPv4 snooping                          : Enable                              
 Static user max number                   : 512                                 
 Current static user number               : 0                                   
 Dhcp user max number                     : 512      (default)                  
 Current dhcp user number                 : 0                                   
 Arp dhcp-snooping detect                 : Disable  (default)                  
 Alarm threshold                          : 100      (default)                  
 Bind-table autosave                      : Disable  (default)                  
 Offline remove mac-address               : Disable  (default)                  
 Client position transfer allowed         : Enable   (default)                  
              
 DHCP snooping running information for VLAN 500 :                               
 DHCP snooping                            : Enable                              
 Dhcp user max number                     : 512      (default)                  
 Current dhcp user number                 : 0                                   
 Check dhcp-giaddr                        : Disable  (default)                  
 Check dhcp-chaddr                        : Disable  (default)                  
 Check dhcp-request                       : Disable  (default)                  
              
 DHCP snooping running information for interface Ethernet0/0/1 :         
 DHCP snooping                            : Enable                  
 Trusted interface                        : No                                  
 Dhcp user max number                     : 512      (default)                  
 Current dhcp user number                 : 0                                   
 Check dhcp-giaddr                        : Disable  (default)                  
 Check dhcp-chaddr                        : Disable  (default)                  
 Alarm dhcp-chaddr                        : Enable                              
 Alarm dhcp-chaddr threshold              : 10                                  
 Discarded dhcp packets for check chaddr  : 0                                   
 Check dhcp-request                       : Disable  (default)                  
 Alarm dhcp-request                       : Disable  (default)                  
 Alarm dhcp-reply                         : Disable  (default)                  

# Display DHCP snooping running information in VLAN 10.

<Huawei> display dhcp snooping vlan 10
 DHCP snooping running information for VLAN 10 :                                
 DHCP snooping                            : Enable                              
 Dhcp user max number                     : 100                                 
 Current dhcp user number                 : 0                                   
 Check dhcp-giaddr                        : Disable  (default)                  
 Check dhcp-chaddr                        : Disable  (default)                  
 Check dhcp-request                       : Disable  (default)                  
Table 14-99  Description of the display dhcp snooping command output

| Item | Description |
|---|---|
| DHCPv4 snooping | Whether the DHCPv4 snooping is enabled globally. To enable DHCP snooping, run the dhcp snooping enable command. |
| DHCP snooping | Whether DHCP snooping is enabled on the interface or in the VLAN. To enable DHCP snooping, run the dhcp snooping enable command. |
| Static user max number | Maximum number of static users. |
| Current static user number | Number of current static users. |
| Dhcp user max number | Maximum number of DHCP snooping users. To set the maximum number of DHCP snooping users, run the dhcp snooping max-user-number command. |
| Current dhcp user number | Number of current DHCP snooping users. |
| Arp dhcp-snooping detect | Whether association between ARP and DHCP snooping is enabled. To enable association between ARP and DHCP snooping, run the arp dhcp-snooping-detect enable command. |
| Alarm threshold | Global alarm threshold for the number of discarded DHCP snooping messages. To set the global alarm threshold for the number of discarded DHCP snooping messages, run the dhcp snooping alarm threshold command. |
| Bind-table autosave | Whether a device is enabled to save the binding table. |
| Offline remove mac-address | Whether a device is enabled to delete MAC addresses of offline users. |
| Client position transfer allowed | Whether location transition is enabled for DHCP snooping users. To enable location transition for DHCP snooping users, run the dhcp snooping user-transfer enable command. |
| Trusted interface | Whether an interface is a trusted interface. |
| Check dhcp-giaddr | Whether a device is enabled to check the GIADDR field in a DHCP Request message. To enable the device to check the GIADDR field in a DHCP Request message, run the dhcp snooping check dhcp-giaddr enable command. |
| Check dhcp-chaddr | Whether a device is enabled to check whether the CHADDR field in a DHCP Request message matches the source MAC address in the Ethernet frame header. To enable the device to check whether the CHADDR field in a DHCP Request message matches the source MAC address in the Ethernet frame header, run the dhcp snooping check mac-address enable command. |
| Alarm dhcp-chaddr | Whether a device is enabled to generate an alarm when the number of discarded DHCP Request messages with the CHADDR field different from the source MAC address in the Ethernet frame header exceeds the alarm threshold. To enable the device to generate an alarm when the number of discarded DHCP Request messages with the CHADDR field different from the source MAC address in the Ethernet frame header exceeds the alarm threshold, run the dhcp snooping alarm threshold command. |
| Check dhcp-request | Whether an interface is enabled to check DHCP Request messages. To enable the interface to check DHCP Request messages, run the dhcp snooping check user-bind enable command. |
| Alarm dhcp-request | Whether a device is enabled to generate an alarm when the number of DHCP Request messages discarded within a specified period reaches the alarm threshold. To enable the device to generate an alarm when the number of DHCP Request messages discarded within a specified period reaches the alarm threshold, run the dhcp snooping alarm threshold command. |
| Alarm dhcp-reply | Whether a device is enabled to generate an alarm when an interface discards a DHCP Reply message from an untrusted interface. To enable the device to generate an alarm when an interface discards a DHCP Reply message from an untrusted interface, run the dhcp snooping alarm threshold command. |

display dhcp snooping configuration

Function

The display dhcp snooping configuration command displays the DHCP snooping configuration.

Format

display dhcp snooping configuration [ vlan vlan-id | interface interface-type interface-number ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| vlan vlan-id | Displays the DHCP snooping configuration in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| interface interface-type interface-number | Displays the DHCP snooping configuration on a specified interface. interface-type specifies the interface type; interface-number specifies the interface number. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After DHCP snooping configuration is complete, run the display dhcp snooping configuration command to view the DHCP snooping configuration. If no VLAN or interface is specified, all the DHCP snooping configurations are displayed. If a VLAN or an interface is specified, only the DHCP snooping configuration in the VLAN or on the interface is displayed.

Example

# Display all the DHCP snooping configurations.

<Huawei> display dhcp snooping configuration
#
dhcp snooping enable
#
vlan 3
 dhcp snooping enable
 dhcp snooping check dhcp-giaddr enable
#
interface Ethernet0/0/1
 dhcp snooping enable
#                 

display dhcp snooping statistics

Function

The display dhcp snooping statistics command displays statistics on the received DHCP messages.

Format

display dhcp snooping statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can use the display dhcp snooping statistics command to view statistics on the received DHCP messages of all types.

Example

# Display statistics on the received DHCP messages.

<Huawei> display dhcp snooping statistics 
 DHCP Snooping Statistics:                                                      
                                                                                
 Client Request:                                                                 
  Dhcp Discover:                  0                                             
  Dhcp Request:                   0                                             
  Dhcp Decline:                   0                                             
  Dhcp Release:                   0                                             
  Dhcp Inform:                    0                                             
 Server Reply:                                                                  
  Dhcp Offer:                     0                                             
  Dhcp Ack:                       0                                             
  Dhcp Nak:                       0                                             
 Drop Packet:                                                                   
  Dropped by mac-address check:   0                                             
  Dropped by untrust reply:       0                                             
  Dropped by request conflict:    0 
  Dropped by untrust relay-forw:  0  
 Delete DHCP snooping table:                      
  Receive release packet:         0                         
  Receive decline packet:         0                            
  Lease expired:                  0                               
  User command:                   0                            
  Client transferes:              0                          
  Interface down:                 0                  
  Arp detect:                     0         
Table 14-100  Description of the display dhcp snooping statistics command output

| Item | Description |
|---|---|
| Client Request | Number of packets sent by DHCP clients, including the number of DHCP Discover packets, DHCP Request packets, DHCP Decline packets, DHCP Release packets, and DHCP Inform packets. |
| Server Reply | Number of packets sent by the DHCP server, including the number of DHCP Offer packets, DHCP ACK packets, and DHCP NAK packets. |
| Drop Packet | Number of discarded packets. |
| Dropped by mac-address check | Number of discarded DHCP messages whose MAC address is different from the CHADDR value. |
| Dropped by untrust reply | Number of untrusted reply packets that are discarded. |
| Dropped by request conflict | Number of packets that are discarded because the client and server MAC addresses conflict. |
| Dropped by untrust relay-forw | Number of untrusted Relay-Forward packets that are discarded. |
| Delete DHCP snooping table | Number of DHCP snooping binding entries deleted by the device. |
| Receive release packet | Number of DHCP snooping binding entries deleted by the device after the device receives DHCP release packets. |
| Receive decline packet | Number of DHCP snooping binding entries deleted by the device after the device receives DHCP decline packets. |
| Lease expired | Number of DHCP snooping entries deleted by the device because of lease expiry. |
| User command | Number of DHCP snooping binding entries deleted by using commands. |
| Client transferes | Number of DHCP snooping binding entries deleted because the client connects to another interface on the device. |
| Interface down | Number of DHCP snooping binding entries deleted because the port is shut down. |
| Arp detect | Number of DHCP snooping binding entries deleted due to ARP detection. |
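An added example (not part of the Huawei documentation) that parses two captures of the display dhcp snooping statistics output and reports which Drop Packet counters increased between them, using the meanings from Table 14-100. The counter values in both captures are constructed, and a counter that went down is treated as having been cleared by reset dhcp snooping statistics.

```python
import re

# Meanings of the Drop Packet counters, taken from Table 14-100.
DROP_MEANINGS = {
    "Dropped by mac-address check": "MAC address is different from the CHADDR value",
    "Dropped by untrust reply": "untrusted reply packets",
    "Dropped by request conflict": "client and server MAC addresses conflict",
    "Dropped by untrust relay-forw": "untrusted Relay-Forward packets",
}

COUNTER_RE = re.compile(r"^\s*(.+?):\s+(\d+)\s*$")   # "  Dhcp Offer:   14"
SECTION_RE = re.compile(r"^\s*(.+?):\s*$")           # " Drop Packet:"

# Constructed captures: the layout follows the example output, the numbers do not.
CAPTURE_1 = """\
<Huawei> display dhcp snooping statistics
 DHCP Snooping Statistics:

 Client Request:
  Dhcp Discover:                  12
  Dhcp Request:                   12
 Server Reply:
  Dhcp Offer:                     14
  Dhcp Ack:                       12
 Drop Packet:
  Dropped by mac-address check:   0
  Dropped by untrust reply:       2
  Dropped by request conflict:    0
  Dropped by untrust relay-forw:  0
"""

CAPTURE_2 = CAPTURE_1.replace("untrust reply:       2", "untrust reply:       7") \
                     .replace("untrust relay-forw:  0", "untrust relay-forw:  3")


def parse_statistics(text):
    """Return {section: {counter: value}} for one capture of the command output."""
    stats, section = {}, None
    for line in text.splitlines():
        counter = COUNTER_RE.match(line)
        if counter:
            if section is not None:
                stats.setdefault(section, {})[counter.group(1)] = int(counter.group(2))
            continue
        header = SECTION_RE.match(line)
        if header:
            # A header with no counters under it (the title line) never enters stats.
            section = header.group(1)
    return stats


def drop_deltas(previous, current):
    """List (counter, increase, meaning) for every drop counter that grew."""
    findings = []
    before = previous.get("Drop Packet", {})
    after = current.get("Drop Packet", {})
    for name, meaning in DROP_MEANINGS.items():
        old, new = before.get(name, 0), after.get(name, 0)
        # A lower value means the statistics were cleared in between,
        # so everything counted since the reset is new.
        increase = new - old if new >= old else new
        if increase > 0:
            findings.append((name, increase, meaning))
    return findings


if __name__ == "__main__":
    for name, increase, meaning in drop_deltas(parse_statistics(CAPTURE_1),
                                               parse_statistics(CAPTURE_2)):
        print(f"{name}: +{increase} ({meaning})")
```

Growth in "Dropped by untrust reply" means server replies are arriving on untrusted interfaces, and growth in "Dropped by untrust relay-forw" means Relay-Forward messages are arriving where LDRA is configured without trust; both are worth correlating with the interface-level output of display dhcp snooping.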


display dhcp snooping user-bind

Function

The display dhcp snooping user-bind command displays the DHCP snooping binding table.

Format

display dhcp snooping user-bind { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id } * | all } [ verbose ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| interface interface-type interface-number | Displays binding entries on the specified interface. interface-type specifies the interface type; interface-number specifies the interface number. | - |
| ip-address ip-address | Displays binding entries mapping a specified IP address. | The value is in dotted decimal notation. |
| mac-address mac-address | Displays binding entries mapping a specified MAC address. | The value is in the format of H-H-H, in which H is a hexadecimal number of 4 digits. |
| vlan vlan-id | Displays binding entries mapping a specified VLAN ID. | The value is an integer that ranges from 1 to 4094. |
| all | Displays all entries in the binding table. | - |
| verbose | Displays detailed information about the binding table. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After DHCP snooping is enabled, the device generates a DHCP snooping binding table. A binding entry contains the MAC address, IP address, number of the interface connected to the DHCP client, and VLAN ID on the interface. You can run the display dhcp snooping user-bind command to view the DHCP snooping binding table.

Example

# Display information about the DHCP snooping binding table.

  • Display all binding entries.

    <Huawei> display dhcp snooping user-bind all
    DHCP Dynamic Bind-table:
    Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping 
    IP Address       MAC Address     VSI/VLAN(O/I/P) Interface      Lease           
    --------------------------------------------------------------------------------
    10.1.28.141      78ac-d4b5-b858  10  /--  /--    Eth0/0/1       2008.10.17-07:31
    --------------------------------------------------------------------------------
    Print count:           1          Total count:           1 
  • Display detailed information about binding entries.

    <Huawei> display dhcp snooping user-bind all verbose
    DHCP Dynamic Bind-table:                                                        
    Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
    --------------------------------------------------------------------------------
     IP Address  : 10.10.21.254                                                     
     MAC Address : 0200-0000-00e8                                                   
     VSI         : --                                                               
     VLAN(O/I/P) : 10  /--  /--                                                     
     Interface   : Eth0/0/1                                                         
     Lease       : 2008.01.20-19:54                                                 
     Gateway     : 10.10.21.1                                                       
     Server-ip   : 10.10.21.1                                                       
     IPSG Status : ineffective                                                      
    --------------------------------------------------------------------------------
    Print count:           1          Total count:           1 
Table 14-101  Description of the display dhcp snooping user-bind command output

| Item | Description |
|---|---|
| DHCP Dynamic Bind-table | DHCP snooping binding entries. |
| Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping | VLAN ID. O: Outer VLAN; I: Inner VLAN; P: Vlan-mapping. |
| IP Address | User IP address. |
| MAC Address | User MAC address. |
| VSI | Name of the VPN instance that the online user belongs to. |
| VLAN(O/I/P) | Outer VLAN ID, inner VLAN ID, or VLAN mapping information of the online user. |
| Interface | User access interface. |
| Lease | Time when the lease of the IP address used by the user expires. |
| Gateway | Gateway address. |
| Server-ip | IP address of the DHCP server. |
| IPSG Status | Whether the binding table is effective for IP packet checking after IP packet checking is enabled. The value can be effective or ineffective. This field is invalid if IP packet checking is not enabled. |

display dhcpv6 snooping user-bind

Function

The display dhcpv6 snooping user-bind command displays the DHCPv6 snooping binding table.

NOTE:

The AR530 series do not support this command.

Format

display dhcpv6 snooping user-bind { { interface interface-type interface-number | ipv6-address ipv6-address | mac-address mac-address | vlan vlan-id } * | all } [ verbose ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| interface interface-type interface-number | Displays binding entries on the specified interface. interface-type specifies the interface type; interface-number specifies the interface number. | - |
| ipv6-address ipv6-address | Displays the binding entry mapping a specified IPv6 address. | The address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X. |
| mac-address mac-address | Displays the binding entry mapping a specified MAC address. | The value is in hexadecimal notation. |
| vlan vlan-id | Displays the binding entry mapping a specified VLAN ID. | The value is an integer that ranges from 1 to 4094. |
| all | Displays all entries in the binding table. | - |
| verbose | Displays detailed information about the binding table. If the parameter is not specified, brief information about the binding table is displayed. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After DHCP snooping is enabled, the device generates a DHCP snooping binding table by listening to DHCP Request messages and Reply messages. A binding entry contains the MAC address, IP address, number of the interface connected to the DHCP client, and VLAN ID. You can run the display dhcpv6 snooping user-bind command to view the DHCPv6 snooping binding table.

Example

# Display the DHCPv6 binding table.

  • Display all the dynamic binding entries.

    <Huawei> display dhcpv6 snooping user-bind all
    DHCPV6 Dynamic Bind-table:                                                      
    Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping                          
    IP Address                      MAC Address     VSI/VLAN(O/I/P) Lease           
    --------------------------------------------------------------------------------
    2222:2::2E                      4a8c-ccdb-0000  10  /--  /--    2016.03.04-11:28
    --------------------------------------------------------------------------------
    Print count:           1          Total count:           1                      
  • Display detailed information about the binding table.

    <Huawei> display dhcpv6 snooping user-bind all verbose
    DHCPV6 Dynamic Bind-table:                                                      
    Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
    --------------------------------------------------------------------------------
     IP Address  : FC00:1::1                                                          
     MAC Address : 00d5-0191-02de                                                   
     VSI         : --                                                               
     VLAN(O/I/P) : 500 /--  /--                                                     
     Interface   : Eth0/0/1                                                         
     Lease       : 2008.10.01-00:27                                                 
     IPSG Status : ineffective                                                      
     User State  : BOUND                                                            
    --------------------------------------------------------------------------------
    print count:           1          total count:           1                      
Table 14-102  Description of the display dhcpv6 snooping user-bind command output

| Item | Description |
|---|---|
| DHCPV6 Dynamic Bind-table | DHCPv6 snooping dynamic binding table. |
| Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping | VLAN ID. O: Outer VLAN; I: Inner VLAN; P: Vlan-mapping. |
| IP Address | User IPv6 address. |
| MAC Address | User MAC address. |
| VSI | Name of the VPN instance that the online user belongs to. |
| VLAN(O/I/P) | Outer VLAN ID, inner VLAN ID, or VLAN mapping information of the online user. |
| Interface | User access interface. |
| Lease | Time when the lease of the IP address used by the user expires. |
| IPSG Status | Whether the binding table is effective for IP packet checking after IP packet checking is enabled. The value can be effective or ineffective. This field is invalid if IP packet checking is not enabled. |
| User State | Status of a DHCPv6 snooping binding entry. The value can be START, DETECTION, BOUND, or LIVE. |

reset dhcp snooping statistics

Function

The reset dhcp snooping statistics command clears statistics on discarded DHCP messages after DHCP snooping is enabled.

Format

reset dhcp snooping statistics { global | interface interface-type interface-number [ vlan vlan-id ] | vlan vlan-id [ interface interface-type interface-number ] }

Parameters

| Parameter | Description | Value |
|---|---|---|
| global | Clears global statistics on discarded DHCP snooping messages. | - |
| interface interface-type interface-number | Clears statistics on discarded DHCP messages on the specified interface. interface-type specifies the interface type; interface-number specifies the interface number. | - |
| vlan vlan-id | Clears statistics on discarded DHCP messages in a specified VLAN. vlan-id specifies the ID of the VLAN. | vlan-id is an integer that ranges from 1 to 4094. |

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After DHCP snooping is enabled, if statistics on discarded DHCP messages are collected, you can run the reset dhcp snooping statistics command to clear the statistics.

Precautions

If both interface and vlan are specified, the specified interface must belong to the specified VLAN. In this way, the reset dhcp snooping statistics command clears statistics on discarded DHCP messages in the specified VLAN that the interface belongs to.

Example

# Clear statistics on discarded DHCP messages on Eth0/0/1.

<Huawei> reset dhcp snooping statistics interface ethernet 0/0/1

reset dhcp snooping user-bind

Function

The reset dhcp snooping user-bind command clears DHCP snooping binding entries.

Format

reset dhcp snooping user-bind [ [ vlan vlan-id | interface interface-type interface-number ] * | ip-address [ ip-address ] | ipv6-address [ ipv6-address ] ]

NOTE:

The AR500 series do not support the keyword ipv6-address.

Parameters

Parameter: vlan vlan-id
Description: Clears the DHCP snooping binding entries that match a specified VLAN ID.
Value: The value is an integer that ranges from 1 to 4094.

Parameter: interface interface-type interface-number
Description: Clears the DHCP snooping binding entries that match a specified interface.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.
Value: -

Parameter: ip-address
Description: Clears the DHCP snooping binding entries that match IPv4 addresses.
Value: -

Parameter: ipv6-address
Description: Clears the DHCP snooping binding entries that match IPv6 addresses.
NOTE: The AR530 series do not support this parameter.
Value: -

Parameter: ip-address
Description: Clears the DHCP snooping binding entries that match a specified IPv4 address.
Value: The value is in dotted decimal notation.

Parameter: ipv6-address
Description: Clears the DHCP snooping binding entries that match a specified IPv6 address.
NOTE: The AR530 series do not support this parameter.
Value: The value consists of 128 octets, which are classified into 8 groups. Each group contains 4 hexadecimal numbers in the format X:X:X:X:X:X:X:X.

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After DHCP snooping is enabled, the corresponding DHCP snooping binding entries are generated after DHCP users log in. The reset dhcp snooping user-bind command clears the binding entries that match a specified parameter. If no parameter is specified, all the binding entries are cleared.

Precautions

If both interface interface-type interface-number and vlan vlan-id are configured, the interface specified by interface interface-type interface-number must have been added to the VLAN specified by vlan vlan-id. In this case, the command clears the DHCP snooping binding entries on a specified interface belonging to a certain VLAN.

Example

# Clear DHCP snooping binding entries in VLAN 100.

<Huawei> reset dhcp snooping user-bind vlan 100
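
The format and usage guidelines above, as an added example that is not part of the vendor documentation: a Python helper for automation scripts that builds the reset dhcp snooping user-bind command line, rejects out-of-range or mixed parameters, and refuses to emit the bare command (which clears all binding entries) unless explicitly asked. The function name, the allow_clear_all flag and the interface-name pattern are assumptions.

```python
import ipaddress
import re

BASE = "reset dhcp snooping user-bind"
# Assumed shape of an interface name such as "ethernet 0/0/1" (pattern is an assumption).
IFACE_RE = re.compile(r"[A-Za-z][A-Za-z-]* ?\d+(/\d+)*")


def build_reset_user_bind(vlan=None, interface=None, ipv4=None, ipv6=None,
                          allow_clear_all=False):
    """Build one CLI line following the documented format, or raise ValueError."""
    scoped = vlan is not None or interface is not None
    if sum([scoped, ipv4 is not None, ipv6 is not None]) > 1:
        raise ValueError("vlan/interface, ip-address and ipv6-address are alternatives")
    if ipv4 is not None:
        # IPv4Address rejects "" and malformed input (AddressValueError is a ValueError).
        return f"{BASE} ip-address {ipaddress.IPv4Address(str(ipv4))}"
    if ipv6 is not None:
        # .exploded yields the full X:X:X:X:X:X:X:X form given in the parameter table.
        return f"{BASE} ipv6-address {ipaddress.IPv6Address(str(ipv6)).exploded}"
    if not scoped:
        # The bare command clears all binding entries, so require explicit intent.
        if not allow_clear_all:
            raise ValueError("no parameter given: this would clear every binding entry")
        return BASE
    parts = [BASE]
    if vlan is not None:
        if type(vlan) is not int or not 1 <= vlan <= 4094:
            raise ValueError("vlan-id must be an integer from 1 to 4094")
        parts.append(f"vlan {vlan}")
    if interface is not None:
        # fullmatch keeps newlines and trailing extra words out of the CLI session.
        if not isinstance(interface, str) or not IFACE_RE.fullmatch(interface):
            raise ValueError("unexpected interface name")
        parts.append(f"interface {interface}")
    # Not checked here: the device requires the interface to belong to the VLAN.
    return " ".join(parts)


if __name__ == "__main__":
    print(build_reset_user_bind(vlan=100))
    print(build_reset_user_bind(vlan=100, interface="ethernet 0/0/1"))
```

An empty or unset variable passed as ipv4 or vlan raises an error instead of silently degrading to the clear-everything form.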
Updated: 2019-02-18

Document ID: EDOC1000097293