14-Security Command Reference


DHCP snooping commands

DHCP snooping works between the DHCP client and the DHCP server or between the DHCP client and the relay agent. DHCP snooping does not work between the DHCP server and the DHCP relay agent.

dhcp snooping binding database filename

Use dhcp snooping binding database filename to configure the DHCP snooping device to back up DHCP snooping entries to a file.

Use undo dhcp snooping binding database filename to restore the default.

Syntax

dhcp snooping binding database filename { filename | url url [ username username [ password { cipher | simple } string ] ] }

undo dhcp snooping binding database filename

Default

The DHCP snooping device does not back up DHCP snooping entries.

Views

System view

Predefined user roles

network-admin

Parameters

filename: Specifies the name of a local backup file. For information about the filename argument, see Fundamentals Configuration Guide.

url url: Specifies the URL of a remote backup file, a case-sensitive string of 1 to 255 characters. Do not include a username or password in the URL. The supported path format varies by server.

username username: Specifies the username for accessing the URL of the remote backup file, a case-sensitive string of 1 to 32 characters. Do not specify this option if a username is not required for accessing the URL.

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 32 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters. Do not specify this argument if a password is not required for accessing the URL of the remote backup file.

Usage guidelines

This command automatically creates the file if you specify a nonexistent file.

With this command executed, the DHCP snooping device backs up DHCP snooping entries immediately and runs auto backup. The DHCP snooping device, by default, waits 300 seconds after a DHCP snooping entry change to update the backup file. To change the waiting period, use the dhcp snooping binding database update interval command. If no DHCP snooping entry changes, the backup file is not updated.

As a best practice, back up the DHCP snooping entries to a remote file. If you use the local storage medium, the frequent erasing and writing might damage the medium and then cause the DHCP snooping device to malfunction.

When the file is on a remote device, follow these restrictions and guidelines to specify the URL, username, and password:

·     If the file is on an FTP server, enter the URL in the following format: ftp://server address:port/file path, where the port number is optional.

·     If the file is on a TFTP server, enter the URL in the following format: tftp://server address:port/file path, where the port number is optional.

·     The username and password must be the same as those configured on the FTP server. If the server authenticates only the username, the password can be omitted.

·     If the IP address of the server is an IPv6 address, enclose the address in a pair of brackets, for example, ftp://[1::1]/database.dhcp.

·     You can also specify the DNS domain name for the server address field, for example, ftp://company/database.dhcp.

Examples

# Configure the DHCP snooping device to back up DHCP snooping entries to file database.dhcp.

<Sysname> system-view

[Sysname] dhcp snooping binding database filename database.dhcp

# Configure the DHCP snooping device to back up DHCP snooping entries to file database.dhcp in the working directory of the FTP server at 10.1.1.1.

<Sysname> system-view

[Sysname] dhcp snooping binding database filename url ftp://10.1.1.1/database.dhcp username 1 password simple 1

# Configure the DHCP snooping device to back up DHCP snooping entries to file database.dhcp in the working directory of the TFTP server at 10.1.1.1.

<Sysname> system-view

[Sysname] dhcp snooping binding database filename tftp://10.1.1.1/database.dhcp

Related commands

dhcp snooping binding database update interval

dhcp snooping binding database update interval

Use dhcp snooping binding database update interval to set the waiting time for the DHCP snooping device to update the backup file after a DHCP snooping entry change.

Use undo dhcp snooping binding database update interval to restore the default.

Syntax

dhcp snooping binding database update interval interval

undo dhcp snooping binding database update interval

Default

The DHCP snooping device waits 300 seconds to update the backup file after a DHCP snooping entry change. If no DHCP snooping entry changes, the backup file is not updated.

Views

System view

Predefined user roles

network-admin

Parameters

interval: Specifies the waiting time in seconds, in the range of 60 to 864000.

Usage guidelines

When a DHCP snooping entry is learned, updated, or removed, the waiting period starts. The DHCP snooping device updates the backup file when the waiting period is reached. All changed entries during the period will be saved to the backup file.

The waiting time takes effect only after you configure the DHCP snooping entry auto backup by using the dhcp snooping binding database filename command.

Examples

# Set the waiting time to 600 seconds for the DHCP snooping device to update the backup file.

<Sysname> system-view

[Sysname] dhcp snooping binding database update interval 600

Related commands

dhcp snooping binding database filename

dhcp snooping binding database update now

Use dhcp snooping binding database update now to manually save DHCP snooping entries to the backup file.

Syntax

dhcp snooping binding database update now

Views

System view

Predefined user roles

network-admin

Usage guidelines

Each time this command is executed, the DHCP snooping entries are saved to the backup file.

This command takes effect only after you configure the DHCP snooping auto backup by using the dhcp snooping binding database filename command.

Examples

# Manually save DHCP snooping entries to the backup file.

<Sysname> system-view

[Sysname] dhcp snooping binding database update now

Related commands

dhcp snooping binding database filename

dhcp snooping binding record

Use dhcp snooping binding record to enable recording of client information in DHCP snooping entries.

Use undo dhcp snooping binding record to disable recording of client information in DHCP snooping entries.

Syntax

dhcp snooping binding record

undo dhcp snooping binding record

Default

DHCP snooping does not record client information.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

VLAN view

Predefined user roles

network-admin

Usage guidelines

This command enables DHCP snooping on the port that directly connects to the clients to record client information in DHCP snooping entries.

Examples

# Enable the recording of client information in DHCP snooping entries on HundredGigE 1/0/1.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] dhcp snooping binding record

dhcp snooping check mac-address

Use dhcp snooping check mac-address to enable MAC address check for DHCP snooping.

Use undo dhcp snooping check mac-address to disable MAC address check for DHCP snooping.

Syntax

dhcp snooping check mac-address

undo dhcp snooping check mac-address

Default

MAC address check for DHCP snooping is disabled.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Layer 3 Ethernet interface/Layer 3 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

With MAC address check enabled, DHCP snooping compares the chaddr field of a received DHCP request with the source MAC address field in the frame header. If they are the same, DHCP snooping considers this request valid and forwards it to the DHCP server. If they are not the same, DHCP snooping discards the DHCP request.

Examples

# Enable MAC address check for DHCP snooping.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] dhcp snooping check mac-address

dhcp snooping check request-message

Use dhcp snooping check request-message to enable DHCP-REQUEST check for DHCP snooping.

Use undo dhcp snooping check request-message to disable DHCP-REQUEST check for DHCP snooping.

Syntax

dhcp snooping check request-message

undo dhcp snooping check request-message

Default

DHCP-REQUEST check for DHCP snooping is disabled.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

DHCP-REQUEST packets include lease renewal packets, DHCP-DECLINE packets, and DHCP-RELEASE packets. This feature prevents unauthorized clients that forge DHCP-REQUEST packets from attacking the DHCP server.

With this feature enabled, DHCP snooping looks for a matching DHCP snooping entry for each received DHCP-REQUEST message.

·     If a match is found, DHCP snooping compares the entry with the message. If they have consistent information, DHCP snooping considers the packet valid and forwards it to the DHCP server. If they have different information, DHCP snooping considers the message invalid and discards it.

·     If no match is found, DHCP snooping forwards the message to the DHCP server.
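As an added illustration (not H3C's code or the device's implementation), the following Python replays the MAC address check from the dhcp snooping check mac-address command and the DHCP-REQUEST check described above over constructed frames. The frame layout (untagged Ethernet, IPv4 without options, UDP), a binding table keyed by client MAC, and the fields compared against the entry (IP, VLAN, ingress port) are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Optional

BOOTREQUEST = 1                      # BOOTP op for client-to-server messages
MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie that precedes the options
REQUEST_LIKE = {3, 4, 7}             # option 53: DHCP-REQUEST, DHCP-DECLINE, DHCP-RELEASE


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping entry, as listed by display dhcp snooping binding."""
    ip: str
    mac: str
    vlan: int
    interface: str


def dhcp_option(options: bytes, wanted: int) -> Optional[bytes]:
    """Walk the option TLVs and return the value of option `wanted`, if present."""
    i = 0
    while i < len(options) and options[i] != 255:    # 255 = end option
        if options[i] == 0:                           # 0 = pad, has no length byte
            i += 1
            continue
        code, length = options[i], options[i + 1]
        if code == wanted:
            return options[i + 2:i + 2 + length]
        i += 2 + length
    return None


def parse_frame(frame: bytes) -> dict:
    """Extract the fields both checks use. Assumes an untagged Ethernet frame
    carrying IPv4 and UDP; ingress VLAN and port are supplied as metadata."""
    ihl = (frame[14] & 0x0F) * 4
    bootp = frame[14 + ihl + 8:]                      # skip IPv4 and UDP headers
    if bootp[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen = struct.unpack("!BBB", bootp[:3])
    opts = bootp[240:]
    mtype, requested = dhcp_option(opts, 53), dhcp_option(opts, 50)
    ciaddr = ".".join(str(b) for b in bootp[12:16])
    # REQUEST/RELEASE carry the address in ciaddr, DECLINE carries it in option 50.
    claimed = ciaddr if ciaddr != "0.0.0.0" else (
        ".".join(str(b) for b in requested) if requested else None)
    return {"src_mac": frame[6:12].hex(), "op": op, "chaddr": bootp[28:28 + hlen].hex(),
            "type": mtype[0] if mtype else None, "claimed_ip": claimed}


def mac_address_check(msg: dict) -> str:
    """dhcp snooping check mac-address: chaddr must equal the frame source MAC."""
    if msg["op"] != BOOTREQUEST:
        return "forward"                              # only client requests are checked
    return "forward" if msg["chaddr"] == msg["src_mac"] else "drop"


def request_message_check(msg: dict, vlan: int, port: str, bindings: dict) -> str:
    """dhcp snooping check request-message: for REQUEST/DECLINE/RELEASE, look up the
    entry (keyed by client MAC here, an assumption) and discard the message when its
    IP, VLAN or ingress port disagrees with the entry. No entry: forward unchanged."""
    if msg["op"] != BOOTREQUEST or msg["type"] not in REQUEST_LIKE:
        return "forward"
    entry = bindings.get(msg["chaddr"])
    if entry is None:
        return "forward"
    consistent = (entry.vlan == vlan and entry.interface == port
                  and msg["claimed_ip"] in (None, entry.ip))
    return "forward" if consistent else "drop"


def build_frame(src_mac: bytes, chaddr: bytes, ciaddr: str, msg_type: int) -> bytes:
    """Constructed sample frame: Ethernet + minimal IPv4 + UDP + BOOTP + options."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x00"
    ipv4 = b"\x45" + b"\x00" * 19                     # IHL=5; other fields unused here
    udp = struct.pack("!HHHH", 68, 67, 0, 0)
    bootp = struct.pack("!BBBBIHH", BOOTREQUEST, 1, 6, 0, 0x1234, 0, 0)
    bootp += bytes(int(o) for o in ciaddr.split(".")) + b"\x00" * 12  # ciaddr + yiaddr/siaddr/giaddr
    bootp += chaddr.ljust(16, b"\x00") + b"\x00" * 192                # chaddr, sname, file
    bootp += MAGIC + bytes([53, 1, msg_type, 255])
    return eth + ipv4 + udp + bootp


def run_demo() -> dict:
    """Both checks over four constructed frames, against the sample entry from the
    display dhcp snooping binding output (1.1.1.7, 0000-0101-0107, VLAN 2, HGE1/0/1)."""
    client, other = bytes.fromhex("000001010107"), bytes.fromhex("aabbccddeeff")
    bindings = {client.hex(): Binding("1.1.1.7", client.hex(), 2, "HGE1/0/1")}
    cases = {  # name: (frame, ingress VLAN, ingress port)
        "renewal": (build_frame(client, client, "1.1.1.7", 3), 2, "HGE1/0/1"),
        "forged chaddr": (build_frame(other, client, "1.1.1.7", 3), 2, "HGE1/0/1"),
        "release from wrong port": (build_frame(client, client, "1.1.1.7", 7), 2, "HGE1/0/3"),
        "unknown discover": (build_frame(other, other, "0.0.0.0", 1), 2, "HGE1/0/3"),
    }
    results = {}
    for name, (frame, vlan, port) in cases.items():
        msg = parse_frame(frame)
        results[name] = (mac_address_check(msg), request_message_check(msg, vlan, port, bindings))
    return results
```

Each verdict pair is (MAC check, DHCP-REQUEST check); the forged-chaddr frame is already dropped by the first check, and the release arriving on HGE1/0/3 is dropped by the second because the entry binds 1.1.1.7 to HGE1/0/1.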

Examples

# Enable DHCP-REQUEST check for DHCP snooping.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] dhcp snooping check request-message

dhcp snooping deny

Use dhcp snooping deny to configure a port as a DHCP packet blocking port.

Use undo dhcp snooping deny to restore the default.

Syntax

dhcp snooping deny

undo dhcp snooping deny

Default

A port does not block DHCP requests.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

CAUTION:

To avoid IP address acquisition failure, configure a port to block DHCP packets only if no DHCP clients are attached to it.

To enable a port on the snooping device to drop all incoming DHCP requests, configure that port as a DHCP packet blocking port.

Examples

# Configure HundredGigE 1/0/1 as a DHCP packet blocking port.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] dhcp snooping deny

dhcp snooping disable

Use dhcp snooping disable to disable DHCP snooping on an interface.

Use undo dhcp snooping disable to restore the default.

Syntax

dhcp snooping disable

undo dhcp snooping disable

Default

If you enable DHCP snooping globally or for a VLAN, DHCP snooping is enabled on all interfaces on the device or on all interfaces in the VLAN.

If you do not enable DHCP snooping globally or for a VLAN, DHCP snooping is disabled on all interfaces on the device or on all interfaces in the VLAN.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

This command allows you to narrow down the interface range where DHCP snooping takes effect. For example, to enable DHCP snooping globally except for a specific interface, you can enable DHCP snooping globally and execute this command on the target interface.

Examples

# Disable DHCP snooping on HundredGigE 1/0/1.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] dhcp snooping disable

dhcp snooping enable

Use dhcp snooping enable to enable DHCP snooping globally.

Use undo dhcp snooping enable to disable DHCP snooping globally.

Syntax

dhcp snooping enable

undo dhcp snooping enable

Default

DHCP snooping is disabled globally.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After you enable DHCP snooping globally on the device, trusted ports forward responses from DHCP servers and untrusted ports discard responses. This mechanism ensures that DHCP clients obtain IP addresses from authorized DHCP servers.

When DHCP snooping is disabled globally, all ports on the device can forward responses from DHCP servers.

Examples

# Enable DHCP snooping globally.

<Sysname> system-view

[Sysname] dhcp snooping enable

dhcp snooping enable vlan

Use dhcp snooping enable vlan to enable DHCP snooping for VLANs.

Use undo dhcp snooping enable vlan to disable DHCP snooping for VLANs.

Syntax

dhcp snooping enable vlan vlan-id-list

undo dhcp snooping enable vlan vlan-id-list

Default

DHCP snooping is disabled for all VLANs.

Views

System view

Predefined user roles

network-admin

Parameters

vlan-id-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of vlan-id1 to vlan-id2. The value range for the VLAN IDs is 1 to 4094. If you specify a VLAN range, the value for the vlan-id2 argument must be greater than the value for the vlan-id1 argument.

Usage guidelines

After you enable DHCP snooping for a VLAN, DHCP snooping untrusted ports in the VLAN discard incoming DHCP responses. This mechanism ensures that DHCP clients obtain IP addresses from authorized DHCP servers.

After you disable DHCP snooping for a VLAN, all interfaces in the VLAN can forward DHCP responses.

Examples

# Enable DHCP snooping for VLANs 5, 10 to 20, and 32.

<Sysname> system-view

[Sysname] dhcp snooping enable vlan 5 10 to 20 32

dhcp snooping information circuit-id

Use dhcp snooping information circuit-id to configure the padding mode and padding format for the Circuit ID sub-option.

Use undo dhcp snooping information circuit-id to restore the default.

Syntax

dhcp snooping information circuit-id { bas | [ vlan vlan-id ] string circuit-id | { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] } [ format { ascii | hex } ] }

undo dhcp snooping information circuit-id [ vlan vlan-id ]

Default

The padding mode is normal and the padding format is hex.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

bas: Specifies the bas mode to pad the Circuit ID sub-option with the device name and interface information, including the MAC address of the interface. This keyword is supported only on ONU interfaces.

vlan vlan-id: Pads the Circuit ID sub-option for packets received from the specified VLAN. If you do not specify a VLAN, the device pads the Circuit ID sub-option for packets received from the default VLAN.

string circuit-id: Specifies the string mode, in which the padding content for the Circuit ID sub-option is a case-sensitive string of 3 to 63 characters.

normal: Specifies the normal mode. The padding content includes the VLAN ID and interface number.

verbose: Specifies the verbose mode. The padding content includes the node identifier, interface information, and VLAN ID. The default node identifier is the MAC address of the access node. The default interface information consists of the Ethernet type (fixed to eth), chassis number, slot number, sub-slot number, and interface number.

node-identifier: Specifies the access node identifier.

·     mac: Uses the MAC address of the access node as the node identifier.

·     sysname: Uses the device name as the node identifier. You can set the device name by using the sysname command in system view. The padding format for the device name is always ASCII regardless of the specified padding format. If this keyword is specified, do not include any spaces when you set the device name. Otherwise, the DHCP snooping device fails to add or replace Option 82.

·     user-defined node-identifier: Uses a case-sensitive string of 1 to 50 characters as the node identifier. The padding format for the specified character string is always ASCII regardless of the specified padding format.

format: Specifies the padding format for the Circuit ID sub-option.

ascii: Specifies the ASCII padding format.

hex: Specifies the hex padding format.

Usage guidelines

The Circuit ID sub-option cannot carry information about interface splitting or subinterfaces. For more information about interface splitting and subinterfaces, see ethernet configuration in Interface Configuration Guide.

If you execute this command multiple times, the most recent configuration takes effect.

The padding format for the string mode, the normal mode, or the verbose mode varies by command configuration. Table 1 shows how the padding format is determined for different modes.

Table 1 Padding format for different modes

Keyword (mode) | If no padding format is set | If the padding format is ascii | If the padding format is hex

string circuit-id | The padding format is always ASCII, and is not configurable. | N/A | N/A

normal | Hex. | ASCII. | Hex.

verbose | Hex for the VLAN ID. ASCII for the node identifier, Ethernet type, chassis number, slot number, sub-slot number, and interface number. | ASCII. | ASCII for the node identifier and Ethernet type. Hex for the chassis number, slot number, sub-slot number, interface number, and VLAN ID.

Examples

# Configure verbose as the padding mode, device name as the node identifier, and ASCII as the padding format for the Circuit ID sub-option.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] dhcp snooping information enable

[Sysname-HundredGigE1/0/1] dhcp snooping information strategy replace

[Sysname-HundredGigE1/0/1] dhcp snooping information circuit-id verbose node-identifier sysname format ascii

Related commands

dhcp snooping information enable

dhcp snooping information strategy

display dhcp snooping information

dhcp snooping information enable

Use dhcp snooping information enable to enable DHCP snooping to support Option 82.

Use undo dhcp snooping information enable to disable this feature.

Syntax

dhcp snooping information enable

undo dhcp snooping information enable

Default

DHCP snooping does not support Option 82.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

This command enables DHCP snooping to add Option 82 into DHCP requests that do not contain Option 82 before forwarding the requests to the DHCP server. The content of Option 82 is determined by the dhcp snooping information circuit-id and dhcp snooping information remote-id commands. If the received DHCP request packets contain Option 82, DHCP snooping handles the packets according to the strategy configured by the dhcp snooping information strategy command.

Examples

# Enable DHCP snooping to support Option 82.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] dhcp snooping information enable

Related commands

dhcp snooping information circuit-id

dhcp snooping information remote-id

dhcp snooping information strategy

dhcp snooping information remote-id

Use dhcp snooping information remote-id to configure the padding mode and padding format for the Remote ID sub-option.

Use undo dhcp snooping information remote-id to restore the default.

Syntax

dhcp snooping information remote-id { normal [ format { ascii | hex } ] | [ vlan vlan-id ] { string remote-id | sysname } }

undo dhcp snooping information remote-id [ vlan vlan-id ]

Default

The padding mode is normal and the padding format is hex.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

vlan vlan-id: Pads the Remote ID sub-option for packets received from the specified VLAN. If you do not specify a VLAN, the device pads the Remote ID sub-option for packets received from the default VLAN.

string remote-id: Specifies the string mode that uses a case-sensitive string of 1 to 63 characters as the content of the Remote ID sub-option.

sysname: Specifies the sysname mode that uses the device name as the Remote ID sub-option. You can configure the device name by using the sysname command in system view.

normal: Specifies the normal mode. The padding content is the MAC address of the receiving interface.

format: Specifies the padding format for the Remote ID sub-option. The default padding format is hex.

ascii: Specifies the ASCII padding format.

hex: Specifies the hex padding format.

Usage guidelines

DHCP snooping uses ASCII to pad the specified string or device name for the Remote ID sub-option. The padding format for the normal padding mode is determined by the command configuration.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Pad the Remote ID sub-option with a character string of device001.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] dhcp snooping information enable

[Sysname-HundredGigE1/0/1] dhcp snooping information strategy replace

[Sysname-HundredGigE1/0/1] dhcp snooping information remote-id string device001

Related commands

dhcp snooping information enable

dhcp snooping information strategy

display dhcp snooping information

dhcp snooping information strategy

Use dhcp snooping information strategy to configure the handling strategy for Option 82 in request messages.

Use undo dhcp snooping information strategy to restore the default.

Syntax

dhcp snooping information strategy { append | drop | keep | replace }

undo dhcp snooping information strategy

Default

The handling strategy for Option 82 in request messages is replace.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

append: Processes a DHCP message as follows:

·     If the DHCP message does not carry Option 82, the device forwards the message after adding the Option 82 according to the padding configuration.

·     If the DHCP message carries Option 82, the device processes the message as follows:

¡     Forwards the message after padding the Vendor-Specific sub-option with the content specified in the dhcp snooping information vendor-specific command.

¡     Forwards the message without changing Option 82 if the dhcp snooping information vendor-specific command is not configured.

drop: Drops DHCP messages that contain Option 82.

keep: Keeps the original Option 82 intact and forwards the DHCP messages.

replace: Replaces the Option 82 with the configured Option 82 before forwarding the DHCP messages. If the DHCP messages do not carry Option 82, the device adds Option 82 according to the padding configuration before forwarding the DHCP messages.

Usage guidelines

This command takes effect only on DHCP requests that contain Option 82. For DHCP requests that do not contain Option 82, the DHCP snooping device always adds Option 82 into the requests before forwarding them to the DHCP server.

If the handling strategy is replace, configure a padding mode and a padding format for Option 82. If the handling strategy is keep or drop, you do not need to configure a padding mode or padding format for Option 82.
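The following Python is an added example, not H3C code: it applies the four handling strategies to the option field of a constructed DHCP request, using the Option 82 sub-option numbers from RFC 3046 (1 Circuit ID, 2 Remote ID) and RFC 4243 (9 Vendor-Specific). The padding contents are placeholders, not the device's normal/verbose encodings, and the length-limit handling for append follows the usage guidelines of the dhcp snooping information vendor-specific command.

```python
from typing import Optional

OPT_RELAY_AGENT = 82                                            # Option 82 (RFC 3046)
SUB_CIRCUIT_ID, SUB_REMOTE_ID, SUB_VENDOR_SPECIFIC = 1, 2, 9    # sub-options (RFC 3046, RFC 4243)
MAX_OPTION_LEN = 255                                            # one-byte length field


def tlv(code: int, value: bytes) -> bytes:
    """Encode one option or sub-option as code, length, value."""
    if len(value) > MAX_OPTION_LEN:
        raise ValueError("value too long for a one-byte length field")
    return bytes([code, len(value)]) + value


def split_options(options: bytes) -> list:
    """Parse a DHCP option field into (code, value) pairs; pads and the end marker are dropped."""
    items, i = [], 0
    while i < len(options) and options[i] != 255:
        if options[i] == 0:
            i += 1
            continue
        code, length = options[i], options[i + 1]
        items.append((code, options[i + 2:i + 2 + length]))
        i += 2 + length
    return items


def join_options(items: list) -> bytes:
    """Serialise (code, value) pairs back into an option field ending in 255."""
    return b"".join(tlv(code, value) for code, value in items) + b"\xff"


def configured_option82(circuit_id: bytes, remote_id: bytes, vendor: Optional[bytes]) -> bytes:
    """Option 82 value built from the padding configuration: Circuit ID, Remote ID and, when
    dhcp snooping information vendor-specific is configured, the Vendor-Specific sub-option."""
    value = tlv(SUB_CIRCUIT_ID, circuit_id) + tlv(SUB_REMOTE_ID, remote_id)
    return value + tlv(SUB_VENDOR_SPECIFIC, vendor) if vendor is not None else value


def apply_strategy(options: bytes, strategy: str, circuit_id: bytes, remote_id: bytes,
                   vendor: Optional[bytes] = None) -> Optional[bytes]:
    """Return the option field to forward to the server, or None when the request is dropped.
    A request without Option 82 always gets the configured Option 82; the strategy only
    decides what happens when the request already carries one."""
    items = split_options(options)
    ours = (OPT_RELAY_AGENT, configured_option82(circuit_id, remote_id, vendor))
    if not any(code == OPT_RELAY_AGENT for code, _ in items):
        return join_options(items + [ours])
    if strategy == "drop":
        return None
    if strategy == "keep":
        return join_options(items)
    if strategy == "replace":
        return join_options([(c, v) for c, v in items if c != OPT_RELAY_AGENT] + [ours])
    if strategy == "append":
        if vendor is None:                          # nothing configured to append: forward as is
            return join_options(items)
        padded = []
        for code, value in items:
            if code == OPT_RELAY_AGENT:
                extra = tlv(SUB_VENDOR_SPECIFIC, vendor)
                # Option 82 already at its length limit: forward without padding.
                if len(value) + len(extra) <= MAX_OPTION_LEN:
                    value += extra
            padded.append((code, value))
        return join_options(padded)
    raise ValueError(f"unknown strategy {strategy!r}")


def run_demo() -> dict:
    """Constructed inputs: a REQUEST (option 53 = 3) with and without an Option 82 inserted
    by an upstream device; the padding contents are placeholders, not H3C's formats."""
    cid, rid, vendor = b"HGE1/0/1:vlan2", b"switch01", b"bas:switch01"
    upstream = tlv(SUB_CIRCUIT_ID, b"upstream-cid") + tlv(SUB_REMOTE_ID, b"upstream-rid")
    with_82 = join_options([(53, b"\x03"), (OPT_RELAY_AGENT, upstream)])
    without_82 = join_options([(53, b"\x03")])
    results = {"no option 82": apply_strategy(without_82, "keep", cid, rid)}
    for strategy in ("append", "drop", "keep", "replace"):
        results[strategy] = apply_strategy(with_82, strategy, cid, rid, vendor)
    return results
```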

Examples

# Specify the handling strategy for Option 82 in request messages as keep.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] dhcp snooping information enable

[Sysname-HundredGigE1/0/1] dhcp snooping information strategy keep

Related commands

dhcp snooping information circuit-id

dhcp snooping information remote-id

dhcp snooping information vendor-specific

dhcp snooping information vendor-specific

Use dhcp snooping information vendor-specific to configure the padding mode for the Vendor-Specific sub-option.

Use undo dhcp snooping information vendor-specific to restore the default.

Syntax

dhcp snooping information vendor-specific [ vlan vlan-id ] bas [ node-identifier { mac | sysname | user-defined string } ]

undo dhcp snooping information vendor-specific [ vlan vlan-id ]

Default

The device does not pad the Vendor-Specific sub-option.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

vlan vlan-id: Pads the Vendor-Specific sub-option for packets received from the specified VLAN. If you do not specify a VLAN, the device pads the Vendor-Specific sub-option for all packets received on the interface.

bas: Specifies the bas mode to pad the Vendor-Specific sub-option.

node-identifier: Specifies the access node identifier. If you do not specify this keyword, the device pads the Vendor-Specific sub-option with the bridge MAC address of the access node as the node identifier. The padding format for the Vendor-Specific sub-option is ASCII.

·     mac: Uses the bridge MAC address of the access node as the node identifier.

·     sysname: Uses the device name as the node identifier. You can set the device name by using the sysname command in system view. If the sysname keyword is specified, do not include any spaces when you set the device name. Otherwise, the DHCP snooping device fails to add the Vendor-Specific sub-option. If the device name contains more than 50 characters, only the first 50 characters are padded.

·     user-defined string: Uses a case-sensitive string of 1 to 50 characters as the node identifier. Do not include any spaces in the string.

Usage guidelines

After you configure this command, the DHCP snooping device pads the Vendor-Specific sub-option after receiving a DHCP request. The device forwards the DHCP request without padding the Vendor-Specific sub-option if the length of Option 82 in the request reaches the upper limit.

Examples

# Pad the Vendor-Specific sub-option in bas mode with the device name as the node identifier.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] dhcp snooping information enable

[Sysname-HundredGigE1/0/1] dhcp snooping information vendor-specific bas node-identifier sysname

Related commands

dhcp snooping information enable

dhcp snooping information strategy

dhcp snooping log enable

Use dhcp snooping log enable to enable DHCP snooping logging.

Use undo dhcp snooping log enable to disable DHCP snooping logging.

Syntax

dhcp snooping log enable

undo dhcp snooping log enable

Default

DHCP snooping logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the DHCP snooping device to generate DHCP snooping logs and send them to the information center. The information helps administrators locate and solve problems. For information about the log destination and output rule configuration in the information center, see System Management Configuration Guide.

As a best practice, disable this feature if the log generation affects the device performance.

Examples

# Enable DHCP snooping logging.

<Sysname> system-view

[Sysname] dhcp snooping log enable

dhcp snooping max-learning-num

Use dhcp snooping max-learning-num to set the maximum number of DHCP snooping entries that an interface can learn.

Use undo dhcp snooping max-learning-num to restore the default.

Syntax

dhcp snooping max-learning-num max-number

undo dhcp snooping max-learning-num

Default

The maximum number of DHCP snooping entries for an interface to learn is unlimited.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Layer 3 Ethernet interface/Layer 3 aggregate interface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of DHCP snooping entries for an interface to learn. The value range for this argument is 1 to 4294967295.

Usage guidelines

When an interface has learned the maximum number of DHCP snooping entries, the interface stops learning DHCP snooping entries. This does not affect the operation of the DHCP snooping feature.

Examples

# Allow Layer 2 Ethernet interface HundredGigE 1/0/1 to learn a maximum of 10 DHCP snooping entries.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] dhcp snooping max-learning-num 10

dhcp snooping rate-limit

Use dhcp snooping rate-limit to enable DHCP snooping packet rate limit on an interface and set the limit value.

Use undo dhcp snooping rate-limit to disable DHCP snooping packet rate limit.

Syntax

dhcp snooping rate-limit rate

undo dhcp snooping rate-limit

Default

The DHCP snooping packet rate limit is disabled on an interface.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

rate: Specifies the maximum rate in Kbps. The value range for this argument is 64 to 512.

Usage guidelines

This command takes effect only when DHCP snooping is enabled.

With the rate limit feature, the interface discards DHCP packets that exceed the maximum rate.

The rate configured on a Layer 2 aggregate interface applies to all members of the aggregate interface. If a member interface leaves the aggregation group, it uses the rate configured in its Ethernet interface view.

Because of the chip capability, the maximum rate that takes effect can only be an integer multiple of a certain value. For example, if the device supports only integer multiples of eight and you set the maximum rate to 67, either 64 or 72 takes effect.

Examples

# Set the maximum rate to 64 Kbps at which Layer 2 Ethernet interface HundredGigE 1/0/1 can receive DHCP packets.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] dhcp snooping rate-limit 64

dhcp snooping trust

Use dhcp snooping trust to configure a port as a trusted port.

Use undo dhcp snooping trust to restore the default state of a port.

Syntax

dhcp snooping trust

undo dhcp snooping trust

Default

After you enable DHCP snooping, all ports are untrusted.

Views

Layer 2 Ethernet interface/Layer 2 aggregate interface view

Layer 3 Ethernet interface/Layer 3 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

Specify the ports facing the DHCP server as trusted ports and specify the other ports as untrusted ports so DHCP clients can obtain valid IP addresses.

Examples

# Specify Layer 2 Ethernet interface HundredGigE 1/0/1 as a trusted port.

<Sysname> system-view

[Sysname] interface hundredgige 1/0/1

[Sysname-HundredGigE1/0/1] dhcp snooping trust

Related commands

display dhcp snooping trust

dhcp snooping trust interface

Use dhcp snooping trust interface to configure an interface in a VLAN as a DHCP snooping trusted port.

Use undo dhcp snooping trust interface to configure an interface in a VLAN as a DHCP snooping untrusted port.

Syntax

dhcp snooping trust interface interface-type interface-number

undo dhcp snooping trust interface interface-type interface-number

Default

After you enable DHCP snooping for a VLAN, all interfaces in the VLAN are DHCP snooping untrusted ports.

Views

VLAN view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

In a VLAN, configure interfaces facing the DHCP server as trusted ports, and configure other interfaces as untrusted ports. The trusted ports forward response messages from the DHCP server to the clients. The untrusted ports connected to unauthorized DHCP servers discard incoming DHCP response messages.

You can execute this command multiple times in a VLAN to configure multiple trusted ports in the VLAN.

Make sure the specified interface is in the VLAN for which the dhcp snooping enable vlan command is configured.

Examples

# Configure HundredGigE 1/0/1 as a trusted port in VLAN 1.

<Sysname> system-view

[Sysname] vlan 1

[Sysname-vlan 1] dhcp snooping trust interface hundredgige 1/0/1

Related commands

display dhcp snooping trust

dhcp snooping trust tunnel

Use dhcp snooping trust tunnel to configure tunnel interfaces assigned to a VSI as trusted interfaces.

Use undo dhcp snooping trust tunnel to restore the default.

Syntax

dhcp snooping trust tunnel

undo dhcp snooping trust tunnel

Default

After you enable DHCP snooping, all tunnel interfaces are untrusted.

Views

VSI view

Predefined user roles

network-admin

Examples

# Configure the tunnel interfaces in VSI a as trusted interfaces.

<Sysname> system-view

[Sysname] vsi a

[Sysname-vsi-a] dhcp snooping trust tunnel

display dhcp snooping binding

Use display dhcp snooping binding to display DHCP snooping entries.

Syntax

display dhcp snooping binding [ ip ip-address [ vlan vlan-id ] ] [ verbose ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip ip-address: Displays the DHCP snooping entry for the specified IP address.

vlan vlan-id: Specifies the VLAN ID where the IP address resides.

verbose: Displays detailed DHCP snooping entry information. If you do not specify this keyword, the command displays brief DHCP snooping entry information.

Usage guidelines

If you do not specify any parameters, this command displays all DHCP snooping entries.

Examples

# Display summary information about all DHCP snooping entries.

<Sysname> display dhcp snooping binding

 2 DHCP snooping entries found

 IP address      MAC address    Lease        VLAN  SVLAN Interface

 =============== ============== ============ ===== ===== =================

 1.1.1.7         0000-0101-0107 16907533     2     3     HGE1/0/1

 1.1.1.11        0000-0101-010b 16907537     2     3     HGE1/0/3

# Display detailed information about all DHCP snooping entries.

<Sysname> display dhcp snooping binding verbose

 IP address: 1.1.1.7

 MAC address: 0000-0101-0107

 Lease: 16907553 seconds

 VLAN: 2

 SVLAN: 3

 Interface: HundredGigE1/0/1

 Parameter request list: 03 06 21

 

 IP address: 1.1.1.104

 MAC address: 0000-0101-010b

 Lease: 16907537 seconds

 VLAN: 2

 SVLAN: 3

 Interface: HundredGigE1/0/3

 Parameter request list: 37 0B 01 0F 03 06 2C 2E 2F 1F 21 F9 2B

Table 2 Command output

Field

Description

DHCP snooping entries found

Number of DHCP snooping entries.

IP address

IP address assigned to the DHCP client.

MAC address

MAC address of the DHCP client.

Lease

Remaining lease duration in seconds.

VLAN

When both DHCP snooping and QinQ are enabled or the DHCP packet contains two VLAN tags, this field identifies the outer VLAN tag. Otherwise, it identifies the VLAN where the port connecting the DHCP client resides.

SVLAN

When both DHCP snooping and QinQ are enabled or the DHCP packet contains two VLAN tags, this field identifies the inner VLAN tag. Otherwise, it displays N/A.

Interface

Port connected to the DHCP client.

Parameter request list

Parameters that the DHCP client requests, in hexadecimal notation.
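The two output formats above are what a monitoring script sees when it polls the snooping table. The following parser is an added example and is not code from the H3C reference: it reads both the brief table and the verbose blocks, decodes the hexadecimal Parameter request list into option names, and compares two snapshots to report IP addresses whose bound MAC address changed (a signal worth correlating with IP source guard or ARP detection events). The sample output embedded below is copied from the page's examples; the option-name table is a hand-picked subset of the IANA DHCP option registry, not device data.

```python
"""Parse the brief and verbose forms of 'display dhcp snooping binding'
and decode each client's Parameter request list.

Added example, not part of the H3C reference. The sample output below is
copied from the page's examples; the option-name table is a hand-picked
subset of the IANA DHCP option registry, not device data.
"""
import re
from dataclasses import dataclass

# Well-known option codes (decimal) for reading a Parameter request list.
DHCP_OPTION_NAMES = {
    1: "Subnet Mask", 3: "Router", 6: "Domain Name Server", 12: "Host Name",
    15: "Domain Name", 31: "Perform Router Discovery", 33: "Static Route",
    42: "NTP Servers", 43: "Vendor Specific Information",
    44: "NetBIOS Name Server", 46: "NetBIOS Node Type", 47: "NetBIOS Scope",
    55: "Parameter Request List", 119: "Domain Search",
    121: "Classless Static Route", 249: "MS Classless Static Route",
}


@dataclass
class Binding:
    ip: str
    mac: str
    lease: int          # remaining lease, seconds
    vlan: int
    svlan: str          # inner tag as text, or "N/A"
    interface: str
    prl: tuple = ()     # parameter request list as decimal option codes (verbose only)


# One row of the brief table: IP, MAC (xxxx-xxxx-xxxx), lease, VLAN, SVLAN, interface.
BRIEF_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})"
    r"\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)


def parse_brief(text: str) -> list:
    """Parse the brief table; the count and header lines do not match BRIEF_ROW."""
    rows = []
    for line in text.splitlines():
        m = BRIEF_ROW.match(line)
        if m:
            ip, mac, lease, vlan, svlan, ifname = m.groups()
            rows.append(Binding(ip, mac.lower(), int(lease), int(vlan), svlan, ifname))
    return rows


def _to_binding(fields: dict) -> Binding:
    prl = tuple(int(h, 16) for h in fields.get("Parameter request list", "").split())
    return Binding(
        fields["IP address"], fields["MAC address"].lower(),
        int(fields["Lease"].split()[0]),        # "16907553 seconds" -> 16907553
        int(fields["VLAN"]), fields.get("SVLAN", "N/A"), fields["Interface"], prl)


def parse_verbose(text: str) -> list:
    """Parse the verbose 'Key: value' blocks; each 'IP address' line starts an entry."""
    rows, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "IP address":
            if current:
                rows.append(_to_binding(current))
            current = {key: value}
        elif current:
            current[key] = value
    if current:
        rows.append(_to_binding(current))
    return rows


def describe_prl(prl) -> list:
    """Map PRL codes to names; unknown codes are kept as 'option N'."""
    return [DHCP_OPTION_NAMES.get(code, f"option {code}") for code in prl]


def mac_changes(previous, current) -> list:
    """IPs whose bound MAC differs between two snapshots: the address was handed
    to another host, or a client changed its MAC. Returns (ip, old_mac, new_mac)."""
    prev = {b.ip: b.mac for b in previous}
    return [(b.ip, prev[b.ip], b.mac) for b in current
            if b.ip in prev and prev[b.ip] != b.mac]


# Sample output, copied from the page's examples (constructed test input).
BRIEF_SAMPLE = """\
 2 DHCP snooping entries found
 IP address      MAC address    Lease        VLAN  SVLAN Interface
 =============== ============== ============ ===== ===== =================
 1.1.1.7         0000-0101-0107 16907533     2     3     HGE1/0/1
 1.1.1.11        0000-0101-010b 16907537     2     3     HGE1/0/3
"""

VERBOSE_SAMPLE = """\
 IP address: 1.1.1.7
 MAC address: 0000-0101-0107
 Lease: 16907553 seconds
 VLAN: 2
 SVLAN: 3
 Interface: HundredGigE1/0/1
 Parameter request list: 03 06 21

 IP address: 1.1.1.104
 MAC address: 0000-0101-010b
 Lease: 16907537 seconds
 VLAN: 2
 SVLAN: 3
 Interface: HundredGigE1/0/3
 Parameter request list: 37 0B 01 0F 03 06 2C 2E 2F 1F 21 F9 2B
"""

if __name__ == "__main__":
    for b in parse_verbose(VERBOSE_SAMPLE):
        print(b.ip, b.mac, b.interface, describe_prl(b.prl))
```

The Parameter request list is the part of the entry that identifies the client software: the first sample client asks only for router, DNS and static routes, while the second asks for NetBIOS and Microsoft classless-route options, which is the profile of a Windows DHCP client. Keying `mac_changes` on the IP address rather than the MAC is deliberate, because the snooping entry is what IP source guard and ARP detection use to validate an IP-to-MAC pair.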


Related commands

dhcp snooping enable

reset dhcp snooping binding

display dhcp snooping binding database

Use display dhcp snooping binding database to display information about DHCP snooping entry auto backup.

Syntax

display dhcp snooping binding database

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about DHCP snooping entry auto backup.

<Sysname> display dhcp snooping binding database

File name               :   database.dhcp

Username                :  

Password                :  

Update interval         :   600 seconds

Latest write time       :   Feb 27 18:48:04 2012

Status                  :   Last write succeeded.

Table 3 Command output

Field

Description

File name

Name of the DHCP snooping entry backup file.

Username

Username for accessing the URL of the remote backup file.

Password

Password for accessing the URL of the remote backup file. This field displays ****** if a password is configured.

Update interval

Waiting time in seconds after a DHCP snooping entry change for the DHCP snooping device to update the backup file.

Latest write time

Time of the latest update.

Status

Status of the update:

·     Writing—The backup file is being updated.

·     Last write succeeded—The backup file was successfully updated.

·     Last write failed—The backup file failed to be updated.


display dhcp snooping information

Use display dhcp snooping information to display Option 82 configuration on the DHCP snooping device.

Syntax

display dhcp snooping information { all | interface interface-type interface-number }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

all: Displays Option 82 configuration on all Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.

interface interface-type interface-number: Specifies an interface by its type and number.

Examples

# Display Option 82 configuration on all interfaces.

<Sysname> display dhcp snooping information all

Interface: Bridge-Aggregation1

   Status: Disable

   Strategy: Drop

   Circuit ID:

     Padding format: User Defined

       User defined: abcd

     Format: ASCII

   Remote ID:

     Padding format: Normal

     Format: ASCII

   Vendor-specific:

     Padding format: BAS

     Node identifier: MAC

   VLAN 10:

     Circuit ID: abcd

     Remote ID: company

     Vendor-specific:

       Padding format: BAS

       Node identifier: User defined(abcd)

Table 4 Command output

Field

Description

Interface

Interface name.

Status

Option 82 status, Enable or Disable.

Strategy

Handling strategy for DHCP requests that contain Option 82: Drop, Keep, or Replace.

Circuit ID

Content of the Circuit ID sub-option.

Padding format

Padding format of Option 82:

·     For Circuit ID sub-option, the padding format can be Normal, User Defined, Verbose (sysname), Verbose (MAC), or Verbose (user defined).

·     For Remote ID sub-option, the padding format can be Normal, Sysname, or User Defined.

·     For Vendor-Specific sub-option, the padding format is BAS.

Node identifier

Access node identifier.

·     For the Circuit ID or Remote ID sub-option, this field displays the user-defined string.

·     For the Vendor-Specific sub-option, the node identifier can be MAC, Sysname, or User Defined(string), where the string in parentheses is the user-defined node identifier.

User defined

Content of the user-defined sub-option.

Format

Code type of Option 82 sub-option:

·     For Circuit ID sub-option, the code type can be ASCII, Default, or Hex.

·     For Remote ID sub-option, the code type can be ASCII or Hex.

Remote ID

Content of the Remote ID sub-option.

Vendor-specific

Content of the Vendor-Specific sub-option. This field is displayed only when the Vendor-Specific sub-option is configured.

VLAN

Per-VLAN Option 82 settings: the Circuit ID, Remote ID, and Vendor-Specific sub-option contents padded into DHCP packets received in the listed VLAN. These override the interface-level settings for that VLAN.


display dhcp snooping packet statistics

Use display dhcp snooping packet statistics to display DHCP packet statistics for DHCP snooping.

Syntax

display dhcp snooping packet statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies a card by the slot number. If you do not specify a card, this command displays DHCP packet statistics for the active MPU.

Examples

# Display DHCP packet statistics for DHCP snooping.

<Sysname> display dhcp snooping packet statistics

 DHCP packets received                  : 100

 DHCP packets sent                      : 200

 Invalid DHCP packets dropped           : 0

Related commands

reset dhcp snooping packet statistics

display dhcp snooping trust

Use display dhcp snooping trust to display information about trusted ports.

Syntax

display dhcp snooping trust

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display information about trusted ports.

<Sysname> display dhcp snooping trust

 DHCP snooping is enabled.

 Interface                                       Trusted          VLAN

 =========================                       ============     =======

 HundredGigE1/0/1                                Trusted

 HundredGigE1/0/2                                -                100

 HundredGigE1/0/3                                -                100, 200

Table 5 Command output

Field

Description

Interface

Interface name.

Trusted

For a port configured as trusted in interface view (dhcp snooping trust), this field displays Trusted. Such a port is trusted in all VLANs.

For a port configured as trusted in VLAN view (dhcp snooping trust interface), this field displays a hyphen (-).

VLAN

VLANs in which the port is configured as trusted with the dhcp snooping trust interface command.

For a port configured as trusted in interface view, this field is empty or displays a hyphen (-), because the trust applies to all VLANs.
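The trust table is the single place that shows which ports will forward DHCP server replies, so it is the thing to audit when checking that only the real uplinks are trusted (the guideline under dhcp snooping trust and dhcp snooping trust interface above). The script below is an added example, not code from the H3C reference: it parses the output of display dhcp snooping trust into per-port state, distinguishing interface-view trust (Trusted, all VLANs) from VLAN-view trust (hyphen plus a VLAN list), and compares it with an allow-list of expected uplinks. The sample output is taken from the page's example with the interface name spelled consistently; the allow-list is a constructed assumption for the audit.

```python
"""Audit 'display dhcp snooping trust' output against an allow-list of uplinks.

Added example, not part of the H3C reference. The sample output is taken from
the page's example (interface name spelled consistently); EXPECTED_UPLINKS is
a constructed assumption for the audit.
"""
import re

# Data row: interface, "Trusted" (interface view) or "-" (VLAN view), then VLAN list.
TRUST_ROW = re.compile(r"^\s*(\S+)\s+(Trusted|-)\s*(.*?)\s*$")


def parse_trust(text: str):
    """Return (snooping_enabled, {interface: {"global": bool, "vlans": set}})."""
    enabled = "DHCP snooping is enabled" in text
    ports = {}
    for line in text.splitlines():
        m = TRUST_ROW.match(line)
        if not m or m.group(1) == "Interface":    # skip the column header
            continue
        ifname, mark, vlan_text = m.groups()
        # A VLAN-view trusted port lists its VLANs ("100, 200"); an interface-view
        # trusted port leaves the column empty or shows "-", meaning all VLANs.
        vlans = {int(v) for v in re.findall(r"\d+", vlan_text)} if mark == "-" else set()
        ports[ifname] = {"global": mark == "Trusted", "vlans": vlans}
    return enabled, ports


def audit_trust(text: str, allowed: dict) -> list:
    """allowed maps each expected uplink to None (trusted in all VLANs) or to the
    set of VLANs it may be trusted in. Any other trusted port is a finding: a
    rogue DHCP server behind it would have its replies forwarded to clients."""
    enabled, ports = parse_trust(text)
    findings = []
    if not enabled:
        findings.append("DHCP snooping is not enabled; no port is filtered")
    for ifname, state in ports.items():
        if ifname not in allowed:
            scope = "all VLANs" if state["global"] else f"VLANs {sorted(state['vlans'])}"
            findings.append(f"unexpected trusted port {ifname} ({scope})")
            continue
        permitted = allowed[ifname]
        if permitted is None:
            continue
        if state["global"]:
            findings.append(f"{ifname} is trusted in all VLANs but only {sorted(permitted)} expected")
        extra = state["vlans"] - set(permitted)
        if extra:
            findings.append(f"{ifname} trusted in unexpected VLANs {sorted(extra)}")
    for ifname in allowed:
        if ifname not in ports:
            findings.append(f"expected uplink {ifname} is untrusted; clients behind it will not get leases")
    return findings


# Sample output, copied from the page's example (constructed test input).
TRUST_SAMPLE = """\
 DHCP snooping is enabled.
 Interface                                       Trusted          VLAN
 =========================                       ============     =======
 HundredGigE1/0/1                                Trusted
 HundredGigE1/0/2                                -                100
 HundredGigE1/0/3                                -                100, 200
"""

# Constructed assumption: HGE1/0/1 is the only uplink; HGE1/0/3 may be trusted for VLAN 100 only.
EXPECTED_UPLINKS = {"HundredGigE1/0/1": None, "HundredGigE1/0/3": {100}}

if __name__ == "__main__":
    for finding in audit_trust(TRUST_SAMPLE, EXPECTED_UPLINKS):
        print("FINDING:", finding)
```

Against the sample output and the assumed allow-list the audit reports HundredGigE1/0/2 as an unexpected trusted port and HundredGigE1/0/3 as trusted in VLAN 200 without approval; both are paths a rogue DHCP server could use. The check that an expected uplink is actually trusted is the availability side of the same control: an untrusted uplink silently drops every lease for the clients behind it.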

Related commands

dhcp snooping trust

dhcp snooping trust interface

reset dhcp snooping binding

Use reset dhcp snooping binding to clear DHCP snooping entries.

Syntax

reset dhcp snooping binding { all | ip ip-address [ vlan vlan-id ] }

Views

User view

Predefined user roles

network-admin

Parameters

all: Clears all DHCP snooping entries.

ip ip-address: Clears the DHCP snooping entry for the specified IP address.

vlan vlan-id: Specifies the VLAN where the IP address resides. If you do not specify a VLAN, this command clears the DHCP snooping entry for the IP address in the default VLAN.

Usage guidelines

This command applies to all slots on a distributed device.

Examples

# Clear all DHCP snooping entries.

<Sysname> reset dhcp snooping binding all

Related commands

display dhcp snooping binding

reset dhcp snooping packet statistics

Use reset dhcp snooping packet statistics to clear DHCP packet statistics for DHCP snooping.

Syntax

reset dhcp snooping packet statistics [ slot slot-number ]

Views

User view

Predefined user roles

network-admin

Parameters

slot slot-number: Specifies a card by the slot number. If you do not specify a card, this command clears DHCP packet statistics for the active MPU.

Examples

# Clear DHCP packet statistics for DHCP snooping.

<Sysname> reset dhcp snooping packet statistics

Related commands

display dhcp snooping packet statistics
