Command Reference

S7700 and S9700 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

DHCP Snooping Configuration Commands

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

arp dhcp-snooping-detect enable

Function

The arp dhcp-snooping-detect enable command enables association between the Address Resolution Protocol (ARP) and Dynamic Host Configuration Protocol (DHCP) snooping.

The undo arp dhcp-snooping-detect enable command disables association between ARP and DHCP snooping.

By default, association between ARP and DHCP snooping is disabled.

Format

arp dhcp-snooping-detect enable

undo arp dhcp-snooping-detect enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a DHCP client sends a DHCP Release message to release its IP address, the DHCP snooping-enabled device immediately deletes the binding entry of the DHCP client. If a DHCP client is abnormally disconnected and cannot send a DHCP Release message, the DHCP snooping-enabled device cannot immediately delete the binding entry of the DHCP client.

If association between ARP and DHCP snooping is enabled using this command and no ARP entry corresponding to the IP address in a DHCP snooping binding entry is found, the DHCP snooping-enabled device performs an ARP probe on the IP address. If no user is detected four consecutive times, the device deletes the DHCP snooping binding entry corresponding to the IP address. (The probe interval is 20 seconds; the number of probes and the probe interval are fixed values and cannot be modified.) If the DHCP snooping-enabled device supports the DHCP relay function, it then sends a DHCP Release message in place of the DHCP client to notify the DHCP server to release the IP address.

Prerequisites

Before association between ARP and DHCP snooping is enabled, ensure that an IP address configured on the device is on the same network segment as the IP address of the client to be probed using ARP.

Example

# Enable association between ARP and DHCP snooping on the device.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] arp dhcp-snooping-detect enable

dhcp option82 append vendor-specific

Function

The dhcp option82 append vendor-specific command inserts the Sub9 suboption into Option 82.

The undo dhcp option82 append vendor-specific command restores the default configuration.

By default, the Sub9 suboption is not inserted into the Option 82 field of DHCP messages.

Format

dhcp option82 append vendor-specific

undo dhcp option82 append vendor-specific

Parameters

None

Views

Interface view, VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the dhcp option82 append vendor-specific command is run on a DHCP relay agent or DHCP snooping device, the device will insert the Sub9 suboption into the Option 82 field of a received DHCP message. When this DHCP message is forwarded to the DHCP server, the server obtains the DHCP client location information from the Sub9 suboption.

The Sub9 suboption has old and new formats. The old format contains the vendor ID, for example, hwid. The new format does not contain the vendor ID.

Both the dhcp option82 append vendor-specific and dhcp option82 vendor-specific format commands can insert the Sub9 into the Option 82 field of the DHCP message, except that the Sub9 formats are different:
  • dhcp option82 append vendor-specific: inserts the Sub9 of the new format. The new format includes the location information such as the node identifier, node chassis ID, node slot ID, node port number, and user VLAN.
  • dhcp option82 vendor-specific format: inserts the Sub9 of the old format. The old format includes the DHCP client information such as user IP address and device name.
Precautions
  • When both the dhcp option82 append vendor-specific and dhcp option82 vendor-specific format commands are run, the dhcp option82 append vendor-specific command takes effect.
  • The Sub9 suboption can be inserted into Option 82 only when the Sub9 format is the same as the DHCP packet format. If the formats are different:
    • If the dhcp option82 vendor-specific format command has been run, the Sub9 of the new format cannot be inserted into Option 82.
    • If the dhcp option82 append vendor-specific command has been run, whether the Sub9 of the old format can be inserted depends on the Option 82 insertion method (which is configured using the dhcp option82 enable command).
      • When the Option 82 insertion method is Insert, the Sub9 is not inserted.

      • When the Option 82 insertion method is Rebuild, the Sub9 is reconstructed and then inserted into Option 82.

  • The total length of the Option 82 field cannot exceed 255 bytes.

Example

# Insert the Sub9 suboption into the Option 82 field of DHCP messages.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp option82 append vendor-specific

dhcp option82 enable

Function

The dhcp option82 enable command enables a device to insert the Option 82 field into a DHCP message.

The undo dhcp option82 enable command disables a device from inserting the Option 82 field into a DHCP message.

By default, a device does not insert the Option 82 field into a DHCP message.

Format

dhcp option82 { insert | rebuild } enable

undo dhcp option82 { insert | rebuild } enable

Parameters

| Parameter | Description | Value |
|---|---|---|
| insert | Enables a device to insert the Option 82 field into a DHCP message. | - |
| rebuild | Enables a device to forcibly insert the Option 82 field into a DHCP message. | - |

Views

VLAN view, Ethernet interface view, Ethernet sub-interface view, GE interface view, GE sub-interface view, XGE interface view, XGE sub-interface view, 40GE interface view, 40GE sub-interface view, 100GE interface view, 100GE sub-interface view, Eth-Trunk interface view, Eth-Trunk sub-interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The Option 82 field records the location of a DHCP client. A device inserts the Option 82 field into a DHCP Request message to notify the DHCP server of the DHCP client location. The DHCP server can assign an IP address and other configurations to the DHCP client, ensuring DHCP client security.

The device inserts the Option 82 field into a DHCP message in one of two modes:
  • Insert mode: Upon receiving a DHCP Request message without the Option 82 field, the device inserts the Option 82 field. If the DHCP Request message contains the Option 82 field, the device checks whether the Option 82 field contains the remote ID. If so, the device retains the Option 82 field; if not, the device inserts the remote ID.

  • Rebuild mode: Upon receiving a DHCP Request message without the Option 82 field, the device inserts the Option 82 field. If the DHCP Request message contains the Option 82 field, the device deletes the original Option 82 field and inserts the Option 82 field set by the administrator.

The device handles the reply packets from the DHCP server in the same way regardless of whether the Insert or Rebuild method is used.

  • The DHCP reply packets contain Option 82:
    • If the DHCP request packets received by the device do not contain Option 82, the device deletes Option 82 from the DHCP reply packets, and forwards the packets to the DHCP client.
    • If the DHCP request packets contain Option 82, the device changes the Option 82 format in the DHCP reply packets into the Option 82 format in the DHCP request packets, and forwards the packets to the DHCP client.
  • If the DHCP reply packets do not contain Option 82, the device directly forwards the packets.
NOTE:

The physical interface can insert Option82 to the DHCP packets directly forwarded, but does not insert Option82 to the DHCP packets forwarded through a tunnel.

Prerequisites

DHCP snooping has been enabled on the device, or the device has been configured as a DHCP relay agent.

Precautions

  • When receiving a DHCP Request message, the device checks whether the GIADDR field in the packet is 0. If so, the dhcp option82 enable command takes effect; if not, this command does not take effect.
  • DHCP Option 82 must be configured on the user side of a device; otherwise, the DHCP messages sent to the DHCP server will not carry Option 82.

Example

# Enable the device to insert the Option 82 field into DHCP messages on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp option82 insert enable

# Enable the device to forcibly insert the Option 82 field into DHCP messages in VLAN 100.

<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp option82 rebuild enable
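
The Insert and Rebuild handling described in the usage guidelines above, modelled in Python to show which sub-options reaching the DHCP server were set by this device and which were carried over from the received message. This is an added example, not Huawei code: the function names, the dict representation of Option 82 (sub-option code to value) and the sample values are assumptions, and reply handling is modelled as restoring the field that arrived in the request.

```python
CIRCUIT_ID, REMOTE_ID = 1, 2          # RFC 3046 sub-option codes
UNSET_GIADDR = "0.0.0.0"

# Constructed sample values (not taken from a real device).
LOCAL = {CIRCUIT_ID: b"GE1/0/1:100.0 HUAWEI/0/0/0/0/0",
         REMOTE_ID: bytes.fromhex("00e0fc123456")}
RECEIVED = {CIRCUIT_ID: b"GE9/9/9:999.0 other/0/0/0/0/0",
            REMOTE_ID: bytes.fromhex("0a0b0c0d0e0f")}


def process_request(mode, giaddr, received, local):
    """Return the Option 82 sub-options forwarded to the DHCP server.

    mode     -- "insert" or "rebuild"
    giaddr   -- GIADDR field of the request, as a dotted string
    received -- {sub-option code: bytes} in the request, or None if absent
    local    -- {sub-option code: bytes} configured on this device
    """
    if mode not in ("insert", "rebuild"):
        raise ValueError("mode must be 'insert' or 'rebuild'")
    if giaddr != UNSET_GIADDR:
        # Precaution above: the command takes effect only when GIADDR is 0.
        return None if received is None else dict(received)
    if received is None or mode == "rebuild":
        # No Option 82 in the request, or Rebuild mode: the device's field is used.
        return dict(local)
    if REMOTE_ID in received:
        # Insert mode retains a received field that already has a remote ID.
        return dict(received)
    # Insert mode without a remote ID: only the remote ID is added.
    merged = dict(received)
    merged[REMOTE_ID] = local[REMOTE_ID]
    return merged


def process_reply(reply, request):
    """Return the Option 82 content forwarded to the client (None = absent)."""
    if reply is None:
        return None            # reply without Option 82 is forwarded directly
    if request is None:
        return None            # request carried none, so the device deletes it
    return dict(request)       # assumption: restored to the request's format


def provenance(forwarded, local):
    """Label each forwarded sub-option as set by this 'device' or 'received'."""
    if forwarded is None:
        return {}
    return {code: "device" if local.get(code) == value else "received"
            for code, value in forwarded.items()}


if __name__ == "__main__":
    for mode in ("insert", "rebuild"):
        sent = process_request(mode, UNSET_GIADDR, RECEIVED, LOCAL)
        print(mode, provenance(sent, LOCAL))
```
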

dhcp option82 encapsulation

Function

The dhcp option82 encapsulation command configures suboptions inserted into the DHCP Option 82 field.

The undo dhcp option82 encapsulation command restores the default suboptions inserted into the DHCP Option 82 field.

By default, the circuit-id (CID) and remote-id (RID) suboptions are inserted into the DHCP Option 82 field.

Format

dhcp option82 encapsulation { circuit-id | remote-id | subscriber-id | vendor-specific-id } *

undo dhcp option82 encapsulation

Parameters

| Parameter | Description | Value |
|---|---|---|
| circuit-id | Inserts the circuit-id suboption. | - |
| remote-id | Inserts the remote-id suboption. | - |
| subscriber-id | Inserts the subscriber-id (SID) suboption. | - |
| vendor-specific-id | Inserts the vendor-specific suboption in the Sub9 field. | - |

Views

System view, VLAN view, interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

This function applies to a DHCP relay agent or a DHCP snooping-enabled device. The Option 82 field records the location of a DHCP client. A device inserts the Option 82 field into a DHCP Request message to notify the DHCP server of the DHCP client location. The DHCP server can assign an IP address and other configurations to the DHCP client, ensuring DHCP client security. The administrator can run this command to configure the device to insert one or more of the following into the DHCP Option 82 field: the circuit-id suboption, the remote-id suboption, the subscriber-id suboption, and the vendor-specific suboption in the Sub9 field. After the command is run, suboptions that are not configured to be inserted are not inserted into the DHCP Option 82 field by default.

Prerequisites

The DHCP function has been enabled in the system view using the dhcp enable command.

Example

# Insert the circuit-id suboption into the DHCP Option 82 field.

<HUAWEI> system-view
[HUAWEI] dhcp option82 encapsulation circuit-id 

dhcp option82 format

Function

The dhcp option82 format command configures the format of the Option 82 field in a DHCP message.

The undo dhcp option82 format command restores the default format of the Option 82 field in a DHCP message.

By default, the Option 82 field in a DHCP message is in the default format.

Format

dhcp option82 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] [ circuit-id | remote-id ] format { default | common | extend | user-defined text }

undo dhcp option82 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] [ circuit-id | remote-id ] format

Parameters

| Parameter | Description | Value |
|---|---|---|
| circuit-id | Indicates the circuit ID (CID) in the Option 82 field. If the CID is not specified, the format of the Option 82 field is default. | - |
| remote-id | Indicates the remote ID (RID) in the Option 82 field. If the RID is not specified, the format of the Option 82 field is default. | - |
| default | Indicates the default format of the Option 82 field. CID format: interface name:svlan.cvlan, host name/0/0/0/0/0, in ASCII format. RID format: device MAC address, in hexadecimal notation. | - |
| common | Indicates the common format of the Option 82 field. CID format: {eth\|trunk}slot ID/subcard ID/port ID:svlan.cvlan host name0/0/0/0/0, in ASCII format. RID format: device MAC address (6 bytes), in ASCII format. | - |
| extend | Indicates the extended format of the Option 82 field. CID format: circuit-id type (0) + length (4) + S-VLAN ID (2 bytes) + slot ID (5 bits) + subslot ID (3 bits) + port (1 byte), in hexadecimal notation. RID format: remote-id type (0) + length (6) + device MAC address (6 bytes), in hexadecimal notation. In the CID and RID formats, the values without a unit are fixed values of the fields; the values with a unit indicate the field lengths. | - |
| user-defined text | Indicates the user-defined format of the Option 82 field. | The value is a string of 1 to 255 characters. For details, see the description in "Usage Guidelines." |
| vlan vlan-id | Indicates an outer VLAN ID. If a VLAN ID is specified, only the format of the Option 82 field in the DHCP messages sent from the specified VLAN is configured. If no VLAN is specified, the format of the Option 82 field in all the DHCP messages received by the interface is configured. | The value is an integer that ranges from 1 to 4094. |
| ce-vlan ce-vlan-id | Indicates an inner VLAN ID. | The value is an integer that ranges from 1 to 4094. |

Views

System view, Ethernet interface view, GE interface view, XGE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the function of inserting the Option 82 field into DHCP messages is enabled, you can use the dhcp option82 format command to configure the format of the Option 82 field.

If you run the dhcp option82 format command in the system view, the command takes effect for all the DHCP messages on all the interfaces of the device.

You can use the following keywords to define the Option 82 field. The format string can use the hexadecimal notation, ASCII format, or combination of the two formats.
  • sysname: indicates the ID of the access point. This keyword is valid only in ASCII format.
  • portname: indicates the name of a port, for example, GE1/0/1. This keyword is valid only in ASCII format.
  • porttype: indicates the type of a port. This keyword is a character string or in hexadecimal notation. For example, if the value is Ethernet in ASCII format, it is 15 in hexadecimal notation.
  • iftype: indicates the type of an interface, which can be eth or trunk. This keyword is valid only in ASCII format.
  • mac: indicates the MAC address of a port. In ASCII format, the value is in the format of H-H-H; in hexadecimal notation, the value is a number of six bytes.
  • slot: indicates the slot ID. This keyword is valid in ASCII format or in hexadecimal notation.
  • subslot: indicates the subslot ID. This keyword is valid in ASCII format or in hexadecimal notation.
  • port: indicates the port number. This keyword is valid in ASCII format or in hexadecimal notation.
  • svlan: indicates the outer VLAN ID. The value ranges from 1 to 4094. If this field is not required, this field is 0. This keyword is valid in ASCII format or in hexadecimal notation.
  • cvlan: specifies the inner VLAN ID. The value ranges from 1 to 4094. If this field is not required, this field is 0. This keyword is valid in ASCII format or in hexadecimal notation.
  • length: indicates the total length of the keywords following the keyword length.
  • n: indicates the value of the keyword svlan or cvlan if the SVLAN or CVLAN does not exist. The keyword n is on the left of the keyword svlan or cvlan. If the corresponding VLAN does not exist, the default value of the keyword svlan or cvlan is 4096 in ASCII format and is all Fs in hexadecimal notation. If the n keyword is added to the left of the keyword svlan or cvlan, the keyword svlan or cvlan is 0. This keyword is valid in ASCII format or in hexadecimal notation.
NOTE:

Delimiters must be added between keywords; otherwise, the device cannot parse the keywords. The delimiters cannot be numbers.

The keyword length can be configured only once.

The symbols used in the format string are as follows:
  • The symbol % followed by a keyword indicates the format of the keyword.
  • A number to the left of the symbol % indicates the length of the keyword following the symbol %. In an ASCII character string, %05 has the same meaning as %05d in the C language. In a hexadecimal character string, the number indicates the keyword length in bits.
  • The symbol [] indicates an optional keyword. Each pair of brackets can contain only one keyword, svlan or cvlan. The keyword in the symbol [] is added to the Option 82 field only if the corresponding VLAN ID exists. To facilitate syntax check, the system does not support nesting of symbols [].
  • The symbol \ indicates an escape character. The symbols %, \, and [] following the escape character indicate themselves. For example, \\ represents \.
  • The contents in quotation marks (" ") are encapsulated in a character string, and the contents outside the quotation marks are encapsulated in hexadecimal notation.
  • Other symbols are processed as common characters.

The rules for setting the format string in ASCII format or hexadecimal notation are as follows:
    • An ASCII character string can contain Arabic numerals, uppercase letters, lowercase letters, and the following symbols: ! @ # $ % ^ & * ( ) _ + | - = \ [ ] { } ; : ' " / ? . , < > `.
    • By default, the length of each keyword in an ASCII character string is the actual length of the keyword.
    • A hexadecimal notation string can contain numerals, spaces, and % + keywords.
    • In a hexadecimal notation string, numbers are encapsulated in the Option 82 field in hexadecimal notation. A number from 0 to 255 occupies 1 byte; a number from 256 to 65535 occupies 2 bytes; a number from 65536 to 4294967295 occupies 4 bytes. Numbers larger than 4294967295 are not supported. Multiple numbers must be separated by spaces; otherwise, they are considered as one number.
    • All the spaces in a hexadecimal character string are ignored.
    • By default, the slot ID, subslot ID, port number, and VLAN ID in a hexadecimal character string occupy 2 bytes; the field length occupies 1 byte.
    • If the length of each keyword in a hexadecimal character string is specified, the total length of the hexadecimal character string must be a multiple of 8. If the length of a specified keyword is longer than 32 bits, the first 32 bits of the keyword are the actual keyword value, and other bits are set to 0.
    • A hexadecimal notation string can contain only the keywords whose values are numbers. Other keywords, such as port name, cannot be added to the hexadecimal notation string.
    • If a string is not contained in quotation marks, it is encapsulated in hexadecimal notation. To encapsulate the string in the ASCII format, use a pair of quotation marks to contain the string. For example, the slot ID is 3, and the port number is 4. If the string is in the %slot %port format, the value of the encapsulated string is a hexadecimal number 00030004. If the string is in the "%slot %port" format, the value of the encapsulated string is 3 4.
    • A format string can contain both hexadecimal strings and ASCII strings, for example, %slot %port "%sysname %portname:%svlan.%cvlan."
Precautions
  • All Option82 fields configured in the system view or in the same interface view share a length of 1-255 bytes. If their total length exceeds 255 bytes, some Option82 information will be lost.

  • There is no limit on the number of Option 82 fields configured on the device. However, a large number of Option 82 fields will occupy a lot of memory and prolong the device processing time. To ensure device performance, you are advised to configure Option 82 fields based on the service requirements and device memory size.

Example

# Configure the default format for the CID in the Option 82 field.

<HUAWEI> system-view
[HUAWEI] dhcp option82 circuit-id format default

# Configure the extended format for the CID and RID in the Option 82 field.

<HUAWEI> system-view
[HUAWEI] dhcp option82 format extend

# Configure the user-defined string for the CID in the Option 82 field and encapsulate the port name, outer VLAN ID, inner VLAN ID, and host name in ASCII format.

<HUAWEI> system-view
[HUAWEI] dhcp option82 circuit-id format user-defined "%portname:%svlan.%cvlan %sysname"

# Configure a hexadecimal notation string for the CID of the Option 82 field and encapsulate the CID type (fixed as 0, indicating the hexadecimal notation), length (excluding the lengths of the CID type and the keyword length itself), outer VLAN ID, slot ID (5 bits), subcard ID (3 bits), and port ID (8 bits).

<HUAWEI> system-view
[HUAWEI] dhcp option82 circuit-id format user-defined 0 %length %svlan %5slot %3subslot %8port

# Configure the user-defined string for the RID in the Option 82 field and encapsulate the device MAC address in hexadecimal notation.

<HUAWEI> system-view
[HUAWEI] dhcp option82 remote-id format user-defined %mac

# On GE1/0/1, configure the default format for the CID in the Option 82 field.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp option82 circuit-id format default

# On GE1/0/1, configure the extended format for the CID and RID in the Option 82 field of DHCP messages from VLAN 10.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp option82 vlan 10 format extend

# On GE1/0/1, configure a user-defined format for the CID in the Option 82 field and encapsulate the port name, outer VLAN ID, inner VLAN ID, and host name in ASCII format.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp option82 circuit-id format user-defined "%portname:%svlan.%cvlan %sysname"

# On GE1/0/1, configure a hexadecimal notation string for the CID of the Option 82 field and encapsulate the CID type (fixed as 0, indicating the hexadecimal notation), length (excluding the lengths of the CID type and the keyword length itself), outer VLAN ID, slot ID (5 bits), subcard ID (3 bits), and port ID (8 bits).

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp option82 circuit-id format user-defined 0 %length %svlan %5slot %3subslot %8port

# On GE1/0/1, configure the user-defined format for the RID in the Option 82 field and encapsulate the device MAC address in hexadecimal notation.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp option82 remote-id format user-defined %mac
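
The hexadecimal and ASCII encapsulation rules from the usage guidelines above, worked through in Python as an added example (not Huawei's implementation), together with a decoder for the extend-format CID that a DHCP server or log pipeline could use. The function names and sample values are constructed for illustration; numbers in the format string are assumed to be decimal, %length is assumed to count the bytes that follow it, and the [ ], \ and n syntax is not modelled.

```python
import re

# Default keyword widths in hexadecimal notation, in bits (from the rules above).
HEX_BITS = {"slot": 16, "subslot": 16, "port": 16, "svlan": 16,
            "cvlan": 16, "length": 8, "mac": 48}
KEYWORD = (r"%(\d*)(sysname|portname|porttype|iftype|mac|subslot|slot|port"
           r"|svlan|cvlan|length)")
HEX_TOKEN = re.compile(KEYWORD + r"|(\d+)|\s+")

# Constructed sample values for one access port (not from a real device).
SAMPLE = {"sysname": "HUAWEI", "portname": "GE1/0/1", "slot": 1, "subslot": 0,
          "port": 1, "svlan": 100, "cvlan": 0, "mac": 0x00E0FC123456}


def _ascii(segment, values):
    """Expand keywords inside a quoted segment; %05svlan behaves like %05d."""
    def repl(match):
        width, name = match.group(1), match.group(2)
        value = values[name]
        if name == "mac":                      # ASCII form is H-H-H
            digits = f"{value:012x}"
            return "-".join(digits[i:i + 4] for i in range(0, 12, 4))
        if isinstance(value, int) and width:
            return format(value, width + "d")
        return str(value)
    return re.sub(KEYWORD, repl, segment).encode("ascii")


def _number_bits(number):
    """Literal numbers take 1, 2 or 4 bytes depending on their size."""
    for limit, bits in ((0xFF, 8), (0xFFFF, 16), (0xFFFFFFFF, 32)):
        if number <= limit:
            return bits
    raise ValueError("numbers larger than 4294967295 are not supported")


def encode(fmt, values):
    """Encode a user-defined format string into Option 82 sub-option bytes."""
    if fmt.count('"') % 2:
        raise ValueError("unbalanced quotation marks")
    fields = []                                # (bit width, value); None = %length
    for index, chunk in enumerate(fmt.split('"')):
        if index % 2:                          # inside quotation marks: ASCII
            fields += [(8, byte) for byte in _ascii(chunk, values)]
            continue
        pos = 0
        while pos < len(chunk):                # outside: hexadecimal notation
            match = HEX_TOKEN.match(chunk, pos)
            if not match:
                raise ValueError(f"unexpected text in hex notation: {chunk[pos:]!r}")
            pos = match.end()
            width, name, number = match.groups()
            if number is not None:
                fields.append((_number_bits(int(number)), int(number)))
            elif name is not None:
                if name not in HEX_BITS:
                    raise ValueError(f"%{name} is not modelled in hex notation")
                bits = int(width) if width else HEX_BITS[name]
                fields.append((bits, None if name == "length" else values[name]))
    total = sum(bits for bits, _ in fields)
    if total % 8:
        raise ValueError("total length must be a multiple of 8 bits")
    if total // 8 > 255:
        raise ValueError("Option 82 content cannot exceed 255 bytes")
    packed = 0
    for index, (bits, value) in enumerate(fields):
        if value is None:                      # %length: bytes that follow it
            value = sum(b for b, _ in fields[index + 1:]) // 8
        packed = (packed << bits) | (value & ((1 << bits) - 1))
    return packed.to_bytes(total // 8, "big")


def decode_extend_cid(cid):
    """Parse a CID in the extend layout: 0, 4, S-VLAN, slot:5/subslot:3, port."""
    if len(cid) != 6 or cid[0] != 0 or cid[1] != 4:
        raise ValueError("not an extend-format circuit-id")
    return {"svlan": int.from_bytes(cid[2:4], "big"), "slot": cid[4] >> 3,
            "subslot": cid[4] & 0x07, "port": cid[5]}


if __name__ == "__main__":
    cid = encode("0 %length %svlan %5slot %3subslot %8port", SAMPLE)
    print(cid.hex(), decode_extend_cid(cid))
```
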

dhcp option82 subscriber-id format

Function

The dhcp option82 subscriber-id format command inserts the Sub6 suboption into the DHCP Option 82 field of DHCP messages and configures the format of the Sub6 suboption.

The undo dhcp option82 subscriber-id format command cancels the configuration of the Sub6 suboption inserted into the DHCP Option 82 field of DHCP messages.

By default, the Sub6 suboption is not inserted into the DHCP Option 82 field of DHCP messages.

Format

dhcp option82 subscriber-id format { ascii ascii-text | hex hex-text }

undo dhcp option82 subscriber-id format

Parameters

| Parameter | Description | Value |
|---|---|---|
| ascii ascii-text | Specifies the ASCII character string in the Sub6 field. | The value is an ASCII character string and contains fewer than 129 characters. |
| hex hex-text | Specifies the HEX character string in the Sub6 field. | The value is in hexadecimal notation. The value can contain only digits 0 to 9, uppercase letters A to F, and lowercase letters a to f. If no space is included, the value length must be an even number smaller than 257. |

Views

System view, Ethernet interface view, GE interface view, XGE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In an authentication system for wired Ethernet access based on DHCP, DHCP snooping, and Option82, a device can insert suboptions (suboption 1, suboption 2, suboption 6, and suboption 9) into the Option 82 field in DHCP Request messages. These suboptions in DHCP Request messages help locate user devices. Unauthorized users cannot access the network by using static IP addresses or stealing accounts of authorized users. You can run the dhcp option82 subscriber-id format command to configure the Sub6 suboption.

Prerequisites

DHCP has been enabled using the dhcp enable command.

Example

# Configure the Sub6 suboption inserted into the DHCP Option 82 field of DHCP messages on GE0/0/1 and specify the ASCII character string in the Sub6 suboption.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp option82 subscriber-id format ascii hw

dhcp option82 vendor-specific format

Function

The dhcp option82 vendor-specific format command configures the Sub9 field in the Option 82 field.

The undo dhcp option82 vendor-specific format command deletes the configuration of the Sub9 field inserted into the DHCP Option 82 field.

By default, the Sub9 field inserted into the Option 82 field is not configured.

Format

dhcp option82 vendor-specific format vendor-sub-option sub-option-num { ascii ascii-text | hex hex-text | ip-address ip-address &<1-8> | sysname }

undo dhcp option82 vendor-specific format vendor-sub-option sub-option-num

Parameters

| Parameter | Description | Value |
|---|---|---|
| vendor-sub-option sub-option-num | Specifies the vendor-specific suboption in the Sub9 field. | The value is an integer that ranges from 1 to 255. |
| ascii ascii-text | Specifies the ASCII character string in the vendor-specific suboption in the Sub9 field. | The value is an ASCII character string and must contain fewer than 129 characters. |
| hex hex-text | Specifies the HEX character string in the vendor-specific suboption in the Sub9 field. | The value is in hexadecimal notation. The value can contain only numerals 0 to 9, lowercase letters a to f, and uppercase letters A to F. If no space is included, the value length must be an even number smaller than 257. |
| ip-address ip-address | Specifies the IP address in the vendor-specific suboption in the Sub9 field. | - |
| sysname | Specifies the device name in the vendor-specific suboption in the Sub9 field. | - |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In authentication for wired Ethernet access using DHCP, DHCP snooping, and Option 82, a device can insert suboptions (suboption 1, suboption 2, and suboption 9) into the Option 82 field in DHCP Request messages. These suboptions in DHCP Request messages carry information about user device locations. Unauthorized users cannot access the network by using static IP addresses or stolen accounts of authorized users. The dhcp option82 vendor-specific format command configures the suboptions in the Sub9 field.

Prerequisites

DHCP has been enabled using the dhcp enable command.

Example

# Insert the device name into vendor-specific suboption 1 in the Sub9 field.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp option82 vendor-specific format vendor-sub-option 1 sysname

dhcp server detect

Function

The dhcp server detect command enables detection of DHCP servers.

The undo dhcp server detect command disables detection of DHCP servers.

By default, detection of DHCP servers is disabled.

Format

dhcp server detect

undo dhcp server detect

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If bogus DHCP servers exist on the network, they send incorrect information to DHCP clients, such as an incorrect gateway address, DNS server, or IP address. As a result, DHCP clients cannot access the network or access incorrect networks.

After detection of DHCP servers is enabled, a DHCP snooping device checks the DHCP Reply messages and stores all information about DHCP servers that they carry, such as the DHCP server address and DHCP client port number, in the log. Based on the logs, the network administrator checks for bogus DHCP servers on the network to maintain the network.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Example

# Enable detection of DHCP servers.

<HUAWEI> system-view 
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp server detect

dhcp snooping alarm dhcp-rate enable

Function

The dhcp snooping alarm dhcp-rate enable command enables the device to generate an alarm when the number of discarded DHCP messages reaches the threshold.

The undo dhcp snooping alarm dhcp-rate enable command disables the device from generating an alarm when the number of discarded DHCP messages reaches the threshold.

By default, the device is disabled from generating an alarm when the number of discarded DHCP messages reaches the threshold.

Format

dhcp snooping alarm dhcp-rate enable [ threshold threshold ]

undo dhcp snooping alarm dhcp-rate enable [ threshold ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| threshold threshold | Specifies the alarm threshold. If the number of discarded DHCP messages reaches the threshold, an alarm is generated. For details, see the dhcp snooping alarm dhcp-rate threshold command. | The value is an integer that ranges from 1 to 1000. The default value is 100. |

Views

System view, Ethernet interface view, GE interface view, XGE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After DHCP snooping is enabled, the device sends all the received DHCP Request messages and Reply messages to the processing unit. If the rate of sending DHCP messages is high, processing efficiency of the processing unit is affected. After the dhcp snooping check dhcp-rate enable command is run, the device checks the rate of sending DHCP messages. DHCP messages that are sent within the specified rate are sent to the processing unit, and those that exceed the rate are discarded.

If the number of discarded DHCP messages reaches the threshold, an alarm is generated. To set the alarm threshold, run the dhcp snooping alarm dhcp-rate threshold command.

If you run the dhcp snooping alarm dhcp-rate enable command in the system view, the command takes effect on all the interfaces of the device. If you run the dhcp snooping alarm dhcp-rate enable command in the interface view, the command only takes effect on the specified interface.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

To ensure that alarms can be properly reported, you need to run the snmp-agent trap enable feature-name dhcp command to enable the DHCP module to report the corresponding alarm. You can check whether the DHCP module is enabled to report the corresponding alarm using the display snmp-agent trap feature-name dhcp all command.

Example

# In the system view, enable the device to generate an alarm when the number of discarded DHCP messages reaches the threshold.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping check dhcp-rate enable
[HUAWEI] dhcp snooping alarm dhcp-rate enable

# Enable the device to generate an alarm when the number of discarded DHCP messages reaches the threshold on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping check dhcp-rate enable
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping alarm dhcp-rate enable

dhcp snooping alarm dhcp-rate threshold

Function

The dhcp snooping alarm dhcp-rate threshold command sets the alarm threshold for the number of discarded DHCP messages.

The undo dhcp snooping alarm dhcp-rate threshold command restores the default alarm threshold for the number of discarded DHCP messages.

By default, the global alarm threshold for the number of discarded DHCP messages is 100, and the alarm threshold for the number of discarded DHCP messages on an interface is the same as that configured in the system view.

Format

dhcp snooping alarm dhcp-rate threshold threshold

undo dhcp snooping alarm dhcp-rate threshold

Parameters

Parameter Description Value
threshold Specifies the alarm threshold. If the number of discarded DHCP messages reaches the threshold, an alarm is generated. The value is an integer that ranges from 1 to 1000. The default value is 100.

Views

System view, Ethernet interface view, GE interface view, XGE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After you run the dhcp snooping alarm dhcp-rate enable command to enable a device to generate an alarm when the number of discarded DHCP messages reaches the threshold, you can set the alarm threshold using the dhcp snooping alarm dhcp-rate threshold command. An alarm is generated when the number of discarded DHCP messages reaches the threshold.

If the alarm threshold is set in the system view and interface view, the smaller value takes effect.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Example

# Set the alarm threshold for the number of discarded DHCP messages on GE1/0/1 to 50.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping alarm dhcp-rate threshold 50

dhcp snooping alarm enable

Function

The dhcp snooping alarm enable command enables alarm for discarded DHCP messages.

The undo dhcp snooping alarm enable command disables alarm for discarded DHCP messages.

By default, the alarm function for discarded DHCP messages is disabled.

Format

dhcp snooping alarm { dhcp-request | dhcp-chaddr | dhcp-reply } enable [ threshold threshold ]

undo dhcp snooping alarm { dhcp-request | dhcp-chaddr | dhcp-reply } enable [ threshold ]

Parameters

Parameter Description Value
dhcp-request Generates an alarm when the number of DHCPv4 Request messages discarded because they do not match DHCP snooping binding entries reaches the threshold. -
dhcp-chaddr Generates an alarm when the number of DHCPv4 request messages discarded because the CHADDR field in the DHCP messages does not match the source MAC address in the data frame header reaches the threshold. -
dhcp-reply Generates an alarm when the number of DHCPv4 Response messages discarded by untrusted interfaces reaches the threshold. -
threshold threshold Specifies the alarm threshold. When the number of discarded DHCPv4 messages reaches the threshold, an alarm is generated. The value is an integer that ranges from 1 to 1000.

Views

Ethernet interface view, GE interface view, XGE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the alarm function is enabled, alarm messages are displayed if DHCP attacks occur and the number of discarded attack messages reaches the threshold. The minimum interval for sending alarm messages is 1 minute. You can run the dhcp snooping alarm threshold command to set the alarm threshold.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

By default, a device does not check messages received by the clients. Therefore, to make the command take effect, ensure the following is ready:
  • The device has been enabled to check DHCP messages against the binding entries using the dhcp snooping check dhcp-request enable command before the dhcp snooping alarm dhcp-request enable command is run.
  • The device has been enabled to check whether the CHADDR field is the same as the source MAC address in the header of a DHCPv4 Request message using the dhcp snooping check dhcp-chaddr enable command before the dhcp snooping alarm dhcp-chaddr enable command is run.

To ensure that alarms can be properly reported, you need to run the snmp-agent trap enable feature-name dhcp command to enable the DHCP module to report the corresponding alarm. You can check whether the DHCP module is enabled to report the corresponding alarm using the display snmp-agent trap feature-name dhcp all command.

Example

# On GE1/0/1, enable DHCP snooping, enable the device to check whether the CHADDR field in the DHCP message matches the source MAC address in the Ethernet frame header, and enable alarm for the DHCP messages discarded because the CHADDR field in the DHCP message does not match the source MAC address.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping check dhcp-chaddr enable
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping alarm dhcp-chaddr enable

dhcp snooping alarm threshold

Function

The dhcp snooping alarm threshold command sets the alarm threshold for the number of DHCP messages discarded by DHCP snooping.

The undo dhcp snooping alarm threshold command restores the default alarm threshold.

By default, an alarm is generated in the system when at least 100 DHCP snooping messages are discarded, and the alarm threshold on an interface is set using the dhcp snooping alarm threshold command in the system view.

Format

In the system view:

dhcp snooping alarm threshold threshold

undo dhcp snooping alarm threshold

In the interface view:

dhcp snooping alarm { dhcp-request | dhcp-chaddr | dhcp-reply } threshold threshold

undo dhcp snooping alarm { dhcp-request | dhcp-chaddr | dhcp-reply } threshold

Parameters

Parameter Description Value
threshold Specifies the alarm threshold for the number of DHCP snooping-discarded messages. The value is an integer that ranges from 1 to 1000.
dhcp-request Specifies the alarm threshold for the number of DHCPv4 Request messages discarded because they do not match the DHCP snooping binding entries. -
dhcp-chaddr Specifies the alarm threshold for the number of DHCP messages discarded because the CHADDR field in the DHCPv4 request messages does not match the source MAC address in the data frame header. -
dhcp-reply Specifies the alarm threshold for the number of DHCPv4 Response messages discarded by untrusted interfaces. -

Views

System view, Ethernet interface view, GE interface view, XGE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After trap for discarded DHCP messages is enabled, run the dhcp snooping alarm threshold command to specify the alarm threshold for the number of DHCP messages discarded by DHCP snooping. If the alarm threshold is not set on an interface, the interface uses the global alarm threshold.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

The DHCP snooping alarm function has been enabled using the dhcp snooping alarm { dhcp-request | dhcp-chaddr | dhcp-reply } enable command.

Precautions

If you run the dhcp snooping alarm threshold command in the system view, the command takes effect on all the interfaces of the device.

If you specify an alarm threshold for the number of DHCP messages discarded by DHCP snooping in the system view, an alarm is generated when the number of all the discarded DHCP messages reaches the threshold.

Example

# Set the global alarm threshold for the number of discarded DHCP messages to 200.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping alarm threshold 200

# On GE1/0/1, enable DHCP snooping, enable the device to check whether the CHADDR field in the DHCP message matches the source MAC address in the Ethernet frame header, and enable alarm for the DHCP messages discarded because the CHADDR field in the DHCP message does not match the source MAC address. Set the alarm threshold to 1000.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping check dhcp-chaddr enable
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping alarm dhcp-chaddr enable
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping alarm dhcp-chaddr threshold 1000

dhcp snooping check dhcp-giaddr enable

Function

The dhcp snooping check dhcp-giaddr enable command enables the device to check whether the GIADDR field in DHCP messages is 0.

The undo dhcp snooping check dhcp-giaddr enable command disables the device from checking whether the GIADDR field in DHCP messages is 0.

By default, the device does not check whether the GIADDR field in DHCP messages is 0.

Format

In the system view:

dhcp snooping check dhcp-giaddr enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

undo dhcp snooping check dhcp-giaddr enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

In the VLAN view and interface view:

dhcp snooping check dhcp-giaddr enable

undo dhcp snooping check dhcp-giaddr enable

Parameters

Parameter Description Value
vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> Enables the device to check whether the GIADDR field in DHCP messages sent from a specified VLAN is 0.
  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1.
The value is an integer that ranges from 1 to 4094.

Views

System view, VLAN view, Ethernet interface view, GE interface view, XGE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To ensure that the device obtains parameters such as MAC addresses for generating a binding table, DHCP snooping needs to be applied to Layer 2 access devices or the first DHCP relay agent from the device. Therefore, the GIADDR field in the DHCP messages received by the DHCP snooping-enabled device is 0. If the GIADDR field is not 0, the message is unauthorized and then discarded. This function is recommended if DHCP snooping is enabled on the DHCP relay agent.

In normal situations, the GIADDR field in DHCP messages sent by user PCs is 0. If the GIADDR field is not 0, the DHCP server cannot correctly allocate IP addresses. To prevent attackers from applying for IP addresses using DHCP messages that contain a non-0 GIADDR field, you are advised to configure this function.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

If you run the dhcp snooping check dhcp-giaddr enable command in the VLAN view, the command takes effect on all the DHCP messages from the specified VLAN. If you run the dhcp snooping check dhcp-giaddr enable command in the interface view, the command takes effect on all the DHCP messages received by the specified interface.

Example

# Enable the device to check whether the GIADDR field in DHCP messages from VLAN 10 is 0.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcp snooping check dhcp-giaddr enable

# Enable the device to check whether the GIADDR field in DHCP messages received on GE1/0/1 is 0.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping check dhcp-giaddr enable

dhcp snooping check dhcp-rate

Function

The dhcp snooping check dhcp-rate command sets the maximum rate of sending DHCP messages to the processing unit.

The undo dhcp snooping check dhcp-rate command restores the default maximum rate of sending DHCP messages to the processing unit.

By default, the maximum rate of sending global DHCP messages to the processing unit is 100 pps, which is the same as the maximum rate of sending DHCP messages on interfaces to the processing unit.

Format

In the system view:

dhcp snooping check dhcp-rate rate [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

undo dhcp snooping check dhcp-rate

In the VLAN view and interface view:

dhcp snooping check dhcp-rate rate

undo dhcp snooping check dhcp-rate

Parameters

Parameter Description Value
rate Specifies the maximum rate of sending DHCP messages to the processing unit. The value is an integer that ranges from 1 to 100, in pps.
vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
Specifies the maximum rate of sending DHCP messages from a specified VLAN to the processing unit.
  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1.

If this parameter is not specified, the command takes effect on all the DHCP messages.

The value is an integer that ranges from 1 to 4094.

Views

System view, VLAN view, Ethernet interface view, GE interface view, XGE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After DHCP snooping is enabled, the device sends all the received DHCP Request messages and Reply messages to the processing unit. If the rate of sending DHCP messages is high, processing efficiency of the processing unit is affected. After the device is enabled to check the rate of sending DHCP messages to the processing unit, run the dhcp snooping check dhcp-rate command to set the maximum rate of sending DHCP messages to the processing unit. DHCP messages that exceed the rate are discarded.

Prerequisites

The device has been enabled to check the rate of sending DHCP messages to the processing unit using the dhcp snooping check dhcp-rate enable command.

Precautions

If the maximum rates of sending DHCP messages to the processing unit are set in the system view, VLAN view, and interface view, the smallest value takes effect.

Example

# In the system view, set the maximum rate of sending DHCP messages to the processing unit to 50 pps.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping check dhcp-rate enable
[HUAWEI] dhcp snooping check dhcp-rate 50

dhcp snooping check dhcp-rate enable

Function

The dhcp snooping check dhcp-rate enable command enables the device to check the rate of sending DHCP messages to the processing unit.

The undo dhcp snooping check dhcp-rate enable command disables the device from checking the rate of sending DHCP messages to the processing unit.

By default, the device does not check the rate of sending DHCP messages to the processing unit.

Format

In the system view:

dhcp snooping check dhcp-rate enable [ rate ] [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

undo dhcp snooping check dhcp-rate enable [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

In the VLAN view and interface view:

dhcp snooping check dhcp-rate enable [ rate ]

undo dhcp snooping check dhcp-rate enable

Parameters

Parameter Description Value
rate Specifies the maximum rate of sending DHCP messages to the processing unit. For the function of rate, see the dhcp snooping check dhcp-rate command. The value ranges from 1 to 100, in pps. The default value is 100.
vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
Enables the device to check the rate of sending DHCP messages from a specified VLAN to the processing unit.
  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1.

If this parameter is not specified, the command takes effect on all the DHCP messages.

The value is an integer that ranges from 1 to 4094.

Views

System view, VLAN view, Ethernet interface view, GE interface view, XGE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After DHCP snooping is enabled, the device sends all the received DHCP Request messages and Reply messages to the processing unit. If the rate of sending DHCP messages is high, processing efficiency of the processing unit is affected. After the device is enabled to check the rate of sending DHCP messages to the processing unit, DHCP messages that exceed the specified rate are discarded.

The default maximum rate of sending DHCP messages is 100 pps. To set the maximum rate, run the dhcp snooping check dhcp-rate command.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Example

# In the system view, enable the device to check the rate of sending DHCP messages to the processing unit.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping check dhcp-rate enable

# In VLAN 10, enable the device to check the rate of sending DHCP messages to the processing unit.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcp snooping enable
[HUAWEI-vlan10] dhcp snooping check dhcp-rate enable

dhcp snooping check dhcp-chaddr enable

Function

The dhcp snooping check dhcp-chaddr enable command enables the device to check whether the CHADDR field matches the source MAC address in the header of a DHCP Request message.

The undo dhcp snooping check dhcp-chaddr enable command disables the device from checking whether the CHADDR field matches the source MAC address in the header of a DHCP Request message.

By default, the device does not check whether the CHADDR field is the same as the source MAC address in the header of a DHCP Request message.

Format

In the system view:

dhcp snooping check dhcp-chaddr enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

undo dhcp snooping check dhcp-chaddr enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

In the VLAN view and interface view:

dhcp snooping check dhcp-chaddr enable

undo dhcp snooping check dhcp-chaddr enable

Parameters

Parameter Description Value
vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
Enables the device to check whether the CHADDR field matches the source MAC address in the header of a DHCP Request message.
  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1.
The value is an integer that ranges from 1 to 4094.

Views

System view, VLAN view, Ethernet interface view, GE interface view, XGE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In normal situations, the CHADDR field in a DHCP Request message matches the MAC address of the DHCP client that sends the message. The DHCP server identifies the client MAC address based on the CHADDR field in the DHCP Request message. If attackers continuously apply for IP addresses by changing the CHADDR field in the DHCP Request message, addresses in the address pool on the DHCP server may be exhausted. As a result, authorized users cannot obtain IP addresses.
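An added Python example, not part of the Huawei documentation, that applies the CHADDR check described here and the GIADDR check from dhcp snooping check dhcp-giaddr enable to raw Ethernet frames. The function names and the constructed sample frames are hypothetical, and the example assumes both checks apply only to client-originated messages (BOOTP op = 1).

```python
import socket
import struct

ETH_P_IP, ETH_P_8021Q, IPPROTO_UDP, BOOTREQUEST = 0x0800, 0x8100, 17, 1


def parse_dhcp(frame: bytes) -> dict:
    """Extract the fields the two checks need from a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src_mac = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off = 14
    if ethertype == ETH_P_8021Q:            # skip a single 802.1Q VLAN tag
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        (ethertype,) = struct.unpack("!H", frame[16:18])
        off = 18
    if ethertype != ETH_P_IP:
        raise ValueError("not IPv4")
    if len(frame) < off + 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = frame[off] >> 4, (frame[off] & 0x0F) * 4
    if version != 4 or ihl < 20 or frame[off + 9] != IPPROTO_UDP:
        raise ValueError("not an IPv4/UDP packet")
    udp = off + ihl
    if len(frame) < udp + 8:
        raise ValueError("truncated UDP header")
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if {sport, dport} - {67, 68}:
        raise ValueError("not DHCPv4 (UDP ports 67/68)")
    bootp = frame[udp + 8:]
    if len(bootp) < 236:                    # fixed BOOTP header (RFC 2131)
        raise ValueError("truncated BOOTP header")
    op, htype, hlen = bootp[0], bootp[1], bootp[2]
    if hlen > 16:
        raise ValueError("invalid hardware address length")
    return {
        "src_mac": src_mac, "op": op, "htype": htype,
        "giaddr": socket.inet_ntoa(bootp[24:28]),
        "chaddr": bootp[28:28 + hlen],
    }


def inspect_frame(frame: bytes) -> list:
    """Return the checks a client message fails; an empty list means it passes."""
    msg = parse_dhcp(frame)
    findings = []
    if msg["op"] != BOOTREQUEST:            # assumption: only client messages
        return findings
    if msg["htype"] == 1 and msg["chaddr"] != msg["src_mac"]:
        findings.append("chaddr-mismatch")  # CHADDR differs from frame source MAC
    if msg["giaddr"] != "0.0.0.0":
        findings.append("giaddr-nonzero")   # GIADDR should be 0 on the access side
    return findings


def build_frame(src_mac: bytes, chaddr: bytes, giaddr: str, vlan=None) -> bytes:
    """Constructed sample input: a broadcast DHCPDISCOVER, checksums left at 0."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", BOOTREQUEST, 1, 6, 0,
                        0x1234ABCD, 0, 0x8000, bytes(4), bytes(4), bytes(4),
                        socket.inet_aton(giaddr), chaddr, b"", b"")
    bootp += bytes.fromhex("63825363") + bytes([53, 1, 1, 255])
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, bytes(4), b"\xff" * 4) + udp
    tag = b"" if vlan is None else struct.pack("!HH", ETH_P_8021Q, vlan)
    return b"\xff" * 6 + src_mac + tag + struct.pack("!H", ETH_P_IP) + ip


if __name__ == "__main__":
    client = bytes.fromhex("001122334455")          # constructed MAC addresses
    other = bytes.fromhex("02aabbccddee")
    for label, frame in [
        ("normal client", build_frame(client, client, "0.0.0.0")),
        ("CHADDR differs", build_frame(client, other, "0.0.0.0")),
        ("GIADDR set", build_frame(client, client, "10.0.0.1", vlan=10)),
    ]:
        print(label, inspect_frame(frame) or "pass")
```

A request forwarded by an upstream DHCP relay agent carries the relay's source MAC address and a non-zero GIADDR, so it would fail both checks; this is why the checks belong on the access device or first relay agent facing the clients.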

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

If you run the dhcp snooping check dhcp-chaddr enable command in the VLAN view, the command takes effect on all the DHCP messages in the specified VLAN received by all the interfaces on the device. If you run the dhcp snooping check dhcp-chaddr enable command in the interface view, the command takes effect for all the DHCP messages received on the interface.

Example

# Enable the device to check whether the CHADDR field in the DHCP message matches the source MAC address on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping check dhcp-chaddr enable

dhcp snooping check dhcp-request enable

Function

The dhcp snooping check dhcp-request enable command enables the device to check DHCP messages against the DHCP snooping binding table.

The undo dhcp snooping check dhcp-request enable command disables the device from checking DHCP messages against the DHCP snooping binding table.

By default, the device does not check DHCP messages against the DHCP snooping binding table.

Format

In the system view:

dhcp snooping check dhcp-request enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

undo dhcp snooping check dhcp-request enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

In the VLAN view and interface view:

dhcp snooping check dhcp-request enable

undo dhcp snooping check dhcp-request enable

Parameters

Parameter Description Value
vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> Enables the device to check DHCP messages from a specified VLAN against the DHCP snooping binding table. The value is an integer that ranges from 1 to 4094.

Views

System view, VLAN view, Ethernet interface view, GE interface view, XGE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a DHCP snooping binding table is generated, the device checks DHCP Request and Release messages against the binding table. The device forwards only DHCP messages that match binding entries. This prevents unauthorized users from sending bogus DHCP Request or Release messages to extend or release IP addresses.

The matching rules are as follows:

  • When the device receives a DHCP Request message, it performs the following operations:
    1. Checks whether the destination MAC address is all Fs. If so, the device considers the user to have gone online for the first time and directly forwards the message. If not, the device considers the user to have sent the DHCP Request message to renew the IP address lease and checks the DHCP Request message against the DHCP snooping binding table.
    2. Checks whether the CHADDR field in the DHCP Request message matches a DHCP snooping binding entry. If not, the device considers the user to have gone online for the first time and directly forwards the message. If so, the device checks whether the VLAN ID, IP address, and interface number of the message match DHCP snooping binding entries. If all these fields match a DHCP snooping binding entry, the device forwards the message; otherwise, the device discards the message.
  • When receiving a DHCP Release message, the device checks whether the VLAN ID, IP address, MAC address, and interface number of the message match a dynamic DHCP snooping binding entry. If so, the device forwards the message; otherwise, the device discards the message.
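The matching rules above, written out as a small Python model (an added example, not Huawei's implementation). The Binding and Message classes, the check function and the sample entries are hypothetical; the model assumes the MAC address compared for a Release message is the CHADDR value and that ip is the address the message refers to.

```python
from dataclasses import dataclass
from typing import List, Tuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    dynamic: bool = True      # False models a statically configured entry


@dataclass(frozen=True)
class Message:
    kind: str                 # "request" or "release"
    dst_mac: str              # destination MAC of the Ethernet frame
    chaddr: str               # client hardware address in the DHCP payload
    ip: str                   # IP address the message refers to (assumption)
    vlan: int
    interface: str            # ingress interface


def _same_location(entry: Binding, msg: Message) -> bool:
    """VLAN ID, IP address and interface number all match the entry."""
    return (entry.vlan, entry.ip, entry.interface) == (msg.vlan, msg.ip, msg.interface)


def check(table: List[Binding], msg: Message) -> Tuple[str, str]:
    """Return (verdict, reason) following the matching rules on this page."""
    chaddr = msg.chaddr.lower()
    entries = [b for b in table if b.mac.lower() == chaddr]

    if msg.kind == "request":
        # Step 1: an all-Fs destination MAC means the user is going online
        # for the first time, so the message is forwarded without a lookup.
        if msg.dst_mac.lower() == BROADCAST_MAC:
            return "forward", "broadcast request, first time online"
        # Step 2: a unicast request is a lease renewal. No entry for the
        # CHADDR is again treated as a first-time user.
        if not entries:
            return "forward", "no binding entry for CHADDR"
        if any(_same_location(b, msg) for b in entries):
            return "forward", "renewal matches binding entry"
        return "discard", "renewal does not match VLAN/IP/interface"

    if msg.kind == "release":
        # A Release must match a dynamic entry on every field.
        if any(b.dynamic and _same_location(b, msg) for b in entries):
            return "forward", "release matches dynamic binding entry"
        return "discard", "release does not match a dynamic binding entry"

    raise ValueError("unsupported message kind: " + msg.kind)


# Constructed sample binding table and messages.
TABLE = [
    Binding("00:11:22:33:44:55", "10.0.10.5", 10, "GE1/0/1"),
    Binding("00:11:22:33:44:66", "10.0.10.6", 10, "GE1/0/2", dynamic=False),
]

if __name__ == "__main__":
    server = "00:aa:bb:cc:dd:01"   # constructed unicast destination MAC
    samples = [
        Message("request", BROADCAST_MAC, "00:11:22:33:44:77", "0.0.0.0", 10, "GE1/0/3"),
        Message("request", server, "00:11:22:33:44:55", "10.0.10.5", 10, "GE1/0/1"),
        Message("request", server, "00:11:22:33:44:55", "10.0.10.5", 10, "GE1/0/9"),
        Message("release", server, "00:11:22:33:44:55", "10.0.10.5", 10, "GE1/0/9"),
    ]
    for m in samples:
        print(m.kind, m.interface, *check(TABLE, m))
```

The third and fourth samples show the case the check exists for: a renewal or release that reuses a known client's CHADDR and IP address but arrives on a different interface is discarded.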

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

If you run the dhcp snooping check dhcp-request enable command in the VLAN view, the command takes effect for all the DHCP messages received from the specified VLAN. If you run the dhcp snooping check dhcp-request enable command in the interface view, the command takes effect for all the DHCP messages received on the specified interface.

Example

# Enable the device to check DHCP messages against the DHCP snooping binding table in VLAN 10.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcp snooping enable
[HUAWEI-vlan10] dhcp snooping check dhcp-request enable

dhcp snooping disable

Function

The dhcp snooping disable command disables DHCP snooping on an interface.

The undo dhcp snooping disable command cancels the configuration.

By default, if the dhcp snooping enable command is used on an interface or in a VLAN that an interface belongs to, DHCP snooping is enabled on this interface.

Format

dhcp snooping disable

undo dhcp snooping disable

Parameters

None

Views

Ethernet interface view, GE interface view, XGE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If you run the dhcp snooping enable command to enable DHCP snooping in a VLAN, DHCP snooping is enabled on all the interfaces in the VLAN. If you do not run the dhcp snooping enable command to enable DHCP snooping on an interface, you cannot run the undo dhcp snooping enable command to disable DHCP snooping on the interface. To address this problem, run the dhcp snooping disable command to disable DHCP snooping on the interface. Users can properly go online from this interface, but no dynamic binding entry is generated.

Precautions

  • The dhcp snooping disable command not only disables DHCP snooping on an interface, but also clears the DHCP snooping configuration and the dynamic binding table. The undo dhcp snooping enable command, however, only disables DHCP snooping on the interface and does not clear the configuration or the dynamic binding table.
  • The undo dhcp snooping disable command enables DHCP snooping on an interface. To enable DHCP snooping, run the dhcp snooping enable command.

Example

# Disable DHCP snooping on GE1/0/1 in VLAN 10.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcp snooping enable
[HUAWEI-vlan10] quit
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping disable
dhcp snooping enable

Function

The dhcp snooping enable command enables DHCP snooping.

The undo dhcp snooping enable command disables DHCP snooping.

By default, DHCP snooping is disabled on the device.

Format

In the system view:

dhcp snooping enable [ ipv4 | ipv6 | vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

undo dhcp snooping enable [ ipv4 | ipv6 | vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

In the VLAN view and interface view:

dhcp snooping enable

undo dhcp snooping enable

Parameters

Parameter Description Value
ipv4 Indicates that the device processes only DHCPv4 messages. -
ipv6 Indicates that the device processes only DHCPv6 messages. -
vlan { vlan-id1 [ to vlan-id2 ] }
Enables DHCP snooping in a specified VLAN.
  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1.
The specified VLAN ID must exist.

Views

System view, VLAN view, Ethernet interface view, GE interface view, XGE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

DHCP snooping is a security function to protect DHCP. When you run the dhcp snooping enable command to enable DHCP snooping on a device, the device can process both DHCPv4 and DHCPv6 messages. In practice, however, if the DHCP snooping device needs to process only DHCPv4 or DHCPv6 messages, you can run the dhcp snooping enable ipv4 or dhcp snooping enable ipv6 command, which improves CPU efficiency.

You must enable DHCP snooping in the system view before enabling DHCP snooping on an interface or in a VLAN.

Prerequisites

DHCP has been enabled globally using the dhcp enable command.

Follow-up Procedure

After DHCP snooping is enabled on the interface connected to users or in the VLAN, run the dhcp snooping trusted command to configure the interface connected to the DHCP server as a trusted interface. The binding entry can be generated only when DHCP snooping is enabled on the interface and the interface is configured as a trusted one.

Precautions

The dhcp snooping enable command in the system view is the prerequisite for DHCP snooping-related functions. After the undo dhcp snooping enable command is run, all DHCP snooping-related configurations of the device are deleted. After DHCP snooping is enabled again using the dhcp snooping enable command, all DHCP snooping-related configurations of the device are restored to the default configurations.

If you run the dhcp snooping enable command in the VLAN view, the command takes effect for all the DHCP messages from the specified VLAN. If you run the dhcp snooping enable command in the interface view, the command takes effect for all the DHCP messages received on the specified interface.

If both DHCP relay and VRRP are configured on a device, DHCP snooping cannot be configured.

DHCP snooping cannot be enabled if the DHCP server is at the subordinate VLAN side and the DHCP client is at the principal VLAN side.

Example

# Enable DHCP snooping globally and configure the device to process only DHCPv4 messages.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4

# Enable DHCP snooping on GE 1/0/1.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable

# Enable DHCP snooping in VLAN 100.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping enable

# Enable DHCP snooping in VLANs ranging from VLAN 20 to VLAN 25 in a batch.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan batch 20 to 25
[HUAWEI] dhcp snooping enable vlan 20 to 25

dhcp snooping enable no-user-binding

Function

The dhcp snooping enable no-user-binding command disables the interfaces from generating DHCP snooping binding entries after DHCP snooping is enabled.

The undo dhcp snooping enable no-user-binding command restores the default setting.

By default, an interface generates DHCP snooping binding entries after DHCP snooping is enabled.

Format

System view:

dhcp snooping enable no-user-binding vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

undo dhcp snooping enable no-user-binding vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

VLAN view, interface view:

dhcp snooping enable no-user-binding

undo dhcp snooping enable no-user-binding

Parameters

Parameter Description Value
vlan { vlan-id1 [ to vlan-id2 ] }
Disables the interfaces in the specified VLANs from generating DHCP snooping binding entries.
  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1.
The value is an integer that ranges from 1 to 4094.

Views

System view, VLAN view, Ethernet interface view, GE interface view, XGE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After DHCP snooping is enabled on a device, the device generates DHCP snooping binding entries for users by default. If the number of binding entries on the device reaches the upper limit, new users cannot go online. In certain scenarios, for example, on a trusted DHCP network, if you do not want to limit the number of online users but want to record user location information, run the dhcp snooping enable no-user-binding command to disable the device from generating DHCP snooping binding entries.

When the command is executed in an interface view, the command takes effect for all DHCP users connecting to the interface. When the command is executed in the VLAN view, the command takes effect for all the DHCP users belonging to this VLAN on all interfaces. When the command is executed in the system view, the command takes effect in the same way as it is executed in the VLAN view, except that multiple VLANs can be specified.

Prerequisites

DHCP snooping has been enabled using the dhcp snooping enable command.

Precautions

After this command is executed, the device deletes the binding entries from the corresponding VLAN or interface.

If a function that depends on DHCP snooping binding entries, such as IPSG or DAI, is configured on the device, that function does not take effect after this command is run.

This command cannot be used together with dhcp snooping check dhcp-request enable; otherwise, online users cannot go offline.

Example

# In the system view, disable the interfaces in VLAN 10 and VLAN 20 from generating DHCP snooping binding entries.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable no-user-binding vlan 10 20

# In the VLAN view, disable the interfaces in VLAN 10 from generating DHCP snooping binding entries.

<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcp snooping enable no-user-binding 

# In the interface view, disable GE1/0/1 from generating DHCP snooping binding entries.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable no-user-binding

dhcp snooping max-user-number

Function

The dhcp snooping max-user-number command sets the maximum number of DHCP snooping binding entries to be learned on an interface.

The undo dhcp snooping max-user-number command restores the default maximum number of DHCP snooping binding entries to be learned on an interface.

By default, a maximum of 32768 DHCP snooping binding entries can be learned on an interface.

Format

In the system view:

dhcp snooping max-user-number max-user-number [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

undo dhcp snooping max-user-number [ vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> ]

In the VLAN view and interface view:

dhcp snooping max-user-number max-user-number

undo dhcp snooping max-user-number

Parameters

Parameter Description Value

max-user-number

Specifies the maximum number of DHCP snooping binding entries that can be learned on an interface.

The value is an integer that ranges from 1 to 32768.

vlan { vlan-id1 [ to vlan-id2 ] }

Specifies the VLANs in which the maximum number of DHCP snooping binding entries that can be learned is set.
  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1.
The value is an integer that ranges from 1 to 4094.

Views

System view, VLAN view, Ethernet interface view, GE interface view, XGE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The dhcp snooping max-user-number command sets the maximum number of DHCP snooping binding entries to be learned on an interface. If the number of DHCP snooping binding entries reaches the maximum value, subsequent users cannot access the network.

When the command is executed in the system view, the value specified in this command is the total number of DHCP snooping binding entries to be learned by all interfaces on the device. If you run the dhcp snooping max-user-number command in the VLAN view, the command takes effect on all the interfaces in the VLAN. If you run the dhcp snooping max-user-number command in the system view, VLAN view, and the interface view, the smallest value takes effect.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Example

# Set the maximum number of DHCP users to 100 on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping max-user-number 100

# Set the maximum number of DHCP users in VLAN 100 to 100.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping enable
[HUAWEI-vlan100] dhcp snooping max-user-number 100

dhcp snooping over-vpls enable

Function

The dhcp snooping over-vpls enable command enables DHCP snooping on the device on a Virtual Private LAN Service (VPLS) network.

The undo dhcp snooping over-vpls enable command disables DHCP snooping on the device on a VPLS network.

By default, DHCP snooping is disabled on the device on a VPLS network.

Format

dhcp snooping over-vpls enable

undo dhcp snooping over-vpls enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The DHCP packets on a VPLS network are different from common DHCP packets. Therefore, DHCP snooping cannot take effect for the device on the VPLS network even if the function is enabled globally using the dhcp snooping enable command in the system view. To make DHCP snooping take effect for the device applied to the VPLS network, run the dhcp snooping over-vpls enable command to enable the function.

To enable DHCP snooping for the device on the VPLS network, enable it on the device close to the user side so that the DHCP packets from the user side to the VPLS network can be controlled.

Prerequisites

DHCP has been enabled globally using the dhcp enable command in the system view.

Precautions

SA cards of S series do not support DHCP snooping on a VPLS network.

The device management interfaces do not support DHCP snooping on a VPLS network.

After you run the dhcp snooping over-vpls enable command, the maximum number of concurrent users is 50 in the default CPCAR configuration.

When the device is applied to a VPLS network, you only need to run the dhcp snooping over-vpls enable command to enable DHCP snooping on the device; the other DHCP snooping commands remain unchanged.

Example

# Enable DHCP snooping on the device on a VPLS network.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping over-vpls enable

dhcp snooping trusted

Function

The dhcp snooping trusted command configures an interface as a trusted interface.

The undo dhcp snooping trusted command configures an interface as an untrusted interface.

By default, all interfaces are untrusted interfaces.

Format

In the VLAN view:

dhcp snooping trusted interface interface-type interface-number

undo dhcp snooping trusted interface interface-type interface-number

In the interface view:

dhcp snooping trusted

undo dhcp snooping trusted

Parameters

Parameter Description Value
interface interface-type interface-number Specifies the type and number of an interface in a VLAN.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.
-

Views

VLAN view, Ethernet interface view, GE interface view, XGE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To enable DHCP clients to obtain IP addresses from authorized DHCP servers, DHCP snooping supports the trusted interface and untrusted interfaces. The trusted interface forwards DHCP messages while untrusted interfaces discard received DHCP ACK messages and DHCP Offer messages.

An interface directly or indirectly connected to the DHCP server trusted by the administrator needs to be configured as the trusted interface, and other interfaces are configured as untrusted interfaces. This ensures that DHCP clients obtain IP addresses from authorized DHCP servers.

Prerequisites

In the system view, run the dhcp snooping enable command to enable DHCP snooping.

Precautions

If an interface has been configured as a DHCP trusted interface using the dhcp snooping trusted command, the device will not consider DHCP packets received by this interface as attack packets or perform attack defense operations on the DHCP packets received by this interface.

If you run the dhcp snooping trusted command in the VLAN view, the command takes effect for all the DHCP messages received from the specified VLAN. If you run the dhcp snooping trusted command in the interface view, the command takes effect for all the DHCP messages received on the specified interface.

You are advised not to configure more than 15 trusted ports in a VLAN.

Example

# Configure GE1/0/1 in VLAN 100 as the trusted interface.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping trusted interface gigabitethernet 1/0/1

# Configure GE1/0/1 as the trusted interface.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping trusted

dhcp snooping user-alarm percentage

Function

The dhcp snooping user-alarm percentage command configures the alarm thresholds for the percentage of DHCP snooping binding entries.

The undo dhcp snooping user-alarm percentage command restores the default alarm thresholds for the percentage of DHCP snooping binding entries.

By default, the lower alarm threshold for the percentage of DHCP snooping binding entries is 50, and the upper alarm threshold for the percentage of DHCP snooping binding entries is 100.

Format

dhcp snooping user-alarm percentage percent-lower-value percent-upper-value

undo dhcp snooping user-alarm percentage

Parameters

Parameter Description Value
percent-lower-value

Specifies the lower alarm threshold for the percentage of DHCP snooping binding entries.

The value is an integer that ranges from 1 to 100.

percent-upper-value

Specifies the upper alarm threshold for the percentage of DHCP snooping binding entries.

The value is an integer that ranges from 1 to 100, but must be greater than or equal to the lower alarm threshold.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After you run the dhcp snooping max-user-number command to set the maximum number of DHCP snooping binding entries on an interface, you can run the dhcp snooping user-alarm percentage command to set the alarm thresholds for the percentage of DHCP snooping binding entries.

When the percentage of learned DHCP snooping binding entries against the maximum number of DHCP snooping entries allowed by the device reaches or exceeds the upper alarm threshold, the device generates an alarm. When the percentage of learned DHCP snooping binding entries against the maximum number of DHCP snooping entries allowed by the device reaches or falls below the lower alarm threshold later, the device generates a clear alarm.

Example

# Set the lower alarm threshold for the DHCP user count percentage to 30 and the upper alarm threshold to 80.

<HUAWEI> system-view
[HUAWEI] dhcp snooping user-alarm percentage 30 80
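
The smallest-value rule for dhcp snooping max-user-number and the two-threshold alarm behaviour described above can be modelled as follows. This is an added example, not Huawei code; the function names and the series of entry counts are constructed, and it assumes the percentage is taken against the effective limit.

```python
DEFAULT_MAX = 32768  # default max-user-number stated on this page


def effective_limit(system=None, vlan=None, interface=None):
    """Smallest configured max-user-number wins; unset views are ignored."""
    configured = [v for v in (system, vlan, interface) if v is not None]
    for value in configured:
        if not 1 <= value <= 32768:
            raise ValueError(f"max-user-number out of range: {value}")
    return min(configured, default=DEFAULT_MAX)


def alarm_events(counts, limit, lower=50, upper=100):
    """Replay binding-entry counts and return (sample index, event) pairs.

    An alarm is raised when the percentage reaches or exceeds `upper`; it is
    cleared only when the percentage later reaches or falls below `lower`.
    """
    if not 1 <= lower <= upper <= 100:
        raise ValueError("need 1 <= lower <= upper <= 100")
    events, raised = [], False
    for sample, count in enumerate(counts):
        percent = 100 * count / limit
        if not raised and percent >= upper:
            raised = True
            events.append((sample, "alarm"))
        elif raised and percent <= lower:
            raised = False
            events.append((sample, "clear"))
    return events


if __name__ == "__main__":
    # Constructed series of learned-entry counts on one interface.
    series = [10, 50, 79, 80, 95, 60, 31, 30, 85, 20]
    limit = effective_limit(system=1000, vlan=200, interface=100)
    print(limit, alarm_events(series, limit, lower=30, upper=80))
    # With lower == upper the alarm flaps on every crossing of the threshold.
    print(alarm_events([79, 80, 79, 80], limit, lower=80, upper=80))
```

Keeping a gap between the two thresholds, as in the 30/80 example, stops a count that hovers near the upper threshold from producing a stream of alarm and clear events.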

dhcp snooping user-bind autosave

Function

The dhcp snooping user-bind autosave command enables local automatic backup of the DHCP snooping binding table.

The undo dhcp snooping user-bind autosave command disables local automatic backup of the DHCP snooping binding table.

By default, local automatic backup of the DHCP snooping binding table is disabled.

Format

dhcp snooping user-bind autosave file-name [ write-delay delay-time ]

undo dhcp snooping user-bind autosave

Parameters

Parameter Description Value
file-name

Specifies the path for storing the file that backs up the binding table and the file name. The file path and name supported by the device must be both entered.

The value is a string of 1 to 51 case-insensitive characters without spaces.

write-delay delay-time

Specifies the interval for local automatic backup of the DHCP snooping binding table.

If this parameter is not specified, the backup interval is the default value.

The value is an integer that ranges from 60 to 4294967295, in seconds. By default, the interval for local automatic backup of the DHCP snooping binding table is 3600 seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The dhcp snooping user-bind autosave command can retain the configured DHCP snooping binding entries after the device restarts. After a DHCP snooping binding table is generated, you can run the dhcp snooping user-bind autosave command to enable local automatic backup of the DHCP snooping binding table.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

Local automatic backup prevents data loss in the DHCP snooping binding table. The suffix of the file must be .tbl.

If the system restarts within one hour after the system time is changed, immediately run the dhcp snooping user-bind autosave command again to back up the latest dynamic binding entries, because the binding table is not yet due to be updated. If you do not run this command, the lease will be inconsistent with the current system time after the dynamic binding table is restored.

If a device where the DHCP snooping binding table is backed up is powered off and then restarted after the lease of DHCP snooping binding table expires, the DHCP snooping entries cannot be restored.

The DHCP snooping binding tables are backed up to LPUs, but not to the MPU.

Example

# Configure the device to back up the DHCP snooping binding table to the file backup.tbl in the CF card every 5000 seconds.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping user-bind autosave cfcard:/backup.tbl write-delay 5000

dhcp snooping user-bind ftp

Function

The dhcp snooping user-bind ftp command enables the device to automatically back up DHCP snooping binding entries on the remote FTP server.

The undo dhcp snooping user-bind ftp command disables the device from automatically backing up DHCP snooping binding entries on the remote FTP server.

By default, the device is not enabled to automatically back up DHCP snooping binding entries on the remote FTP server.

Format

dhcp snooping user-bind ftp remotefilename filename host-ip ip-address username username password password [ write-delay delay-time ]

undo dhcp snooping user-bind ftp

Parameters

Parameter Description Value
remotefilename filename

Specifies the name of the file where DHCP snooping binding entries will be backed up on the remote FTP server.

The value is a string of 1 to 64 case-sensitive characters without spaces. The string cannot contain the following characters: ~ * \ | : " ? < >.

host-ip ip-address

Specifies the IP address of the remote FTP server.

The value is in dotted decimal notation.

username username

Specifies the user name to connect to the FTP server.

The value is a string of 1 to 64 case-sensitive characters without spaces.

password password

Specifies the password to connect to the FTP server.

The value is a string of case-sensitive characters without spaces. It can be a cipher-text password of 48 characters or a plain-text password of 1 to 16 characters.

NOTE:

To improve security, it is recommended that the password contain at least two of the following character types: lower-case letters, upper-case letters, numerals, and special characters, and that it contain at least 6 characters.

write-delay delay-time

Specifies the interval for automatically backing up DHCP snooping binding entries.

If this parameter is not used, the default interval is used.

The value is an integer that ranges from 300 to 4294967295, in seconds.

By default, the system backs up DHCP snooping binding entries every hour.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the device restarts, to prevent loss of generated DHCP snooping binding entries on the device, run the dhcp snooping user-bind ftp command to enable the device to automatically back up DHCP snooping binding entries on the remote FTP server.

Prerequisites

DHCP snooping has been enabled using the dhcp snooping enable command.

Precautions

FTP is not a secure protocol and poses a risk to device security. SFTP, configured using the dhcp snooping user-bind sftp command, is recommended.

Example

# Enable the device to automatically back up DHCP snooping binding entries to the backup file on the FTP server at 10.137.12.10 with the FTP user name huawei and password Huawei@123.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping user-bind ftp remotefilename backup host-ip 10.137.12.10 username huawei password Huawei@123

dhcp snooping user-bind ftp load

Function

The dhcp snooping user-bind ftp load command configures the device to obtain and restore backup DHCP snooping binding entries on the remote FTP server.

Format

dhcp snooping user-bind ftp load remotefilename filename host-ip ip-address username username password password

Parameters

Parameter Description Value
remotefilename filename

Specifies the name of the file from which the device obtains DHCP snooping binding entries.

The value is a string of 1 to 64 characters without spaces. The string cannot contain the following characters: ~ * \ | : " ? < >.

host-ip ip-address

Specifies the IP address of the remote FTP server.

The value is in dotted decimal notation.

username username

Specifies the user name to connect to the FTP server.

The value is a string of 1 to 64 characters without spaces.

password password

Specifies the password to connect to the FTP server.

The value is a string of characters without spaces. It can be a cipher-text password of 48 characters or a plain-text password of 1 to 16 characters.

NOTE:

To improve security, it is recommended that the password contain at least two of the following character types: lower-case letters, upper-case letters, numerals, and special characters, and that it contain at least 6 characters.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After running the dhcp snooping user-bind ftp command to enable the device to automatically back up DHCP snooping binding entries on the remote FTP server, you can run the dhcp snooping user-bind ftp load command to configure the device to obtain and restore backup DHCP snooping binding entries on the remote FTP server.

Prerequisites

DHCP snooping has been enabled using the dhcp snooping enable command.

Precautions

FTP is not a secure protocol and poses a risk to device security. SFTP, configured using the dhcp snooping user-bind sftp load command, is recommended.

Example

# Configure the device to obtain and restore backup DHCP snooping binding entries from the backup file on the remote FTP server at 10.137.12.10 with the FTP user name huawei and password Huawei@123.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping user-bind ftp load remotefilename backup host-ip 10.137.12.10 username huawei password Huawei@123
Warning: FTP is not a secure protocol, and it is recommended to use SFTP.  
Info: Downloading the file from the remote FTP server. Please wait...done. 
 Total number of dynamic binding table in remote file: 30 
 Recovering dynamic binding table, please wait for a moment....
 10 successful, 20 failed.
 Binding Collisions         :    20     Exceeds max limits     :     0
 Invalid interfaces         :     0     Invalid vlans          :     0
 Invalid snp configurations :     0     Expired leases         :     0            
 Parse failures             :     0
Table 14-56  Description of the dhcp snooping user-bind ftp load command output

| Item | Description |
| --- | --- |
| Total number of dynamic binding table in remote file | Number of DHCP snooping binding entries stored on the remote server. |
| m successful, n failed | m DHCP snooping binding entries are recovered successfully, and n DHCP snooping binding entries fail to be recovered. |
| Binding Collisions | Number of DHCP snooping binding entries that cannot be restored because of collision between local entries and remote entries. |
| Exceeds max limits | Number of DHCP snooping binding entries that cannot be restored because the number of local entries reaches the upper limit. |
| Invalid interfaces | Number of DHCP snooping binding entries that cannot be restored because the local interface becomes invalid, for example, Down. |
| Invalid vlans | Number of DHCP snooping binding entries that cannot be restored because the VLAN on local device becomes invalid, for example, unavailable VLAN. |
| Invalid snp configurations | Number of DHCP snooping binding entries that cannot be restored because the DHCP snooping function is not enabled. |
| Expired leases | Number of DHCP snooping binding entries that cannot be restored because the lease of DHCP snooping binding table expires. |
| Parse failures | Number of DHCP snooping binding entries that cannot be restored because the device fails to parse the binding table file. |

dhcp snooping user-bind sftp

Function

The dhcp snooping user-bind sftp command enables the device to automatically back up DHCP snooping binding entries on the remote SFTP server.

The undo dhcp snooping user-bind sftp command disables the device from automatically backing up DHCP snooping binding entries on the remote SFTP server.

By default, the device is not enabled to automatically back up DHCP snooping binding entries on the remote SFTP server.

Format

dhcp snooping user-bind sftp remotefilename filename host-ip ip-address username username password password [ write-delay delay-time ]

undo dhcp snooping user-bind sftp

Parameters

Parameter Description Value
remotefilename filename

Specifies the name of the file where DHCP snooping binding entries will be backed up on the remote SFTP server.

The value is a string of 1 to 64 characters without spaces. The string cannot contain the following characters: ~ * \ | : " ? < >.

host-ip ip-address

Specifies the IP address of the remote SFTP server.

The value is in dotted decimal notation.

username username

Specifies the user name to connect to the SFTP server.

The value is a string of 1 to 64 case-sensitive characters without spaces.

password password

Specifies the password to connect to the SFTP server.

The value is a string of case-sensitive characters without spaces. It can be a cipher-text password of 48 characters or a plain-text password of 1 to 16 characters.

NOTE:

To improve security, it is recommended that the password contain at least two of the following character types: lower-case letters, upper-case letters, numerals, and special characters, and that it contain at least 6 characters.

write-delay delay-time

Specifies the interval for automatically backing up DHCP snooping binding entries.

If this parameter is not used, the default interval is used.

The value is an integer that ranges from 300 to 4294967295, in seconds.

By default, the system backs up DHCP snooping binding entries every hour.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the device restarts, to prevent loss of generated DHCP snooping binding entries on the device, run the dhcp snooping user-bind sftp command to enable the device to automatically back up DHCP snooping binding entries on the remote SFTP server.

Prerequisites

DHCP snooping has been enabled using the dhcp snooping enable command.

Precautions

The suffix of the file must be .tbl.

Example

# Enable the device to automatically back up DHCP snooping binding entries to the backup file on the SFTP server at 10.137.12.10 with the SFTP user name huawei and password Huawei@123.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping user-bind sftp remotefilename backup host-ip 10.137.12.10 username huawei password Huawei@123

dhcp snooping user-bind sftp load

Function

The dhcp snooping user-bind sftp load command configures the device to obtain and restore backup DHCP snooping binding entries on the remote SFTP server.

Format

dhcp snooping user-bind sftp load remotefilename filename host-ip ip-address username username password password

Parameters

Parameter Description Value
remotefilename filename

Specifies the name of the file from which the device obtains DHCP snooping binding entries.

The value is a string of 1 to 64 characters without spaces. The string cannot contain the following characters: ~ * \ | : " ? < >.

host-ip ip-address

Specifies the IP address of the remote SFTP server.

The value is in dotted decimal notation.

username username

Specifies the user name to connect to the SFTP server.

The value is a string of 1 to 64 characters without spaces.

password password

Specifies the password to connect to the SFTP server.

The value is a string of characters without spaces. It can be a cipher-text password of 48 characters or a plain-text password of 1 to 16 characters.

NOTE:

To improve security, it is recommended that the password contain at least two of the following character types: lower-case letters, upper-case letters, numerals, and special characters, and that it contain at least 6 characters.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After running the dhcp snooping user-bind sftp command to enable the device to automatically back up DHCP snooping binding entries on the remote SFTP server, you can run the dhcp snooping user-bind sftp load command to configure the device to obtain and restore backup DHCP snooping binding entries on the remote SFTP server.

Prerequisites

DHCP snooping has been enabled using the dhcp snooping enable command.

Example

# Configure the device to obtain and restore backup DHCP snooping binding entries from the backup file on the remote SFTP server at 10.137.12.10 with the SFTP user name huawei and password Huawei@123.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping user-bind sftp load remotefilename backup host-ip 10.137.12.10 username huawei password Huawei@123
Info: Downloading the file from the remote SFTP server. Please wait...done.   
 Total number of dynamic binding table in remote file: 30 
 Recovering dynamic binding table, please wait for a moment....
 10 successful, 20 failed.
 Binding Collisions         :    20     Exceeds max limits     :     0
 Invalid interfaces         :     0     Invalid vlans          :     0
 Invalid snp configurations :     0     Expired leases         :     0            
 Parse failures             :     0
Table 14-57  Description of the dhcp snooping user-bind sftp load command output

| Item | Description |
| --- | --- |
| Total number of dynamic binding table in remote file | Number of DHCP snooping binding entries stored on the remote server. |
| m successful, n failed | m DHCP snooping binding entries are recovered successfully, and n DHCP snooping binding entries fail to be recovered. |
| Binding Collisions | Number of DHCP snooping binding entries that cannot be restored because of collision between local entries and remote entries. |
| Exceeds max limits | Number of DHCP snooping binding entries that cannot be restored because the number of local entries reaches the upper limit. |
| Invalid interfaces | Number of DHCP snooping binding entries that cannot be restored because the local interface becomes invalid, for example, Down. |
| Invalid vlans | Number of DHCP snooping binding entries that cannot be restored because the VLAN on local device becomes invalid, for example, unavailable VLAN. |
| Invalid snp configurations | Number of DHCP snooping binding entries that cannot be restored because the DHCP snooping function is not enabled. |
| Expired leases | Number of DHCP snooping binding entries that cannot be restored because the lease of DHCP snooping binding table expires. |
| Parse failures | Number of DHCP snooping binding entries that cannot be restored because the device fails to parse the binding table file. |

dhcp snooping user-bind tftp

Function

The dhcp snooping user-bind tftp command enables the device to automatically back up DHCP snooping binding entries on the remote TFTP server.

The undo dhcp snooping user-bind tftp command disables the device from automatically backing up DHCP snooping binding entries on the remote TFTP server.

By default, the device is not enabled to automatically back up DHCP snooping binding entries on the remote TFTP server.

Format

dhcp snooping user-bind tftp remotefilename filename host-ip ip-address [ write-delay delay-time ]

undo dhcp snooping user-bind tftp

Parameters

Parameter Description Value
remotefilename filename

Specifies the name of the file where DHCP snooping binding entries will be backed up on the remote TFTP server.

The value is a string of 1 to 64 case-sensitive characters without spaces. The string cannot contain the following characters: ~ * \ | : " ? < >.

host-ip ip-address

Specifies the IP address of the TFTP server.

The value is in dotted decimal notation.

write-delay delay-time

Specifies the interval for automatically backing up DHCP snooping binding entries.

If this parameter is not used, the default interval is used.

The value is an integer that ranges from 300 to 4294967295, in seconds.

By default, the interval for local automatic backup of the DHCP snooping binding table is 3600 seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the device restarts, to prevent loss of generated DHCP snooping binding entries on the device, run the dhcp snooping user-bind tftp command to enable the device to automatically back up DHCP snooping binding entries on the remote TFTP server.

Prerequisites

DHCP snooping has been enabled using the dhcp snooping enable command.

Precautions

TFTP is not a secure protocol and poses a risk to device security. SFTP, configured using the dhcp snooping user-bind sftp command, is recommended.

Example

# Enable the device to automatically back up DHCP snooping binding entries to the backup file on the TFTP server at 10.137.12.10 at intervals of 5000s.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping user-bind tftp remotefilename backup host-ip 10.137.12.10 write-delay 5000
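
The precautions in this section (FTP and TFTP backup, the .tbl suffix, plain-text passwords, no-user-binding combined with dhcp snooping check dhcp-request enable, and more than 15 trusted ports in a VLAN) can be checked against a configuration file before it is deployed. This is an added example, not Huawei tooling; the sample configuration is constructed, and the file layout and the VLAN-list form of the check command are assumptions marked in the comments.

```python
import re

# Constructed sample. Assumption: VRP-style layout, where a line at column 0
# enters a view and commands typed in that view are indented by one space.
SAMPLE_CONFIG = """\
dhcp snooping enable
dhcp snooping enable no-user-binding vlan 10 to 12 20
dhcp snooping user-bind ftp remotefilename backup host-ip 10.137.12.10 username huawei password Huawei@123
#
vlan 11
 dhcp snooping enable
 dhcp snooping check dhcp-request enable
#
vlan 100
 dhcp snooping trusted interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
 dhcp snooping enable no-user-binding
"""
VIEW = re.compile(r"(vlan)\s+(\d+)|(interface)\s+(.+)")
BACKUP = re.compile(r"dhcp snooping user-bind (autosave|ftp|sftp|tftp)\s+(.+)")

def expand_vlans(tokens):
    """Expand 'vlan-id1 [ to vlan-id2 ]' groups into a set of VLAN IDs."""
    vlans, i = set(), 0
    while i < len(tokens):
        first = last = int(tokens[i])
        step = 1
        if tokens[i + 1:i + 2] == ["to"] and i + 2 < len(tokens):
            last, step = int(tokens[i + 2]), 3
            if last <= first:
                raise ValueError("vlan-id2 must be larger than vlan-id1")
        if not 1 <= first <= last <= 4094:
            raise ValueError("VLAN ID out of range 1-4094")
        vlans.update(range(first, last + 1))
        i += step
    return vlans

def iter_commands(config):
    """Yield ((view kind, view name), command) for each configuration line."""
    view = ("system", "")
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "#":
            continue
        if not raw.startswith(" "):
            m = VIEW.fullmatch(cmd)
            view = (m[1] or m[3], m[2] or m[4]) if m else ("system", "")
            if m:
                continue
        yield view, cmd

def scopes(view, cmd):
    """Views a command covers; a system-view VLAN list fans out per VLAN.
    Assumption: the check dhcp-request command takes the same VLAN list."""
    listed = re.search(r"\svlan\s+(.+)$", cmd)
    if view[0] == "system" and listed:
        return {("vlan", str(v)) for v in expand_vlans(listed[1].split())}
    return {view}

def check_backup(kind, args):
    """Findings for one 'dhcp snooping user-bind ...' backup command."""
    out = []
    if args[:1] == ["load"]:
        args = args[1:]
    opts = {} if kind == "autosave" else dict(zip(args[::2], args[1::2]))
    name = args[0] if kind == "autosave" else opts.get("remotefilename", "")
    if kind in ("ftp", "tftp"):
        out.append(f"user-bind {kind}: insecure transport, sftp is recommended")
    if kind in ("autosave", "sftp") and not name.lower().endswith(".tbl"):
        out.append(f"user-bind {kind}: file suffix must be .tbl")
    if 1 <= len(opts.get("password", "")) <= 16:  # cipher-text form is 48 chars
        out.append(f"user-bind {kind}: plain-text password in the command")
    return out

def audit(config):
    """Return findings for the precautions stated on this page."""
    findings, no_bind, check_req, trusted = [], set(), set(), {}
    for view, cmd in iter_commands(config):
        backup = BACKUP.fullmatch(cmd)
        if backup:
            findings += check_backup(backup[1], backup[2].split())
        elif cmd.startswith("dhcp snooping enable no-user-binding"):
            no_bind |= scopes(view, cmd)
        elif cmd.startswith("dhcp snooping check dhcp-request enable"):
            check_req |= scopes(view, cmd)
        elif view[0] == "vlan" and cmd.startswith("dhcp snooping trusted interface "):
            port = cmd.split("interface ", 1)[1].replace(" ", "").lower()
            trusted.setdefault(view[1], set()).add(port)
    for kind, name in sorted(no_bind & check_req):
        findings.append(f"{kind} {name}: no-user-binding with check dhcp-request "
                        "enable, online users cannot go offline")
    for vlan, ports in sorted(trusted.items()):
        if len(ports) > 15:
            findings.append(f"vlan {vlan}: {len(ports)} trusted ports, more than 15")
    return findings
```

Calling audit(SAMPLE_CONFIG) reports the FTP backup, the plain-text password and the conflict in VLAN 11; the findings never echo the password itself.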

dhcp snooping user-bind tftp load

Function

The dhcp snooping user-bind tftp load command configures the device to obtain and restore backup DHCP snooping binding entries on the remote TFTP server.

Format

dhcp snooping user-bind tftp load remotefilename filename host-ip ip-address

Parameters

Parameter Description Value
remotefilename filename

Specifies the name of the file from which the device obtains DHCP snooping binding entries.

The value is a string of 1 to 64 characters without spaces. The string cannot contain the following characters: ~ * \ | : " ? < >.

host-ip ip-address

Specifies the IP address of the remote TFTP server.

The value is in dotted decimal notation.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After running the dhcp snooping user-bind tftp command to enable the device to automatically back up DHCP snooping binding entries on the remote TFTP server, you can run the dhcp snooping user-bind tftp load command to configure the device to obtain and restore backup DHCP snooping binding entries on the remote TFTP server.

Prerequisites

DHCP snooping has been enabled using the dhcp snooping enable command.

Precautions

TFTP is not a secure protocol and poses a risk to device security. SFTP, configured using the dhcp snooping user-bind sftp load command, is recommended.

Example

# Configure the device to obtain and restore backup DHCP snooping binding entries from the backup file on the remote TFTP server at 10.137.12.10.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping user-bind tftp load remotefilename backup host-ip 10.137.12.10 
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...
100%
TFTP: Downloading the file successfully.
656 byte(s) received in 1 second(s).
 Total number of dynamic binding table in remote file: 20 
 Recovering dynamic binding table, please wait for a moment....
 10 successful, 10 failed.
 Binding Collisions         :    10     Exceeds max limit    :     0
 Invalid interfaces         :     0     Invalid vlan         :     0
 Invalid snp configurations :     0     Expired leases       :     0            
 Parse failures             :     0

Table 14-58  Description of the dhcp snooping user-bind tftp load command output

  • Total number of dynamic binding table in remote file: Number of DHCP snooping binding entries stored on the remote server.
  • Binding Collisions: Number of DHCP snooping binding entries that cannot be restored because of collision between local entries and remote entries.
  • Exceeds max limit: Number of DHCP snooping binding entries that cannot be restored because the number of local entries reaches the upper limit.
  • Invalid interfaces: Number of DHCP snooping binding entries that cannot be restored because the local interface becomes invalid, for example, Down.
  • Invalid vlan: Number of DHCP snooping binding entries that cannot be restored because the VLAN on local device becomes invalid, for example, unavailable VLAN.
  • Invalid snp configurations: Number of DHCP snooping binding entries that cannot be restored because the DHCP snooping function is not enabled.
  • Expired leases: Number of DHCP snooping binding entries that cannot be restored because the lease of DHCP snooping binding table expires.
  • Parse failures: Number of DHCP snooping binding entries that cannot be restored because the device fails to parse the binding table file.
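
When the restore is scripted, the summary printed by the load command can be parsed and cross-checked against the meanings in Table 14-58. The following Python is an added example, not part of the Huawei documentation; the function names are hypothetical and SAMPLE is the example output shown above.

```python
import re

# Example output copied from the dhcp snooping user-bind tftp load example above.
SAMPLE = """\
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...
100%
TFTP: Downloading the file successfully.
656 byte(s) received in 1 second(s).
 Total number of dynamic binding table in remote file: 20
 Recovering dynamic binding table, please wait for a moment....
 10 successful, 10 failed.
 Binding Collisions         :    10     Exceeds max limit    :     0
 Invalid interfaces         :     0     Invalid vlan         :     0
 Invalid snp configurations :     0     Expired leases       :     0
 Parse failures             :     0
"""

TOTAL_ITEM = "Total number of dynamic binding table in remote file"
FAILURE_ITEMS = ("Binding Collisions", "Exceeds max limit", "Invalid interfaces",
                 "Invalid vlan", "Invalid snp configurations", "Expired leases",
                 "Parse failures")
# "Name : count" pairs; two pairs can share one output line.
_FIELD = re.compile(r"([A-Za-z][A-Za-z ]*?)[ \t]*:[ \t]*(\d+)")
_RESULT = re.compile(r"(\d+) successful, (\d+) failed")


def parse_restore_summary(text):
    """Extract the counters from the command output; raise if any is missing."""
    fields = {name: int(value) for name, value in _FIELD.findall(text)}
    result = _RESULT.search(text)
    missing = [k for k in (TOTAL_ITEM,) + FAILURE_ITEMS if k not in fields]
    if result is None or missing:
        raise ValueError("incomplete restore summary, missing: %s"
                         % (missing or "result line"))
    return {"total": fields[TOTAL_ITEM],
            "restored": int(result.group(1)),
            "failed": int(result.group(2)),
            "reasons": {k: fields[k] for k in FAILURE_ITEMS}}


def check_restore(summary):
    """Return a list of findings; an empty list means every entry was restored."""
    findings = []
    if summary["restored"] + summary["failed"] != summary["total"]:
        findings.append("restored + failed does not equal the total in the remote file")
    if sum(summary["reasons"].values()) != summary["failed"]:
        findings.append("failure reasons do not add up to the failed count")
    for reason, count in summary["reasons"].items():
        if count:
            findings.append("%d entries not restored: %s" % (count, reason))
    return findings


if __name__ == "__main__":
    for line in check_restore(parse_restore_summary(SAMPLE)):
        print(line)
```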

dhcp snooping user-offline remove mac-address

Function

The dhcp snooping user-offline remove mac-address command enables the device to delete the MAC address entry of a user whose DHCP snooping binding entry is deleted.

The undo dhcp snooping user-offline remove mac-address command disables the device from deleting the MAC address entry of a user whose binding entry is deleted.

By default, the device does not delete the MAC address entry of a user whose DHCP snooping binding entry is deleted.

Format

dhcp snooping user-offline remove mac-address

undo dhcp snooping user-offline remove mac-address

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a user goes offline but its MAC address entry has not aged out, the device still forwards packets destined for the user's IP address based on the dynamic MAC address entry. After the dhcp snooping user-offline remove mac-address command is executed, the user's MAC address entry is deleted when the DHCP snooping binding entry is deleted. Combined with the function of discarding unknown unicast packets on the network-side interface, the device then discards packets destined for offline users.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Example

# Enable the device to delete the MAC address entry of a user whose DHCP snooping binding entry is deleted.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] dhcp snooping user-offline remove mac-address

dhcp snooping user-transfer enable

Function

The dhcp snooping user-transfer enable command enables location transition for DHCP snooping users.

The undo dhcp snooping user-transfer enable command disables location transition for DHCP snooping users.

By default, location transition is enabled for DHCP snooping users.

Format

dhcp snooping user-transfer enable

undo dhcp snooping user-transfer enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a mobile user goes online through interface A, goes offline, and then goes online through interface B, the user sends a DHCP Discover message to apply for an IP address. By default, if DHCP snooping is enabled on the device, the device allows the user to go online and updates the DHCP snooping binding entries. However, this may bring security risks. For example, if an attacker pretends to be an authorized user and sends a DHCP Discover message, the authorized user cannot access the network after the DHCP snooping binding table is updated. To prevent such attacks, you can disable the DHCP snooping location transition function. After this function is disabled, the device discards DHCP Discover messages that arrive through another interface from a user who already has an entry in the DHCP snooping binding table (that is, the user's MAC address exists in the binding table).

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Example

# Disable location transition for DHCP snooping users.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] undo dhcp snooping user-transfer enable

dhcpv6 interface-id format

Function

The dhcpv6 interface-id format command configures the Interface-ID format in DHCPv6 packets.

The undo dhcpv6 interface-id format command restores the default Interface-ID format in DHCPv6 packets.

By default, the Interface-ID format in DHCPv6 packets is default.

Format

dhcpv6 interface-id format { default | user-defined text }

undo dhcpv6 interface-id format

Parameters

Parameter: default
Description: Specifies the default Interface-ID format. The default Interface-ID format is %04svlan.%04cvlan.%mac:%portname. The values of the S-VLAN and C-VLAN are integers containing four characters. If the length is fewer than four characters, the value is prefixed with 0s. For example, if the outer VLAN value in the DHCPv6 packets received by the device is 11, the inner VLAN value is 22, the inbound interface is VLANIF100, and the device MAC address is 6afe-870b-0000, the Interface-ID generated during the system parsing process is 0011.0022.6afe870b0000:vlanif100.
Value: -

Parameter: user-defined text
Description: Specifies a user-defined format as the Interface-ID format. A user-defined format can be:
  • Format defined by keywords: The Interface-ID is defined based on the keywords supported by the user-defined format. For example, if the name of the device to which the users are connected and the outer VLAN to which the users belong need to be recorded, the user-defined format can be %sysname %svlan. If the device name is HUAWEI and the S-VLAN is 100, the user location information recorded by the Interface-ID is HUAWEI 100.

    For description of the keywords supported by the user-defined format, see Table 14-59.

  • Format defined by common character strings: The Interface-ID is directly defined as a character string. For example, if all users on an interface are located in the office building named N8, the Interface-ID can be directly defined as N8.

  • Mixed format: The Interface-ID is defined by both the keywords and common character strings. For example, the Interface-ID can be defined as %sysname N8.

Value: The value is a string of case-sensitive characters without spaces. The character string contains 1 to 251 characters, excluding the quotation marks.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The Interface-ID records user access information such as the inbound interfaces of the DHCPv6 packets sent from the clients to the device. The device functions as a DHCPv6 relay or lightweight DHCPv6 relay agent (LDRA). When receiving the request packets sent from the DHCPv6 clients and forwarding the packets to the DHCPv6 server, the device can insert the Interface-ID to the packets to identify the DHCPv6 client location information. The location information can be used by the DHCPv6 server to assign IPv6 addresses and network parameters. You can run the dhcpv6 interface-id format command to configure the format of the Interface-ID inserted into DHCPv6 packets.

Table 14-59  Description of the keywords supported by the user-defined format

  • duid: Specifies the client ID, including information such as the client MAC address.
  • sysname: Specifies the device name of the client.
  • portname: Specifies the name of the inbound interface that receives the DHCPv6 packets sent from the client to the device.
  • porttype: Specifies the type of the inbound interface that receives the DHCPv6 packets sent from the client to the device. The interface type is specified when the NAS interface is configured in certain scenarios.
  • iftype: Specifies the type of the inbound interface that receives the DHCPv6 packets sent from the client to the device. The interface type is usually GE.
  • mac: Specifies the device MAC address.
  • slot: Specifies the slot number of the DHCPv6 packet sent from the client to the device.
  • subslot: Specifies the sub-slot number of the DHCPv6 packet sent from the client to the device.
  • port: Specifies the port number of the DHCPv6 packet sent from the client to the device.
  • svlan: Specifies the outer VLAN of the DHCPv6 packet sent by the client.
  • cvlan: Specifies the inner VLAN of the DHCPv6 packet sent by the client.
  • length: Specifies the total length of the keywords following the length keyword. The length of the length keyword is excluded.

Prerequisites

DHCP has been enabled globally using the dhcp enable command.

Precautions

  • The user-defined format content must be specified between the double quotation marks (""). For example, to configure the user-defined format content as mac, run the dhcpv6 interface-id format user-defined "%mac" command.

  • Separators, which cannot be digits, must be added between the keywords in the user-defined format. Otherwise, the keywords cannot be parsed.

  • The symbol % must be prefixed to the keywords in the user-defined format to differentiate them from common character strings. If a digit exists before the symbol % and keyword, the digit refers to the number of characters in the keyword.

  • The self-defined content is encapsulated in ASCII format. In addition to the preceding precautions, note the following rules:

    • The symbol \ is an escape character. The symbols %, \, and [] following the escape character indicate themselves. For example, \\ represents the character \.
    • An ASCII character string can contain Arabic numerals, uppercase letters, lowercase letters, and the following symbols: ! @ # $ % ^ & * ( ) _ + | - = \ [ ] { } ; : ' " / ? . , < > `.
    • By default, the length of each keyword in an ASCII character string is the actual length of the keyword.

Example

# Configure a user-defined format as the format of the Interface-ID in DHCPv6 packets and the device MAC address as the encapsulated content.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcpv6 interface-id format user-defined "%mac"

dhcpv6 option18 format

Function

The dhcpv6 option18 format command configures the format of the Option 18 field in a DHCPv6 message.

The undo dhcpv6 option18 format command restores the default format of the Option 18 field in a DHCPv6 message.

By default, the format of the Option 18 field is not configured in a DHCPv6 message.

Format

dhcpv6 option18 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] format user-defined text

undo dhcpv6 option18 { [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] format | format all }

Parameters

Parameter: user-defined text
Description: Indicates the user-defined format of the Option 18 field.
Value: The value is a string of 1 to 251 characters. The details about the user-defined format string are provided in the Usage Guidelines.

Parameter: vlan vlan-id
Description: Specifies the outer VLAN ID.
NOTE:
  • If a VLAN is specified, only the format of the Option 18 field in DHCPv6 messages that belong to this VLAN is configured. If no VLAN is specified, the format of the Option 18 field in all DHCPv6 messages received by the interface is configured.
  • If the format of the Option 18 field is configured on an interface and the VLAN to which it belongs, the configuration on the interface takes effect.
  • This parameter is not supported in the VLAN view.
Value: The value is an integer that ranges from 1 to 4094.

Parameter: ce-vlan ce-vlan-id
Description: Specifies the inner VLAN ID.
NOTE:
This parameter is not supported in the VLAN view.
Value: The value is an integer that ranges from 1 to 4094.

Parameter: all
Description: Deletes all formats of the Option 18 field.
Value: -

Views

System view, VLAN view, Ethernet interface view, GE interface view, XGE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

After the dhcpv6 option18 { insert | rebuild } enable command is executed to enable the device to insert the Option 18 field to a DHCPv6 message, you can run the dhcpv6 option18 format command to configure the format of the Option 18 field in a DHCPv6 message.

You can use the following keywords to define the Option 18 field. The format string can use the hexadecimal notation, ASCII format, or combination of the two formats.
  • sysname: indicates the ID of the access point. This keyword is valid only in ASCII format.
  • portname: indicates the name of a port, for example, GE1/0/1. This keyword is valid only in ASCII format.
  • porttype: indicates the type of a port. This keyword is a character string or in hexadecimal notation. For example, if the value is Ethernet in ASCII format, it is 15 in hexadecimal notation.
  • iftype: indicates the type of an interface, which can be eth or trunk. This keyword is valid only in ASCII format.
  • mac: indicates the MAC address of a port. In ASCII format, the value is in the format of H-H-H; in hexadecimal notation, the value is a number of six bytes.
  • slot: indicates the slot ID. This keyword is valid in ASCII format or in hexadecimal notation.
  • subslot: indicates the subslot ID. This keyword is valid in ASCII format or in hexadecimal notation.
  • port: indicates the port number. This keyword is valid in ASCII format or in hexadecimal notation.
  • svlan: indicates the outer VLAN ID. The value ranges from 1 to 4094. If this field is not required, this field is 0. This keyword is valid in ASCII format or in hexadecimal notation.
  • cvlan: specifies the inner VLAN ID. The value ranges from 1 to 4094. If this field is not required, this field is 0. This keyword is valid in ASCII format or in hexadecimal notation.
  • length: indicates the total length of the keywords following the keyword length.
  • n: indicates the value of the keyword svlan or cvlan if the SVLAN or CVLAN does not exist. The keyword n is on the left of the keyword svlan or cvlan. If the corresponding VLAN does not exist, the default value of the keyword svlan or cvlan is 4096 in ASCII format and is all Fs in hexadecimal notation. If the n keyword is added to the left of the keyword svlan or cvlan, the keyword svlan or cvlan is 0. This keyword is valid in ASCII format or in hexadecimal notation.
NOTE:

Delimiters must be added between keywords; otherwise, the device cannot parse the keywords. The delimiters cannot be numbers.

The symbols used in the format string are as follows:
  • The symbol % followed by a keyword indicates the format of the keyword.
  • A number to the left of the symbol % indicates the length of the keyword following the symbol %. In an ASCII character string, %05 has the same meaning as %05d in the C language. In a hexadecimal character string, the number indicates the keyword length in bits.
  • The symbol [] indicates an optional keyword. Each pair of brackets can contain only one keyword, svlan or cvlan. The keyword in the symbol [] is added to the Option 18 field only if the corresponding VLAN ID exists. To facilitate syntax check, the system does not support nesting of symbols [].
  • The symbol \ indicates an escape character. The symbols %, \, and [] following the escape character indicate themselves. For example, \\ represents \.
  • The contents in quotation marks (" ") are encapsulated in an ASCII string, and the contents outside the quotation marks are encapsulated in hexadecimal notation.
  • Other symbols are processed as common characters.

The rules for setting the format string in ASCII format or hexadecimal notation are as follows:
    • An ASCII character string can contain Arabic numerals, uppercase letters, lowercase letters, and the following symbols: ! @ # $ % ^ & * ( ) _ + | - = \ [ ] { } ; : ' " / ? . , < > `.
    • By default, the length of each keyword in an ASCII character string is the actual length of the keyword.
    • A hexadecimal notation string can contain numerals, spaces, and % + keywords.
    • In a hexadecimal notation string, numbers are encapsulated in the Option 18 field in hexadecimal notation. A number from 0 to 255 occupies 1 byte; a number from 256 to 65535 occupies 2 bytes; a number from 65536 to 4294967295 occupies 4 bytes. Numbers larger than 4294967295 are not supported. Multiple numbers must be separated by spaces; otherwise, they are considered as one number.
    • All the spaces in a hexadecimal character string are ignored.
    • By default, the slot ID, subslot ID, port number, and VLAN ID in a hexadecimal character string occupy 2 bytes; the field length occupies 1 byte.
    • If the length of each keyword in a hexadecimal character string is specified, the total length of the hexadecimal character string must be a multiple of 8. If the length of a specified keyword is longer than 32 bits, the first 32 bits of the keyword are the actual keyword value, and other bits are set to 0.
    • A hexadecimal notation string can contain only the keywords whose values are numbers. Other keywords, such as port name, cannot be added to the hexadecimal notation string.
    • If a string is not contained in quotation marks, it is encapsulated in hexadecimal notation. To encapsulate the string in the ASCII format, use a pair of quotation marks to contain the string. For example, the slot ID is 3, and the port number is 4. If the string is in the %slot %port format, the value of the encapsulated string is a hexadecimal number 00030004. If the string is in the "%slot %port" format, the value of the encapsulated string is 3 4.
    • A format string can contain both hexadecimal strings and ASCII strings, for example, %slot %port "%sysname %portname:%svlan.%cvlan."

Example

# Configure the format of the Option 18 field in a DHCPv6 message in VLAN 10.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcpv6 option18 format user-defined "%length %svlan %5slot %3subslot %8port"

# Configure the format of the Option 18 field in a DHCPv6 message on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcpv6 option18 format user-defined "%length %svlan %5slot %3subslot %8port"

dhcpv6 option37 format

Function

The dhcpv6 option37 format command configures the format of the Option 37 field in a DHCPv6 message.

The undo dhcpv6 option37 format command restores the default format of the Option 37 field in a DHCPv6 message.

By default, the format of the Option 37 field is not configured in a DHCPv6 message.

Format

dhcpv6 option37 [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] format user-defined text

undo dhcpv6 option37 { [ vlan vlan-id ] [ ce-vlan ce-vlan-id ] format | format all }

Parameters

Parameter: user-defined text
Description: Indicates the user-defined format of the Option 37 field.
Value: The value is a string of 1 to 247 characters. The details about the user-defined format string are provided in the Usage Guidelines.

Parameter: vlan vlan-id
Description: Specifies the outer VLAN ID.
NOTE:
  • If a VLAN is specified, only the format of the Option 37 field in DHCPv6 messages that belong to this VLAN is configured. If no VLAN is specified, the format of the Option 37 field in all DHCPv6 messages received by the interface is configured.
  • If the format of the Option 37 field is configured on an interface and the VLAN to which it belongs, the configuration on the interface takes effect.
  • This parameter is not supported in the VLAN view.
Value: The value is an integer that ranges from 1 to 4094.

Parameter: ce-vlan ce-vlan-id
Description: Specifies the inner VLAN ID.
NOTE:
This parameter is not supported in the VLAN view.
Value: The value is an integer that ranges from 1 to 4094.

Parameter: all
Description: Deletes all formats of the Option 37 field.
Value: -

Views

System view, VLAN view, Ethernet interface view, GE interface view, XGE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

After the dhcpv6 option37 { insert | rebuild } enable command is executed to enable the device to insert the Option 37 field to a DHCPv6 message, you can run the dhcpv6 option37 format command to configure the format of the Option 37 field in a DHCPv6 message.

You can use the following keywords to define the Option 37 field. The format string can use the hexadecimal notation, ASCII format, or combination of the two formats.
  • sysname: indicates the ID of the access point. This keyword is valid only in ASCII format.
  • portname: indicates the name of a port, for example, GE1/0/1. This keyword is valid only in ASCII format.
  • porttype: indicates the type of a port. This keyword is a character string or in hexadecimal notation. For example, if the value is Ethernet in ASCII format, it is 15 in hexadecimal notation.
  • iftype: indicates the type of an interface, which can be eth or trunk. This keyword is valid only in ASCII format.
  • mac: indicates the MAC address of a port. In ASCII format, the value is in the format of H-H-H; in hexadecimal notation, the value is a number of six bytes.
  • slot: indicates the slot ID. This keyword is valid in ASCII format or in hexadecimal notation.
  • subslot: indicates the subslot ID. This keyword is valid in ASCII format or in hexadecimal notation.
  • port: indicates the port number. This keyword is valid in ASCII format or in hexadecimal notation.
  • svlan: indicates the outer VLAN ID. The value ranges from 1 to 4094. If this field is not required, this field is 0. This keyword is valid in ASCII format or in hexadecimal notation.
  • cvlan: specifies the inner VLAN ID. The value ranges from 1 to 4094. If this field is not required, this field is 0. This keyword is valid in ASCII format or in hexadecimal notation.
  • length: indicates the total length of the keywords following the keyword length.
  • n: indicates the value of the keyword svlan or cvlan if the SVLAN or CVLAN does not exist. The keyword n is on the left of the keyword svlan or cvlan. If the corresponding VLAN does not exist, the default value of the keyword svlan or cvlan is 4096 in ASCII format and is all Fs in hexadecimal notation. If the n keyword is added to the left of the keyword svlan or cvlan, the keyword svlan or cvlan is 0. This keyword is valid in ASCII format or in hexadecimal notation.
NOTE:

Delimiters must be added between keywords; otherwise, the device cannot parse the keywords. The delimiters cannot be numbers.

The symbols used in the format string are as follows:
  • The symbol % followed by a keyword indicates the format of the keyword.
  • A number to the left of the symbol % indicates the length of the keyword following the symbol %. In an ASCII character string, %05 has the same meaning as %05d in the C language. In a hexadecimal character string, the number indicates the keyword length in bits.
  • The symbol [] indicates an optional keyword. Each pair of brackets can contain only one keyword, svlan or cvlan. The keyword in the symbol [] is added to the Option 37 field only if the corresponding VLAN ID exists. To facilitate syntax check, the system does not support nesting of symbols [].
  • The symbol \ indicates an escape character. The symbols %, \, and [] following the escape character indicate themselves. For example, \\ represents \.
  • The contents in quotation marks (" ") are encapsulated in an ASCII string, and the contents outside the quotation marks are encapsulated in hexadecimal notation.
  • Other symbols are processed as common characters.

The rules for setting the format string in ASCII format or hexadecimal notation are as follows:
    • An ASCII character string can contain Arabic numerals, uppercase letters, lowercase letters, and the following symbols: ! @ # $ % ^ & * ( ) _ + | - = \ [ ] { } ; : ' " / ? . , < > `.
    • By default, the length of each keyword in an ASCII character string is the actual length of the keyword.
    • A hexadecimal notation string can contain numerals, spaces, and % + keywords.
    • In a hexadecimal notation string, numbers are encapsulated in the Option 37 field in hexadecimal notation. A number from 0 to 255 occupies 1 byte; a number from 256 to 65535 occupies 2 bytes; a number from 65536 to 4294967295 occupies 4 bytes. Numbers larger than 4294967295 are not supported. Multiple numbers must be separated by spaces; otherwise, they are considered as one number.
    • All the spaces in a hexadecimal character string are ignored.
    • By default, the slot ID, subslot ID, port number, and VLAN ID in a hexadecimal character string occupy 2 bytes; the field length occupies 1 byte.
    • If the length of each keyword in a hexadecimal character string is specified, the total length of the hexadecimal character string must be a multiple of 8. If the length of a specified keyword is longer than 32 bits, the first 32 bits of the keyword are the actual keyword value, and other bits are set to 0.
    • A hexadecimal notation string can contain only the keywords whose values are numbers. Other keywords, such as port name, cannot be added to the hexadecimal notation string.
    • If a string is not contained in quotation marks, it is encapsulated in hexadecimal notation. To encapsulate the string in the ASCII format, use a pair of quotation marks to contain the string. For example, the slot ID is 3, and the port number is 4. If the string is in the %slot %port format, the value of the encapsulated string is a hexadecimal number 00030004. If the string is in the "%slot %port" format, the value of the encapsulated string is 3 4.
    • A format string can contain both hexadecimal strings and ASCII strings, for example, %slot %port "%sysname %portname:%svlan.%cvlan."

Example

# Configure the format of the Option 37 field in a DHCPv6 message in VLAN 10.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcpv6 option37 format user-defined "%length %svlan %5slot %3subslot %8port"

# Configure the format of the Option 37 field in a DHCPv6 message on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcpv6 option37 format user-defined "%length %svlan %5slot %3subslot %8port"
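
The format-string rules given for dhcpv6 option18 format and dhcpv6 option37 format (quotation marks for ASCII, bare text for hexadecimal, widths, [] for optional VLANs, \ as escape) can be checked offline before a format is configured on a device. The following Python model is an added example, not Huawei code: render(), its value dictionary and the C-style space padding for widths without a leading 0 are assumptions, and the length and n keywords are not modelled.

```python
import re

KEYWORDS = ("sysname", "portname", "porttype", "iftype", "subslot",
            "slot", "port", "svlan", "cvlan", "duid", "mac")
HEX_KEYWORDS = {"slot", "subslot", "port", "svlan", "cvlan"}   # numeric keywords only
VLANS = ("svlan", "cvlan")
# Longest names first, so %portname is not read as %port followed by "name".
_KW = re.compile(r"%(\d*)(" + "|".join(sorted(KEYWORDS, key=len, reverse=True)) + ")")
_NUM = re.compile(r"\d+")


def _expand_optional(fmt, values):
    """Resolve [..] groups: keep the contents only if the VLAN inside exists."""
    out, i = [], 0
    while i < len(fmt):
        if fmt[i] == "\\" and i + 1 < len(fmt):    # leave escapes for render()
            out.append(fmt[i:i + 2])
            i += 2
        elif fmt[i] == "[":
            j = fmt.find("]", i)
            inner = fmt[i + 1:j] if j != -1 else ""
            found = [m.group(2) for m in _KW.finditer(inner)]
            if j == -1 or "[" in inner or len(found) != 1 or found[0] not in VLANS:
                raise ValueError("[] needs exactly one svlan/cvlan keyword, no nesting")
            if values.get(found[0]) is not None:
                out.append(inner)
            i = j + 1
        else:
            out.append(fmt[i])
            i += 1
    return "".join(out)


def render(fmt, values):
    """Return the option payload bytes produced by format string `fmt`."""
    fmt = _expand_optional(fmt, values)
    out, bits, in_ascii, i = bytearray(), "", False, 0
    def flush():
        if len(bits) % 8:                          # hex fields must end on a byte boundary
            raise ValueError("hexadecimal part is not a multiple of 8 bits")
        if bits:
            out.extend(int(bits, 2).to_bytes(len(bits) // 8, "big"))
        return ""

    while i < len(fmt):
        ch = fmt[i]
        if ch == '"':                              # quotes switch hex <-> ASCII
            bits, in_ascii, i = flush(), not in_ascii, i + 1
        elif ch == "%":
            m = _KW.match(fmt, i)
            if not m:
                raise ValueError("unknown keyword at offset %d" % i)
            width, kw = m.groups()
            v = values.get(kw)
            if v is None and kw not in VLANS:
                raise ValueError("no value supplied for %" + kw)
            if in_ascii:
                text = "4096" if v is None else str(v)     # absent VLAN reads 4096
                if width:          # assumed C-style: %04 zero-pads, %4 space-pads
                    text = text.rjust(int(width), "0" if width[0] == "0" else " ")
                out.extend(text.encode("ascii"))
            else:
                if kw not in HEX_KEYWORDS:
                    raise ValueError("%" + kw + " is not numeric; use it inside quotes")
                n = int(width) if width else 16            # default field: 2 bytes
                vbits = min(n, 32)                         # first 32 bits carry the value
                num = (1 << vbits) - 1 if v is None else int(v)   # absent VLAN: all Fs
                if n == 0 or num >> vbits:
                    raise ValueError("%" + kw + " does not fit in %d bits" % n)
                bits += format(num, "0%db" % vbits) + "0" * (n - vbits)
            i = m.end()
        elif in_ascii:
            if ch == "\\" and i + 1 < len(fmt):    # escaped symbol stands for itself
                i += 1
            out.extend(fmt[i].encode("ascii"))
            i += 1
        elif ch == " ":                            # spaces outside quotes are ignored
            i += 1
        elif ch.isdigit():                         # literal number: 1, 2 or 4 bytes
            m = _NUM.match(fmt, i)
            num = int(m.group())
            if num > 4294967295:
                raise ValueError("numbers above 4294967295 are not supported")
            size = 1 if num <= 255 else 2 if num <= 65535 else 4
            bits += format(num, "0%db" % (size * 8))
            i = m.end()
        else:
            raise ValueError("only numerals, spaces and % keywords are allowed outside quotes")
    if in_ascii:
        raise ValueError("unterminated quotation mark")
    flush()
    return bytes(out)


if __name__ == "__main__":
    # Slot 3 and port 4, as in the page's example: prints 00030004 and then 3 4.
    print(render("%slot %port", {"slot": 3, "port": 4}).hex())
    print(render('"%slot %port"', {"slot": 3, "port": 4}).decode())
```

A format whose bit widths do not add up to whole bytes, or that uses a non-numeric keyword such as %portname outside quotation marks, raises ValueError in this model.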

dhcpv6 { option18 | option37 } enable

Function

The dhcpv6 { option18 | option37 } enable command enables the device to insert the Option 18 or Option 37 field to a DHCPv6 message.

The undo dhcpv6 { option18 | option37 } enable command disables the device from inserting the Option 18 or Option 37 field to a DHCPv6 message.

By default, the device does not insert the Option 18 or Option 37 field to a DHCPv6 message.

Format

dhcpv6 { option18 | option37 } { insert | rebuild } enable

undo dhcpv6 { option18 | option37 } { insert | rebuild } enable

Parameters

Parameter: insert
Description: Enables the device to insert the Option 18 or Option 37 field to a DHCPv6 message.
Value: -

Parameter: rebuild
Description: Enables the device to forcibly insert the Option 18 or Option 37 field to a DHCPv6 message.
Value: -

Views

VLAN view, Ethernet interface view, GE interface view, XGE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The function of the Option 18 and Option 37 fields is similar to that of the Option 82 field (see the dhcp option82 enable command). The Option 18 field contains the port number of a client and the Option 37 field contains the MAC address of the client. A device inserts the Option 18 or Option 37 field into a DHCPv6 Request message to notify the DHCP server of the DHCPv6 client location. The DHCP server can then properly assign an IP address and other configurations to the DHCPv6 client, ensuring DHCP client security.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

If you run the dhcpv6 { option18 | option37 } enable command in the VLAN view, the command takes effect for all the DHCPv6 messages received from the specified VLAN. If you run the dhcpv6 { option18 | option37 } enable command in the interface view, the command takes effect for all the DHCPv6 messages received on the specified interface.

Example

# Insert the Option 37 field to DHCPv6 Request messages sent by GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet1/0/1] dhcpv6 option37 insert enable

dhcpv6 remote-id format

Function

The dhcpv6 remote-id format command sets the format of the Remote-ID in DHCPv6 messages.

The undo dhcpv6 remote-id format command restores the default format of the Remote-ID in DHCPv6 messages.

By default, the default format of the Remote-ID in DHCPv6 messages is used.

Format

dhcpv6 remote-id format { default | user-defined text }

undo dhcpv6 remote-id format

Parameters

Parameter: default
Description: Specifies that the default format of the remote ID is used. The default format of the remote ID is %duid %portname:%04svlan.%04cvlan, where the values of the outer VLAN ID and inner VLAN ID are integers and composed of four characters. If the length is shorter than four characters, 0s are prefixed to the value. For example, if the outer VLAN value in the DHCPv6 packets received by the device is 11, the inner VLAN value is 22, the inbound interface is GE1/0/1, and the client DUID is 0003000180FB063545B3, the Remote-ID option generated during the system parsing process is 0003000180FB063545B3 GigabitEthernet 1/0/1:0011.0022.
Value: -

Parameter: user-defined text
Description: Specifies a user-defined format as the Remote-ID format. A user-defined format can be:
  • Format defined by keywords: The Remote-ID is defined based on the keywords supported by the user-defined format. For example, if the name of the device to which the users are connected and the outer VLAN to which the users belong need to be recorded, the user-defined format can be %sysname %svlan. If the device name is HUAWEI and the S-VLAN is 100, the user location information recorded by the Remote-ID is HUAWEI 100.

    For description of the keywords supported by the user-defined format, see Table 14-60.

  • Format defined by common character strings: The Remote-ID is directly defined as a character string. For example, if all users on an interface are located in the office building named N8, the Remote-ID can be directly defined as N8.

  • Mixed format: The Remote-ID is defined by both the keywords and common character strings. For example, the Remote-ID can be defined as %sysname N8.

Value: The value is a string of 3 to 247 case-sensitive characters with spaces.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The Remote-ID records user access information such as the DUID of the DHCPv6 packets sent from the clients to the device. The device functions as a DHCPv6 relay or lightweight DHCPv6 relay agent (LDRA). When receiving the request packets sent from the DHCPv6 clients and forwarding the packets to the DHCPv6 server, the device can insert the Remote-ID to the packets to identify the DHCPv6 client location information. The location information can be used by the DHCPv6 server to assign IPv6 addresses and network parameters. You can run the dhcpv6 remote-id format command to configure the format of the Remote-ID inserted into DHCPv6 packets.

Table 14-60  Description of the keywords supported by the user-defined format

  • duid: Specifies the client ID, including information such as the client MAC address.
  • sysname: Specifies the device name of the client.
  • portname: Specifies the name of the inbound interface that receives the DHCPv6 packets sent from the client to the device.
  • porttype: Specifies the type of the inbound interface that receives the DHCPv6 packets sent from the client to the device. The interface type is specified when the NAS interface is configured in certain scenarios.
  • iftype: Specifies the type of the inbound interface that receives the DHCPv6 packets sent from the client to the device. The interface type is usually GE.
  • mac: Specifies the device MAC address.
  • slot: Specifies the slot number of the DHCPv6 packet sent from the client to the device.
  • subslot: Specifies the sub-slot number of the DHCPv6 packet sent from the client to the device.
  • port: Specifies the port number of the DHCPv6 packet sent from the client to the device.
  • svlan: Specifies the outer VLAN of the DHCPv6 packet sent by the client.
  • cvlan: Specifies the inner VLAN of the DHCPv6 packet sent by the client.
  • length: Specifies the total length of the keywords following the length keyword. The length of the length keyword is excluded.

Follow-up Procedure

When the device functions as a DHCPv6 relay, you must run the dhcpv6 remote-id insert enable or dhcpv6 remote-id rebuild enable command to enable the function of inserting the Remote-ID into DHCPv6 relay packets after running the dhcpv6 remote-id format command to configure the Remote-ID format in DHCPv6 packets.

NOTE:

When the device functions as an LDRA, the Remote-ID is inserted into DHCPv6 relay packets by default and the function does not need to be enabled.

Precautions

  • The user-defined format content must be specified between the double quotation marks (""). For example, to configure the user-defined format content as mac, run the dhcpv6 interface-id format user-defined "%mac" command.

  • Non-digit separators must be added between the keywords in the user-defined format. Otherwise, the keywords cannot be parsed.

  • The symbol % must be prefixed to the keywords in the user-defined format to differentiate them from common character strings. If a digit exists before the symbol % and keyword, the digit refers to the number of characters in the keyword.

  • The self-defined content is encapsulated in ASCII format. In addition to the preceding precautions, note the following rules:

    • The symbol \ is an escape character. The symbols %, \, and [] following the escape character indicate themselves. For example, \\ represents the character \.
    • An ASCII character string can contain Arabic numerals, uppercase letters, lowercase letters, and the following symbols: ! @ # $ % ^ & * ( ) _ + | - = \ [ ] { } ; : ' " / ? . , < > `.
    • By default, the length of each keyword in an ASCII character string is the actual length of the keyword.

Example

# Set the customized format for the remote ID carried in DHCPv6 messages and encapsulate the MAC address of the device into the remote ID.

<HUAWEI> system-view
[HUAWEI] dhcpv6 remote-id format user-defined "%mac"
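
The format rules above (keywords from Table 14-60, the % prefix, the \ escape, non-digit separators, the 3 to 247 character range) can be checked before a string is pushed to a device. The following is an added example, not Huawei code: lint_remote_id and render are hypothetical helper names, keyword matching is assumed to be lowercase letters only, unescaped [ ] are kept as plain text, and a digit width prefix is detected but not expanded because the page does not describe its padding behavior.

```python
import re

# Keywords listed in Table 14-60 on this page.
KEYWORDS = {"duid", "sysname", "portname", "porttype", "iftype", "mac",
            "slot", "subslot", "port", "svlan", "cvlan", "length"}
ESCAPABLE = "%\\[]"   # characters the page says stand for themselves after "\"


def lint_remote_id(fmt):
    """Return (tokens, problems) for a user-defined format string.

    tokens: ("text", str) or ("kw", name, width), where width is the digit
    prefix found directly before "%" (None if absent).
    """
    tokens, problems, text, i = [], [], "", 0
    if not 3 <= len(fmt) <= 247:
        problems.append("length %d is outside 3..247" % len(fmt))
    while i < len(fmt):
        ch = fmt[i]
        if ch == "\\":                      # escape character
            nxt = fmt[i + 1:i + 2]
            if nxt and nxt in ESCAPABLE:
                text += nxt
                i += 2
            else:
                problems.append("backslash at offset %d escapes nothing" % i)
                i += 1
            continue
        if ch != "%":                       # common character
            text += ch
            i += 1
            continue
        # "%" starts a keyword; digits right before it are a width prefix.
        name = re.match(r"[A-Za-z]*", fmt[i + 1:]).group(0)
        width = re.search(r"\d+$", text)
        if width:
            text = text[:width.start()]
        if text:
            tokens.append(("text", text))
            text = ""
        elif tokens and tokens[-1][0] == "kw":
            problems.append("no non-digit separator before %" + name)
        if name not in KEYWORDS:
            problems.append("unknown keyword %" + name)
        tokens.append(("kw", name, int(width.group(0)) if width else None))
        i += 1 + len(name)
    if text:
        tokens.append(("text", text))
    return tokens, problems


def render(fmt, values):
    """Expand a clean format string with per-packet values (illustrative only)."""
    tokens, problems = lint_remote_id(fmt)
    if problems:
        raise ValueError("; ".join(problems))
    out = []
    for tok in tokens:
        if tok[0] == "text":
            out.append(tok[1])
        elif tok[2] is not None:
            raise ValueError("width prefix on %%%s is not modeled here" % tok[1])
        else:
            out.append(str(values[tok[1]]))
    return "".join(out)


if __name__ == "__main__":
    # Values below reproduce the example given in the parameter description.
    print(render("%sysname %svlan", {"sysname": "HUAWEI", "svlan": 100}))
    print(lint_remote_id("%slot2%port")[1])
```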

dhcpv6 snooping relay-information enable

Function

The dhcpv6 snooping relay-information enable command enables Lightweight DHCPv6 Relay Agent (LDRA) for DHCPv6 snooping.

The undo dhcpv6 snooping relay-information enable command disables LDRA.

By default, LDRA is disabled for DHCPv6 snooping.

Format

dhcpv6 snooping relay-information enable [ trust ]

undo dhcpv6 snooping relay-information enable [ trust ]

Parameters

Parameter

Description

Value

trust

Configures the device to trust the received Relay-Forward messages.

If this parameter is not specified, the device does not trust the received Relay-Forward messages.

-

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

Use Scenario

In some scenarios, for example when interfaces in the same VLAN have different network access rights and QoS requirements, the DHCPv6 server must be able to detect user access locations and assign the corresponding access control and QoS policies. The DHCPv6 relay agent is usually configured on the gateway. The relay agent can record user access locations; however, if access devices are located between the relay agent and users, the relay agent cannot detect the access locations of users.

LDRA can meet the requirements of these scenarios. LDRA is configured on the user-side access device. The LDRA-enabled device can forward user access locations (such as the network-side interfaces on clients) to the DHCPv6 server. The DHCPv6 server delivers policies to users accordingly.

This command enables LDRA for DHCPv6 snooping and configures the handling methods for received Relay-Forward messages:
  • Trust: The device forwards the received Relay-Forward messages to the DHCPv6 server. This method is usually used when multiple LDRA-enabled devices are directly connected. If the downstream LDRA-enabled device trusts the Relay-Forward messages from the upstream LDRA-enabled device, this method can be used.
  • Untrust: The device discards the received Relay-Forward messages. This method is usually used when an LDRA-enabled device directly connects to users, and the users may send invalid Relay-Forward messages.

Prerequisites

DHCP snooping has been enabled using the dhcp snooping enable command.

Precautions

The LDRA function only records the client location information and forwards the information to the DHCPv6 server. The differentiated policies for IP address allocation, accounting, access control, and QoS are configured on the DHCPv6 server.

Example

# Enable LDRA for DHCPv6 snooping in VLAN10.

<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcpv6 snooping relay-information enable

display dhcp option82 configuration

Function

The display dhcp option82 configuration command displays the DHCP Option 82 configuration.

Format

display dhcp option82 configuration [ vlan vlan-id | interface interface-type interface-number ]

Parameters

Parameter

Description

Value

vlan vlan-id

Displays the DHCP Option 82 configuration in a specified VLAN.

The value is an integer that ranges from 1 to 4094.

interface interface-type interface-number

Displays the DHCP Option 82 configuration on a specified interface.

  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The Option 82 field records the location of a DHCP client. A device inserts the Option 82 field into a DHCP Request message to notify the DHCP server of the DHCP client location. The DHCP server can properly assign an IP address and other configurations to the DHCP client, ensuring DHCP client security.

After the Option 82 field is inserted into a DHCP message, run the display dhcp option82 configuration command to display the DHCP Option 82 configuration.

Example

# Display all the DHCP Option82 configurations.

<HUAWEI> display dhcp option82 configuration
#                                                                               
dhcp option82 vendor-specific format vendor-sub-option 1 ascii 22               
#                                                                               
interface GigabitEthernet1/0/1                                                 
 dhcp option82 subscriber-id format ascii 222                                   
 dhcp option82 insert enable                                                    
 dhcp option82 encapsulation circuit-id                                 
 dhcp option82 append vendor-specific                                           
 dhcp option82 circuit-id format common                                         
# 
Table 14-61  Description of the display dhcp option82 configuration command output

Item

Description

interface ifn

Option 82 configuration on interface ifn.

dhcp option82 vendor-specific format vendor-sub-option i ascii text1

The Sub9 of the old format is inserted into the Option 82 field of DHCP messages.

To specify the parameter, run the dhcp option82 vendor-specific format command.

dhcp option82 subscriber-id format ascii text2

The Sub6 suboption is inserted into the Option 82 field of DHCP messages.

To specify the parameter, run the dhcp option82 subscriber-id format command.

dhcp option82 insert enable

The function of inserting Option 82 to DHCP messages is enabled and the insertion method is configured:

  • dhcp option82 rebuild enable: Rebuild mode
  • dhcp option82 insert enable: Insert mode

To specify the parameter, run the dhcp option82 enable command.

dhcp option82 encapsulation circuit-id

The suboption inserted into the Option 82 field of DHCP messages is configured.

To specify the parameter, run the dhcp option82 encapsulation command.

dhcp option82 append vendor-specific

The Sub9 of the new format is inserted into the Option 82 field of DHCP messages.

To specify the parameter, run the dhcp option82 append vendor-specific command.

dhcp option82 circuit-id format common

Format of the circuit-id suboption.

To specify the parameter, run the dhcp option82 format command.

display dhcp snooping

Function

The display dhcp snooping command displays DHCP snooping running information.

Format

display dhcp snooping [ interface interface-type interface-number | vlan vlan-id ]

Parameters

Parameter

Description

Value

interface interface-type interface-number

Displays DHCP snooping running information on a specified interface.

  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

-

vlan vlan-id

Displays DHCP snooping running information in a specified VLAN.

The value is an integer that ranges from 1 to 4094.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display dhcp snooping command displays DHCP snooping running information. If no interface or VLAN is specified, global DHCP snooping running information is displayed. If an interface or a VLAN ID is specified, DHCP snooping running information about the interface or VLAN is displayed.

Example

# Display global DHCP snooping running information.

<HUAWEI> display dhcp snooping 
 DHCP snooping global running information   :                                     
 DHCPv4 snooping                            : Enable                              
 DHCPv6 snooping                            : Enable                              
 Static user max number                     : 1024                                
 Current static user number                 : 1                                   
 Dhcp user max number                       : 100               
 Current dhcp user number                   : 0                                   
 Arp dhcp-snooping detect                   : Disable  (default)                  
 Alarm threshold                            : 100      (default)                  
 Check dhcp-rate                            : Disable  (default)                  
 Dhcp-rate limit(pps)                       : 100      (default)                  
 Alarm dhcp-rate                            : Disable  (default)                  
 Alarm dhcp-rate threshold                  : 100      (default)                  
 Discarded dhcp packets for rate limit      : 0                                   
 Bind-table autosave                        : Disable  (default)                      
 Offline remove mac-address                 : Disable  (default)                  
 Client position transfer allowed           : Enable   (default)                  
                                                                                
 DHCP snooping running information for interface GigabitEthernet1/0/1   :               
 DHCP snooping                              : Enable                  
 Trusted interface                          : No                                  
 Dhcp user max number                       : 100               
 Current dhcp user number                   : 0                                   
 Check dhcp-giaddr                          : Enable                              
 Check dhcp-chaddr                          : Disable  (default)                  
 Alarm dhcp-chaddr                          : Disable  (default)                  
 Check dhcp-request                         : Disable  (default)                  
 Alarm dhcp-request                         : Disable  (default)                  
 Check dhcp-rate                            : Enable                              
 Dhcp-rate limit(pps)                       : 100                                 
 Alarm dhcp-rate                            : Enable                              
 Alarm dhcp-rate threshold                  : 100                                 
 Discarded dhcp packets for rate limit      : 0                                   
 Alarm dhcp-reply                           : Disable  (default)                  
Table 14-62  Description of the display dhcp snooping command output

Item

Description

DHCPv4 snooping

Whether DHCPv4 snooping is enabled globally.

To enable DHCP snooping, run the dhcp snooping enable command.

DHCPv6 snooping

Whether DHCPv6 snooping is enabled globally.

To enable DHCP snooping, run the dhcp snooping enable command.

DHCP snooping

Whether DHCP snooping is enabled on the interface or in the VLAN.

To enable DHCP snooping, run the dhcp snooping enable command.

Static user max number

Maximum number of static users.

Current static user number

Number of current static users.

Dhcp user max number

Maximum number of DHCP snooping users.

To set the maximum number of DHCP snooping users, run the dhcp snooping max-user-number command.

Current dhcp user number

Number of current DHCP snooping users.

Arp dhcp-snooping detect

Whether association between ARP and DHCP snooping is enabled.

To enable association between ARP and DHCP snooping, run the arp dhcp-snooping-detect enable command.

Alarm threshold

Global alarm threshold for the number of discarded DHCP snooping messages.

To set the global alarm threshold for the number of discarded DHCP snooping messages, run the dhcp snooping alarm threshold command.

Check dhcp-rate

Whether a device is enabled to check the rate of sending DHCP messages.

To enable the device to check the rate of sending DHCP messages, run the dhcp snooping check dhcp-rate enable command.

Dhcp-rate limit(pps)

Rate limit of DHCP messages, in pps.

To set the rate limit of DHCP messages, run the dhcp snooping check dhcp-rate command.

Alarm dhcp-rate

Whether the trap for checking the rate of sending DHCP messages to the processing unit is enabled.

To enable the trap for checking the rate of sending DHCP messages to the processing unit, run the dhcp snooping alarm dhcp-rate enable command.

Alarm dhcp-rate threshold

Alarm threshold for the number of discarded DHCP messages. An alarm is generated if the number of discarded DHCP messages reaches the alarm threshold.

To set the alarm threshold for the number of discarded DHCP messages, run the dhcp snooping alarm dhcp-rate threshold command.

Discarded dhcp packets for rate limit

Number of discarded DHCP messages whose rate exceeds the rate limit.

Bind-table autosave

Whether a device is enabled to save the DHCP Snooping binding table.

To enable the device to save the binding table, run the dhcp snooping user-bind autosave command.

Offline remove mac-address

Whether a device is enabled to delete MAC addresses of offline users.

To enable the device to delete MAC addresses of offline users, run the dhcp snooping user-offline remove mac-address command.

Client position transfer allowed

Whether location transition is enabled for DHCP snooping users.

To enable location transition for DHCP snooping users, run the dhcp snooping user-transfer enable command.

Trusted interface

Whether an interface is a trusted interface.

To configure an interface as a trusted interface, run the dhcp snooping trusted command.

Check dhcp-giaddr

Whether a device is enabled to check the GIADDR field in a DHCP Request message.

To enable the device to check the GIADDR field in a DHCP Request message, run the dhcp snooping check dhcp-giaddr enable command.

Check dhcp-chaddr

Whether a device is enabled to check whether the CHADDR field in a DHCP Request message matches the source MAC address in the Ethernet frame header.

To enable the device to check whether the CHADDR field in a DHCP Request message matches the source MAC address in the Ethernet frame header, run the dhcp snooping check dhcp-chaddr enable command.

Alarm dhcp-chaddr

Whether a device is enabled to generate an alarm when the number of discarded DHCP Request messages with the CHADDR field different from the source MAC address in the Ethernet frame header exceeds the alarm threshold.

To enable the device to generate an alarm when the number of discarded DHCP Request messages with the CHADDR field different from the source MAC address in the Ethernet frame header exceeds the alarm threshold, run the dhcp snooping alarm enable command.

Check dhcp-request

Whether an interface is enabled to check DHCP Request messages.

To enable the interface to check DHCP Request messages, run the dhcp snooping check dhcp-request enable command.

Alarm dhcp-request

Whether a device is enabled to generate an alarm when the number of DHCP Request messages discarded within a specified period reaches the alarm threshold.

To enable the device to generate an alarm when the number of DHCP Request messages discarded within a specified period reaches the alarm threshold, run the dhcp snooping alarm enable command.

Alarm dhcp-reply

Whether a device is enabled to generate an alarm when an interface discards a DHCP Reply message from an untrusted interface.

To enable the device to generate an alarm when an interface discards a DHCP Reply message from an untrusted interface, run the dhcp snooping alarm enable command.
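
The display dhcp snooping output above can be audited automatically for untrusted ports that leave request-side checks at their disabled defaults. The following is an added example, not Huawei code: the sample text is a trimmed copy of the output shown on this page, and the baseline (which items must read Enable) is an assumption chosen for the example, not a vendor recommendation.

```python
import re

# Trimmed copy of the "display dhcp snooping" example output on this page.
SAMPLE = """\
 DHCP snooping global running information   :
 DHCPv4 snooping                            : Enable
 DHCPv6 snooping                            : Enable
 Arp dhcp-snooping detect                   : Disable  (default)
 Check dhcp-rate                            : Disable  (default)
 Bind-table autosave                        : Disable  (default)

 DHCP snooping running information for interface GigabitEthernet1/0/1   :
 DHCP snooping                              : Enable
 Trusted interface                          : No
 Check dhcp-giaddr                          : Enable
 Check dhcp-chaddr                          : Disable  (default)
 Check dhcp-request                         : Disable  (default)
 Check dhcp-rate                            : Enable
 Alarm dhcp-reply                           : Disable  (default)
"""

SECTION = re.compile(r"^\s*DHCP snooping (?:global )?running information"
                     r"(?: for (.+?))?\s*:\s*$")
FIELD = re.compile(r"^\s*(.+?)\s*:\s*(\S+)(\s+\(default\))?\s*$")

# Assumed baseline for this example.
GLOBAL_REQUIRED = ("DHCPv4 snooping", "DHCPv6 snooping")
UNTRUSTED_REQUIRED = ("DHCP snooping", "Check dhcp-chaddr",
                      "Check dhcp-request", "Check dhcp-rate")


def parse_running_info(text):
    """Return {scope: {item: (value, is_default)}}.

    scope is "global" or the text after "for", e.g. "interface GigabitEthernet1/0/1".
    """
    sections, current = {}, None
    for line in text.splitlines():
        head = SECTION.match(line)
        if head:
            current = sections.setdefault(head.group(1) or "global", {})
            continue
        field = FIELD.match(line)
        if field and current is not None:
            current[field.group(1)] = (field.group(2), bool(field.group(3)))
    return sections


def audit(sections):
    """Return [(scope, item, value)] for baseline items that are not Enable."""
    findings = []
    for scope, items in sections.items():
        if scope == "global":
            required = GLOBAL_REQUIRED
        elif items.get("Trusted interface", ("No", False))[0] == "No":
            required = UNTRUSTED_REQUIRED
        else:
            continue  # trusted interface: request-side checks are not audited
        for item in required:
            value = items.get(item, ("missing", False))[0]
            if value != "Enable":
                findings.append((scope, item, value))
    return findings


if __name__ == "__main__":
    for scope, item, value in audit(parse_running_info(SAMPLE)):
        print("%s: %s is %s" % (scope, item, value))
```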

display dhcp snooping configuration

Function

The display dhcp snooping configuration command displays the DHCP snooping configuration.

Format

display dhcp snooping configuration [ vlan vlan-id | interface interface-type interface-number ]

Parameters

Parameter

Description

Value

vlan vlan-id

Displays the DHCP snooping configuration in a specified VLAN.

The value is an integer that ranges from 1 to 4094.

interface interface-type interface-number
Displays the DHCP snooping configuration on a specified interface.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.
-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After DHCP snooping configuration is complete, run the display dhcp snooping configuration command to view the DHCP snooping configuration. If no VLAN or interface is specified, all the DHCP snooping configurations are displayed. If a VLAN or an interface is specified, only the DHCP snooping configuration in the VLAN or on the interface is displayed.

Example

# Display all the DHCP snooping configurations.

<HUAWEI> display dhcp snooping configuration
#
dhcp snooping enable
#
vlan 3
 dhcp snooping enable
 dhcp snooping check dhcp-giaddr enable
#
interface GigabitEthernet1/0/1
 dhcp snooping enable
#                 

display dhcp snooping statistics

Function

The display dhcp snooping statistics command displays statistics on the received DHCP messages.

Format

display dhcp snooping statistics

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can use the display dhcp snooping statistics command to view statistics on the received DHCP messages of all types.

Example

# Display statistics on the received DHCP messages.

<HUAWEI> display dhcp snooping statistics 
 DHCP Snooping Statistics:                                                      
                                                                                
 Client Request:                                                                 
  Dhcp Discover:                  0                                             
  Dhcp Request:                   0                                             
  Dhcp Decline:                   0                                             
  Dhcp Release:                   0                                             
  Dhcp Inform:                    0                                             
 Server Reply:                                                                  
  Dhcp Offer:                     0                                             
  Dhcp Ack:                       0                                             
  Dhcp Nak:                       0                                             
 Drop Packet:                                                                   
  Dropped by mac-address check:   0                                             
  Dropped by untrust reply:       0                                             
  Dropped by request conflict:    0 
  Dropped by untrust relay-forw:  0   
 Delete DHCP snooping table:                      
  Receive release packet:         0                         
  Receive decline packet:         0                            
  Lease expired:                  0                               
  User command:                   0                            
  Client transferes:              0                          
  Interface down:                 0                  
  Arp detect:                     0         
  Ucm notify:                     0
Table 14-63  Description of the display dhcp snooping statistics command output

Item

Description

Client Request

Number of packets sent by DHCP clients, including:

  • Number of DHCP Discover packets
  • Number of DHCP Request packets
  • Number of DHCP Decline packets
  • Number of DHCP Release packets
  • Number of DHCP Inform packets

Server Reply

Number of packets sent by the DHCP server, including:

  • Number of DHCP Offer packets
  • Number of DHCP ACK packets
  • Number of DHCP NAK packets

Drop Packet

Number of discarded packets.

Dropped by mac-address check

Number of discarded DHCP messages whose MAC address is different from the CHADDR value.

Dropped by untrust reply

Number of untrusted reply packets that are discarded.

Dropped by request conflict

Number of packets that are discarded because the client and server MAC addresses conflict.

Dropped by untrust relay-forw

Number of untrusted Relay-Forward packets that are discarded.

Delete DHCP snooping table

Number of DHCP snooping binding entries deleted by the device.

Receive release packet

Number of DHCP snooping binding entries deleted by the device after the device receives DHCP release packets.

Receive decline packet

Number of DHCP snooping binding entries deleted by the device after the device receives DHCP decline packets.

Lease expired

Number of DHCP snooping entries deleted by the device because of lease expiry.

User command

Number of DHCP snooping binding entries deleted by using commands.

Client transferes

Number of DHCP snooping binding entries deleted because the client connects to another interface on the device.

Interface down

Number of DHCP snooping binding entries deleted because the port is shut down.

Arp detect

Number of DHCP snooping binding entries deleted due to ARP detection.

Ucm notify

Number of times the Ucm module requests DHCP snooping to delete user binding entries.
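
The Drop Packet counters described in Table 14-63 are cumulative, so monitoring usually compares two snapshots of the display dhcp snooping statistics output. The following is an added example, not Huawei code: the first snapshot is a trimmed copy of the output on this page, the second snapshot is constructed, and treating a lower value as a cleared counter is an assumption.

```python
import re

# Trimmed copy of the example output on this page (all counters zero).
BEFORE = """\
 DHCP Snooping Statistics:

 Client Request:
  Dhcp Discover:                  0
  Dhcp Request:                   0
 Server Reply:
  Dhcp Offer:                     0
  Dhcp Ack:                       0
 Drop Packet:
  Dropped by mac-address check:   0
  Dropped by untrust reply:       0
  Dropped by request conflict:    0
  Dropped by untrust relay-forw:  0
 Delete DHCP snooping table:
  Arp detect:                     0
"""

# Short explanations paraphrased from Table 14-63.
MEANING = {
    "Dropped by mac-address check": "MAC address differs from the CHADDR value",
    "Dropped by untrust reply": "untrusted reply packets discarded",
    "Dropped by request conflict": "client and server MAC addresses conflict",
    "Dropped by untrust relay-forw": "untrusted Relay-Forward packets discarded",
}

GROUP = re.compile(r"^\s*([^:]+?):\s*$")
COUNTER = re.compile(r"^\s*([^:]+?):\s*(\d+)\s*$")


def bump(text, name, value):
    """Build a constructed snapshot by setting one counter in a copy of text."""
    return re.sub(r"(%s:\s*)\d+" % re.escape(name), r"\g<1>%d" % value, text)


def parse_statistics(text):
    """Return {group: {counter: int}}; the title line yields no group."""
    stats, group = {}, None
    for line in text.splitlines():
        counter = COUNTER.match(line)
        if counter and group is not None:
            stats[group][counter.group(1)] = int(counter.group(2))
            continue
        header = GROUP.match(line)
        if header:
            group = header.group(1)
            stats[group] = {}
    return {g: c for g, c in stats.items() if c}


def drop_deltas(before, after, group="Drop Packet"):
    """Return {counter: increase} for counters in group that grew."""
    old, new = before.get(group, {}), after.get(group, {})
    deltas = {}
    for name, value in new.items():
        prev = old.get(name, 0)
        # Assumption: a lower value means the counters were cleared in between.
        grew = value - prev if value >= prev else value
        if grew > 0:
            deltas[name] = grew
    return deltas


def report(deltas):
    """Return one readable line per counter that grew, sorted by name."""
    return ["%s +%d (%s)" % (n, d, MEANING.get(n, "see Table 14-63"))
            for n, d in sorted(deltas.items())]


# Constructed second snapshot for the example.
AFTER = bump(bump(bump(BEFORE, "Dhcp Discover", 412),
                  "Dropped by untrust reply", 7),
             "Dropped by mac-address check", 385)

if __name__ == "__main__":
    for line in report(drop_deltas(parse_statistics(BEFORE), parse_statistics(AFTER))):
        print(line)
```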

display dhcp snooping user-bind

Function

The display dhcp snooping user-bind command displays the DHCP snooping binding table.

Format

display dhcp snooping user-bind { { interface interface-type interface-number | ip-address ip-address | mac-address mac-address | vlan vlan-id } * | all } [ verbose ]

Parameters

Parameter

Description

Value

interface interface-type interface-number

Displays the binding entry mapping a specified interface.

  • interface-type specifies the interface type.

  • interface-number specifies the interface number.

-

ip-address ip-address

Displays the binding entry mapping a specified IP address.

The value is in dotted decimal notation.

mac-address mac-address

Displays the binding entry mapping a specified MAC address.

The value is in the format of H-H-H, in which H is a hexadecimal number of 4 digits.

vlan vlan-id

Displays the binding entry mapping a specified VLAN ID.

The value is an integer that ranges from 1 to 4094.

all

Displays all entries in the binding table.

-

verbose

Displays detailed information about the binding table.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After DHCP snooping is enabled, the device generates a DHCP snooping binding table. A binding entry contains the MAC address, IP address, number of the interface connected to the DHCP client, and VLAN ID on the interface. You can run the display dhcp snooping user-bind command to view the DHCP snooping binding table.

Example

# Display information about the DHCP snooping binding table.

  • Display all binding entries.

    <HUAWEI> display dhcp snooping user-bind all
    DHCP Dynamic Bind-table:
    Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping 
    IP Address       MAC Address     VSI/VLAN(O/I/P) Interface      Lease           
    --------------------------------------------------------------------------------
    10.1.28.141      78ac-d4b5-b858  10  /--  /--    GE1/0/1       2008.10.17-07:31
    --------------------------------------------------------------------------------
    Print count:           1          Total count:           1 
  • Display detailed information about binding entries.
    <HUAWEI> display dhcp snooping user-bind all verbose
    DHCP Dynamic Bind-table:                                                        
    Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
    --------------------------------------------------------------------------------
     IP Address  : 10.10.21.254                                                     
     MAC Address : 0200-0000-00e8                                                   
     VSI         : --                                                               
     VLAN(O/I/P) : 10  /--  /--                                                     
     Interface   : GE1/0/1                                                         
     Renew time  : 2017.03.07-11:32                                                 
     Expire time : 2017.03.08-11:32                                                 
     Gateway     : 10.10.21.1                                                       
     Server-ip   : 10.10.21.1                                                       
    --------------------------------------------------------------------------------
    Print count:           1          Total count:           1 
Table 14-64  Description of the display dhcp snooping user-bind command output

Item

Description

DHCP Dynamic Bind-table

DHCP snooping binding entries.

Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping

VLAN ID.
  • O: Outer VLAN
  • I: Inner VLAN
  • P: Vlan-mapping

IP Address

User IP address.

MAC Address

User MAC address.

VSI

Name of the VPN instance that the online user belongs to.

VLAN(O/I/P)

Outer VLAN ID, inner VLAN ID, or VLAN mapping information of the online user.

Interface

User access interface.

Renew time

Address renew time.

Expire time

Aging time of entries.

Gateway

Gateway address.

Server-ip

IP addresses of the DHCP server.
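
A binding entry ties an IP address to a MAC address, VLAN, and interface, so an exported binding table can be used to check whether an observed source matches what DHCP snooping learned. The following is an added example, not Huawei code: the sample is the brief output shown on this page, parse_bindings and check_source are hypothetical helper names, and the observed interface is assumed to use the same abbreviated name (GE1/0/1) as the table.

```python
import re

# Brief output copied from the "display dhcp snooping user-bind all" example.
SAMPLE = """\
DHCP Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address       MAC Address     VSI/VLAN(O/I/P) Interface      Lease
--------------------------------------------------------------------------------
10.1.28.141      78ac-d4b5-b858  10  /--  /--    GE1/0/1       2008.10.17-07:31
--------------------------------------------------------------------------------
Print count:           1          Total count:           1
"""

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"               # IP address
    r"([0-9A-Fa-f]{4}(?:-[0-9A-Fa-f]{4}){2})\s+"      # MAC address, H-H-H
    r"([^/\s]+)\s*/\s*([^/\s]+)\s*/\s*([^/\s]+)\s+"   # VSI or outer / inner / mapping
    r"(\S+)\s+(\S+)\s*$")                             # interface, lease
COUNT = re.compile(r"Print count:\s*(\d+)\s+Total count:\s*(\d+)", re.I)


def norm_mac(mac):
    """Reduce H-H-H, colon, or dotted MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def parse_bindings(text):
    """Return {ip: entry}; raise if parsed rows disagree with 'Print count'."""
    table = {}
    for line in text.splitlines():
        row = ROW.match(line)
        if row:
            ip, mac, outer, inner, mapped, iface, lease = row.groups()
            table[ip] = {"mac": norm_mac(mac), "vlan": outer, "inner": inner,
                         "interface": iface, "lease": lease}
    count = COUNT.search(text)
    if count and int(count.group(1)) != len(table):
        raise ValueError("parsed %d rows, device printed %s"
                         % (len(table), count.group(1)))
    return table


def check_source(table, ip, mac, vlan, interface):
    """Classify an observed (ip, mac, vlan, interface) tuple against the table."""
    entry = table.get(ip)
    if entry is None:
        return "no-binding"
    if entry["mac"] != norm_mac(mac):
        return "mac-mismatch"
    if entry["vlan"] != str(vlan) or entry["interface"] != interface:
        return "location-mismatch"
    return "match"


if __name__ == "__main__":
    bindings = parse_bindings(SAMPLE)
    # Constructed observations for the example.
    print(check_source(bindings, "10.1.28.141", "78:AC:D4:B5:B8:58", 10, "GE1/0/1"))
    print(check_source(bindings, "10.1.28.141", "00:11:22:33:44:55", 10, "GE1/0/1"))
```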

display dhcpv6 snooping user-bind

Function

The display dhcpv6 snooping user-bind command displays the DHCPv6 snooping binding table.

Format

display dhcpv6 snooping user-bind { { interface interface-type interface-number | ipv6-address { ipv6-address | all } | mac-address mac-address | vlan vlan-id } * | all } [ verbose ]

display dhcpv6 snooping user-bind ipv6-prefix { prefix/prefix-length | all } [ verbose ]

Parameters

Parameter

Description

Value

interface interface-type interface-number

Displays the binding entry mapping a specified interface.
  • interface-type specifies the interface type.
  • interface-number specifies the interface number.

-

ipv6-address ipv6-address

Displays the binding entry mapping a specified IPv6 address.

The address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.

mac-address mac-address

Displays the binding entry mapping a specified MAC address.

The value is in hexadecimal notation.

vlan vlan-id

Displays the binding entry mapping a specified VLAN ID.

The value is an integer that ranges from 1 to 4094.

ipv6-prefix

Displays an IPv6 prefix binding entry.

-

prefix/prefix-length

Displays the binding entry mapping a specified IPv6 prefix.

prefix is a 32-digit hexadecimal number, in the format of X:X::X:X.

prefix-length is an integer that ranges from 1 to 128.

all

Displays all entries in the binding table.

-

verbose

Displays detailed information about the binding table.

If the parameter is not specified, brief information about the binding table is displayed.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After DHCP snooping is enabled, the device generates a DHCP snooping binding table by listening to DHCP Request messages and Reply messages. A binding entry contains the MAC address, IP address, number of the interface connected to the DHCP client, and VLAN ID. You can run the display dhcpv6 snooping user-bind command to view the DHCPv6 snooping binding table.

If prefix delegation (PD) users exist on the network, the device generates an IPv6 prefix binding entry. The display dhcpv6 snooping user-bind ipv6-prefix command displays IPv6 prefix binding entries.

Example

# Display the DHCPv6 binding table.

  • Display all the dynamic binding entries.

    <HUAWEI> display dhcpv6 snooping user-bind all
    DHCPV6 Dynamic Bind-table:                                                      
    Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping                              
    IP Address                      MAC Address     VSI/VLAN(O/I/P) Lease           
    --------------------------------------------------------------------------------
    FC00:1::1                       00d5-0191-02de  500 /--  /--    2008.10.01-00:26
    --------------------------------------------------------------------------------
    print count:           1          total count:           1                      
  • Display detailed information about the DHCPv6 binding table.

    <HUAWEI> display dhcpv6 snooping user-bind all verbose
    DHCPV6 Dynamic Bind-table:                                                      
    Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
    --------------------------------------------------------------------------------
     IP Address  : FC00:1::1                                                          
     MAC Address : 00d5-0191-02de                                                   
     VSI         : --                                                               
     VLAN(O/I/P) : 500 /--  /--                                                     
     Interface   : GE1/0/1                                                         
     Lease       : 2008.10.01-00:27                                                 
     IPSG Status : ineffective                                                      
     User State  : BOUND                                                            
    --------------------------------------------------------------------------------
    print count:           1          total count:           1                      
# Display the IPv6 prefix binding table.
  • Display all binding entries.
    <HUAWEI> display dhcpv6 snooping user-bind ipv6-prefix all
    PD Dynamic Bind-table:                                                          
    Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping                              
    IPv6 Prefix                     MAC Address     VSI/VLAN(O/I/P) Lease           
    --------------------------------------------------------------------------------
    FC00:2::/36                     00d5-0191-02de  500 /--  /--    2008.10.03-00:30
    --------------------------------------------------------------------------------
    print count:           1          total count:           1                      
  • Display detailed information about IPv6 prefix binding entries.
    <HUAWEI> display dhcpv6 snooping user-bind ipv6-prefix all verbose
    PD Dynamic Bind-table:                                                          
    Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
    --------------------------------------------------------------------------------
     IP Address  : FC00:2::/36                                                        
     MAC Address : 00d5-0191-02de                                                   
     VSI         : --                                                               
     VLAN(O/I/P) : 500 /--  /--                                                     
     Interface   : GE1/0/1                                                         
     Lease       : 2008.10.03-00:30                                                 
     User State  : BOUND                                                            
    --------------------------------------------------------------------------------
    print count:           1          total count:           1                      
Table 14-65  Description of the display dhcpv6 snooping user-bind command output

| Item | Description |
|---|---|
| DHCPV6 Dynamic Bind-table | DHCPv6 snooping dynamic binding table. |
| PD Dynamic Bind-table | IPv6 prefix binding table. |
| Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping | VLAN ID. O: Outer VLAN. I: Inner VLAN. P: VLAN mapping. |
| IP Address | User IPv6 address. |
| IPv6 Prefix | User IPv6 prefix. |
| MAC Address | User MAC address. |
| VSI | Name of the VPN instance that the online user belongs to. |
| VLAN(O/I/P) | Outer VLAN ID, inner VLAN ID, or VLAN mapping information of the online user. |
| Interface | User access interface. |
| Lease | Time when the lease of the IP address used by the user expires. |
| IPSG Status | Whether the binding table is effective for IP packet checking after IP packet checking is enabled. The value can be effective or ineffective. This field is invalid if IP packet checking is not enabled. |
| User State | Status of a DHCPv6 snooping binding entry. The value can be START, DETECTION, BOUND, or LIVE. |
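
The verbose output described in the table above can be parsed for auditing. The following is an added example, not Huawei code: the function names parse_bindings and audit are assumptions, and the sample text is constructed in the layout shown above (its second entry is invented and shortened). It reports entries whose IPSG Status is ineffective and entries whose Lease time has already passed.

```python
from datetime import datetime

# Constructed sample in the layout of "display dhcpv6 snooping user-bind all verbose".
SAMPLE = """\
DHCPV6 Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
--------------------------------------------------------------------------------
 IP Address  : FC00:1::1
 MAC Address : 00d5-0191-02de
 VSI         : --
 VLAN(O/I/P) : 500 /--  /--
 Interface   : GE1/0/1
 Lease       : 2008.10.01-00:27
 IPSG Status : ineffective
 User State  : BOUND
--------------------------------------------------------------------------------
 IP Address  : FC00:1::2
 Lease       : 2008.10.01-00:40
 IPSG Status : effective
--------------------------------------------------------------------------------
print count:           2          total count:           2
"""
FIELDS = {"IP Address", "MAC Address", "VSI", "VLAN(O/I/P)", "Interface",
          "Lease", "IPSG Status", "User State"}

def parse_bindings(text):
    # Dash-only lines delimit entries; lines whose key is not a known field are skipped.
    entries, cur = [], {}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and set(stripped) == {"-"}:
            if cur:
                entries.append(cur)
            cur = {}
            continue
        # Split at the first colon only: IPv6 addresses and lease times contain colons.
        key, sep, value = stripped.partition(":")
        if sep and key.strip() in FIELDS:
            cur[key.strip()] = value.strip()
    return entries + ([cur] if cur else [])

def audit(entries, now, ipsg_enabled=True):
    # IPSG Status is only meaningful when IP packet checking is enabled.
    findings = []
    for e in entries:
        if ipsg_enabled and e.get("IPSG Status") == "ineffective":
            findings.append((e["IP Address"], "IPSG ineffective"))
        if datetime.strptime(e["Lease"], "%Y.%m.%d-%H:%M") < now:
            findings.append((e["IP Address"], "lease expired"))
    return findings
```

Pass the device's current time as now, and set ipsg_enabled=False when IP packet checking is not enabled, because the table states that the IPSG Status field is invalid in that case.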

reset dhcp snooping statistics

Function

The reset dhcp snooping statistics command clears DHCP snooping statistics.

Format

reset dhcp snooping statistics { global | interface interface-type interface-number [ vlan vlan-id ] | vlan vlan-id [ interface interface-type interface-number ] }

Parameters

| Parameter | Description | Value |
|---|---|---|
| global | Clears DHCP Snooping statistics globally. | - |
| interface interface-type interface-number | Clears DHCP Snooping statistics on the specified interface. interface-type specifies the interface type. interface-number specifies the interface number. | - |
| vlan vlan-id | Clears DHCP Snooping statistics in a specified VLAN. vlan-id specifies the ID of the VLAN. | vlan-id is an integer that ranges from 1 to 4094. |

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After DHCP snooping is enabled, if statistics are collected, you can run the reset dhcp snooping statistics command to clear the statistics.

Precautions

If both interface and vlan are specified, the specified interface must belong to the specified VLAN. The reset dhcp snooping statistics command clears DHCP Snooping statistics in the specified VLAN that the interface belongs to.

Example

# Clear DHCP Snooping statistics on GE1/0/1.

<HUAWEI> reset dhcp snooping statistics interface gigabitethernet 1/0/1

reset dhcp snooping user-bind

Function

The reset dhcp snooping user-bind command clears DHCP snooping binding entries.

Format

reset dhcp snooping user-bind [ vlan vlan-id | interface interface-type interface-number ] * [ ipv4 | ipv6 ]

reset dhcp snooping user-bind [ ip-address [ ip-address ] | ipv6-address [ ipv6-address ] | vpls vpls-name ]

reset dhcp snooping user-bind [ ipv6-prefix [ prefix/prefix-length ] ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| vlan vlan-id | Clears DHCP snooping binding entries matching a specified VLAN ID. | The value is an integer that ranges from 1 to 4094. |
| interface interface-type interface-number | Clears DHCP snooping binding entries matching a specified interface. interface-type specifies the interface type. interface-number specifies the interface number. | - |
| ipv4 or ip-address | Clears DHCP snooping binding entries matching IPv4 addresses. | - |
| ipv6-address, ipv6 or ipv6-prefix | Clears DHCP snooping binding entries matching IPv6 addresses or IPv6 prefixes. ipv6 indicates that binding entries matching IPv6 addresses or IPv6 prefixes are cleared. ipv6-address indicates that binding entries matching IPv6 addresses are cleared. ipv6-prefix indicates that binding entries matching IPv6 prefixes are cleared. | - |
| ip-address | Clears DHCP snooping binding entries matching a specified IPv4 address. | The value is in dotted decimal notation. |
| ipv6-address | Clears DHCP snooping binding entries matching a specified IPv6 address. | The value consists of 128 octets, which are classified into 8 groups. Each group contains 4 hexadecimal numbers in the format X:X:X:X:X:X:X:X. |
| prefix/prefix-length | Clears DHCP snooping binding entries matching a specified IPv6 prefix. prefix specifies the IPv6 prefix. prefix-length specifies the IPv6 prefix length. | prefix is a 32-digit hexadecimal number in the format X:X::X:X. prefix-length is an integer that ranges from 1 to 128. |
| vpls vpls-name | Clears DHCP snooping binding entries matching a specified VPLS name. | The value must be an existing VPLS name. |

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After DHCP snooping is enabled, DHCP snooping binding entries are generated when DHCP users log in. The reset dhcp snooping user-bind command clears the binding entries that match a specified parameter. If no parameter is specified, all the binding entries are cleared.

Precautions

If both interface interface-type interface-number and vlan vlan-id are configured, the interface specified by interface interface-type interface-number must have been added to the VLAN specified by vlan vlan-id. In this case, the command clears the DHCP snooping binding entries on a specified interface belonging to a certain VLAN.

Example

# Clear DHCP snooping binding entries in VLAN 100.

<HUAWEI> reset dhcp snooping user-bind vlan 100
Updated: 2019-10-18

Document ID: EDOC1000178288
