dhcp snooping check dhcp-request enable
Function
The dhcp snooping check dhcp-request enable command enables the device to check DHCP messages against the DHCP snooping binding table.
The undo dhcp snooping check dhcp-request enable command disables the device from checking DHCP messages against the DHCP snooping binding table.
By default, the device does not check DHCP messages against the DHCP snooping binding table.
Format
In the system view:
dhcp snooping check dhcp-request enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
undo dhcp snooping check dhcp-request enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
In the VLAN view and interface view:
dhcp snooping check dhcp-request enable
undo dhcp snooping check dhcp-request enable
Parameters
Parameter | Description | Value |
---|---|---|
vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> | Enables the device to check DHCP messages from a specified VLAN against the DHCP snooping binding table. | The value is an integer that ranges from 1 to 4094. |
Views
System view, VLAN view, GE interface view, XGE interface view, Eth-Trunk interface view, port group view
Usage Guidelines
Usage Scenario
After a DHCP snooping binding table is generated, the device checks DHCP Request and Release messages against the binding table. The device forwards only DHCP messages that match binding entries. This prevents unauthorized users from sending bogus DHCP Request or Release messages to extend or release IP addresses.
The matching rules are as follows:
- When the device receives a DHCP Request message, it performs the following operations:
  - Checks whether the destination MAC address is all Fs. If so, the device considers the user to have gone online for the first time and directly forwards the message. If not, the device considers the user to have sent the DHCP Request message to renew the IP address lease and checks the DHCP Request message against the DHCP snooping binding table.
  - Checks whether the CHADDR field in the DHCP Request message matches a DHCP snooping binding entry. If not, the device considers the user to have gone online for the first time and directly forwards the message. If so, the device checks whether the VLAN ID, IP address, and interface number of the message match DHCP snooping binding entries. If all these fields match a DHCP snooping binding entry, the device forwards the message; otherwise, the device discards the message.
- When receiving a DHCP Release message, the device checks whether the VLAN ID, IP address, MAC address, and interface number of the message match a dynamic DHCP snooping binding entry. If so, the device forwards the message; otherwise, the device discards the message.
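The matching rules above, modelled as an added Python example (not the device's implementation and not code from this page). The Binding and DhcpMsg types, the check function and the sample table are hypothetical; the model assumes the MAC address of a Release message is its CHADDR and that the IP address is whatever client IP the device reads from the message.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Binding:            # one DHCP snooping binding entry (hypothetical model)
    mac: str
    ip: str
    vlan: int
    interface: str
    dynamic: bool = True

@dataclass(frozen=True)
class DhcpMsg:
    kind: str             # "request" or "release"
    dst_mac: str          # Ethernet destination MAC
    chaddr: str           # client hardware address from the DHCP payload
    ip: str               # assumption: the client IP the device reads from the message
    vlan: int
    interface: str        # ingress interface

def _matches(b, m):
    return (b.vlan, b.ip, b.interface) == (m.vlan, m.ip, m.interface)

def check(msg, table):
    """Return 'forward' or 'discard' according to the matching rules above."""
    same_mac = [b for b in table if b.mac == msg.chaddr.lower()]
    if msg.kind == "request":
        if msg.dst_mac.lower() == BROADCAST:   # first-time online: not checked
            return "forward"
        if not same_mac:                       # unknown CHADDR: treated as first-time
            return "forward"
        return "forward" if any(_matches(b, msg) for b in same_mac) else "discard"
    if msg.kind == "release":                  # must match a dynamic entry on all fields
        ok = any(b.dynamic and _matches(b, msg) for b in same_mac)
        return "forward" if ok else "discard"
    raise ValueError("only DHCP Request and Release are covered by this check")

# Constructed sample data (documentation address ranges, made-up interface names).
TABLE = [Binding("00:00:5e:00:53:01", "192.0.2.10", 10, "GE0/0/1")]
SERVER = "00:00:5e:00:53:fe"

def demo():
    renew_ok = DhcpMsg("request", SERVER, "00:00:5e:00:53:01", "192.0.2.10", 10, "GE0/0/1")
    renew_spoofed = DhcpMsg("request", SERVER, "00:00:5e:00:53:01", "192.0.2.10", 10, "GE0/0/2")
    release_spoofed = DhcpMsg("release", SERVER, "00:00:5e:00:53:01", "192.0.2.10", 10, "GE0/0/2")
    first_time = DhcpMsg("request", BROADCAST, "00:00:5e:00:53:02", "0.0.0.0", 10, "GE0/0/2")
    return [check(m, TABLE) for m in (renew_ok, renew_spoofed, release_spoofed, first_time)]
```

In this model a unicast Request with an unknown CHADDR is forwarded, while a Release with an unknown MAC address is discarded, which is the asymmetry between the two rules.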
Prerequisites
DHCP snooping has been enabled on the device using the dhcp snooping enable command.
Precautions
If you run the dhcp snooping check dhcp-request enable command in the VLAN view, the command takes effect for all the DHCP messages received from the specified VLAN. If you run the dhcp snooping check dhcp-request enable command in the interface view, the command takes effect for all the DHCP messages received on the specified interface.