Syntax
dhcp-snooping
undo dhcp-snooping
View
System view
Parameters
None
Description
Use the dhcp-snooping command to enable the DHCP snooping function.
Use the undo dhcp-snooping command to disable the DHCP snooping function. After DHCP snooping is disabled, all the ports can forward DHCP replies from the DHCP server without recording the IP-to-MAC bindings of the DHCP clients.
By default, the DHCP snooping function is disabled.
Note that:
- You need to disable DHCP relay agent before enabling DHCP snooping on the switch.
- The clients connected to a DHCP snooping device cannot obtain an IP address through BOOTP.
Related commands: display dhcp-snooping.
Examples
# Enter system view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
# Enable the DHCP snooping function.
[Sysname] dhcp-snooping
1.1.2 dhcp-snooping information enable
Syntax
dhcp-snooping information enable
undo dhcp-snooping information enable
View
System view
Parameters
None
Description
Use the dhcp-snooping information enable command to enable DHCP snooping Option 82.
Use the undo dhcp-snooping information enable command to disable DHCP snooping Option 82.
DHCP snooping Option 82 is disabled by default.
Note that: Enable DHCP snooping before performing this configuration.
Examples
# Enable DHCP snooping Option 82.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dhcp-snooping information enable
Syntax
dhcp-snooping information format { hex | ascii }
View
System view
Parameters
hex: Specifies the storage format of Option 82 as HEX (namely, hexadecimal string).
ascii: Specifies the storage format of Option 82 as ASCII.
Description
Use the dhcp-snooping information format command to configure the storage format of non-user-defined Option 82 as HEX or ASCII.
By default, Option 82 is in HEX format.
The dhcp-snooping information format command applies only to the default content of the Option 82 field. If you have configured the circuit ID or remote ID sub-option, the storage format of the sub-option is ASCII, instead of the one specified with the dhcp-snooping information format command.
Examples
# Configure the storage format of Option 82 as ASCII.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dhcp-snooping information format ascii
Syntax
dhcp-snooping information packet-format { extended | standard }
View
System view
Parameters
extended: Specifies the padding format for Option 82 as the extended format.
standard: Specifies the padding format for Option 82 as the standard format.
Description
Use the dhcp-snooping information packet-format command to configure the padding format for Option 82 as the extended or standard one.
By default, the padding format for Option 82 is the extended one.
Examples
# Configure the padding format for Option 82 as the standard one.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dhcp-snooping information packet-format standard
Syntax
dhcp-snooping information remote-id { sysname | string string }
undo dhcp-snooping information remote-id
View
System view
Parameters
sysname: Uses the system name (sysname) of the DHCP snooping device to pad the remote ID sub-option in Option 82.
string: Customized content of the remote ID sub-option, a string of 1 to 63 ASCII characters.
Description
Use the dhcp-snooping information remote-id command to configure the remote ID sub-option in Option 82.
Use the undo dhcp-snooping information remote-id command to restore the default value of the remote ID sub-option in Option 82.
By default, the remote ID sub-option in Option 82 is the MAC address of the DHCP Snooping device that received the DHCP client’s request.
Examples
# Configure the remote ID sub-option of Option 82 as the system name (sysname) of the DHCP snooping device.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dhcp-snooping information remote-id sysname
Syntax
dhcp-snooping information strategy { drop | keep | replace }
undo dhcp-snooping information strategy
View
System view, Ethernet port view
Parameters
drop: If a packet contains Option 82, DHCP snooping drops this packet.
keep: If a packet contains Option 82, DHCP snooping keeps and forwards this packet.
replace: If a packet contains Option 82, DHCP snooping replaces the original Option 82 field with the Option 82 field having the specified padding content and forwards the packet.
Description
Use the dhcp-snooping information strategy command in system view to configure a handling policy for DHCP requests that contain Option 82 sent by the DHCP client.
Use the undo dhcp-snooping information strategy command to restore the default handling policy.
Use the dhcp-snooping information strategy command in Ethernet port view to configure a handling policy for requests that contain Option 82 received on the current port.
Use the undo dhcp-snooping information strategy command to restore the default handling policy.
By default, after DHCP-snooping Option 82 support is enabled, DHCP snooping replaces the Option 82 field in the requests sent by the DHCP clients.
Caution:
- Enable DHCP-snooping and DHCP-snooping Option 82 before performing this configuration.
- If a handling policy is configured on a port, this configuration overrides the globally configured handling policy for requests received on this port, while the globally configured handling policy applies on those ports where a handling policy is not natively configured.
Examples
# Configure the keep handling policy for DHCP requests that contain Option 82 on the DHCP snooping device.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dhcp-snooping information strategy keep
Syntax
dhcp-snooping information [ vlan vlan-id ] circuit-id string string
undo dhcp-snooping information { [ vlan vlan-id ] circuit-id | circuit-id all }
View
Ethernet port view
Parameters
vlan vlan-id: Specifies a VLAN. DHCP packets from the VLAN are padded with the circuit ID sub-option.
string: Content of the circuit ID sub-option, a string of 3 to 63 ASCII characters.
Description
Use the dhcp-snooping information vlan circuit-id command to configure the content of the circuit ID field in Option 82.
Use the undo dhcp-snooping information circuit-id command to restore the default.
With vlan vlan-id specified, the customized circuit ID sub-option applies only to the DHCP packets from the specified VLAN.
With no vlan vlan-id specified, the customized circuit ID sub-option applies to all DHCP packets that pass through the current port.
Use the undo dhcp-snooping information vlan vlan-id circuit-id command to restore the default circuit ID in DHCP packets from the specified VLAN.
Use the undo dhcp-snooping information circuit-id command to restore the default circuit ID for all DHCP packets except those from the specified VLAN.
Use the undo dhcp-snooping information circuit-id all command to restore the default circuit ID for all DHCP packets.
By default, the circuit ID field in Option 82 contains the VLAN ID and index of the port that received the client’s request.
If you have configured a circuit ID with the vlan vlan-id argument specified, and the other one without the argument in Ethernet port view, the former circuit ID applies to the DHCP messages from the specified VLAN, while the latter one applies to DHCP messages from other VLANs.
Examples
# Set the circuit ID field in Option 82 of the DHCP messages sent through Ethernet 1/0/1 to abc.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] dhcp-snooping information circuit-id string abc
Syntax
dhcp-snooping information [ vlan vlan-id ] remote-id string string
undo dhcp-snooping information { [ vlan vlan-id ] remote-id | remote-id all }
View
Ethernet port view
Parameters
vlan vlan-id: Specifies the VLAN ID of the remote ID to be customized.
string: Customized content of the remote ID sub-option, a string of 3 to 63 ASCII characters.
Description
Use the dhcp-snooping information vlan remote-id command to configure the content of the remote ID in Option 82.
Use the undo dhcp-snooping information remote-id command to restore the default remote ID in Option 82.
With vlan vlan-id specified, the customized remote ID sub-option applies only to the DHCP packets from the specified VLAN.
Without vlan vlan-id specified, the customized remote ID sub-option applies to all DHCP packets that pass through the current port.
Use the undo dhcp-snooping information vlan vlan-id remote-id command to restore the default remote ID in DHCP packets from the specified VLAN.
Use the undo dhcp-snooping information remote-id command to restore the default remote ID in all DHCP packets except those from the specified VLAN.
Use the undo dhcp-snooping information remote-id all command to restore the default remote ID in all DHCP packets.
By default, the remote ID sub-option in Option 82 is the MAC address of the DHCP Snooping device that received the DHCP client’s request.
If you have configured a remote ID with the vlan vlan-id argument specified, and the other one without the argument in Ethernet port view, the former remote ID applies to the DHCP messages from the specified VLAN, while the latter one applies to DHCP messages from other VLANs.
Examples
# Configure the remote ID of Option 82 in DHCP packets to abc on the port Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] dhcp-snooping information remote-id string abc
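Added example (not from the original manual): a Python model of the drop, keep and replace handling policies, the per-port override of the global policy, and user-defined circuit ID and remote ID strings, encoded with the RFC 3046 sub-option layout. The function names, the sample request and the rule that a request without Option 82 gets the local field appended are assumptions of this example.

```python
OPT_PAD, OPT_END, OPT_RELAY_INFO = 0, 255, 82   # RFC 2132 / RFC 3046 option codes
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2            # RFC 3046 sub-option codes

def parse_options(raw):
    """Split a DHCP options field (bytes after the magic cookie) into (code, value) pairs."""
    opts, i = [], 0
    while i < len(raw) and raw[i] != OPT_END:
        if raw[i] == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated option %d" % raw[i])
        opts.append((raw[i], raw[i + 2:i + 2 + raw[i + 1]]))
        i += 2 + raw[i + 1]
    return opts

def build_options(opts):
    """Re-encode (code, value) pairs and terminate with the END option."""
    out = bytearray()
    for code, value in opts:
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)

def build_option82(circuit_id, remote_id):
    """Encode user-defined circuit ID / remote ID strings (stored as ASCII per the page)."""
    body = bytearray()
    for sub, text in ((SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)):
        if not 3 <= len(text) <= 63:            # port-view string range given on the page
            raise ValueError("sub-option string must be 3 to 63 characters")
        body += bytes([sub, len(text)]) + text.encode("ascii")
    return bytes(body)

def effective_strategy(global_strategy, port_strategies, port):
    """A policy configured on the port overrides the global one for that port."""
    return port_strategies.get(port, global_strategy)

def handle_request(raw, strategy, local_opt82):
    """Return the options field to forward, or None if the request is dropped."""
    opts = parse_options(raw)
    if not any(code == OPT_RELAY_INFO for code, _ in opts):
        # Assumption: a request without Option 82 gets the local field appended.
        return build_options(opts + [(OPT_RELAY_INFO, local_opt82)])
    if strategy == "drop":
        return None
    if strategy == "keep":
        return build_options(opts)
    if strategy == "replace":
        kept = [(c, v) for c, v in opts if c != OPT_RELAY_INFO]
        return build_options(kept + [(OPT_RELAY_INFO, local_opt82)])
    raise ValueError("unknown strategy %r" % strategy)

def option82_of(raw):
    """Return the Option 82 sub-options as {sub_code: bytes}, or None if absent."""
    for code, value in parse_options(raw):
        if code == OPT_RELAY_INFO:
            # Sub-options share the code/length/value layout; codes 1 and 2
            # never collide with PAD (0) or END (255).
            return dict(parse_options(value))
    return None

# Constructed sample: a DHCPDISCOVER (option 53 = 1) that already carries Option 82.
UPSTREAM_82 = build_option82("old-cid", "old-rid")
REQUEST = build_options([(53, b"\x01"), (OPT_RELAY_INFO, UPSTREAM_82)])
LOCAL_82 = build_option82("abc", "abc")         # "abc" as in the page's port-view examples

if __name__ == "__main__":
    for port in ("Ethernet1/0/1", "Ethernet1/0/2"):
        # Hypothetical setup: global policy replace, Ethernet1/0/1 overridden to keep.
        s = effective_strategy("replace", {"Ethernet1/0/1": "keep"}, port)
        print(port, s, option82_of(handle_request(REQUEST, s, LOCAL_82)))
```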
Syntax
dhcp-snooping trust
undo dhcp-snooping trust
View
Ethernet port view
Parameters
None
Description
Use the dhcp-snooping trust command to set an Ethernet port to a DHCP-snooping trusted port.
Use the undo dhcp-snooping trust command to restore an Ethernet port to a DHCP-snooping untrusted port.
By default, with the DHCP snooping enabled, all the ports of a switch are untrusted ports.
Note that: After DHCP snooping is enabled, you need to specify the port connected to a valid DHCP server as trusted to ensure that DHCP clients can obtain valid IP addresses. The trusted port and the ports connected to DHCP clients must be in the same VLAN.
Related commands: display dhcp-snooping trust.
Examples
# Enter system view.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
# Set the Ethernet 1/0/1 port to a trusted port.
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] dhcp-snooping trust
Syntax
display dhcp-snooping [ unit unit-id ]
View
Any view
Parameters
unit unit-id: Indicates the number of the device whose DHCP-snooping information needs to be viewed. The value is 1.
Description
Use the display dhcp-snooping command to display the user IP-MAC address mapping entries recorded by the DHCP snooping function.
Related commands: dhcp-snooping.
Examples
# Display the user IP-MAC address mapping entries recorded by the DHCP snooping function.
<Sysname> display dhcp-snooping
DHCP-Snooping is enabled.
The client binding table for all untrusted ports.
Type : D--Dynamic , S--Static
Unit ID : 1
Type IP Address      MAC Address     Lease     VLAN Interface
==== =============== =============== ========= ==== =================
D    10.1.1.1        00e0-fc00-0006  200       1    Ethernet1/0/1
--- 1 dhcp-snooping item(s) of unit 1 found ---
Syntax
display dhcp-snooping trust
View
Any view
Parameters
None
Description
Use the display dhcp-snooping trust command to display the (enabled/disabled) state of the DHCP snooping function and the trusted ports.
Related commands: dhcp-snooping trust.
Examples
# Display the state of the DHCP snooping function and the trusted ports.
<Sysname> display dhcp-snooping trust
DHCP-Snooping is enabled.
DHCP-Snooping trust become effective.
Interface             Trusted
===================== =================
Ethernet1/0/10        Trusted
The above display information indicates that the DHCP snooping function is enabled, and the Ethernet 1/0/10 port is a trusted port.
Syntax
display ip source static binding [ vlan vlan-id | interface interface-type interface-number ]
View
Any view
Parameters
vlan-id: ID of the VLAN whose IP static binding entries are to be displayed.
interface-type interface-number: Type and number of the port whose IP static binding entries are to be displayed.
Description
Use the display ip source static binding command to display the IP static binding entries configured. If you specify a VLAN, all the IP static binding entries for the specified VLAN will be displayed. If you specify a port, all the IP static binding entries for the specified port will be displayed.
Examples
# Display all IP static binding entries configured.
<Sysname> display ip source static binding
Type IP Address      MAC Address     Remaining VLAN Interface
                                     lease
==== =============== =============== ========= ==== =================
S    192.168.0.25    0015-e20f-0101  infinite  1    Ethernet1/0/2
S    192.168.0.58    0001-e201-4f01  infinite  1    Ethernet1/0/3
S    192.168.0.101   000f-0101-0204  infinite  1    Ethernet1/0/2
S    192.168.0.122   000f-e20f-21a3  infinite  1    Ethernet1/0/3
S    192.168.0.144   0015-e943-712f  infinite  1    Ethernet1/0/2
--- 5 static binding item(s) found ---
Syntax
ip check source ip-address [ mac-address ]
undo ip check source ip-address [ mac-address ]
View
Ethernet port view
Parameters
mac-address: Enables IP filtering based on the source MAC address of the packets.
Description
Use the ip check source ip-address command to enable the filtering of the IP packets received through the current port based on the source IP address of the packets.
Use the undo ip check source ip-address command to disable the filtering of the IP packets received through the current port based on the source IP address of the packets.
Use the ip check source ip-address mac-address command to enable the filtering of the IP packets received through the current port based on the source IP address and source MAC address of the packets.
Use the undo ip check source ip-address mac-address command to disable the filtering of the IP packets received through the current port based on the source IP address and source MAC address of the packets.
By default, the filtering of the IP packets received through a port based on the source IP address or source MAC address of the packets is disabled.
Examples
# Enable the filtering of the IP packets received through port Ethernet 1/0/11 based on the source IP address of the packets.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/11
[Sysname-Ethernet1/0/11] ip check source ip-address
Syntax
ip source static binding ip-address ip-address [ mac-address mac-address ]
undo ip source static binding ip-address ip-address
View
Ethernet port view
Parameters
ip-address ip-address: Specifies the IP address to be statically bound.
mac-address mac-address: Specifies the MAC address to be statically bound.
Description
Use the ip source static binding ip-address command to configure the static binding among source IP address, source MAC address, and the port number so as to generate static binding entries.
Use the undo ip source static binding ip-address command to remove the static binding among source IP address, source MAC address, and the port.
By default, no binding among source IP address, source MAC address, and the port number is configured.
To create a static binding after IP filtering is enabled with the mac-address keyword included on a port, the mac-address argument must be specified; otherwise, the packets sent from this IP address cannot pass the IP filtering.
Related commands: ip check source ip-address.
Examples
# Configure static binding among source IP address 1.1.1.1, source MAC address 0015-e20f-0101, and Ethernet 1/0/3.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/3
[Sysname-Ethernet1/0/3] ip source static binding ip-address 1.1.1.1 mac-address 0015-e20f-0101
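Added example (not from the original manual): a Python model of the check that ip check source ip-address [ mac-address ] applies, run over rows in the layout of the display ip source static binding output, including the case where a binding created without mac-address meets a port that filters on MAC. The function names and the IP-only binding 192.168.0.200 are constructed for illustration, and the model consults only the bindings passed to it.

```python
import re
from collections import namedtuple

Binding = namedtuple("Binding", "kind ip mac vlan port")

# Two rows taken from the page's sample output; the footer count is adjusted to match.
SAMPLE_OUTPUT = """\
Type IP Address      MAC Address     Remaining VLAN Interface
                                     lease
==== =============== =============== ========= ==== =================
S    192.168.0.25    0015-e20f-0101  infinite  1    Ethernet1/0/2
S    192.168.0.58    0001-e201-4f01  infinite  1    Ethernet1/0/3
--- 2 static binding item(s) found ---
"""

ROW = re.compile(
    r"^([DS])\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2})"
    r"\s+(\S+)\s+(\d+)\s+(\S+)\s*$")


def norm_mac(mac):
    """Reduce hhhh-hhhh-hhhh, hh:hh:... or hh-hh-... to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def parse_bindings(text):
    """Return a Binding for every data row; headers, separators and footers are skipped."""
    out = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            kind, ip, mac, _lease, vlan, port = m.groups()
            out.append(Binding(kind, ip, norm_mac(mac), int(vlan), port))
    return out


def permits(bindings, port, src_ip, src_mac, check_mac):
    """Decide whether a packet received on `port` passes IP filtering.

    check_mac=False models 'ip check source ip-address';
    check_mac=True models 'ip check source ip-address mac-address'.
    """
    for b in bindings:
        if b.port != port or b.ip != src_ip:
            continue
        if not check_mac:
            return True
        # A binding created without mac-address (mac is None) can never satisfy
        # the MAC check: the caveat the page gives for static bindings.
        if b.mac is not None and b.mac == norm_mac(src_mac):
            return True
    return False


BINDINGS = parse_bindings(SAMPLE_OUTPUT)
# Constructed entry: a static binding configured with ip-address only.
BINDINGS.append(Binding("S", "192.168.0.200", None, 1, "Ethernet1/0/3"))

if __name__ == "__main__":
    cases = [
        ("Ethernet1/0/2", "192.168.0.25", "00:15:e2:0f:01:01"),   # matches binding
        ("Ethernet1/0/2", "192.168.0.25", "de:ad:be:ef:00:01"),   # right IP, other MAC
        ("Ethernet1/0/3", "192.168.0.25", "00:15:e2:0f:01:01"),   # right pair, wrong port
        ("Ethernet1/0/3", "192.168.0.200", "00:0f:e2:00:00:01"),  # IP-only binding
    ]
    for port, ip, mac in cases:
        print(port, ip, mac,
              "ip-only:", permits(BINDINGS, port, ip, mac, False),
              "ip+mac:", permits(BINDINGS, port, ip, mac, True))
```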
Syntax
dhcp protective-down recover enable
undo dhcp protective-down recover enable
View
System view
Parameters
None
Description
Use the dhcp protective-down recover enable command to enable port state auto-recovery on the switch.
Use the undo dhcp protective-down recover enable command to disable port state auto-recovery.
With the port state auto-recovery function, a port that is shut down because the DHCP traffic rate limit configured on it is exceeded can automatically be brought up after a specified interval.
By default, the port state auto-recovery function on the switch is disabled.
Examples
# Enable port state auto-recovery on the switch.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dhcp protective-down recover enable
Syntax
dhcp protective-down recover interval interval
undo dhcp protective-down recover interval
View
System view
Parameters
interval: Interval (in seconds) for a port disabled due to the DHCP traffic exceeding the set threshold to be brought up again. This argument ranges from 10 to 86,400.
Description
Use the dhcp protective-down recover interval command to set an auto recovery interval.
Use the undo dhcp protective-down recover interval command to restore the default interval.
With the port state auto-recovery function enabled on a switch, the auto recovery interval defaults to 300 seconds.
Note that:
- Before configuring the port state auto-recovery interval, you must enable port state auto-recovery on the switch first.
- The new port state auto-recovery interval only applies to the ports that are shut down after the dhcp protective-down recover interval command is last executed.
Examples
# Set the port state auto-recovery interval to 30 seconds.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] dhcp protective-down recover enable
[Sysname] dhcp protective-down recover interval 30
Syntax
dhcp rate-limit rate
undo dhcp rate-limit
View
Ethernet port view
Parameters
rate: Maximum rate of DHCP traffic in pps. This argument ranges from 10 to 150.
Description
Use the dhcp rate-limit command to configure the maximum rate of DHCP traffic for the port. When the number of DHCP packets received on the port per second exceeds the specified threshold, the switch will discard the excess DHCP packets.
Use the undo dhcp rate-limit command to restore the default.
By default, after the DHCP traffic limit is enabled, the maximum rate of DHCP traffic is 15 pps.
Note that: You need to enable the function to limit DHCP traffic (refer to the dhcp rate-limit enable command) for a port before executing either of these two commands for the port.
Examples
# Configure the DHCP traffic threshold to 100 pps for port Ethernet 1/0/11.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/11
[Sysname-Ethernet1/0/11] dhcp rate-limit enable
[Sysname-Ethernet1/0/11] dhcp rate-limit 100
Syntax
dhcp rate-limit enable
undo dhcp rate-limit enable
View
Ethernet port view
Parameters
None
Description
Use the dhcp rate-limit enable command to enable the function to limit DHCP traffic for an Ethernet port. You can use this command to limit the DHCP traffic passing through an Ethernet port. When the number of DHCP packets received on the port per second exceeds the specified threshold (the default value is 15 pps), the switch will discard the excess DHCP packets.
Use the undo dhcp rate-limit enable command to disable the function. You can use this command to remove the DHCP traffic limit configured on an Ethernet port.
By default, the function to limit DHCP traffic is disabled on an Ethernet port. That is, DHCP traffic passing through an Ethernet port is not limited.
Examples
# Enable the function to limit DHCP traffic for Ethernet 1/0/11 port.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface ethernet 1/0/11
[Sysname-Ethernet1/0/11] dhcp rate-limit enable
Syntax
display dhcp client [ verbose ]
View
Any view
Parameters
verbose: Displays the detailed address allocation information.
Description
Use the display dhcp client command to display the information about the address allocation of DHCP clients.
Note that S3100 series Ethernet switches that operate as DHCP clients support a maximum lease duration of 24 days currently.
Examples
# Display the information about the address allocation of DHCP clients.
<Sysname> display dhcp client verbose
DHCP client statistic information:
Vlan-interface1:
Current machine state: BOUND
Allocated IP: 192.168.0.2 255.255.255.0
Allocated lease: 86400 seconds, T1: 43200 seconds, T2: 75600 seconds
Lease from 2002.09.20 01:05:03 to 2002.09.21 01:05:03
Server IP: 192.168.0.1
Transaction ID = 0x3d8a7431
Default router: 192.168.0.1
Next timeout will happen after 0 days 11 hours 56 minutes 1 seconds.
Table 3-1 Description on the fields of the display dhcp client command
| Field | Description |
| Vlan-interface1 | VLAN interface operating as a DHCP client to obtain an IP address dynamically |
| Current machine state | The state of the client state machine |
| Allocated IP | IP address allocated to the DHCP client |
| lease | Lease period |
| T1 | Renewal timer setting |
| T2 | Rebinding timer setting |
| Lease from….to…. | The starting and end time of the lease period |
| Server IP | IP address of the DHCP server selected |
| Transaction ID | Transaction ID |
| Default router | Gateway address |
| Next timeout will happen after 0 days 11 hours 56 minutes 1 seconds. | The timer expires in 11 hours, 56 minutes, and 1 second. |
Syntax
ip address dhcp-alloc
undo ip address dhcp-alloc
View
VLAN interface view
Parameters
None
Description
Use the ip address dhcp-alloc command to configure a VLAN interface to obtain an IP address through DHCP.
Use the undo ip address dhcp-alloc command to cancel the configuration.
By default, a VLAN interface does not use DHCP to obtain an IP address.
To improve security and avoid malicious attacks on unused sockets, S3100 Ethernet switches provide the following functions:
- UDP ports 67 and 68 used by DHCP are enabled/disabled only when DHCP is enabled/disabled.
The implementation is as follows:
- After the DHCP client is enabled by executing the ip address dhcp-alloc command, UDP port 68 is enabled.
- After the DHCP client is disabled by executing the undo ip address dhcp-alloc command, UDP port 68 is disabled.
Examples
# Configure VLAN-interface 1 to obtain an IP address through DHCP.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address dhcp-alloc
Syntax
display bootp client [ interface Vlan-interface vlan-id ]
View
Any view
Parameters
vlan-id: ID of the VLAN interface.
Description
Use the display bootp client command to display BOOTP client-related information, including the MAC address of the BOOTP client and the IP address obtained.
Examples
# Display the BOOTP client-related information.
<Sysname> display bootp client interface Vlan-interface 1
Vlan-interface1:
Allocated IP: 192.168.0.2 255.255.255.0
Transaction ID = 0x3d8a7431
Mac Address 000f-e20a-c3ef
Default router: 192.168.0.1
Table 3-2 Description on the fields of the display bootp client command
| Field | Description |
| Vlan-interface1 | VLAN-interface 1 is configured to obtain an IP address through BOOTP. |
| Allocated IP | IP address allocated to the VLAN interface |
| Transaction ID | Value of the XID field in BOOTP packets |
| Mac Address | MAC address of the BOOTP client |
| Default router | Default router |
Syntax
ip address bootp-alloc
undo ip address bootp-alloc
View
VLAN interface view
Parameters
None
Description
Use the ip address bootp-alloc command to configure a VLAN interface to obtain an IP address through BOOTP.
Use the undo ip address bootp-alloc command to cancel the configuration.
By default, a VLAN interface does not use BOOTP to obtain an IP address.
Related commands: display bootp client.
Examples
# Configure VLAN-interface 1 to obtain an IP address through BOOTP.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address bootp-alloc