Command Reference

CloudEngine 8800, 7800, 6800, and 5800 V200R002C50

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
DHCP Snooping Configuration Commands

dhcp snooping user-bind arp-detect enable

Function

The dhcp snooping user-bind arp-detect enable command enables association between the Address Resolution Protocol (ARP) and Dynamic Host Configuration Protocol (DHCP) snooping.

The undo dhcp snooping user-bind arp-detect enable command disables association between ARP and DHCP snooping.

By default, association between ARP and DHCP snooping is disabled.

Format

dhcp snooping user-bind arp-detect enable

undo dhcp snooping user-bind arp-detect enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a client obtains an IP address and then goes offline abnormally, the client cannot release its IP address by sending a DHCP release packet. As a result, the IP address cannot be reassigned to other clients. To resolve this problem, you can run the dhcp snooping user-bind arp-detect enable command to enable the association between ARP and DHCP snooping.

Prerequisites

The device has been configured as a DHCP relay agent, and DHCP snooping has been enabled using the dhcp snooping enable command.

Precautions

After association between ARP and DHCP Snooping is enabled:
  • The system periodically performs ARP probes on the IP address. If the system does not detect the user within the number of probes (specified using arp detect times), the system deletes the matching DHCP binding entry and sends a Release message to the DHCP server, requesting the DHCP server to release the IP address.
  • If the system does not find the user's ARP entry, the system sends ARP packets to detect the user. In this situation, the number of ARP packets on the network increases.

Example

# Enable association between ARP and DHCP snooping on the device.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] dhcp snooping user-bind arp-detect enable

dhcp option82 enable

Function

The dhcp option82 enable command enables a device to insert the Option 82 field to a DHCP message.

The undo dhcp option82 enable command disables a device from inserting the Option 82 field to a DHCP message.

By default, a device does not insert the Option 82 field to a DHCP message.

Format

dhcp option82 { insert | rebuild } enable

undo dhcp option82 { insert | rebuild } enable

Parameters

Parameter Description Value
insert Enables a device to insert the Option 82 field to a DHCP message. -
rebuild Enables a device to forcibly insert the Option 82 field to a DHCP message. -

Views

VLAN view, GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The Option 82 field records the location of a DHCP client. A device inserts the Option 82 field to a DHCP Request message to notify the DHCP server of the DHCP client location. The DHCP server can assign an IP address and other configurations to the DHCP client, ensuring DHCP client security.

The device inserts the Option 82 field to a DHCP message in two modes:
  • Insert mode: Upon receiving a DHCP Request message without the Option 82 field, the device inserts the Option 82 field. If the DHCP Request message contains the Option 82 field, the device checks whether the Option 82 field contains the remote ID. If so, the device retains the Option 82 field; if not, the device inserts the remote ID.

  • Rebuild mode: Upon receiving a DHCP Request message without the Option 82 field, the device inserts the Option 82 field. If the DHCP Request message contains the Option 82 field, the device deletes the original Option 82 field and inserts the Option 82 field set by the administrator.

The device handles the reply packets from the DHCP server in the same way no matter whether the Insert or Rebuild method is used.

  • The DHCP reply packets contain Option 82:
    • If the DHCP request packets received by the device do not contain Option 82, the device deletes Option 82 from the DHCP reply packets, and forwards the packets to the DHCP client.
    • If the DHCP request packets contain Option 82, the device changes the Option 82 format in the DHCP reply packets into the Option 82 format in the DHCP request packets, and forwards the packets to the DHCP client.
  • If the DHCP reply packets do not contain Option 82, the device directly forwards the packets.
NOTE:

When receiving a DHCP Request message, the device checks whether the field GIADDR in the packet is 0. If so, the dhcp option82 enable command takes effect; if not, this command does not take effect.

If you run the dhcp option82 enable command in the VLAN view, the command takes effect for all the DHCP messages received on all the interfaces in the specified VLAN. If you run the dhcp option82 enable command in the interface view, the command takes effect for all the DHCP messages received on the specified interface.

DHCP Option 82 must be configured on the user-side of a device; otherwise, the DHCP messages sent to the DHCP server will not carry Option 82.
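
The request-side handling described above (GIADDR check, then Insert or Rebuild mode), modelled as an added Python example; it is not Huawei code. Sub-option codes 1 (circuit ID) and 2 (remote ID) follow RFC 3046; the function names, the sample CID/RID values and the rejection of malformed client data are assumptions of this example.

```python
from typing import Dict, Optional

CIRCUIT_ID = 1  # RFC 3046 Agent Circuit ID sub-option
REMOTE_ID = 2   # RFC 3046 Agent Remote ID sub-option


def parse_suboptions(payload: bytes) -> Dict[int, bytes]:
    """Split an Option 82 payload into {sub-option code: value}."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        subs[code] = value
        i += 2 + length
    return subs


def build_suboptions(subs: Dict[int, bytes]) -> bytes:
    """Serialize {code: value} back into an Option 82 payload."""
    out = bytearray()
    for code, value in subs.items():
        if len(value) > 255:
            raise ValueError("sub-option value too long")
        out += bytes([code, len(value)]) + value
    return bytes(out)


def process_request(opt82: Optional[bytes], giaddr: str, mode: str,
                    local_cid: bytes, local_rid: bytes) -> Optional[bytes]:
    """Return the Option 82 payload the device forwards to the server.

    opt82 is the payload received from the user side (None if absent).
    """
    if mode not in ("insert", "rebuild"):
        raise ValueError("mode must be 'insert' or 'rebuild'")
    # The command only takes effect when GIADDR is 0.
    if giaddr != "0.0.0.0":
        return opt82
    local = build_suboptions({CIRCUIT_ID: local_cid, REMOTE_ID: local_rid})
    # No Option 82 in the request: both modes insert the device's own field.
    # Rebuild mode: whatever arrived is deleted and replaced.
    if opt82 is None or mode == "rebuild":
        return local
    # Insert mode with Option 82 already present.
    subs = parse_suboptions(opt82)
    if REMOTE_ID in subs:
        return opt82               # retained exactly as received
    subs[REMOTE_ID] = local_rid    # only the missing remote ID is added
    return build_suboptions(subs)


# Constructed sample values (not taken from a real device).
LOCAL_CID = b"10GE1/0/1:100.0"
LOCAL_RID = bytes.fromhex("020000000001")
RECEIVED_FULL = build_suboptions({CIRCUIT_ID: b"other-port",
                                  REMOTE_ID: b"other-switch"})
RECEIVED_CID_ONLY = build_suboptions({CIRCUIT_ID: b"other-port"})

if __name__ == "__main__":
    for mode in ("insert", "rebuild"):
        result = process_request(RECEIVED_FULL, "0.0.0.0", mode,
                                 LOCAL_CID, LOCAL_RID)
        print(mode, parse_suboptions(result))
```

In this model, Insert mode forwards an Option 82 field that already carries a remote ID unchanged, while Rebuild mode always sends the administrator-set value to the server.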

Prerequisites

DHCP snooping has been enabled on the device, or the device has been configured as a DHCP relay agent.

Example

# Enable the device to insert the Option 82 field to DHCP messages on Layer 2 Ethernet interface 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] dhcp option82 insert enable

# Enable the device to insert the Option 82 field to DHCP messages on Layer 3 Ethernet interface 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] dhcp option82 insert enable

# Enable the device to forcibly insert the Option 82 field to DHCP messages in VLAN 100.

<HUAWEI> system-view
[~HUAWEI] vlan 100
[*HUAWEI-vlan100] dhcp option82 rebuild enable

dhcp option82 format

Function

The dhcp option82 format command configures the format of the Option 82 field in a DHCP message.

The undo dhcp option82 format command restores the default format of the Option 82 field in a DHCP message.

By default, the Option 82 field in a DHCP message uses the default format.

Format

In the system view, Layer 3 Ethernet interface view:

dhcp option82 [ circuit-id | remote-id ] format { default | common | extend | user-defined text }

undo dhcp option82 [ circuit-id | remote-id ] format

Layer 2 Ethernet interface view:

dhcp option82 [ vlan vlan-id ] [ circuit-id | remote-id ] format { default | common | extend | user-defined text }

undo dhcp option82 [ vlan vlan-id ] [ circuit-id | remote-id ] format

Parameters

Parameter Description Value
circuit-id Specifies the circuit ID (CID) in the Option 82 field. If the CID is not specified, the format of the Option 82 field is default. -
remote-id Specifies the remote ID (RID) in the Option 82 field. If the RID is not specified, the format of the Option 82 field is default. -
default Indicates the default format of the Option 82 field. -
  • CID format: interface name:svlan.cvlan, host name/0/0/0/0/0, in ASCII format
  • RID format: device MAC address, in hexadecimal notation
common Indicates the common format of the Option 82 field. -
  • CID format: {eth|trunk}slot ID/subcard ID/port ID:svlan.cvlan host name0/0/0/0/0, in ASCII format
  • RID format: device MAC address (6 bytes), in ASCII format
extend Indicates the extended format of the Option 82 field. -
  • CID format: circuit-id type (0) + length (4) + SVLAN ID (2 bytes) + slot ID (5 bits) + subslot ID (3 bits) + port (1 byte), in hexadecimal notation
  • RID format: remote-id type (0) + length (6) + device MAC address (6 bytes), in hexadecimal notation
  In the CID and RID formats, the values without a unit are fixed values of the fields; the values with a unit indicate the field lengths.
user-defined text Indicates the user-defined format of the Option 82 field. The value is a string of 1 to 253 characters. For details, see the description in "Usage Guidelines."
vlan vlan-id Specifies a VLAN ID. If the VLAN ID is specified, only the formats of the Option 82 field in the DHCP messages sent from the specified VLAN are specified; otherwise, the formats of the Option 82 field in all the DHCP messages are specified. The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command.

Views

System view, GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

After the function of inserting the Option 82 field into DHCP messages is enabled, you can use the dhcp option82 format command to configure the format of the Option 82 field.
NOTE:

If you run the dhcp option82 format command in the system view, the command takes effect for all the DHCP messages on all the interfaces of the device.

You can use the following keywords to define the Option 82 field. The format string can use the hexadecimal notation, ASCII format, or combination of the two formats.
  • sysname: indicates the ID of the access point. This keyword is valid only in ASCII format.
  • portname: indicates the name of a port, for example, 10GE1/0/1. This keyword is valid only in ASCII format.
  • porttype: indicates the type of a port. This keyword is a character string or in hexadecimal notation. For example, if the value is Ethernet in ASCII format, it is 15 in hexadecimal notation.
  • iftype: indicates the type of an interface, which can be eth or trunk. This keyword is valid only in ASCII format.
  • mac: indicates the MAC address of a port. In ASCII format, the value is in the format of H-H-H; in hexadecimal notation, the value is a number of six bytes.
  • slot: indicates the slot ID. This keyword is valid in ASCII format or in hexadecimal notation.
  • subslot: indicates the subslot ID. This keyword is valid in ASCII format or in hexadecimal notation.
  • port: indicates the port number. This keyword is valid in ASCII format or in hexadecimal notation.
  • svlan: indicates the outer VLAN ID. The value ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command. If this field is not required, this field is 0. This keyword is valid in ASCII format or in hexadecimal notation.
  • cvlan: specifies the inner VLAN ID. The value ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command. If this field is not required, this field is 0. This keyword is valid in ASCII format or in hexadecimal notation.
  • length: indicates the total length of the keywords following the keyword length.
  • n: indicates the value of the keyword svlan or cvlan if the SVLAN or CVLAN does not exist. The keyword n is on the left of the keyword svlan or cvlan. If the corresponding VLAN does not exist, the default value of the keyword svlan or cvlan is 4096 in ASCII format and is all Fs in hexadecimal notation. If the n keyword is added to the left of the keyword svlan or cvlan, the keyword svlan or cvlan is 0. This keyword is valid in ASCII format or in hexadecimal notation.
NOTE:

Delimiters must be added between keywords; otherwise, the device cannot parse the keywords. The delimiters cannot be numbers.

The symbols used in the format string are as follows:
  • The symbol % followed by a keyword indicates the format of the keyword.
  • A number to the left of the symbol % indicates the length of the keyword following the symbol %. In an ASCII character string, %05 has the same meaning as %05d in the C language. In a hexadecimal character string, the number indicates the keyword length in bits.
  • The symbol [] indicates an optional keyword. Each pair of brackets can contain only one keyword, svlan or cvlan. The keyword in the symbol [] is added to the Option 82 field only if the corresponding VLAN ID exists. To facilitate syntax check, the system does not support nesting of symbols [].
  • The symbol \ indicates an escape character. The symbols %, \, and [] following the escape character indicate themselves. For example, \\ represents \.
  • The contents in quotation marks (" ") are encapsulated in a character string, and the contents outside the quotation marks are encapsulated in hexadecimal notation.
  • Other symbols are processed as common characters.
The rules for setting the format string in ASCII format or hexadecimal notation are as follows:
    • An ASCII character string can contain numerals 0 to 9, lowercase letters a to z, uppercase letters A to Z, and symbols ! @ # $ % ^ & * () _ + | - = \ [] {} ; : '" / ? . , <> `.
    • By default, the length of each keyword in an ASCII character string is the actual length of the keyword.
    • A hexadecimal notation string can contain numerals, spaces, and % + keywords.
    • In a hexadecimal notation string, numbers are encapsulated in the Option 82 field in hexadecimal notation. A number from 0 to 255 occupies 1 byte; a number from 256 to 65535 occupies 2 bytes; a number from 65536 to 4294967295 occupies 4 bytes. Numbers larger than 4294967295 are not supported. Multiple numbers must be separated by spaces; otherwise, they are considered as one number.
    • All the spaces in a hexadecimal character string are ignored.
    • By default, the slot ID, subslot ID, port number, and VLAN ID in a hexadecimal character string occupy 2 bytes; the field length occupies 1 byte.
    • If the length of each keyword in a hexadecimal character string is specified, the total length of the hexadecimal character string must be a multiple of 8. If the length of a specified keyword is longer than 32 bits, the first 32 bits of the keyword are the actual keyword value, and other bits are set to 0.
    • A hexadecimal notation string can contain only the keywords whose values are numbers. Other keywords, such as port name, cannot be added to the hexadecimal notation string.
    • If a string is not contained in quotation marks, it is encapsulated in hexadecimal notation. To encapsulate the string in the ASCII format, use a pair of quotation marks to contain the string. For example, the slot ID is 3, and the port number is 4. If the string is in the %slot %port format, the value of the encapsulated string is a hexadecimal number 00030004. If the string is in the "%slot %port" format, the value of the encapsulated string is 3 4.
    • A format string can contain both hexadecimal strings and ASCII strings, for example, %slot %port "%sysname %portname:%svlan.%cvlan."
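
An added Python example (not from the original document) that packs and unpacks the extend-format CID and RID; the same CID layout is what the user-defined string 0 %length %svlan %5slot %3subslot %8port in the Example section describes. It assumes the fields are packed in the listed order, most significant bit first, with the slot ID in the upper 5 bits of its byte; the function names and sample values are constructed.

```python
import struct
from typing import Dict


def encode_extend_cid(svlan: int, slot: int, subslot: int, port: int) -> bytes:
    """type (0) + length (4) + SVLAN (2 bytes) + slot (5 bits) + subslot (3 bits) + port (1 byte)."""
    if not 0 <= svlan <= 0xFFFF:
        raise ValueError("svlan does not fit in 2 bytes")
    if not 0 <= slot < 32:
        raise ValueError("slot does not fit in 5 bits")
    if not 0 <= subslot < 8:
        raise ValueError("subslot does not fit in 3 bits")
    if not 0 <= port <= 0xFF:
        raise ValueError("port does not fit in 1 byte")
    body = struct.pack("!HBB", svlan, (slot << 3) | subslot, port)
    return bytes([0, len(body)]) + body


def decode_extend_cid(cid: bytes) -> Dict[str, int]:
    """Recover the port location from an extend-format CID, rejecting anything else."""
    if len(cid) != 6 or cid[0] != 0 or cid[1] != 4:
        raise ValueError("not an extend-format CID")
    svlan, slot_subslot, port = struct.unpack("!HBB", cid[2:])
    return {"svlan": svlan, "slot": slot_subslot >> 3,
            "subslot": slot_subslot & 0x07, "port": port}


def encode_extend_rid(mac: str) -> bytes:
    """type (0) + length (6) + device MAC address (6 bytes)."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return bytes([0, 6]) + raw


def decode_extend_rid(rid: bytes) -> str:
    """Return the device MAC address in H-H-H notation."""
    if len(rid) != 8 or rid[0] != 0 or rid[1] != 6:
        raise ValueError("not an extend-format RID")
    digits = rid[2:].hex()
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


if __name__ == "__main__":
    # Constructed sample: SVLAN 100, slot 1, subslot 0, port 1.
    cid = encode_extend_cid(svlan=100, slot=1, subslot=0, port=1)
    rid = encode_extend_rid("0200-0000-0001")
    print(cid.hex(), decode_extend_cid(cid))
    print(rid.hex(), decode_extend_rid(rid))
```

A server-side log parser can use the decode functions to map a lease back to a switch port; a value that raises ValueError was not produced by the extend format.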

Example

# Configure the default format for the CID in the Option 82 field.

<HUAWEI> system-view
[~HUAWEI] dhcp option82 circuit-id format default

# Configure the extended format for the CID and RID in the Option 82 field.

<HUAWEI> system-view
[~HUAWEI] dhcp option82 format extend

# Configure the user-defined string for the CID in the Option 82 field and encapsulate the port name, outer VLAN ID, inner VLAN ID, and host name in ASCII format.

<HUAWEI> system-view
[~HUAWEI] dhcp option82 circuit-id format user-defined "%portname:%svlan.%cvlan %sysname"

# Configure a hexadecimal notation string for the CID of the Option 82 field and encapsulate the CID type (fixed as 0, indicating the hexadecimal notation), length (excluding the lengths of the CID type and the keyword length itself), outer VLAN ID, slot ID (5 bits), subcard ID (3 bits), and port ID (8 bits).

<HUAWEI> system-view
[~HUAWEI] dhcp option82 circuit-id format user-defined 0 %length %svlan %5slot %3subslot %8port

# Configure the user-defined string for the RID in the Option 82 field and encapsulate the device MAC address in hexadecimal notation.

<HUAWEI> system-view
[~HUAWEI] dhcp option82 remote-id format user-defined %mac

# On a Layer 2 Ethernet interface 10GE1/0/1, configure the default format for the CID in the Option 82 field.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] dhcp option82 circuit-id format default

# On a Layer 2 Ethernet interface 10GE1/0/1, configure the extended format for the CID and RID in the Option 82 field of DHCP messages from VLAN 10.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] dhcp option82 vlan 10 format extend

# On a Layer 2 Ethernet interface 10GE1/0/1, configure a user-defined format for the CID in the Option 82 field and encapsulate the port name, outer VLAN ID, inner VLAN ID, and host name in ASCII format.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] dhcp option82 circuit-id format user-defined "%portname:%svlan.%cvlan %sysname"

# On a Layer 2 Ethernet interface 10GE1/0/1, configure a hexadecimal notation string for the CID of the Option 82 field and encapsulate the CID type 0 (indicating the hexadecimal format), length (excluding the lengths of the CID type and the keyword length itself), outer VLAN ID, slot ID (5 bits), subcard ID (3 bits), and port ID (8 bits).

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] dhcp option82 circuit-id format user-defined 0 %length %svlan %5slot %3subslot %8port

# On a Layer 2 Ethernet interface 10GE1/0/1, configure the user-defined format for the RID in the Option 82 field and encapsulate the device MAC address in hexadecimal notation.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] dhcp option82 remote-id format user-defined %mac

# On a Layer 3 Ethernet interface 10GE1/0/1, configure the default format for the CID in the Option 82 field.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] undo portswitch
[*HUAWEI-10GE1/0/1] dhcp option82 circuit-id format default

dhcp option82 vendor-specific format (system view)

Function

The dhcp option82 vendor-specific format command configures the format of the Sub9 field in the Option 82 field.

The undo dhcp option82 vendor-specific format command deletes the format of the Sub9 field in the Option 82 field.

By default, the format of the Sub9 field in the Option 82 field is not configured.

Format

dhcp option82 vendor-specific format vendor-sub-option sub-option-num { ascii ascii-text | hex hex-text | ip-address ip-address &<1-8> | sysname }

undo dhcp option82 vendor-specific format vendor-sub-option sub-option-num

Parameters

Parameter Description Value
vendor-sub-option sub-option-num Specifies the vendor-specific suboption in the Sub9 field. The value is an integer that ranges from 1 to 255.
ascii ascii-text Specifies the ASCII character string in the vendor-specific suboption in the Sub9 field. The value is an ASCII character string and must be smaller than 129 characters.
hex hex-text Specifies the HEX character string in the vendor-specific suboption in the Sub9 field. The value is in hexadecimal notation. The value can contain only numerals 0 to 9, lowercase letters a to f, and uppercase letters A to F. If no space is included, the value length must be an even number smaller than 257.
ip-address ip-address Specifies the IP address in the vendor-specific suboption in the Sub9 field. -
sysname Specifies the device name in the vendor-specific suboption in the Sub9 field. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In authentication for wired Ethernet access using DHCP, DHCP snooping, and Option 82, a device can insert suboptions (suboption 1, suboption 2, and suboption 9) into the Option 82 field in DHCP Request messages. These suboptions in DHCP Request messages carry information about user device locations. This prevents unauthorized users from accessing the network by using static IP addresses or stolen accounts of authorized users. The dhcp option82 vendor-specific format command configures the suboptions in the Sub9 field.

Example

# Insert the device name to the vendor-specific suboption 1 in the Sub9 field.

<HUAWEI> system-view
[*HUAWEI] dhcp option82 vendor-specific format vendor-sub-option 1 sysname

dhcp snooping server record

Function

The dhcp snooping server record command enables detection of DHCP servers.

The undo dhcp snooping server record command disables detection of DHCP servers.

By default, detection of DHCP servers is disabled.

Format

dhcp snooping server record

undo dhcp snooping server record

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If bogus DHCP servers exist on the network, they send incorrect information to DHCP clients, such as the incorrect gateway address, incorrect DNS server, and incorrect IP address. As a result, DHCP clients cannot access the network or access incorrect networks.

After detection of DHCP servers is enabled, a DHCP snooping device checks and stores all information about DHCP servers in the DHCP Reply messages, such as DHCP server address and DHCP client port number, in the log. Based on logs, the network administrator checks for bogus DHCP servers on the network to maintain the network.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Example

# Enable detection of DHCP servers.

<HUAWEI> system-view 
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] dhcp snooping server record

dhcp snooping alarm rate-limit enable

Function

The dhcp snooping alarm rate-limit enable command enables the device to generate an alarm when the number of discarded DHCP messages reaches the threshold.

The undo dhcp snooping alarm rate-limit enable command disables the device from generating an alarm when the number of discarded DHCP messages reaches the threshold.

By default, the device is disabled from generating an alarm when the number of discarded DHCP messages reaches the threshold.

Format

dhcp snooping alarm rate-limit enable

undo dhcp snooping alarm rate-limit enable

Parameters

None

Views

System view, GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After DHCP snooping is enabled, the device sends all the received DHCP Request messages and Reply messages to the processing unit. If the rate of sending DHCP messages is high, processing efficiency of the processing unit is affected. After the dhcp snooping rate-limit enable command is run, the device checks the rate of sending DHCP messages. DHCP messages within the specified rate are sent to the processing unit, and those that exceed the rate are discarded.

When the number of discarded DHCP messages reaches the threshold, an alarm is generated. To set the alarm threshold, run the dhcp snooping alarm rate-limit threshold command.

If you run the dhcp snooping alarm rate-limit enable command in the system view, the command takes effect on all the interfaces on the device. If you run the dhcp snooping alarm rate-limit enable command in the interface view, the command only takes effect on the specified interface.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Example

# In the system view, enable the device to generate an alarm when the number of discarded DHCP messages reaches the threshold.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] dhcp snooping rate-limit enable
[*HUAWEI] dhcp snooping alarm rate-limit enable

# Enable the device to generate an alarm when the number of discarded DHCP messages reaches the threshold on 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] dhcp snooping rate-limit enable
[*HUAWEI-10GE1/0/1] dhcp snooping alarm rate-limit enable

dhcp snooping alarm rate-limit threshold

Function

The dhcp snooping alarm rate-limit threshold command sets the alarm threshold for the number of discarded DHCP messages.

The undo dhcp snooping alarm rate-limit threshold command restores the default alarm threshold for the number of discarded DHCP messages.

By default, the global alarm threshold for discarded DHCP messages is 100 packets, and the alarm threshold on an interface is the same as the value configured in the system view.

Format

dhcp snooping alarm rate-limit threshold threshold

undo dhcp snooping alarm rate-limit threshold

Parameters

Parameter Description Value
threshold Specifies the alarm threshold. When the number of discarded DHCP messages reaches the threshold, an alarm is generated. The value is an integer that ranges from 1 to 1000. The default value is 100.

Views

System view, GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After you run the dhcp snooping alarm rate-limit enable command to enable a device to generate an alarm when the number of discarded DHCP messages reaches the threshold, you can set the alarm threshold using the dhcp snooping alarm rate-limit threshold command. An alarm is generated when the number of discarded DHCP messages reaches the threshold.

If the alarm threshold is set in the system view and interface view, the smaller value takes effect.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Example

# Set the alarm threshold for the number of discarded DHCP messages on 10GE1/0/1 to 50.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] dhcp snooping alarm rate-limit threshold 50

dhcp snooping alarm enable

Function

The dhcp snooping alarm enable command enables alarm for discarded DHCP messages.

The undo dhcp snooping alarm enable command disables alarm for discarded DHCP messages.

By default, the alarm function for discarded DHCP messages is disabled.

Format

dhcp snooping alarm { binding | mac-address | untrust-reply } enable

undo dhcp snooping alarm { binding | mac-address | untrust-reply } enable

Parameters

Parameter Description Value
binding Generates an alarm when the number of DHCP messages discarded because they do not match DHCP snooping binding entries reaches the threshold. -
mac-address Generates an alarm when the number of DHCP messages discarded because the CHADDR field in the DHCP message does not match the source MAC address in the Ethernet frame header reaches the threshold. -
untrust-reply Generates an alarm when the number of DHCP Reply messages discarded by untrusted interfaces reaches the threshold. -

Views

GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the alarm function is enabled, alarm messages are displayed if DHCP attacks occur and the number of discarded attack messages reaches the threshold. The minimum interval for sending alarm messages is 1 minute. You can run the dhcp snooping alarm threshold command to set the alarm threshold.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

To make the dhcp snooping alarm binding enable or dhcp snooping alarm mac-address enable command take effect, you must first run the dhcp snooping check binding enable or dhcp snooping check mac-address enable command in the view of the specified interface.
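
The mac-address check and its alarm, as an added Python example; it is not the device's implementation. It assumes untagged Ethernet II frames carrying IPv4/UDP and a discard counter that keeps running between alarms; the function names are hypothetical and the frames are constructed sample input.

```python
import struct
from typing import Iterable, List, Optional, Tuple


def chaddr_matches_source(frame: bytes) -> bool:
    """True when the BOOTP CHADDR equals the Ethernet source MAC address."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an untagged IPv4 Ethernet frame")
    src_mac = frame[6:12]
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or ip[9] != 17:
        raise ValueError("not a UDP datagram")
    udp = ip[ihl:]
    if len(udp) < 8:
        raise ValueError("truncated UDP header")
    sport, dport = struct.unpack("!HH", udp[:4])
    if {sport, dport} - {67, 68}:
        raise ValueError("not DHCP ports")
    bootp = udp[8:]
    if len(bootp) < 44:
        raise ValueError("truncated BOOTP header")
    if bootp[1] != 1 or bootp[2] != 6:
        raise ValueError("hardware type is not Ethernet")
    return bootp[28:34] == src_mac  # CHADDR starts at offset 28


class DiscardAlarm:
    """Alarm when discards reach the threshold, at most once per interval."""

    def __init__(self, threshold: int = 100, min_interval: float = 60.0):
        if not 1 <= threshold <= 1000:
            raise ValueError("threshold must be 1 to 1000")
        self.threshold = threshold
        self.min_interval = min_interval
        self.discarded = 0
        self.last_alarm: Optional[float] = None

    def record_discard(self, now: float) -> bool:
        self.discarded += 1
        due = (self.last_alarm is None
               or now - self.last_alarm >= self.min_interval)
        if self.discarded >= self.threshold and due:
            self.last_alarm = now
            return True
        return False


def inspect(frames: Iterable[Tuple[float, bytes]],
            alarm: DiscardAlarm) -> Tuple[int, List[float]]:
    """Return (forwarded count, timestamps at which an alarm was raised)."""
    forwarded, alarms = 0, []
    for ts, frame in frames:
        if chaddr_matches_source(frame):
            forwarded += 1
        elif alarm.record_discard(ts):
            alarms.append(ts)
    return forwarded, alarms


def build_request(src_mac: bytes, chaddr: bytes) -> bytes:
    """Construct a minimal client-to-server frame for the sample data."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, 0x1234, 0, 0,
                        bytes(4), bytes(4), bytes(4), bytes(4), chaddr)
    bootp += bytes(192)  # sname and file fields, zero-filled
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp),
                     0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip + udp + bootp


# Constructed sample: one consistent request, then five whose CHADDR differs.
HOST = bytes.fromhex("020000000001")
SAMPLE_FRAMES = [(0.0, build_request(HOST, HOST))] + [
    (ts, build_request(HOST, bytes.fromhex("0200000000a%d" % n)))
    for n, ts in enumerate([1.0, 2.0, 3.0, 4.0, 70.0])
]

if __name__ == "__main__":
    print(inspect(SAMPLE_FRAMES, DiscardAlarm(threshold=3)))
```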

Example

# On 10GE1/0/1, enable DHCP snooping, enable the device to check whether the CHADDR field in the DHCP message matches the source MAC address in the Ethernet frame header, and enable alarm for the DHCP messages discarded because the CHADDR field in the DHCP message does not match the source MAC address.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] dhcp snooping enable
[*HUAWEI-10GE1/0/1] dhcp snooping check mac-address enable
[*HUAWEI-10GE1/0/1] dhcp snooping alarm mac-address enable

dhcp snooping alarm threshold

Function

The dhcp snooping alarm threshold command sets the alarm threshold for the number of DHCP messages discarded by DHCP snooping.

The undo dhcp snooping alarm threshold command restores the default alarm threshold.

By default, an alarm is generated in the system when at least 100 DHCP snooping messages are discarded, and the alarm threshold on an interface is set using the dhcp snooping alarm threshold command in the system view.

Format

In the system view:

dhcp snooping alarm threshold threshold

undo dhcp snooping alarm threshold

In the interface view:

dhcp snooping alarm { binding | mac-address | untrust-reply } threshold threshold

undo dhcp snooping alarm { binding | mac-address | untrust-reply } threshold

Parameters

Parameter Description Value
threshold Specifies the alarm threshold for the number of DHCP messages discarded by DHCP snooping. The value is an integer that ranges from 1 to 1000.
binding Specifies the alarm threshold for the number of DHCP messages discarded because they do not match the DHCP snooping binding entries. -
mac-address Specifies the alarm threshold for the number of DHCP messages discarded because the CHADDR field in the DHCP message does not match the source MAC address in the Ethernet frame header. -
untrust-reply Specifies the alarm threshold for the number of DHCP Reply messages discarded by untrusted interfaces. -

Views

System view, GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After trap for discarded DHCP messages is enabled, run the dhcp snooping alarm threshold command to specify the alarm threshold for the number of DHCP messages discarded by DHCP snooping. If the alarm threshold is not set on an interface, the interface uses the global alarm threshold.
NOTE:

If you run the dhcp snooping alarm threshold command in the system view, the command takes effect on all the interfaces of the device.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

To make the dhcp snooping alarm { mac-address | untrust-reply | user-bind } threshold threshold command take effect, you must first run the dhcp snooping alarm { binding | mac-address | untrust-reply } enable command in the view of the specified interface.

Precautions

If you specify an alarm threshold for the number of DHCP messages discarded by DHCP snooping in the system view, an alarm is generated when the number of all the discarded DHCP messages reaches the threshold.

If the alarm threshold is set in the system view and the interface view, the alarm threshold on the interface takes effect.

Example

# Set the global alarm threshold for the number of discarded DHCP messages to 200.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] dhcp snooping alarm threshold 200

# On 10GE1/0/1, enable DHCP snooping, enable the device to check whether the CHADDR field in the DHCP message matches the source MAC address in the Ethernet frame header, and enable trap for the DHCP messages discarded because the CHADDR field in the DHCP message does not match the source MAC address. Set the alarm threshold to 1000.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] dhcp snooping enable
[*HUAWEI-10GE1/0/1] dhcp snooping check mac-address enable
[*HUAWEI-10GE1/0/1] dhcp snooping alarm mac-address enable
[*HUAWEI-10GE1/0/1] dhcp snooping alarm mac-address threshold 1000

dhcp snooping rate-limit

Function

The dhcp snooping rate-limit command sets the maximum rate of sending DHCP messages to the processing unit.

The undo dhcp snooping rate-limit command restores the default maximum rate of sending DHCP messages to the processing unit.

By default, the maximum rate of sending global DHCP messages to the processing unit is 100 pps. The maximum rate of DHCP packets sent by a VLAN or interface to the DHCP processing unit is the value set in the system view.

Format

In the system view:

dhcp snooping rate-limit rate [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

undo dhcp snooping rate-limit

In the VLAN view and interface view:

dhcp snooping rate-limit rate

undo dhcp snooping rate-limit

Parameters

Parameter Description Value
rate Specifies the maximum rate of sending DHCP messages to the processing unit. The value ranges from 1 to 1000, in pps.
vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
Specifies the maximum rate of sending DHCP messages from a specified VLAN to the processing unit.
  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1.

If this parameter is not specified, the command takes effect on all the DHCP messages.

The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command.

Views

System view, VLAN view, GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After DHCP snooping is enabled, the device sends all the received DHCP Request messages and Reply messages to the processing unit. If the rate of sending DHCP messages is high, processing efficiency of the processing unit is affected. After the device is enabled to check the rate of sending DHCP messages to the processing unit, run the dhcp snooping rate-limit command to set the maximum rate of sending DHCP messages to the processing unit. DHCP messages that exceed the rate are discarded.

Prerequisites

The device has been enabled to check the rate of sending DHCP messages to the processing unit using the dhcp snooping rate-limit enable command.

Example

# In the system view, set the maximum rate of sending DHCP messages to the processing unit to 50 pps.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] dhcp snooping rate-limit enable
[*HUAWEI] dhcp snooping rate-limit 50

dhcp snooping rate-limit enable

Function

The dhcp snooping rate-limit enable command enables the device to check the rate of sending DHCP messages to the processing unit.

The undo dhcp snooping rate-limit enable command disables the device from checking the rate of sending DHCP messages to the processing unit.

By default, the device does not check the rate of sending DHCP messages to the processing unit.

Format

In the system view:

dhcp snooping rate-limit enable [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

undo dhcp snooping rate-limit enable [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

In the VLAN view and interface view:

dhcp snooping rate-limit enable

undo dhcp snooping rate-limit enable

Parameters

Parameter Description Value
vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
Enables the device to check the rate of sending DHCP messages from a specified VLAN to the processing unit.
  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1.

If this parameter is not specified, the command takes effect on all the DHCP messages.

The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command.

Views

System view, VLAN view, GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

After DHCP snooping is enabled, the device sends all the received DHCP Request messages and Reply messages to the processing unit. If the rate of sending DHCP messages is high, processing efficiency of the processing unit is affected. After the device is enabled to check the rate of sending DHCP messages to the processing unit, DHCP messages that exceed the specified rate are discarded.
NOTE:

To set the rate of sending DHCP messages, run the dhcp snooping rate-limit command.

Example

# In the system view, enable the device to check the rate of sending DHCP messages to the processing unit.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] dhcp snooping rate-limit enable

# In VLAN 10, enable the device to check the rate of sending DHCP messages to the processing unit.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] vlan 10
[*HUAWEI-vlan10] dhcp snooping enable
[*HUAWEI-vlan10] dhcp snooping rate-limit enable

dhcp snooping check mac-address enable

Function

The dhcp snooping check mac-address enable command enables the device to check whether the CHADDR field matches the source MAC address in the header of a DHCP Request message.

The undo dhcp snooping check mac-address enable command disables the device from checking whether the CHADDR field matches the source MAC address in the header of a DHCP Request message.

By default, the device does not check whether the CHADDR field is the same as the source MAC address in the header of a DHCP Request message.

Format

In the system view:

dhcp snooping check mac-address enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

undo dhcp snooping check mac-address enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

In the VLAN view, port group view and interface view:

dhcp snooping check mac-address enable

undo dhcp snooping check mac-address enable

Parameters

Parameter Description Value
vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
Enables the device to check whether the CHADDR field matches the source MAC address in the header of a DHCP Request message.
  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1.
The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command.

Views

System view, VLAN view, GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In normal situations, the CHADDR field in a DHCP Request message matches the MAC address of the DHCP client that sends the message. The DHCP server identifies the client MAC address based on the CHADDR field in the DHCP Request message. If attackers continuously apply for IP addresses by changing the CHADDR field in the DHCP Request message, addresses in the address pool on the DHCP server may be exhausted. As a result, authorized users cannot obtain IP addresses.
NOTE:

If you run the dhcp snooping check mac-address enable command in the VLAN view, the command takes effect on all the DHCP messages in the specified VLAN received by all the interfaces on the device. If you run the dhcp snooping check mac-address enable command in the interface view, the command takes effect for all the DHCP messages received on the interface.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Example

# Enable the device to check whether the CHADDR field in the DHCP message matches the source MAC address on 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] dhcp snooping enable
[*HUAWEI-10GE1/0/1] dhcp snooping check mac-address enable
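
The comparison this command performs, as an added Python example (not Huawei's implementation): parse an Ethernet frame down to the BOOTP header and compare the CHADDR field with the Ethernet source MAC. The function names, the return labels and the sample MAC addresses are assumptions made for the illustration; the frames are constructed.

```python
import struct

BOOTREQUEST = 1
DHCP_SERVER_PORT = 67


def build_request(src_mac: bytes, chaddr: bytes) -> bytes:
    """Build a broadcast Ethernet/IPv4/UDP/BOOTP request (constructed sample input)."""
    bootp = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, 1, 6, 0,                      # op, htype (Ethernet), hlen, hops
        0x12345678, 0, 0x8000,                     # xid, secs, flags (broadcast bit)
        bytes(4), bytes(4), bytes(4), bytes(4),    # ciaddr, yiaddr, siaddr, giaddr
        chaddr, bytes(64), bytes(128),             # chaddr (padded to 16), sname, file
    )
    bootp += b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"  # cookie, DISCOVER, end
    udp = struct.pack("!HHHH", 68, DHCP_SERVER_PORT, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp  # checksum left 0: not verified below
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip


def check_chaddr(frame: bytes) -> str:
    """Classify a frame: 'forward', 'discard', 'malformed' or 'ignore' (check not applicable)."""
    if len(frame) < 14:
        return "ignore"
    src_mac = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    ip = 14
    if ethertype == 0x8100 and len(frame) >= 18:   # skip one 802.1Q tag
        (ethertype,) = struct.unpack("!H", frame[16:18])
        ip = 18
    if ethertype != 0x0800 or len(frame) < ip + 20:
        return "ignore"
    ihl = (frame[ip] & 0x0F) * 4
    (frag,) = struct.unpack("!H", frame[ip + 6:ip + 8])
    if ihl < 20 or frame[ip + 9] != 17 or frag & 0x1FFF:
        return "ignore"                            # not UDP, or not the first fragment
    udp = ip + ihl
    if len(frame) < udp + 8:
        return "ignore"
    (dport,) = struct.unpack("!H", frame[udp + 2:udp + 4])
    if dport != DHCP_SERVER_PORT:
        return "ignore"
    bootp = udp + 8
    if len(frame) < bootp + 44:                    # chaddr occupies BOOTP bytes 28..43
        return "malformed"
    op, htype, hlen = frame[bootp], frame[bootp + 1], frame[bootp + 2]
    if op != BOOTREQUEST:
        return "ignore"
    if htype != 1 or hlen != 6:
        return "malformed"
    chaddr = frame[bootp + 28:bootp + 34]
    return "forward" if chaddr == src_mac else "discard"


if __name__ == "__main__":
    client = bytes.fromhex("020000000001")         # constructed client MAC
    forged = bytes.fromhex("0200000000aa")         # constructed CHADDR that differs
    print(check_chaddr(build_request(client, client)))   # CHADDR equals source MAC
    print(check_chaddr(build_request(client, forged)))   # CHADDR differs from source MAC
```

A Request forwarded by a DHCP relay carries the relay's MAC address as the Ethernet source, so the comparison is only meaningful on interfaces that face clients directly.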

dhcp snooping check binding enable

Function

The dhcp snooping check binding enable command enables the device to check DHCP messages against the DHCP snooping binding table.

The undo dhcp snooping check binding enable command disables the device from checking DHCP messages against the DHCP snooping binding table.

By default, the device does not check DHCP messages against the DHCP snooping binding table.

Format

In the system view:

dhcp snooping check binding enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

undo dhcp snooping check binding enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

In the VLAN view and interface view:

dhcp snooping check binding enable

undo dhcp snooping check binding enable

Parameters

Parameter Description Value
vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> Enables the device to check DHCP messages in a specified VLAN against the DHCP snooping binding table. The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command.

Views

System view, VLAN view, GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a DHCP snooping binding table is generated, the device checks DHCP Request and Release messages against the binding table. The device forwards only DHCP messages that match binding entries. This prevents unauthorized users from sending bogus DHCP Request or Release messages to extend or release IP addresses.

The matching rules are as follows:

  • When the device receives a DHCP Request message, it performs the following operations:
    1. Checks whether the destination MAC address is all Fs. If so, the device considers that the user goes online for the first time and directly forwards the message. If not, the device considers that the user sends the DHCP Request message to renew the IP address lease and checks the DHCP Request message against the DHCP snooping binding table.
    2. Checks whether the CHADDR field in the DHCP Request message matches a DHCP snooping binding entry. If not, the device considers that the user goes online for the first time and directly forwards the message. If so, the device checks whether the VLAN ID, IP address, and interface number of the message match DHCP snooping binding entries. If all these fields match a DHCP snooping binding entry, the device forwards the message; otherwise, the device discards the message.
  • When receiving a DHCP Release message, the device checks whether the VLAN ID, IP address, MAC address, and interface number of the message match a dynamic DHCP snooping binding entry. If so, the device forwards the message; otherwise, the device discards the message.
NOTE:

If you run the dhcp snooping check binding enable command in the VLAN view, the command takes effect for all the DHCP messages received from the specified VLAN. If you run the dhcp snooping check binding enable command in the interface view, the command takes effect for all the DHCP messages received on the specified interface.
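
The matching rules above, written out as a decision function in an added Python example (not the device's code). The Binding and Message types, the field names and all addresses are assumptions made for the illustration; the "MAC address" compared for a Release message is assumed to be the CHADDR.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    dynamic: bool = True      # False for a statically configured entry


@dataclass(frozen=True)
class Message:
    kind: str                 # "request" or "release"
    dst_mac: str              # destination MAC of the Ethernet frame
    chaddr: str               # client hardware address carried in the message
    ip: str                   # client IP address carried in the message
    vlan: int
    interface: str            # interface the message arrived on


def check_binding(msg, table):
    """Return (action, reason) following the matching rules in the Usage Scenario."""
    where = (msg.vlan, msg.ip, msg.interface)
    if msg.kind == "request":
        # Rule 1: an all-Fs destination MAC means a first-time request.
        if msg.dst_mac.lower() == BROADCAST:
            return "forward", "broadcast request, user going online for the first time"
        # Rule 2: a unicast request is a renewal; look the CHADDR up in the table.
        entries = [b for b in table if b.mac == msg.chaddr.lower()]
        if not entries:
            return "forward", "CHADDR not in the binding table, treated as a first-time user"
        if any((b.vlan, b.ip, b.interface) == where for b in entries):
            return "forward", "renewal matches a binding entry"
        return "discard", "CHADDR is bound, but VLAN, IP address or interface differs"
    if msg.kind == "release":
        for b in table:
            if (b.dynamic and b.mac == msg.chaddr.lower()
                    and (b.vlan, b.ip, b.interface) == where):
                return "forward", "release matches a dynamic binding entry"
        return "discard", "release does not match any dynamic binding entry"
    return "not-checked", "only Request and Release messages are checked"


# Constructed sample binding table: one dynamic entry and one static entry.
TABLE = [
    Binding("02:00:00:00:00:01", "192.0.2.10", 10, "10GE1/0/1"),
    Binding("02:00:00:00:00:02", "192.0.2.20", 10, "10GE1/0/2", dynamic=False),
]
SERVER = "02:00:00:00:00:fe"  # constructed unicast destination (the DHCP server)

if __name__ == "__main__":
    samples = [
        Message("request", BROADCAST, "02:00:00:00:00:09", "0.0.0.0", 10, "10GE1/0/3"),
        Message("request", SERVER, "02:00:00:00:00:01", "192.0.2.10", 10, "10GE1/0/1"),
        Message("request", SERVER, "02:00:00:00:00:01", "192.0.2.10", 10, "10GE1/0/3"),
        Message("release", SERVER, "02:00:00:00:00:01", "192.0.2.10", 10, "10GE1/0/3"),
    ]
    for m in samples:
        print(m.kind, m.interface, *check_binding(m, TABLE))
```

Rules 1 and 2 forward every broadcast Request and every Request whose CHADDR has no binding entry, so this check protects existing leases only; the CHADDR check (dhcp snooping check mac-address enable) and the binding-entry limit (dhcp snooping user-bind max-number) cover what it lets through.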

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Example

# Enable the device to check DHCP messages against the DHCP snooping binding table in VLAN 10.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] vlan 10
[*HUAWEI-vlan10] dhcp snooping enable
[*HUAWEI-vlan10] dhcp snooping check binding enable

dhcp snooping disable

Function

The dhcp snooping disable command disables DHCP snooping on an interface.

The undo dhcp snooping disable command cancels the configuration.

By default, DHCP snooping is not disabled on an interface.

Format

dhcp snooping disable

undo dhcp snooping disable

Parameters

None

Views

GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

If you run the dhcp snooping enable command to enable DHCP snooping in a VLAN, DHCP snooping is enabled on all the interfaces in the VLAN. If you do not run the dhcp snooping enable command to enable DHCP snooping on an interface, you cannot run the undo dhcp snooping enable command to disable DHCP snooping on the interface. To address this problem, run the dhcp snooping disable command to disable DHCP snooping on the interface. Users can properly go online from this interface, but no dynamic binding entry is generated.

NOTE:

The dhcp snooping disable command not only disables DHCP snooping on an interface, but also clears the DHCP snooping configuration and the dynamic binding table. The undo dhcp snooping enable command, however, only disables DHCP snooping on the interface and does not clear the configuration or the dynamic binding table.

The undo dhcp snooping disable command enables DHCP snooping on an interface. To enable DHCP snooping, run the dhcp snooping enable command.

Example

# Disable DHCP snooping on 10GE1/0/1 in VLAN 10.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] vlan 10
[*HUAWEI-vlan10] dhcp snooping enable
[*HUAWEI-vlan10] quit
[*HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] dhcp snooping disable
Warning: All DHCP snooping functions on the port will be deleted. Continue? [Y/N]:y

dhcp snooping enable

Function

The dhcp snooping enable command enables DHCP snooping.

The undo dhcp snooping enable command disables DHCP snooping.

By default, DHCP snooping is disabled on the device.

Format

In the system view:

dhcp snooping enable [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

undo dhcp snooping enable [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

In the VLAN view and interface view:

dhcp snooping enable

undo dhcp snooping enable

Parameters

Parameter Description Value
vlan { vlan-id1 [ to vlan-id2 ] }
Enables DHCP snooping in a specified VLAN.
  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1.
The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command.

Views

System view, VLAN view, GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

DHCP snooping is a security function to protect DHCP.

You must enable DHCP snooping in the system view before enabling DHCP snooping on an interface or in a VLAN.

Prerequisites

DHCP has been enabled globally using the dhcp enable command.

Follow-up Procedure

Run the dhcp snooping trusted command to configure the interface connected to the DHCP server as a trusted interface. A binding table is generated.

Precautions

If you run the dhcp snooping enable command in the VLAN view, the command takes effect for all the DHCP messages from the specified VLAN. If you run the dhcp snooping enable command in the interface view, the command takes effect for all the DHCP messages received on the specified interface.

Example

# Enable DHCP snooping globally.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable

# Enable DHCP snooping on 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] dhcp snooping enable

# Enable DHCP snooping in VLAN 100.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] vlan 100
[*HUAWEI-vlan100] dhcp snooping enable

dhcp snooping user-bind max-number

Function

The dhcp snooping user-bind max-number command sets the maximum number of DHCP snooping binding entries to be learned on an interface.

The undo dhcp snooping user-bind max-number command restores the default maximum number of DHCP snooping binding entries to be learned on an interface.

By default, a maximum of 32768 DHCP snooping binding entries can be learned on an interface.

Format

In the system view:

dhcp snooping user-bind max-number max-number [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

undo dhcp snooping user-bind max-number [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

In the VLAN view and interface view:

dhcp snooping user-bind max-number max-number

undo dhcp snooping user-bind max-number

Parameters

Parameter Description Value
max-number Specifies the maximum number of DHCP snooping binding entries that can be learned on an interface. The value is an integer that ranges from 1 to 32768.
vlan { vlan-id1 [ to vlan-id2 ] }
Specifies the maximum number of DHCP snooping binding entries that can be learned in a VLAN.
  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1.
The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command.

Views

System view, VLAN view, GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The dhcp snooping max-user-number command sets the maximum number of DHCP snooping binding entries that can be learned on an interface. When the number of DHCP snooping binding entries reaches the maximum value, subsequent users cannot go online.

When the command is executed in the system view, the value specified in this command is the total number of DHCP snooping binding entries to be learned by all interfaces on the device. If you run the dhcp snooping max-user-number command in the VLAN view, the command takes effect on all the interfaces in the VLAN. If you run the dhcp snooping max-user-number command in the system view, VLAN view, and the interface view, the smallest value takes effect.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Example

# Set the maximum number of DHCP users to 100 on 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] dhcp snooping enable
[*HUAWEI-10GE1/0/1] dhcp snooping user-bind max-number 100

# Set the maximum number of DHCP users in VLAN 100 to 100.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] vlan 100
[*HUAWEI-vlan100] dhcp snooping enable
[*HUAWEI-vlan100] dhcp snooping user-bind max-number 100

dhcp snooping sticky-mac

Function

The dhcp snooping sticky-mac command enables the device to generate static MAC address entries based on dynamic DHCP snooping binding entries.

The undo dhcp snooping sticky-mac command disables the device from generating static MAC address entries based on dynamic DHCP snooping binding entries.

By default, the device does not generate static MAC address entries based on dynamic DHCP snooping binding entries.

Format

dhcp snooping sticky-mac

undo dhcp snooping sticky-mac

Parameters

None

Views

GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Dynamic MAC address entries are learned and generated by the device, and static MAC address entries are configured by command lines. A MAC address entry consists of the MAC address, VLAN ID, and port number of a DHCP client. The device implements Layer 2 forwarding based on MAC address entries.

After the dhcp snooping sticky-mac command is executed on an interface, the device generates static MAC address entries (snooping type) for the DHCP users on the interface based on the corresponding dynamic binding entries, clears all the dynamic MAC address entries on the interface, disables the interface from learning dynamic MAC address entries, and enables the device to match the source MAC address against MAC address entries. Then only messages whose source MAC address matches a static MAC address entry can pass through the interface; other messages are discarded. The CE6870EI device does not match source MAC addresses in Layer 3 packets with static MAC address entries or discard them. Therefore, the administrator needs to manually configure static MAC address entries (the static type) for non-DHCP users on the interface so that messages sent from non-DHCP users can pass through; otherwise, DHCP messages are discarded. This prevents attacks from non-DHCP users.
NOTE:
  • CE6870EI does not support Layer 3 packets.

  • To check MAC address entries generated on the device, run the display mac-address command.

  • If a DHCP snooping binding entry is updated, the corresponding static MAC address entry is automatically updated.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

The dhcp snooping sticky-mac command cannot be used with the following commands on an interface.

Command Description
mac-address learning disable (Interface view and VLAN view) Enables MAC address learning.
mac-address limit Sets the maximum number of MAC addresses to be learned.
port-security enable Enables port security.
ip source check user-bind enable Enables IP packet check.
dhcp snooping trusted Configures an interface as a trusted interface.
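
An added Python example (not a Huawei tool) that audits a saved configuration against rules stated in this reference: the sticky-mac incompatibilities listed above, the prerequisite that an interface alarm threshold needs the matching alarm enable command, and the prerequisite that dhcp enable and dhcp snooping enable are present in the system view. The configuration text is constructed, and its layout (views separated by "#", sub-commands indented by one space) is an assumption.

```python
import re

# Commands the Precautions table lists as incompatible with sticky-mac on one interface.
STICKY_MAC_CONFLICTS = (
    "mac-address learning disable",
    "mac-address limit",
    "port-security enable",
    "ip source check user-bind enable",
    "dhcp snooping trusted",
)
ALARM_THRESHOLD = re.compile(
    r"^dhcp snooping alarm (binding|mac-address|untrust-reply) threshold \d+$")

# Constructed sample; the one-space indentation and "#" separators are assumed.
SAMPLE_CONFIG = """\
dhcp enable
dhcp snooping enable
#
vlan 10
 dhcp snooping enable
#
interface 10GE1/0/1
 dhcp snooping enable
 dhcp snooping check mac-address enable
 dhcp snooping alarm mac-address enable
 dhcp snooping alarm mac-address threshold 1000
#
interface 10GE1/0/2
 dhcp snooping enable
 dhcp snooping sticky-mac
 port-security enable
 dhcp snooping alarm untrust-reply threshold 50
#
interface 10GE1/0/3
 dhcp snooping trusted
#
"""


def parse_views(config):
    """Return {view header: [commands]}; the key "system" holds system-view commands."""
    views = {"system": []}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
        elif raw[0].isspace():
            if current is not None:        # skip sub-views this audit does not cover
                views[current].append(line)
        elif line.lower().startswith(("interface ", "vlan ")):
            current = line
            views.setdefault(current, [])
        else:
            views["system"].append(line)
            current = None
    return views


def audit(config):
    """Return a list of (view, finding) tuples for the prerequisite and conflict rules."""
    views = parse_views(config)
    findings = []
    if any(c.startswith("dhcp snooping") for cmds in views.values() for c in cmds):
        for required in ("dhcp enable", "dhcp snooping enable"):
            if required not in views["system"]:
                findings.append(("system", f"'{required}' is missing from the system view"))
    for view, cmds in views.items():
        if not view.lower().startswith("interface "):
            continue
        if "dhcp snooping sticky-mac" in cmds:
            for cmd in cmds:
                if any(cmd == c or cmd.startswith(c + " ") for c in STICKY_MAC_CONFLICTS):
                    findings.append((view, f"sticky-mac cannot be used with '{cmd}'"))
        for cmd in cmds:
            m = ALARM_THRESHOLD.match(cmd)
            if m and f"dhcp snooping alarm {m.group(1)} enable" not in cmds:
                findings.append((view, f"'{cmd}' has no effect without the matching alarm enable"))
    return findings


if __name__ == "__main__":
    for view, finding in audit(SAMPLE_CONFIG):
        print(f"{view}: {finding}")
```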

Example

# Enable the device to generate static MAC address entries based on DHCP snooping binding entries on 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] dhcp snooping sticky-mac

dhcp snooping trusted

Function

The dhcp snooping trusted command configures an interface as a trusted interface.

The undo dhcp snooping trusted command configures an interface as an untrusted interface.

By default, all interfaces are untrusted interfaces.

Format

In the VLAN view:

dhcp snooping trusted interface interface-type interface-number

undo dhcp snooping trusted interface interface-type interface-number

In the interface view:

dhcp snooping trusted

undo dhcp snooping trusted

Parameters

Parameter Description Value
interface interface-type interface-number Specifies the type and number of an interface in a VLAN.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.
-

Views

VLAN view, GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To enable DHCP clients to obtain IP addresses from authorized DHCP servers, DHCP snooping supports the trusted interface and untrusted interfaces. The trusted interface forwards DHCP messages while untrusted interfaces discard received DHCP ACK messages and DHCP Offer messages.

An interface directly or indirectly connected to the DHCP server trusted by the administrator needs to be configured as the trusted interface, and other interfaces are configured as untrusted interfaces. This ensures that DHCP clients obtain IP addresses from authorized DHCP servers.

NOTE:

If you run the dhcp snooping trusted command in the VLAN view, the command takes effect for all the DHCP messages received from the specified VLAN. If you run the dhcp snooping trusted command in the interface view, the command takes effect for all the DHCP messages received on the specified interface.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Example

# Configure 10GE1/0/1 in VLAN 100 as the trusted interface.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] vlan 100
[*HUAWEI-vlan100] dhcp snooping enable
[*HUAWEI-vlan100] dhcp snooping trusted interface 10ge 1/0/1

# Configure 10GE1/0/1 as the trusted interface.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] dhcp snooping enable
[*HUAWEI-10GE1/0/1] dhcp snooping trusted

dhcp snooping user-bind autosave

Function

The dhcp snooping user-bind autosave command enables automatic backup of the DHCP snooping binding table.

The undo dhcp snooping user-bind autosave command disables automatic backup of the DHCP snooping binding table.

By default, automatic backup of the DHCP snooping binding table is disabled.

Format

dhcp snooping user-bind autosave file-name

undo dhcp snooping user-bind autosave

Parameters

Parameter Description Value
file-name Specifies the path for storing the file that backs up the binding table and the file name. The file path and name supported by the device must be both entered. The value is a string of 1 to 51 case-sensitive characters without spaces.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The dhcp snooping user-bind autosave command can retain the configured DHCP snooping binding entries after the device restarts. After a DHCP snooping binding table is generated, you can run the dhcp snooping user-bind autosave command to enable automatic backup of the DHCP snooping binding table.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

This prevents data loss in the DHCP snooping binding table. The suffix of the file must be .tbl.

If the system restarts within one day after the system time is changed, immediately run the dhcp snooping user-bind autosave command again to back up the latest dynamic binding entries because it is not the time to update the binding table. If you do not run this command, the lease will be inconsistent with the current system time after the dynamic binding table is restored.

Example

# Configure the device to back up the DHCP snooping binding table to the file backup.tbl in the flash.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] dhcp snooping user-bind autosave flash:/backup.tbl

dhcp snooping users car

Function

The dhcp snooping users car command configures rate limitation on DHCP user traffic.

The undo dhcp snooping users car command cancels rate limitation on DHCP user traffic.

By default, rate limitation on DHCP user traffic is disabled.

NOTE:
CE6880EI does not support the command.

Format

dhcp snooping users car cir cir-value [ cbs cbs-value ]

undo dhcp snooping users car

Parameters

Parameter Description Value
cir cir-value Specifies the committed information rate (CIR), which is the average rate of traffic that can pass through an interface. The value is an integer that ranges from 1 to 100000000, in kbit/s.
cbs cbs-value Specifies the committed burst size (CBS), which is the average volume of burst traffic that can pass through an interface. The value is an integer that ranges from 1 to 536870912, in bytes.

Views

System view, VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After users go online on a DHCP network, user traffic is not limited by default. In this case, if the traffic of a user is extremely high, the limited network resources are occupied by the user, affecting resource usage of other DHCP users.

To solve this problem, you can configure rate limitation on user traffic based on DHCP snooping binding tables. The device then will discard extra traffic so that the input and output traffic is restricted within a reasonable range. After a DHCP user goes online, the device identifies it as an authorized user based on the DHCP snooping binding table and dynamically applies the configured traffic rate limitation policy for the user. This ensures that network resources can be effectively used.

Precautions

The configuration in the system view takes effect globally for DHCP users; the configuration in the VLAN view takes effect only for the DHCP users in the VLAN. If rate limitation on user traffic is configured in both the system view and the VLAN view for the same DHCP user, the configuration in the VLAN view takes effect.

After the user traffic rate exceeds 1 Mbit/s, the errors of rate limitation are within 3% for the packets with 256 or more bytes. (CE6870EI)

After the user traffic rate exceeds 1 Mbit/s, the errors of rate limitation for the packets with less than 256 bytes are within 3% in a non-stack and 6% in a stack. (CE6870EI)

Example

# Configure rate limitation on DHCP user traffic in the system view.

<HUAWEI> system-view
[~HUAWEI] dhcp snooping users car cir 64 cbs 128

# Configure rate limitation on DHCP user traffic in the VLAN view.

<HUAWEI> system-view
[~HUAWEI] vlan 100
[*HUAWEI-vlan100] dhcp snooping users car cir 64 cbs 128

dhcp snooping user-offline remove mac-address

Function

The dhcp snooping user-offline remove mac-address command enables the device to delete the MAC address entry of a user whose DHCP snooping binding entry is deleted.

The undo dhcp snooping user-offline remove mac-address command disables the device from deleting the MAC address entry of a user whose binding entry is deleted.

By default, the device does not delete the MAC address entry of a user whose DHCP snooping binding entry is deleted.

Format

dhcp snooping user-offline remove mac-address

undo dhcp snooping user-offline remove mac-address

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a user goes offline but its MAC address entry is not aged, the device forwards the packet whose destination address is the IP address of the user based on the dynamic MAC address entry. After the dhcp snooping user-offline remove mac-address command is executed, the user MAC address entry is deleted when the DHCP snooping binding entry is deleted. With the function of discarding unknown unicast packets on the network-side interface, the device discards packets destined to offline users.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Example

# Enable the device to delete the MAC address entry of a user whose DHCP snooping binding entry is deleted.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] dhcp snooping user-offline remove mac-address

dhcp snooping fixed-port enable

Function

The dhcp snooping fixed-port enable command enables location fixation for DHCP snooping users.

The undo dhcp snooping fixed-port enable command disables location fixation for DHCP snooping users.

By default, location fixation is disabled for DHCP snooping users.

Format

dhcp snooping fixed-port enable

undo dhcp snooping fixed-port enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In mobile applications, if a user goes online from interfaceA and then switches to interfaceB, you need to disable location fixation for DHCP snooping users.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Example

# Disable location fixation for DHCP snooping users.

<HUAWEI> system-view
[~HUAWEI] dhcp enable
[*HUAWEI] dhcp snooping enable
[*HUAWEI] undo dhcp snooping fixed-port enable

display dhcp option82 configuration

Function

The display dhcp option82 configuration command displays the DHCP Option82 configuration.

Format

display dhcp option82 configuration [ vlan vlan-id | interface interface-type interface-number ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| vlan vlan-id | Displays the DHCP Option 82 configuration in a specified VLAN. | The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command. |
| interface interface-type interface-number | Displays the DHCP Option 82 configuration on a specified interface. interface-type specifies the interface type. interface-number specifies the interface number. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The Option 82 field records the location of a DHCP client. A device inserts the Option 82 field into a DHCP Request message to notify the DHCP server of the DHCP client location. The DHCP server can then properly assign an IP address and other configurations to the DHCP client, ensuring DHCP client security.

After the Option 82 field is inserted into a DHCP message, run the display dhcp option82 configuration command to display the DHCP Option 82 configuration.

Example

# Display all the DHCP Option82 configurations.

<HUAWEI> display dhcp option82 configuration
#                                                                               
Vlan 10                                                                         
 dhcp option82 rebuild enable                                                   
#                                                                               
interface 10GE 1/0/1                                                  
 dhcp option82 rebuild enable                                                   
 dhcp option82 circuit-id format common                                         
#                                             

# Display the configuration of the DHCP Option 82 field on 10GE1/0/1.

<HUAWEI> display dhcp option82 configuration interface 10ge 1/0/1
#                                                                               
interface 10GE 1/0/1                                                  
 dhcp option82 rebuild enable                                                   
 dhcp option82 circuit-id format common                                         
#                                             

display dhcp snooping

Function

The display dhcp snooping command displays DHCP snooping running information.

Format

display dhcp snooping [ interface interface-type interface-number | vlan vlan-id ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| interface interface-type interface-number | Displays DHCP snooping running information on a specified interface. interface-type specifies the interface type. interface-number specifies the interface number. | - |
| vlan vlan-id | Displays DHCP snooping running information in a specified VLAN. | The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display dhcp snooping command displays DHCP snooping running information. If no interface or VLAN is specified, global DHCP snooping running information is displayed. If an interface or a VLAN ID is specified, DHCP snooping running information about the interface or VLAN is displayed.

Example

# Display global DHCP snooping running information.

<HUAWEI> display dhcp snooping
 DHCP snooping global running information :                                     
 DHCP snooping                            : Enable                              
 Static user max number                   : 1024                                
 Current static user number               : 0                                   
 DHCP user max number                     : 32768    (default)                  
 Current DHCP user number                 : 0                                   
 DHCP snooping user-bind ARP-detect       : Disable  (default)                  
 Alarm threshold                          : 100      (default)                  
 Rate-limit                               : Disable  (default)                  
 Rate-limit value(pps)                    : 100      (default)                  
 Alarm rate-limit                         : Disable  (default)                  
 Alarm rate-limit threshold               : 100      (default)                  
 Discarded packets for rate-limit         : 0                                   
 Bind-table autosave                      : Disable  (default)                  
 Offline remove MAC-address               : Disable  (default)                  
 Client position fixed allowed            : Disable  (default)                  
              
 DHCP snooping                            : Enable                              
 Trusted interface                        : No                                  
 DHCP user max number                     : 32768    (default)                  
 Current DHCP user number                 : 0                                   
 Check MAC-address                        : Disable  (default)                  
 Alarm MAC-address                        : Disable  (default)                  
 Check binding                            : Disable  (default)                  
 Alarm binding                            : Disable  (default)                  
 Rate-limit                               : Disable  (default)                  
 Alarm rate-limit                         : Disable  (default)                  
 Alarm rate-limit threshold               : 0                                   
 Discarded packets for rate-limit         : 0                                   
 Alarm untrust-reply                      : Disable  (default)      

# Display DHCP snooping running information in VLAN 10.

<HUAWEI> display dhcp snooping vlan 10
 DHCP snooping                            : Enable                              
 DHCP user max number                     : 32768    (default)                  
 Current DHCP user number                 : 0                                   
 Check MAC-address                        : Disable  (default)                  
 Check binding                            : Disable  (default)                  
 Rate-limit                               : Disable  (default)                  
Table 16-87  Description of the display dhcp snooping command output

| Item | Description |
|---|---|
| DHCP snooping | Whether DHCP snooping is enabled. To enable DHCP snooping, run the dhcp snooping enable command. |
| Static user max number | Maximum number of static users. |
| Current static user number | Number of current static users. |
| DHCP user max number | Maximum number of DHCP snooping users. To set the maximum number of DHCP snooping users, run the dhcp snooping user-bind max-number command. |
| Current DHCP user number | Number of current DHCP snooping users. |
| DHCP snooping user-bind ARP-detect | Whether association between ARP and DHCP snooping is enabled. To enable association between ARP and DHCP snooping, run the dhcp snooping user-bind arp-detect enable command. |
| Alarm threshold | Global alarm threshold for the number of discarded DHCP snooping messages. To set the global alarm threshold for the number of discarded DHCP snooping messages, run the dhcp snooping alarm threshold command. |
| Rate-limit | Whether a device is enabled to check the rate of sending DHCP messages. To enable the device to check the rate of sending DHCP messages, run the dhcp snooping rate-limit enable command. |
| Rate-limit value(pps) | Rate limit of DHCP messages, in pps. To set the rate limit of DHCP messages, run the dhcp snooping rate-limit command. |
| Alarm rate-limit | Whether trap for checking the rate of sending DHCP messages to the processing unit is enabled. To enable trap for checking the rate of sending DHCP messages to the processing unit, run the dhcp snooping alarm rate-limit enable command. |
| Alarm rate-limit threshold | Alarm threshold for the number of discarded DHCP messages. An alarm is generated if the number of discarded DHCP messages reaches the alarm threshold. To set the alarm threshold for the number of discarded DHCP messages, run the dhcp snooping alarm rate-limit threshold command. |
| Discarded packets for rate-limit | Number of discarded DHCP messages whose rate exceeds the rate limit. |
| Bind-table autosave | Whether a device is enabled to save the binding table. To enable the device to save the binding table, run the dhcp snooping user-bind autosave command. |
| Offline remove MAC-address | Whether a device is enabled to delete MAC addresses of offline users. To enable the device to delete MAC addresses of offline users, run the dhcp snooping user-offline remove mac-address command. |
| Client position fixed allowed | Whether location transition is enabled for DHCP snooping users. To enable location transition for DHCP snooping users, run the dhcp snooping fixed-port enable command. |
| Trusted interface | Whether an interface is a trusted interface. To configure an interface as a trusted interface, run the dhcp snooping trusted command. |
| Check MAC-address | Whether a device is enabled to check whether the CHADDR field in a DHCP Request message matches the source MAC address in the Ethernet frame header. To enable the device to check whether the CHADDR field in a DHCP Request message matches the source MAC address in the Ethernet frame header, run the dhcp snooping check mac-address enable command. |
| Alarm MAC-address | Whether a device is enabled to generate an alarm when the number of discarded DHCP Request messages with the CHADDR field different from the source MAC address in the Ethernet frame header exceeds the alarm threshold. To enable the device to generate an alarm when the number of discarded DHCP Request messages with the CHADDR field different from the source MAC address in the Ethernet frame header exceeds the alarm threshold, run the dhcp snooping alarm threshold command. |
| Check binding | Whether an interface is enabled to check DHCP Request messages. To enable the interface to check DHCP Request messages, run the dhcp snooping check binding enable command. |
| Alarm binding | Whether a device is enabled to generate an alarm when the number of DHCP Request messages discarded within a specified period reaches the alarm threshold. To enable the device to generate an alarm when the number of DHCP Request messages discarded within a specified period reaches the alarm threshold, run the dhcp snooping alarm threshold command. |
| Alarm untrust-reply | Whether a device is enabled to generate an alarm when an interface discards a DHCP Reply message from an untrusted interface. To enable the device to generate an alarm when an interface discards a DHCP Reply message from an untrusted interface, run the dhcp snooping alarm threshold command. |
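
The following Python sketch is an added example, not part of the Huawei documentation. It parses display dhcp snooping output into one dictionary per block, lists the protections from Table 16-87 that are reported as Disable together with the enabling command the table names, and points out checks that are enabled while their alarm is disabled. The sample text is constructed in the layout of the output above, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the "display dhcp snooping" example:
# a global block, a blank line, then an interface-level block.
SAMPLE = """\
 DHCP snooping global running information :
 DHCP snooping                            : Enable
 Rate-limit                               : Disable  (default)
 Rate-limit value(pps)                    : 100      (default)
 Alarm rate-limit                         : Disable  (default)
 Offline remove MAC-address               : Disable  (default)

 DHCP snooping                            : Enable
 Trusted interface                        : No
 Check MAC-address                        : Disable  (default)
 Alarm MAC-address                        : Disable  (default)
 Check binding                            : Enable
 Alarm binding                            : Disable  (default)
 Rate-limit                               : Disable  (default)
 Alarm untrust-reply                      : Disable  (default)
"""

# "<field> : <value> [(default)]"; header lines with nothing after the colon
# do not match and are skipped.
FIELD_RE = re.compile(
    r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>\S+)(?:\s+\(default\))?\s*$")

# Field name -> enabling command, both taken from Table 16-87 on this page.
HARDENING = {
    "DHCP snooping": "dhcp snooping enable",
    "Check MAC-address": "dhcp snooping check mac-address enable",
    "Check binding": "dhcp snooping check binding enable",
    "Rate-limit": "dhcp snooping rate-limit enable",
}

# Check field -> the alarm field that reports packets the check discards.
ALARM_FOR = {
    "Check MAC-address": "Alarm MAC-address",
    "Check binding": "Alarm binding",
    "Rate-limit": "Alarm rate-limit",
}


def parse_sections(text):
    """Split the output on blank lines and parse each block into a dict."""
    sections, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                sections.append(current)
                current = {}
            continue
        match = FIELD_RE.match(line)
        if match:
            current[match.group("key")] = match.group("value")
    if current:
        sections.append(current)
    return sections


def audit(section):
    """Return (field, command) pairs for protections reported as Disable."""
    return [(field, cmd) for field, cmd in HARDENING.items()
            if section.get(field) == "Disable"]


def silent_checks(section):
    """Checks that are enabled while their matching alarm is disabled."""
    return [check for check, alarm in ALARM_FOR.items()
            if section.get(check) == "Enable"
            and section.get(alarm) == "Disable"]


if __name__ == "__main__":
    for index, section in enumerate(parse_sections(SAMPLE)):
        for field, cmd in audit(section):
            print(f"block {index}: {field} is Disable -> {cmd}")
        for check in silent_checks(section):
            print(f"block {index}: {check} drops packets without an alarm")
```
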

display user-bind dhcp snooping

Function

The display user-bind dhcp snooping command displays the DHCP snooping binding table.

Format

display user-bind dhcp snooping { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id } * | all } [ verbose ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| interface interface-type interface-number | Displays binding entries mapping on the specified interface. interface-type specifies the interface type. interface-number specifies the interface number. | - |
| ip-address ip-address | Displays binding entries mapping a specified IP address. | The value is in dotted decimal notation. |
| mac-address mac-address | Displays binding entries mapping a specified MAC address. | The value is in the format of H-H-H, in which H is a hexadecimal number of 4 digits. |
| vlan vlan-id | Displays binding entries mapping a specified VLAN ID. | The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command. |
| all | Displays all entries in the binding table. | - |
| verbose | Displays detailed information about the binding table. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After DHCP snooping is enabled, the device generates a DHCP snooping binding table. A binding entry contains the MAC address, IP address, number of the interface connected to the DHCP client, and VLAN ID on the interface. You can run the display user-bind dhcp snooping command to view the DHCP snooping binding table.

Example

# Display information about the DHCP snooping binding table.

<HUAWEI> display user-bind dhcp snooping all
Flags: O - outer vlan, I - inner vlan, P - map vlan
IP Address       MAC Address     VSI/VLAN(O/I/P) Interface      Lease           
--------------------------------------------------------------------------------
10.0.0.8         0000-0000-1002  83  /--  /--    10GE1/0/1      2013.04.26-10:39
--------------------------------------------------------------------------------
Print count:           1          Total count:           1         

# Display detailed information about the DHCP snooping binding table.

<HUAWEI> display user-bind dhcp snooping all verbose
--------------------------------------------------------------------------------
 IP Address  : 10.0.0.8
 MAC Address : 0000-0000-1002
 VSI         : --
 VLAN(O/I/P) : 83  /--  /--  
 Interface   : 10GE4/0/0
 Lease       : 2013.04.26-10:39
 Gateway     : --
 Server-ip   : 192.168.1.1
--------------------------------------------------------------------------------
Print count:           1          Total count:           1         
Table 16-88  Description of the display user-bind dhcp snooping command output

| Item | Description |
|---|---|
| Flags | VLAN ID. O: Outer VLAN. I: Inner VLAN. P: Map VLAN. |
| IP Address | User IP address. |
| MAC Address | User MAC address. |
| VSI | Name of the VPN instance that the online user belongs to. |
| VLAN(O/I/P) | ID of the VLAN that the user belongs to. |
| Interface | User access interface. |
| Lease | Time when the lease of the IP address used by the user expires. |
| Print count | Number of printed binding entries. |
| Total count | Total number of the DHCP snooping binding entries. |
| Gateway | Gateway address. |
| Server-ip | IP addresses of the DHCP server. |

display dhcp snooping users car status

Function

The display dhcp snooping users car status command displays the status of rate limitation on DHCP user traffic.

Format

display dhcp snooping users car status [ ip-address ip-address | mac-address mac-address | vlan vlan-id | interface interface-type interface-number ] *

NOTE:
CE6880EI does not support the command.

Parameters

| Parameter | Description | Value |
|---|---|---|
| ip-address ip-address | Displays the status of rate limitation on DHCP user traffic with a specified IP address. | The value is in dotted decimal notation. |
| mac-address mac-address | Displays the status of rate limitation on DHCP user traffic with a specified MAC address. | The value is in the H-H-H format. An H contains 1 to 4 hexadecimal digits. |
| vlan vlan-id | Displays the status of rate limitation on DHCP user traffic in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| interface interface-type interface-number | Displays the status of rate limitation on DHCP user traffic on a specified interface. interface-type specifies the interface type. interface-number specifies the interface number. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After rate limitation on user traffic is configured based on the DHCP snooping binding table, you can run the display dhcp snooping users car status command to check the status of rate limitation.

Example

# Display the status of rate limitation on DHCP user traffic with the IP address 10.10.1.1.

<HUAWEI> display dhcp snooping users car status ip-address 10.10.1.1
DHCP Bind-table:                                                                
Flags: O - outer vlan, I - inner vlan, P - map vlan                             
--------------------------------------------------------------------------------
IP Address       MAC Address     VSI/VLAN(O/I/P) Interface         Status  Slot 
--------------------------------------------------------------------------------
10.10.1.1        0001-0101-0101  1   /--  /--    10GE1/0/23        Success 1    
--------------------------------------------------------------------------------
Table 16-89  Description of the display dhcp snooping users car status command output

| Item | Description |
|---|---|
| IP Address | IP address of a user. |
| MAC Address | MAC address of a user. |
| VSI/VLAN(O/I/P) | VSI or VLAN ID of a user. |
| Interface | Access interface connected to a user. |
| Status | Configuration status of rate limitation on user traffic. Success: indicates that rate limitation is configured successfully. Fail: indicates that rate limitation fails to be configured. |
| Slot | Slot ID. |

display mac-address snooping

Function

The display mac-address snooping command displays static MAC address entries generated based on the DHCP snooping binding table.

Format

display mac-address snooping [ interface interface-type interface-number | vlan vlan-id ] *

Parameters

| Parameter | Description | Value |
|---|---|---|
| interface interface-type interface-number | Displays the static MAC address entry on a specified interface. interface-type specifies the interface type. interface-number specifies the interface number. | - |
| vlan vlan-id | Displays all the static MAC address entries on all the interfaces in a specified VLAN. | The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

When you run the dhcp snooping sticky-mac command in the interface view, the device generates static MAC address entries based on the DHCP snooping binding table. A static MAC address entry includes the user MAC address and VLAN ID. The display mac-address snooping command displays static MAC address entries generated based on the DHCP snooping binding table. If no interface or VLAN is specified, all the static MAC address entries generated based on the DHCP snooping binding table are displayed.

Example

# Display the static MAC address entries generated based on the DHCP snooping binding table on the device.

<HUAWEI> display mac-address snooping
Flags: * - Backup  
       # - forwarding logical interface, operations cannot be performed based 
           on the interface.
BD   : bridge-domain   Age : dynamic MAC learned time in seconds
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD   Learned-From        Type                Age
-------------------------------------------------------------------------------
0000-0000-0033 100/-/-       10GE1/0/1           snooping              -
-------------------------------------------------------------------------------
Total items: 1
Table 16-90  Description of the display mac-address snooping command output

| Item | Description |
|---|---|
| MAC Address | User MAC address. |
| VLAN/VSI/BD | VLAN: ID of a VLAN to which an interface belongs. VSI: ID of a VSI associated with an interface. BD: ID of a bridge domain to which an interface belongs. NOTE: Information including the BD is displayed only on the VXLAN-capable device. |
| Learned-From | Port number. |
| Type | Type of a MAC address entry, including. |
| Age | Dynamic MAC learned time in seconds. |
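
The following Python sketch is an added example, not part of the Huawei documentation. It parses the display user-bind dhcp snooping all table and the display mac-address snooping table, then reports static snooping MAC entries that have no matching binding entry and bindings whose lease time has already passed. Both sample outputs are constructed in the layouts shown on this page, the function names are hypothetical, and two assumptions are made: rows show the VLAN form of the VSI/VLAN column, and a static entry's VLAN corresponds to the binding's outer VLAN.

```python
import re
from datetime import datetime

# Constructed samples in the layouts of the two example outputs on this page.
BIND_OUTPUT = """\
Flags: O - outer vlan, I - inner vlan, P - map vlan
IP Address       MAC Address     VSI/VLAN(O/I/P) Interface      Lease
--------------------------------------------------------------------------------
10.0.0.8         0000-0000-1002  83  /--  /--    10GE1/0/1      2013.04.26-10:39
10.0.0.9         0000-0000-0033  100 /--  /--    10GE1/0/1      2013.04.27-08:15
--------------------------------------------------------------------------------
Print count:           2          Total count:           2
"""

MAC_OUTPUT = """\
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD   Learned-From        Type                Age
-------------------------------------------------------------------------------
0000-0000-0033 100/-/-       10GE1/0/1           snooping              -
0000-0000-0044 100/-/-       10GE1/0/2           snooping              -
-------------------------------------------------------------------------------
Total items: 2
"""

MAC = r"[0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2}"

# The VLAN column is padded around its slashes ("83  /--  /--"), so the three
# parts are matched individually instead of splitting the row on whitespace.
BIND_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mac>" + MAC + r")\s+"
    r"(?P<vlan>[^\s/]+)\s*/\s*(?P<inner>[^\s/]+)\s*/\s*(?P<mapped>[^\s/]+)\s+"
    r"(?P<interface>\S+)\s+(?P<lease>\d{4}\.\d{2}\.\d{2}-\d{2}:\d{2})\s*$")

STATIC_RE = re.compile(
    r"^(?P<mac>" + MAC + r")\s+"
    r"(?P<vlan>[^\s/]+)/(?P<vsi>[^\s/]+)/(?P<bd>[^\s/]+)\s+"
    r"(?P<interface>\S+)\s+(?P<type>\S+)\s+(?P<age>\S+)\s*$")


def _rows(pattern, text):
    """Return the named groups of every line the pattern matches."""
    return [m.groupdict() for m in map(pattern.match, text.splitlines()) if m]


def parse_bindings(text):
    """Parse binding rows; the Lease column becomes a datetime."""
    rows = _rows(BIND_RE, text)
    for row in rows:
        row["lease"] = datetime.strptime(row["lease"], "%Y.%m.%d-%H:%M")
    return rows


def parse_snooping_macs(text):
    """Parse MAC table rows and keep those of type 'snooping'."""
    return [row for row in _rows(STATIC_RE, text) if row["type"] == "snooping"]


def _key(row):
    return (row["mac"].lower(), row["vlan"], row["interface"])


def orphan_static_macs(bindings, macs):
    """Static snooping MAC entries with no binding for (MAC, VLAN, port)."""
    bound = {_key(b) for b in bindings}
    return [_key(m) for m in macs if _key(m) not in bound]


def expired_bindings(bindings, now):
    """Bindings still listed although their lease time is before 'now'.

    'now' must come from the same clock as the device (assumption).
    """
    return [b for b in bindings if b["lease"] < now]
```
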

display snmp-agent trap feature-name dhcpsnp all

Function

The display snmp-agent trap feature-name dhcpsnp all command displays all trap messages of the DHCP Snooping module.

Format

display snmp-agent trap feature-name dhcpsnp all

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can run the display snmp-agent trap feature-name dhcpsnp all command to view all trap messages of the DHCP Snooping module.

Example

# Display all trap messages of the DHCP Snooping module.

<HUAWEI> display snmp-agent trap feature-name dhcpsnp all
------------------------------------------------------------------------------  
Feature name: DHCPSNP                                                           
Trap number : 4                                                                 
------------------------------------------------------------------------------  
Trap name                      Default switch status   Current switch status    
hwDhcpPktRateAlarm             off                     on                       
hwDhcpSnpChaddrAlarm           off                     on                       
hwNomatchSnpBindTblDhcpPktAlarm                                                 
                               off                     on                       
hwUntrustedReplyPktAlarm       off                     on                       
Table 16-91  Description of the display snmp-agent trap feature-name dhcpsnp all command output

| Item | Description |
|---|---|
| Feature name | Name of the module to which a trap message belongs. |
| Trap number | Number of trap messages. |
| Trap name | Name of a trap message of the DHCP Snooping module. hwDhcpPktRateAlarm: The alarm is generated when the number of DHCP request packets discarded due to the rate limit exceeds the preset alarm threshold. hwDhcpSnpChaddrAlarm: The alarm is generated when the number of DHCP request packets discarded due to the mismatch between the MAC address in the CHADDR field and that in packet header exceeds the preset alarm threshold. hwNomatchSnpBindTblDhcpPktAlarm: The alarm is generated when the number of DHCP request packets discarded due to the lack of a matching entry in the DHCP binding table exceeds the upper threshold. hwUntrustedReplyPktAlarm: The alarm is generated when the number of DHCP reply packets received from untrusted interfaces exceeds the preset alarm threshold. |
| Default switch status | Status of the default trap switch. on: indicates that the trap function is enabled. off: indicates that the trap function is disabled. |
| Current switch status | Status of the current trap switch. on: indicates that the trap function is enabled. off: indicates that the trap function is disabled. |

reset dhcp snooping statistics

Function

The reset dhcp snooping statistics command clears statistics on discarded DHCP messages after DHCP snooping is enabled.

Format

reset dhcp snooping statistics { global | interface interface-type interface-number [ vlan vlan-id ] | vlan vlan-id [ interface interface-type interface-number ] }

Parameters

| Parameter | Description | Value |
|---|---|---|
| global | Clears statistics on the DHCP Snooping messages globally discarded. | - |
| interface interface-type interface-number | Clears statistics on discarded DHCP messages on the specified interface. interface-type specifies the interface type. interface-number specifies the interface number. | - |
| vlan vlan-id | Clears statistics on discarded DHCP messages in a specified VLAN. vlan-id specifies the ID of the VLAN. | vlan-id is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command. |

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After DHCP snooping is enabled, if statistics on discarded DHCP messages are collected, you can run the reset dhcp snooping statistics command to clear the statistics.

Precautions

If both interface and vlan are specified, the specified interface must belong to the specified VLAN. In this way, the reset dhcp snooping statistics command clears statistics on discarded DHCP messages in the specified VLAN that the interface belongs to.

Example

# Clear statistics on discarded DHCP messages on 10GE1/0/1.

<HUAWEI> reset dhcp snooping statistics interface 10ge 1/0/1

reset user-bind dhcp snooping

Function

The reset user-bind dhcp snooping command clears DHCP snooping binding entries.

Format

reset user-bind dhcp snooping [ { vlan vlan-id | interface interface-type interface-number } * | ip-address ip-address ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| vlan vlan-id | Clears DHCP snooping binding entries mapping a specified VLAN ID. | The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command. |
| interface interface-type interface-number | Clears DHCP snooping binding entries mapping a specified interface. interface-type specifies the interface type. interface-number specifies the interface number. | - |
| ip-address ip-address | Clears DHCP snooping binding entries mapping a specified IPv4 address. | The value is in dotted decimal notation. |

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After DHCP snooping is enabled, the corresponding DHCP snooping binding entries are generated after DHCP users log in. The reset user-bind dhcp snooping command clears the binding entries that match a specified parameter. If no parameter is specified, all the binding entries are cleared.

Precautions

If both interface interface-type interface-number and vlan vlan-id are configured, the interface specified by interface interface-type interface-number must have been added to the VLAN specified by vlan vlan-id. In this case, the command clears the DHCP snooping binding entries on a specified interface belonging to a certain VLAN.

Example

# Clear DHCP snooping binding entries in VLAN 100.

<HUAWEI> reset user-bind dhcp snooping vlan 100

snmp-agent trap enable feature-name dhcpsnp

Function

The snmp-agent trap enable feature-name dhcpsnp command enables an alarm function for DHCP snooping.

The undo snmp-agent trap enable feature-name dhcpsnp command disables an alarm function for DHCP snooping.

By default, alarm functions are disabled for DHCP snooping.

Format

snmp-agent trap enable feature-name dhcpsnp [ trap-name { hwdhcppktratealarm | hwdhcpsnpchaddralarm | hwnomatchsnpbindtbldhcppktalarm | hwuntrustedreplypktalarm } ]

undo snmp-agent trap enable feature-name dhcpsnp [ trap-name { hwdhcppktratealarm | hwdhcpsnpchaddralarm | hwnomatchsnpbindtbldhcppktalarm | hwuntrustedreplypktalarm } ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| trap-name | Enables the specified alarm function on the DHCP snooping module. | - |
| hwdhcppktratealarm | Enables the device to generate an alarm when the number of DHCP request packets discarded due to the rate limit exceeds the preset alarm threshold. | - |
| hwdhcpsnpchaddralarm | Enables the device to generate an alarm when the number of DHCP request packets discarded due to the mismatch between the MAC address in the CHADDR field and that in packet header exceeds the preset alarm threshold. | - |
| hwnomatchsnpbindtbldhcppktalarm | Enables the device to generate an alarm when the number of DHCP request packets discarded due to the lack of a matching entry in the DHCP binding table exceeds the upper threshold. | - |
| hwuntrustedreplypktalarm | Enables the device to generate an alarm when the number of DHCP reply packets received from untrusted interfaces exceeds the preset alarm threshold. | - |

Views

System view

Default Level

3: Management level

Usage Guidelines

If you want the device to generate DHCP snooping related alarms, run the snmp-agent trap enable feature-name dhcpsnp command to enable an alarm function for DHCP snooping.

Example

# Enable the device to generate an alarm when the number of DHCP request packets discarded due to rate limit exceeds the upper threshold.

<HUAWEI> system-view
[~HUAWEI] snmp-agent trap enable feature-name dhcpsnp trap-name hwdhcppktratealarm
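
The following Python sketch is an added example, not part of the Huawei documentation. It parses display snmp-agent trap feature-name dhcpsnp all output, including the long trap name that wraps onto its own line, checks the parsed count against the Trap number field, and builds the snmp-agent trap enable commands for traps whose current switch status is off. The sample output is constructed in the layout shown on this page, and the function names are hypothetical.

```python
# Constructed sample in the layout of the example output on this page; two
# traps are shown as off to exercise the report.
SAMPLE = """\
------------------------------------------------------------------------------
Feature name: DHCPSNP
Trap number : 4
------------------------------------------------------------------------------
Trap name                      Default switch status   Current switch status
hwDhcpPktRateAlarm             off                     on
hwDhcpSnpChaddrAlarm           off                     off
hwNomatchSnpBindTblDhcpPktAlarm
                               off                     on
hwUntrustedReplyPktAlarm       off                     off
"""

# trap-name keywords copied from the Format line of the
# "snmp-agent trap enable feature-name dhcpsnp" command on this page.
KEYWORDS = {
    "hwdhcppktratealarm",
    "hwdhcpsnpchaddralarm",
    "hwnomatchsnpbindtbldhcppktalarm",
    "hwuntrustedreplypktalarm",
}
STATES = {"on", "off"}


def parse_traps(text):
    """Return {trap name: (default, current)}; raise if the count disagrees."""
    traps, declared, pending, in_table = {}, None, None, False
    for line in text.splitlines():
        tokens = line.split()
        if line.startswith("Trap number"):
            declared = int(line.split(":", 1)[1])
        elif line.startswith("Trap name"):
            in_table = True
        elif not in_table or not tokens:
            continue
        elif len(tokens) == 3 and set(tokens[1:]) <= STATES:
            traps[tokens[0]] = (tokens[1], tokens[2])
        elif len(tokens) == 1:
            # A name too long for its column; the states follow on the next line.
            pending = tokens[0]
        elif len(tokens) == 2 and set(tokens) <= STATES and pending:
            traps[pending] = (tokens[0], tokens[1])
            pending = None
    if declared is not None and declared != len(traps):
        raise ValueError(
            f"parsed {len(traps)} traps, device reported {declared}")
    return traps


def enable_commands(traps):
    """Commands that switch on every DHCP snooping trap that is currently off."""
    commands = []
    for name, (_default, current) in traps.items():
        keyword = name.lower()
        if current == "off" and keyword in KEYWORDS:
            commands.append(
                "snmp-agent trap enable feature-name dhcpsnp "
                f"trap-name {keyword}")
    return commands


if __name__ == "__main__":
    for command in enable_commands(parse_traps(SAMPLE)):
        print(command)
```
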
Updated: 2019-03-21

Document ID: EDOC1000166501
