DHCP snooping commands
DHCP snooping works between the DHCP client and the DHCP server or between the DHCP client and the relay agent. DHCP snooping does not work between the DHCP server and the DHCP relay agent.
dhcp snooping alarm enable
Use dhcp snooping alarm enable to enable the packet drop alarm.
Use undo dhcp snooping alarm enable to disable the packet drop alarm.
Syntax
dhcp snooping alarm { giaddr | mac-address | request-message } enable
undo dhcp snooping alarm { giaddr | mac-address | request-message } enable
Default
The packet drop alarm is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
giaddr: Specifies the giaddr field check in DHCP requests.
mac-address: Specifies MAC address check.
request-message: Specifies DHCP-REQUEST check.
Usage guidelines
After you enable the packet drop alarm for a feature, the device generates an alarm log when the number of packets dropped by this feature reaches the alarm threshold. The alarm log is sent to the information center. Then, the device clears the current packet drop statistics and counts packet drops again. You can set log message filtering and output rules by configuring the information center. For more information about the information center, see information center configuration in System Management Configuration Guide.
To set the alarm threshold, use the dhcp snooping alarm threshold command.
For this command to take effect, you must first execute the dhcp snooping log enable command to enable DHCP snooping logging.
Examples
# Enable the packet drop alarm for the giaddr field check in DHCP requests.
<Sysname> system-view
[Sysname] dhcp snooping alarm giaddr enable
Related commands
dhcp snooping alarm threshold
dhcp snooping check giaddr
dhcp snooping check mac-address
dhcp snooping check request-message
dhcp snooping log enable
dhcp snooping alarm threshold
Use dhcp snooping alarm threshold to set a packet drop alarm threshold.
Use undo dhcp snooping alarm threshold to restore the default.
Syntax
dhcp snooping alarm { giaddr | mac-address | request-message } threshold threshold
undo dhcp snooping alarm { giaddr | mac-address | request-message } threshold
Default
The packet drop alarm threshold is 100.
Views
System view
Predefined user roles
network-admin
Parameters
giaddr: Specifies the giaddr field check in DHCP requests.
mac-address: Specifies MAC address check.
request-message: Specifies the DHCP-REQUEST check.
threshold: Specifies the number of dropped packets that triggers a packet drop alarm. The value range is 1 to 1000.
Usage guidelines
The device generates an alarm log when the number of packets dropped due to the check failure reaches the alarm threshold. Then, the device clears the current packet drop statistics and counts packet drops again. If the number of packet drops reaches the alarm threshold again, the device generates a new alarm log.
Examples
# Set the packet drop alarm threshold to 2 for the giaddr field check in DHCP requests.
<Sysname> system-view
[Sysname] dhcp snooping alarm giaddr threshold 2
Related commands
dhcp snooping alarm enable
dhcp snooping check giaddr
dhcp snooping check mac-address
dhcp snooping check request-message
dhcp snooping binding database filename
Use dhcp snooping binding database filename to configure the DHCP snooping device to back up DHCP snooping entries to a file.
Use undo dhcp snooping binding database filename to restore the default.
Syntax
dhcp snooping binding database filename { filename | url url [ username username [ password { cipher | simple } string ] ] }
undo dhcp snooping binding database filename
Default
The DHCP snooping device does not back up DHCP snooping entries.
Views
System view
Predefined user roles
network-admin
Parameters
filename: Specifies the name of a local backup file. The value for this argument is a case-insensitive string of 1 to 255 characters. For information about the filename argument, see Fundamentals Configuration Guide.
url url: Specifies the URL of a remote backup file, a case-sensitive string of 1 to 255 characters. Do not include a username or password in the URL. The supported path format varies by server.
username username: Specifies the username for accessing the URL of the remote backup file, a case-sensitive string of 1 to 32 characters. Do not specify this option if a username is not required for accessing the URL.
cipher: Specifies a password in encrypted form.
simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.
string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 32 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters. Do not specify this argument if a password is not required for accessing the URL of the remote backup file.
Usage guidelines
This command automatically creates the file if you specify a nonexistent file.
With this command executed, the DHCP snooping device backs up DHCP snooping entries immediately and runs auto backup. The DHCP snooping device, by default, waits 300 seconds after a DHCP snooping entry change to update the backup file. To change the waiting period, use the dhcp snooping binding database update interval command. If no DHCP snooping entry changes, the backup file is not updated.
As a best practice, back up the DHCP snooping entries to a remote file. If you use the local storage medium, the frequent erasing and writing might damage the medium and then cause the DHCP snooping device to malfunction.
When the file is on a remote device, follow these restrictions and guidelines to specify the URL, username, and password:
· If the file is on an FTP server, enter the URL in the following format: ftp://server address:port/file path, where the port number is optional.
· If the file is on a TFTP server, enter the URL in the following format: tftp://server address:port/file path, where the port number is optional.
· The username and password must be the same as those configured on the FTP server. If the server authenticates only the username, the password can be omitted.
· If the IP address of the server is an IPv6 address, enclose the address in a pair of brackets, for example, ftp://[1::1]/database.dhcp.
· You can also specify the DNS domain name for the server address field, for example, ftp://company/database.dhcp.
Examples
# Configure the DHCP snooping device to back up DHCP snooping entries to file database.dhcp.
<Sysname> system-view
[Sysname] dhcp snooping binding database filename database.dhcp
# Configure the DHCP snooping device to back up DHCP snooping entries to file database.dhcp in the working directory of the FTP server at 10.1.1.1.
<Sysname> system-view
[Sysname] dhcp snooping binding database filename url ftp://10.1.1.1/database.dhcp username 1 password simple 1
# Configure the DHCP snooping device to back up DHCP snooping entries to file database.dhcp in the working directory of the TFTP server at 10.1.1.1.
<Sysname> system-view
[Sysname] dhcp snooping binding database filename url tftp://10.1.1.1/database.dhcp
dhcp snooping binding database update interval
Use dhcp snooping binding database update interval to set the waiting time for the DHCP snooping device to update the backup file after a DHCP snooping entry change.
Use undo dhcp snooping binding database update interval to restore the default.
Syntax
dhcp snooping binding database update interval interval
undo dhcp snooping binding database update interval
Default
The DHCP snooping device waits 300 seconds to update the backup file after a DHCP snooping entry change. If no DHCP snooping entry changes, the backup file is not updated.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies the waiting time in seconds, in the range of 60 to 864000.
Usage guidelines
When a DHCP snooping entry is learned, updated, or removed, the waiting period starts. The DHCP snooping device updates the backup file when the waiting period elapses. All entries changed during the period are saved to the backup file.
The waiting time takes effect only after you configure the DHCP snooping entry auto backup by using the dhcp snooping binding database filename command.
Examples
# Set the waiting time to 600 seconds for the DHCP snooping device to update the backup file.
<Sysname> system-view
[Sysname] dhcp snooping binding database update interval 600
Related commands
dhcp snooping binding database filename
dhcp snooping binding database update now
Use dhcp snooping binding database update now to manually save DHCP snooping entries to the backup file.
Syntax
dhcp snooping binding database update now
Views
System view
Predefined user roles
network-admin
Usage guidelines
Each time this command is executed, the DHCP snooping entries are saved to the backup file.
This command takes effect only after you configure the DHCP snooping auto backup by using the dhcp snooping binding database filename command.
Examples
# Manually save DHCP snooping entries to the backup file.
<Sysname> system-view
[Sysname] dhcp snooping binding database update now
Related commands
dhcp snooping binding database filename
dhcp snooping binding record
Use dhcp snooping binding record to enable recording of client information in DHCP snooping entries.
Use undo dhcp snooping binding record to disable recording of client information in DHCP snooping entries.
Syntax
dhcp snooping binding record
undo dhcp snooping binding record
Default
DHCP snooping does not record client information.
Views
Layer 2 Ethernet interface/Layer 2 aggregate interface view
VLAN view
Predefined user roles
network-admin
Usage guidelines
This command enables DHCP snooping on the port directly connecting to the clients to record client information in DHCP snooping entries.
If you configure this command in a VSI view, this command takes effect on the ACs that are mapped to the VSI and the VXLAN tunnel interfaces that are assigned to the VSI.
Examples
# Enable the recording of client information in DHCP snooping entries on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp snooping binding record
dhcp snooping check giaddr
Use dhcp snooping check giaddr to enable the giaddr field check in DHCP requests.
Use undo dhcp snooping check giaddr to disable the giaddr field check in DHCP requests.
Syntax
dhcp snooping check giaddr
undo dhcp snooping check giaddr
Default
The device does not check the giaddr field in DHCP requests.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Predefined user roles
network-admin
Usage guidelines
A DHCP snooping device functions between DHCP clients and a DHCP server, or between DHCP clients and a DHCP relay agent. The giaddr field in a DHCP request records the address information of the first relay agent that the request passes through. If the DHCP snooping device receives a DHCP request where the giaddr field value is not 0, it indicates that the DHCP snooping device location is not correct. In this case, the DHCP snooping device cannot function correctly.
This feature enables the DHCP snooping device to examine the giaddr field value in received DHCP packets and drop them if the giaddr field value is not 0. When the number of dropped DHCP requests reaches or exceeds the alarm threshold, the device generates a log for administrators to adjust locations of the DHCP devices.
Examples
# Enable the giaddr field check in DHCP requests on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp snooping check giaddr
Related commands
dhcp snooping alarm enable
dhcp snooping alarm threshold
dhcp snooping check mac-address
Use dhcp snooping check mac-address to enable MAC address check for DHCP snooping.
Use undo dhcp snooping check mac-address to disable MAC address check for DHCP snooping.
Syntax
dhcp snooping check mac-address
undo dhcp snooping check mac-address
Default
MAC address check for DHCP snooping is disabled.
Views
Layer 2 Ethernet interface/Layer 2 aggregate interface view
Predefined user roles
network-admin
Usage guidelines
With MAC address check enabled, DHCP snooping compares the chaddr field of a received DHCP request with the source MAC address field in the frame header. If they are the same, DHCP snooping considers this request valid and forwards it to the DHCP server. If they are not the same, DHCP snooping discards the DHCP request.
Examples
# Enable MAC address check for DHCP snooping.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp snooping check mac-address
dhcp snooping check request-message
Use dhcp snooping check request-message to enable DHCP-REQUEST check for DHCP snooping.
Use undo dhcp snooping check request-message to disable DHCP-REQUEST check for DHCP snooping.
Syntax
dhcp snooping check request-message
undo dhcp snooping check request-message
Default
DHCP-REQUEST check for DHCP snooping is disabled.
Views
Layer 2 Ethernet interface/Layer 2 aggregate interface view
Predefined user roles
network-admin
Usage guidelines
DHCP-REQUEST packets include lease renewal packets, DHCP-DECLINE packets, and DHCP-RELEASE packets. This feature prevents unauthorized clients that forge DHCP-REQUEST packets from attacking the DHCP server.
With this feature enabled, DHCP snooping looks for a matching DHCP snooping entry for each received DHCP-REQUEST message.
· If a match is found, DHCP snooping compares the entry with the message. If they have consistent information, DHCP snooping considers the packet valid and forwards it to the DHCP server. If they have different information, DHCP snooping considers the message invalid and discards it.
· If no match is found, DHCP snooping forwards the message to the DHCP server.
Examples
# Enable DHCP-REQUEST check for DHCP snooping.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp snooping check request-message
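The giaddr, MAC address, and DHCP-REQUEST checks described above, plus the drop alarm counter from dhcp snooping alarm threshold, modeled in Python over constructed frames. This is an added example, not H3C code; the entry fields (IP address and port), the lookup by client MAC, and all function names are assumptions, because the page does not define what "consistent information" covers.

```python
import socket
import struct
from dataclasses import dataclass

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie
REQUEST, DECLINE, RELEASE = 3, 4, 7    # option 53 types covered by the DHCP-REQUEST check
ALL_CHECKS = ("giaddr", "mac-address", "request-message")

@dataclass(frozen=True)
class Binding:                         # assumed shape of a DHCP snooping entry
    ip: str
    port: str

def build_frame(src_mac, chaddr, msg_type, ciaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Constructed sample input: minimal untagged DHCP client frame (checksums zero)."""
    bootp = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0)
    bootp += socket.inet_aton(ciaddr) + bytes(8) + socket.inet_aton(giaddr)
    bootp += chaddr.ljust(16, b"\0") + bytes(192) + MAGIC + bytes([53, 1, msg_type, 255])
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(bootp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4)
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip + udp + bootp

def parse_frame(frame):
    """Extract the fields the three checks read; reject malformed input."""
    if len(frame) < 282 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an untagged IPv4 frame large enough for DHCP")
    ihl = (frame[14] & 0x0F) * 4
    b = 14 + ihl + 8                   # offset of the BOOTP header
    if ihl < 20 or frame[23] != 17 or frame[b + 236:b + 240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, b + 240
    while i < len(frame) and frame[i] != 255:
        if frame[i] == 0:              # pad option carries no length byte
            i += 1
            continue
        if i + 2 > len(frame) or i + 2 + frame[i + 1] > len(frame):
            raise ValueError("truncated DHCP option")
        opts[frame[i]] = frame[i + 2:i + 2 + frame[i + 1]]
        i += 2 + frame[i + 1]
    addr = lambda off: socket.inet_ntoa(frame[b + off:b + off + 4])
    requested = opts.get(50, b"")
    return {
        "src_mac": frame[6:12], "op": frame[b],
        "chaddr": frame[b + 28:b + 28 + min(frame[b + 2], 16)],
        "ciaddr": addr(12), "giaddr": addr(24),
        "msg_type": (opts.get(53) or b"\0")[0],
        "requested_ip": socket.inet_ntoa(requested) if len(requested) == 4 else None,
    }

def snoop_check(frame, port, bindings, checks=ALL_CHECKS):
    """Return ("forward", None) or ("drop", <name of the check that failed>)."""
    p = parse_frame(frame)
    if p["op"] != 1:                   # the checks apply to client requests only
        return ("forward", None)
    if "giaddr" in checks and p["giaddr"] != "0.0.0.0":
        return ("drop", "giaddr")      # request already passed through a relay agent
    if "mac-address" in checks and p["chaddr"] != p["src_mac"]:
        return ("drop", "mac-address") # chaddr differs from the frame's source MAC
    if "request-message" in checks and p["msg_type"] in (REQUEST, DECLINE, RELEASE):
        entry = bindings.get(p["chaddr"])      # assumption: entries keyed by client MAC
        if entry is not None:                  # no entry: forward, as the page states
            claimed = p["ciaddr"] if p["ciaddr"] != "0.0.0.0" else p["requested_ip"]
            if port != entry.port or (claimed and claimed != entry.ip):
                return ("drop", "request-message")
    return ("forward", None)

class DropAlarm:
    """Per-check drop counter: alarm at the threshold, then clear and count again."""
    def __init__(self, thresholds=None):
        self.thresholds = {**dict.fromkeys(ALL_CHECKS, 100), **(thresholds or {})}
        self.counts = dict.fromkeys(ALL_CHECKS, 0)

    def record(self, reason):
        self.counts[reason] += 1
        if self.counts[reason] >= self.thresholds[reason]:
            self.counts[reason] = 0
            return True                # an alarm log would be generated here
        return False

def demo():
    a, b = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")  # constructed MACs
    bindings = {a: Binding("10.1.1.10", "GE1/0/1")}
    cases = [
        (build_frame(a, a, REQUEST, "10.1.1.10"), "GE1/0/1"),                # valid renewal
        (build_frame(a, a, REQUEST, "10.1.1.10", "10.1.1.254"), "GE1/0/1"),  # giaddr set
        (build_frame(b, a, RELEASE, "10.1.1.10"), "GE1/0/2"),                # chaddr mismatch
        (build_frame(a, a, RELEASE, "10.1.1.10"), "GE1/0/2"),                # wrong port
        (build_frame(b, b, REQUEST, "10.1.1.99"), "GE1/0/2"),                # no entry
    ]
    return [snoop_check(frame, port, bindings) for frame, port in cases]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The fourth case passes the MAC address check because both MAC fields agree, and is caught only by the DHCP-REQUEST check, which is why the two checks are enabled together on client-facing ports.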
dhcp snooping client-detect
Use dhcp snooping client-detect to enable client offline detection.
Use undo dhcp snooping client-detect to disable client offline detection.
Syntax
dhcp snooping client-detect
undo dhcp snooping client-detect
Default
Client offline detection is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
When a DHCP client goes offline abnormally, it does not send a message to the DHCP server to release its IP address. As a result, the DHCP server is not aware of the offline event and cannot release the client lease in a timely manner.
With this feature enabled, the DHCP snooping device performs the following operations when the ARP entry of a client ages out:
1. Deletes the DHCP snooping entry for the client.
2. Sends a DHCP-RELEASE message to the DHCP server to inform the server to release the address lease of the client.
Examples
# Enable client offline detection.
<Sysname> system-view
[Sysname] dhcp snooping client-detect
dhcp snooping disable
Use dhcp snooping disable to disable DHCP snooping on an interface.
Use undo dhcp snooping disable to restore the default.
Syntax
dhcp snooping disable
undo dhcp snooping disable
Default
If you enable DHCP snooping globally or for a VLAN, DHCP snooping is enabled on all interfaces on the device or on all interfaces in the VLAN.
If you do not enable DHCP snooping globally or for a VLAN, DHCP snooping is disabled on all interfaces on the device or on all interfaces in the VLAN.
Views
Interface view
Predefined user roles
network-admin
Usage guidelines
This command allows you to narrow down the interface range where DHCP snooping takes effect. For example, to enable DHCP snooping globally except for a specific interface, you can enable DHCP snooping globally and execute this command on the target interface.
Examples
# Disable DHCP snooping on GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp snooping disable
dhcp snooping enable
Use dhcp snooping enable to enable DHCP snooping globally.
Use undo dhcp snooping enable to disable DHCP snooping globally.
Syntax
dhcp snooping enable
undo dhcp snooping enable
Default
DHCP snooping is disabled globally.
Views
System view
Predefined user roles
network-admin
Usage guidelines
After you enable DHCP snooping globally on the device, trusted ports forward responses from DHCP servers and untrusted ports discard responses. This mechanism ensures that DHCP clients obtain IP addresses from authorized DHCP servers.
When DHCP snooping is disabled globally, all ports on the device can forward responses from DHCP servers.
Examples
# Enable DHCP snooping globally.
<Sysname> system-view
[Sysname] dhcp snooping enable
dhcp snooping enable vlan
Use dhcp snooping enable vlan to enable DHCP snooping for VLANs.
Use undo dhcp snooping enable vlan to disable DHCP snooping for VLANs.
Syntax
dhcp snooping enable vlan vlan-id-list
undo dhcp snooping enable vlan vlan-id-list
Default
DHCP snooping is disabled for all VLANs.
Views
System view
Predefined user roles
network-admin
Parameters
vlan-id-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of vlan-id1 to vlan-id2. The value range for the VLAN IDs is 1 to 4094. If you specify a VLAN range, the value for the vlan-id2 argument must be greater than the value for the vlan-id1 argument.
Usage guidelines
After you enable DHCP snooping for a VLAN, DHCP snooping untrusted ports in the VLAN discard incoming DHCP responses. This mechanism ensures that DHCP clients obtain IP addresses from authorized DHCP servers.
After you disable DHCP snooping for a VLAN, all interfaces in the VLAN can forward DHCP responses.
Examples
# Enable DHCP snooping for VLANs 5, 10 to 20, and 32.
<Sysname> system-view
[Sysname] dhcp snooping enable vlan 5 10 to 20 32
dhcp snooping information circuit-id
Use dhcp snooping information circuit-id to configure the padding mode and padding format for the Circuit ID sub-option.
Use undo dhcp snooping information circuit-id to restore the default.
Syntax
dhcp snooping information circuit-id { [ vlan vlan-id ] string circuit-id | { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] } [ format { ascii | hex } ] }
undo dhcp snooping information circuit-id [ vlan vlan-id ]
Default
The padding mode is normal and the padding format is hex.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Predefined user roles
network-admin
Parameters
vlan vlan-id: Pads the Circuit ID sub-option for packets received from the specified VLAN. If you do not specify a VLAN, the device pads the Circuit ID sub-option for packets received from the default VLAN.
string circuit-id: Specifies the string mode, in which the padding content for the Circuit ID sub-option is a case-sensitive string of 3 to 63 characters.
normal: Specifies the normal mode. The padding content includes the VLAN ID and interface number.
verbose: Specifies the verbose mode. The padding content includes the node identifier, interface information, and VLAN ID. The default node identifier is the MAC address of the access node. The default interface information consists of the Ethernet type (fixed to eth), chassis number, slot number, sub-slot number, and interface number.
node-identifier: Specifies the access node identifier.
· mac: Uses the MAC address of the access node as the node identifier.
· sysname: Uses the device name as the node identifier. You can set the device name by using the sysname command in system view. The padding format for the device name is always ASCII regardless of the specified padding format. If this keyword is specified, do not include any spaces when you set the device name. Otherwise, the DHCP snooping device fails to add or replace Option 82.
· user-defined node-identifier: Uses a case-sensitive string of 1 to 50 characters as the node identifier. The padding format for the specified character string is always ASCII regardless of the specified padding format.
format: Specifies the padding format for the Circuit ID sub-option.
ascii: Specifies the ASCII padding format.
hex: Specifies the hex padding format.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
The padding format for the string mode, the normal mode, or the verbose mode varies by command configuration. Table 1 shows how the padding format is determined for different modes.
Table 1 Padding format for different modes
Keyword (mode) | If no padding format is set | If the padding format is ascii | If the padding format is hex |
---|---|---|---|
string circuit-id | The padding format is always ASCII, and is not configurable. | N/A | N/A |
normal | Hex. | ASCII. | Hex. |
verbose | Hex for the VLAN ID. ASCII for the node identifier, Ethernet type, chassis number, slot number, sub-slot number, and interface number. | ASCII. | ASCII for the node identifier and Ethernet type. Hex for the chassis number, slot number, sub-slot number, interface number, and VLAN ID. |
Examples
# Configure verbose as the padding mode, device name as the node identifier, and ASCII as the padding format for the Circuit ID sub-option.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp snooping information enable
[Sysname-GigabitEthernet1/0/1] dhcp snooping information strategy replace
[Sysname-GigabitEthernet1/0/1] dhcp snooping information circuit-id verbose node-identifier sysname format ascii
Related commands
dhcp snooping information enable
dhcp snooping information strategy
display dhcp snooping information
dhcp snooping information enable
Use dhcp snooping information enable to enable DHCP snooping to support Option 82.
Use undo dhcp snooping information enable to disable this feature.
Syntax
dhcp snooping information enable
undo dhcp snooping information enable
Default
DHCP snooping does not support Option 82.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Predefined user roles
network-admin
Usage guidelines
This command enables DHCP snooping to add Option 82 into DHCP requests that do not contain Option 82 before forwarding the requests to the DHCP server. The content of Option 82 is determined by the dhcp snooping information circuit-id and dhcp snooping information remote-id commands. If the received DHCP request packets contain Option 82, DHCP snooping handles the packets according to the strategy configured by the dhcp snooping information strategy command.
Examples
# Enable DHCP snooping to support Option 82.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp snooping information enable
Related commands
dhcp snooping information circuit-id
dhcp snooping information remote-id
dhcp snooping information strategy
dhcp snooping information remote-id
Use dhcp snooping information remote-id to configure the padding mode and padding format for the Remote ID sub-option.
Use undo dhcp snooping information remote-id to restore the default.
Syntax
dhcp snooping information remote-id { normal [ format { ascii | hex } ] | [ vlan vlan-id ] { string remote-id | sysname } }
undo dhcp snooping information remote-id [ vlan vlan-id ]
Default
The padding mode is normal and the padding format is hex.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Predefined user roles
network-admin
Parameters
vlan vlan-id: Pads the Remote ID sub-option for packets received from the specified VLAN. If you do not specify a VLAN, the device pads the Remote ID sub-option for packets received from the default VLAN.
string remote-id: Specifies the string mode that uses a case-sensitive string of 1 to 63 characters as the content of the Remote ID sub-option.
sysname: Specifies the sysname mode that uses the device name as the Remote ID sub-option. You can configure the device name by using the sysname command in system view.
normal: Specifies the normal mode. The padding content is the MAC address of the receiving interface.
format: Specifies the padding format for the Remote ID sub-option. The default padding format is hex.
ascii: Specifies the ASCII padding format.
hex: Specifies the hex padding format.
Usage guidelines
DHCP snooping uses ASCII to pad the specified string or device name for the Remote ID sub-option. The padding format for the normal padding mode is determined by the command configuration.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Pad the Remote ID sub-option with a character string of device001.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp snooping information enable
[Sysname-GigabitEthernet1/0/1] dhcp snooping information strategy replace
[Sysname-GigabitEthernet1/0/1] dhcp snooping information remote-id string device001
Related commands
dhcp snooping information enable
dhcp snooping information strategy
display dhcp snooping information
dhcp snooping information strategy
Use dhcp snooping information strategy to configure the handling strategy for Option 82 in request messages.
Use undo dhcp snooping information strategy to restore the default.
Syntax
dhcp snooping information strategy { append | drop | keep | replace }
undo dhcp snooping information strategy
Default
The handling strategy for Option 82 in request messages is replace.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Predefined user roles
network-admin
Parameters
append: Processes a DHCP message as follows:
· If the DHCP message does not carry Option 82, the device forwards the message after adding the Option 82 according to the padding configuration.
· If the DHCP message carries Option 82, the device processes the message as follows:
  · Forwards the message after padding the Vendor-Specific sub-option with the content specified in the dhcp snooping information vendor-specific command.
  · Forwards the message without changing Option 82 if the dhcp snooping information vendor-specific command is not configured.
drop: Drops DHCP messages that contain Option 82.
keep: Keeps the original Option 82 intact and forwards the DHCP messages.
replace: Replaces the Option 82 with the configured Option 82 before forwarding the DHCP messages. If the DHCP messages do not carry Option 82, the device adds Option 82 according to the padding configuration before forwarding the DHCP messages.
Usage guidelines
This command takes effect only on DHCP requests that contain Option 82. For DHCP requests that do not contain Option 82, the DHCP snooping device always adds Option 82 into the requests before forwarding them to the DHCP server.
If the handling strategy is replace, configure a padding mode and a padding format for Option 82. If the handling strategy is keep or drop, you do not need to configure a padding mode or padding format for Option 82.
Examples
# Specify the handling strategy for Option 82 in request messages as keep.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp snooping information enable
[Sysname-GigabitEthernet1/0/1] dhcp snooping information strategy keep
Related commands
dhcp snooping information circuit-id
dhcp snooping information remote-id
dhcp snooping information vendor-specific
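The four handling strategies, applied to a request that already carries a client-supplied Option 82, to show which Option 82 the DHCP server ends up seeing. This is an added Python example, not H3C code: function names and sample strings are constructed, sub-option codes 1, 2, and 9 are the standard Circuit ID, Remote ID, and Vendor-Specific codes, the Vendor-Specific content is passed in as opaque bytes because the page does not give the bas layout, and the 255-byte limit is the DHCP option length-field maximum, taken here as the "upper limit" the page mentions.

```python
OPTION_82 = 82
OPT82_MAX = 255                        # one-byte option length field
SUB_CIRCUIT_ID, SUB_REMOTE_ID, SUB_VENDOR_SPECIFIC = 1, 2, 9
STRATEGIES = ("append", "drop", "keep", "replace")

def tlv(code, value):
    """Encode one sub-option as code, length, value."""
    if len(value) > 255:
        raise ValueError("sub-option value too long")
    return bytes([code, len(value)]) + value

def build_option82(circuit_id, remote_id):
    """String-mode padding: both sub-options are ASCII, with the documented length ranges."""
    if not 3 <= len(circuit_id) <= 63:
        raise ValueError("circuit-id string must be 3 to 63 characters")
    if not 1 <= len(remote_id) <= 63:
        raise ValueError("remote-id string must be 1 to 63 characters")
    return (tlv(SUB_CIRCUIT_ID, circuit_id.encode("ascii"))
            + tlv(SUB_REMOTE_ID, remote_id.encode("ascii")))

def suboptions(payload):
    """Decode an Option 82 payload into {sub-option code: value}."""
    out, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated sub-option")
        out[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return out

def apply_strategy(options, strategy, local82, vendor_specific=None):
    """options: list of (code, value) from a client request.

    Returns the option list to forward, or None when the message is dropped.
    local82 is the Option 82 payload built from the port's padding configuration.
    """
    if strategy not in STRATEGIES:
        raise ValueError("unknown strategy: " + strategy)
    received = [v for c, v in options if c == OPTION_82]
    others = [(c, v) for c, v in options if c != OPTION_82]
    if not received:                   # no Option 82: always add the local one
        return others + [(OPTION_82, local82)]
    if strategy == "drop":
        return None
    if strategy == "keep":             # client-supplied value reaches the server as is
        return list(options)
    if strategy == "replace":          # default: the local value overwrites the client's
        return others + [(OPTION_82, local82)]
    # append: add the Vendor-Specific sub-option if configured and if it still fits
    if vendor_specific is None:
        return list(options)
    sub = tlv(SUB_VENDOR_SPECIFIC, vendor_specific)
    if len(received[0]) + len(sub) > OPT82_MAX:
        return list(options)
    return others + [(OPTION_82, received[0] + sub)]

def demo():
    local = build_option82("port-GE1/0/1", "device001")          # constructed values
    client = build_option82("client-chosen-circuit", "client")   # supplied by the client
    request = [(53, b"\x03"), (OPTION_82, client)]
    seen = {}
    for strategy in STRATEGIES:
        result = apply_strategy(request, strategy, local, b"constructed-vendor-data")
        seen[strategy] = None if result is None else suboptions(dict(result)[OPTION_82])
    return seen

if __name__ == "__main__":
    for name, subs in demo().items():
        print(name, subs)
```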
dhcp snooping information vendor-specific
Use dhcp snooping information vendor-specific to configure the padding mode for the Vendor-Specific sub-option.
Use undo dhcp snooping information vendor-specific to restore the default.
Syntax
dhcp snooping information vendor-specific [ vlan vlan-id ] bas [ node-identifier { mac | sysname | user-defined string } ]
undo dhcp snooping information vendor-specific [ vlan vlan-id ]
Default
The device does not pad the Vendor-Specific sub-option.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Predefined user roles
network-admin
Parameters
vlan vlan-id: Pads the Vendor-Specific sub-option for packets received from the specified VLAN. If you do not specify a VLAN, the device pads the Vendor-Specific sub-option for all packets received on the interface.
bas: Specifies the bas mode to pad the Vendor-Specific sub-option.
node-identifier: Specifies the access node identifier. If you do not specify this keyword, the device pads the Vendor-Specific sub-option with the bridge MAC address of the access node as the node identifier. The padding format for the Vendor-Specific sub-option is ASCII.
· mac: Uses the bridge MAC address of the access node as the node identifier.
· sysname: Uses the device name as the node identifier. You can set the device name by using the sysname command in system view. If the sysname keyword is specified, do not include any spaces when you set the device name. Otherwise, the DHCP snooping device fails to add the Vendor-Specific sub-option. If the device name contains more than 50 characters, only the first 50 characters are padded.
· user-defined string: Uses a case-sensitive string of 1 to 50 characters as the node identifier. Do not include any spaces in the string.
Usage guidelines
After you configure this command, the DHCP snooping device pads the Vendor-Specific sub-option after receiving a DHCP request. The device forwards the DHCP request without padding the Vendor-Specific sub-option if the length of Option 82 in the request reaches the upper limit.
Examples
# Pad the Vendor-Specific sub-option in bas mode with the device name as the node identifier.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp snooping information enable
[Sysname-GigabitEthernet1/0/1] dhcp snooping information vendor-specific bas node-identifier sysname
Related commands
dhcp snooping information enable
dhcp snooping information strategy
dhcp snooping log enable
Use dhcp snooping log enable to enable DHCP snooping logging.
Use undo dhcp snooping log enable to disable DHCP snooping logging.
Syntax
dhcp snooping log enable
undo dhcp snooping log enable
Default
DHCP snooping logging is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This command enables the DHCP snooping device to generate DHCP snooping logs and send them to the information center. The information helps administrators locate and solve problems. For information about the log destination and output rule configuration in the information center, see System Management Configuration Guide.
As a best practice, disable this feature if the log generation affects the device performance.
Examples
# Enable DHCP snooping logging.
<Sysname> system-view
[Sysname] dhcp snooping log enable
dhcp snooping max-learning-num
Use dhcp snooping max-learning-num to set the maximum number of DHCP snooping entries that an interface can learn.
Use undo dhcp snooping max-learning-num to restore the default.
Syntax
dhcp snooping max-learning-num max-number
undo dhcp snooping max-learning-num
Default
The maximum number of DHCP snooping entries for an interface to learn is unlimited.
Views
Layer 2 Ethernet interface/Layer 2 aggregate interface view
Predefined user roles
network-admin
Parameters
max-number: Specifies the maximum number of DHCP snooping entries for an interface to learn. The value range varies by device model. The following compatibility matrixes show the value ranges for this argument:
Series | Models | Product codes | Value ranges |
---|---|---|---|
WX3500X series | WX3510X WX3520X WX3540X | EWP-WX3510X EWP-WX3520X EWP-WX3540X | EWP-WX3510X: 1 to 11520 EWP-WX3520X: 1 to 23040 EWP-WX3540X: 1 to 46080 |
WCG380 series | WCG382 | EWP-WCG382 | EWP-WCG382: 1 to 12288 |

Series | Models | Product codes | Value ranges |
---|---|---|---|
WX3800X series | WX3820X WX3840X | EWP-WX3820X EWP-WX3840X | EWP-WX3820X: 1 to 23040 EWP-WX3840X: 1 to 46080 |
Usage guidelines
When an interface learns the maximum number of DHCP snooping entries, the interface stops learning DHCP snooping entries. This does not affect the operation of the DHCP snooping feature.
Examples
# Allow Layer 3 Ethernet interface GigabitEthernet 1/0/1 to learn a maximum of 10 DHCP snooping entries.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp snooping max-learning-num 10
dhcp snooping rate-limit
Use dhcp snooping rate-limit to enable DHCP snooping packet rate limit on an interface and set the limit value.
Use undo dhcp snooping rate-limit to disable DHCP snooping packet rate limit.
Syntax
dhcp snooping rate-limit rate
undo dhcp snooping rate-limit
Default
The DHCP snooping packet rate limit is disabled on an interface.
Views
Layer 2 Ethernet interface/Layer 2 aggregate interface view
Predefined user roles
network-admin
Parameters
rate: Specifies the maximum rate in Kbps. The value range for this argument is 64 to 512.
Usage guidelines
This command takes effect only when DHCP snooping is enabled.
With the rate limit feature, the interface discards DHCP packets that exceed the maximum rate.
The rate configured on a Layer 2 aggregate interface applies to all members of the aggregate interface. If a member interface leaves the aggregation group, it uses the rate configured in its Ethernet interface view.
Examples
# Set the maximum rate to 64 Kbps at which Layer 2 Ethernet interface GigabitEthernet 1/0/1 can receive DHCP packets.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp snooping rate-limit 64
dhcp snooping trust
Use dhcp snooping trust to configure a port as a trusted port.
Use undo dhcp snooping trust to restore the default state of a port.
Syntax
dhcp snooping trust
undo dhcp snooping trust
Default
After you enable DHCP snooping, all ports are untrusted.
Views
Layer 2 Ethernet interface/Layer 2 aggregate interface view
Predefined user roles
network-admin
Usage guidelines
Specify the ports facing the DHCP server as trusted ports and specify the other ports as untrusted ports so DHCP clients can obtain valid IP addresses.
Examples
# Specify Layer 3 Ethernet interface GigabitEthernet 1/0/1 as a trusted port.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] dhcp snooping trust
Related commands
display dhcp snooping trust
dhcp snooping trust interface
Use dhcp snooping trust interface to configure an interface in a VLAN as a DHCP snooping trusted port.
Use undo dhcp snooping trust interface to configure an interface in a VLAN as a DHCP snooping untrusted port.
Syntax
dhcp snooping trust interface interface-type interface-number
undo dhcp snooping trust interface interface-type interface-number
Default
After you enable DHCP snooping for a VLAN, all interfaces in the VLAN are DHCP snooping untrusted ports.
Views
VLAN view
Predefined user roles
network-admin
Parameters
interface-type interface-number: Specifies an interface by its type and number.
Usage guidelines
In a VLAN, configure interfaces facing the DHCP server as trusted ports, and configure other interfaces as untrusted ports. The trusted ports forward response messages from the DHCP server to the clients. The untrusted ports connected to unauthorized DHCP servers discard incoming DHCP response messages.
You can execute this command multiple times in a VLAN to configure multiple trusted ports in the VLAN.
Make sure the specified interface is in the VLAN for which the dhcp snooping enable vlan command is configured.
Examples
# Configure GigabitEthernet 1/0/1 as a trusted port in VLAN 1.
<Sysname> system-view
[Sysname] vlan 1
[Sysname-vlan 1] dhcp snooping trust interface gigabitethernet 1/0/1
Related commands
display dhcp snooping trust
display dhcp snooping binding
Use display dhcp snooping binding to display DHCP snooping entries.
Syntax
display dhcp snooping binding [ ip ip-address [ vlan vlan-id ] ] [ verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ip ip-address: Displays the DHCP snooping entry for the specified IP address.
vlan vlan-id: Specifies the VLAN ID where the IP address resides.
verbose: Displays detailed DHCP snooping entry information. If you do not specify this keyword, the command displays brief DHCP snooping entry information.
Usage guidelines
If you do not specify any parameters, this command displays all DHCP snooping entries.
Examples
# Display summary information about all DHCP snooping entries.
<Sysname> display dhcp snooping binding
2 DHCP snooping entries found
IP address MAC address Lease VLAN SVLAN Interface
=============== ============== ============ ===== ===== =================
1.1.1.7 0000-0101-0107 16907533 2 3 GE1/0/1
1.1.1.11 0000-0101-010b 16907537 2 3 GE1/0/3
# Display detailed information about all DHCP snooping entries.
<Sysname> display dhcp snooping binding verbose
IP address: 1.1.1.7
MAC address: 0000-0101-0107
Lease: 16907553 seconds
VLAN: 2
SVLAN: 3
Interface: GigabitEthernet1/0/1
Parameter request list: 03 06 21
Client identifier: aabb-aabb-aab1
Authorized client identifier: ccdd-eeff
IP address: 1.1.1.104
MAC address: 0000-0101-010b
Lease: 16907537 seconds
VLAN: 2
SVLAN: 3
Interface: GigabitEthernet1/0/3
Parameter request list: 37 0B 01 0F 03 06 2C 2E 2F 1F 21 F9 2B
Client identifier: aabb-aabb-aab2
Authorized client identifier: aabb-aabb-aab2
Table 2 Command output
Field | Description |
---|---|
DHCP snooping entries found | Number of DHCP snooping entries. |
IP address | IP address assigned to the DHCP client. |
MAC address | MAC address of the DHCP client. |
Lease | Remaining lease duration in seconds. |
VLAN | When the DHCP packet contains two VLAN tags, this field identifies the outer VLAN tag. Otherwise, it identifies the VLAN where the port connecting the DHCP client resides. |
SVLAN | When the DHCP packet contains two VLAN tags, this field identifies the inner VLAN tag. Otherwise, it displays N/A. |
Interface | Port connected to the DHCP client. |
Parameter request list | Parameters that the DHCP client requests, in hexadecimal notation. |
Client identifier | Client ID. |
Authorized client identifier | Authorized client ID. |
Related commands
dhcp snooping enable
reset dhcp snooping binding
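An interface that has reached its dhcp snooping max-learning-num value stops learning entries, so it is worth checking per-interface entry counts against the configured limits. The following is an added example, not vendor code: it parses the brief output of display dhcp snooping binding, and the sample text and the `limits` mapping (interface name to configured limit) are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout of the brief output shown above
# (column spacing as on a terminal); addresses and ports are made up.
SAMPLE = """\
<Sysname> display dhcp snooping binding
4 DHCP snooping entries found
IP address      MAC address    Lease        VLAN  SVLAN Interface
=============== ============== ============ ===== ===== =================
1.1.1.7         0000-0101-0107 16907533     2     3     GE1/0/1
1.1.1.11        0000-0101-010b 16907537     2     3     GE1/0/3
1.1.1.12        0000-0101-010c 16907540     2     N/A   GE1/0/3
1.1.1.13        0000-0101-010d 16907541     2     N/A   GE1/0/3
"""

# One data row: IP, MAC (xxxx-xxxx-xxxx), lease, VLAN, SVLAN or N/A, interface.
ROW = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}(?:-[0-9a-fA-F]{4}){2})\s+"
    r"(?P<lease>\d+)\s+(?P<vlan>\d+)\s+(?P<svlan>\d+|N/A)\s+"
    r"(?P<interface>\S+)\s*$")
COUNT = re.compile(r"^\s*(\d+) DHCP snooping entries found")


def parse_bindings(text):
    """Return (declared_count, entries) from brief binding output."""
    declared, entries = None, []
    for line in text.splitlines():
        c = COUNT.match(line)
        if c:
            declared = int(c.group(1))
            continue
        m = ROW.match(line)
        if m:  # header, separator and prompt lines do not match
            entry = m.groupdict()
            entry["lease"] = int(entry["lease"])
            entry["vlan"] = int(entry["vlan"])
            entries.append(entry)
    return declared, entries


def output_incomplete(declared, entries):
    """True when the parsed rows do not add up to the count the device printed."""
    return declared is not None and declared != len(entries)


def interfaces_at_limit(entries, limits):
    """Map interface -> (entries, limit) for interfaces that reached their limit.

    limits is a hypothetical dict built from your own configuration records,
    keyed by the interface name exactly as the brief output prints it.
    """
    counts = Counter(e["interface"] for e in entries)
    return {name: (n, limits[name])
            for name, n in counts.items()
            if name in limits and n >= limits[name]}


if __name__ == "__main__":
    declared, entries = parse_bindings(SAMPLE)
    print("incomplete output:", output_incomplete(declared, entries))
    print("at limit:", interfaces_at_limit(entries, {"GE1/0/1": 10, "GE1/0/3": 3}))
```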
display dhcp snooping binding database
Use display dhcp snooping binding database to display information about DHCP snooping entry auto backup.
Syntax
display dhcp snooping binding database
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display information about DHCP snooping entry auto backup.
<Sysname> display dhcp snooping binding database
File name : database.dhcp
Username :
Password :
Update interval : 600 seconds
Latest write time : Feb 27 18:48:04 2012
Status : Last write succeeded.
Table 3 Command output
Field | Description |
---|---|
File name | Name of the DHCP snooping entry backup file. |
Username | Username for accessing the URL of the remote backup file. |
Password | Password for accessing the URL of the remote backup file. This field displays ****** if a password is configured. |
Update interval | Waiting time in seconds after a DHCP snooping entry change for the DHCP snooping device to update the backup file. |
Latest write time | Time of the latest update. |
Status | Status of the update: · Writing—The backup file is being updated. · Last write succeeded—The backup file was successfully updated. · Last write failed—The backup file failed to be updated. |
display dhcp snooping drni-statistics
Use display dhcp snooping drni-statistics to display DRNI synchronization statistics for DHCP snooping entries.
Syntax
display dhcp snooping drni-statistics
Views
Any view
Predefined user roles
network-admin
network-operator
Usage guidelines
This command displays statistics about packets exchanged between DRNI primary and secondary devices for DHCP snooping entry synchronization, including synchronization times and the number of synchronized DHCP snooping entries.
Bringing up an IPP interface triggers entry synchronization from the primary device to the secondary device.
To determine whether DHCP snooping entries are correctly synchronized, compare the values in the Sync start number field and the Sync end number field:
· If the two values are the same, DHCP snooping entries are correctly synchronized.
· If the two values are different, a synchronization error has occurred.
Examples
# Display DRNI synchronization statistics for DHCP snooping entries on the primary device.
<Sysname> display dhcp snooping drni-statistics
Send Statistics:
Sync start number : 1
Binding valid records addr : 2
Binding temp records addr : 0
Sync end number : 1
Sync start number : 2
Binding valid records addr : 2
Binding temp records addr : 0
Sync end number : 2
Sync start number : 3
Binding valid records addr : 1
Binding temp records addr : 0
Sync end number : 3
# Display DRNI synchronization statistics for DHCP snooping entries on the secondary device.
<Sysname> display dhcp snooping drni-statistics
Recv Statistics:
Sync start number : 1
Binding valid records addr : 2
Binding temp records addr : 0
Sync end number : 1
Sync start number : 2
Binding valid records addr : 2
Binding temp records addr : 0
Sync end number : 2
Sync start number : 3
Binding valid records addr : 1
Binding temp records addr : 0
Sync end number : 3
Table 4 Command output
Field | Description |
---|---|
Send Statistics | Statistics about sent packets. |
Recv Statistics | Statistics about received packets. |
Sync start number | Synchronization start number. |
Binding valid records addr | Number of valid DHCP snooping entries that have been synchronized. |
Binding temp records addr | Number of temporary DHCP snooping entries that have been synchronized. |
Sync end number | Synchronization end number. |
Related commands
reset dhcp snooping drni-statistics
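The start/end comparison from the usage guidelines can be automated over captured output. The following is an added example, not vendor code: the sample is constructed from the output format above with round 3 altered to show a mismatch, and the function names are hypothetical.

```python
import re

# Constructed sample: same layout as the output above, but the last
# "Sync end number" was changed so that round 3 does not match.
SAMPLE = """\
<Sysname> display dhcp snooping drni-statistics
Send Statistics:
Sync start number : 1
Binding valid records addr : 2
Binding temp records addr : 0
Sync end number : 1
Sync start number : 2
Binding valid records addr : 2
Binding temp records addr : 0
Sync end number : 2
Sync start number : 3
Binding valid records addr : 1
Binding temp records addr : 0
Sync end number : 2
"""

HEADER = re.compile(r"^\s*(Send|Recv) Statistics:\s*$")
FIELD = re.compile(
    r"^\s*(Sync start number|Binding valid records addr|"
    r"Binding temp records addr|Sync end number)\s*:\s*(\d+)\s*$")
KEYS = {"Binding valid records addr": "valid",
        "Binding temp records addr": "temp",
        "Sync end number": "end"}


def parse_drni_statistics(text):
    """Return (direction, rounds); each round holds start/valid/temp/end."""
    direction, rounds, current = None, [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            direction = header.group(1)
            continue
        field = FIELD.match(line)
        if not field:
            continue  # prompt lines and blanks
        name, value = field.group(1), int(field.group(2))
        if name == "Sync start number":
            # A new start always opens a new round, even if the previous
            # round never printed its end number.
            current = {"start": value, "valid": None, "temp": None, "end": None}
            rounds.append(current)
        elif current is not None:
            current[KEYS[name]] = value
            if name == "Sync end number":
                current = None
    return direction, rounds


def sync_errors(rounds):
    """Rounds whose start and end numbers differ or whose end is missing."""
    return [r for r in rounds if r["end"] is None or r["start"] != r["end"]]


if __name__ == "__main__":
    direction, rounds = parse_drni_statistics(SAMPLE)
    for r in sync_errors(rounds):
        print(f"{direction}: start {r['start']} / end {r['end']} mismatch")
```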
display dhcp snooping drni-status
Use display dhcp snooping drni-status to display DRNI status information.
Syntax
display dhcp snooping drni-status
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display DRNI status information.
<Sysname> display dhcp snooping drni-status
Drni role: Secondary
IPP/IPP index: Bridge-Aggregation3/1297
IPP State: UP
DR interface/DR group ID: Bridge-Aggregation4/4
Local DR interface state: UP
Peer DR interface state: UP
DR interface/DR group ID: Bridge-Aggregation5/5
Local DR interface state: UP
Peer DR interface state: UP
Table 5 Command output
Field | Description |
---|---|
Drni role | DRNI role: · Primary. · Secondary. If the device role is unknown, this field displays None. |
IPP/IPP index | IPP interface name/IPP interface index. |
IPP State | Physical status of the IPP interface, up or down. |
DR interface/DR group ID | DR interface name/DR group ID. |
Local DR interface state | Status of the local DR interface: · UP—The DR interface is up if it has Selected ports in its aggregation group. · DOWN—The DR interface is down if it does not have Selected ports in its aggregation group. |
Peer DR interface state | Status of the peer DR interface: · UP—The DR interface is up if it has Selected ports in its aggregation group. · DOWN—The DR interface is down if it does not have Selected ports in its aggregation group. |
display dhcp snooping information
Use display dhcp snooping information to display Option 82 configuration on the DHCP snooping device.
Syntax
display dhcp snooping information { all | interface interface-type interface-number }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
all: Displays Option 82 configuration on all Layer 2 Ethernet interfaces.
interface interface-type interface-number: Specifies an interface by its type and number.
Examples
# Display Option 82 configuration on all interfaces.
<Sysname> display dhcp snooping information all
Interface: Bridge-Aggregation1
Status: Disable
Strategy: Drop
Circuit ID:
Padding format: User Defined
User defined: abcd
Format: ASCII
Remote ID:
Padding format: Normal
Format: ASCII
Vendor-specific:
Padding format: BAS
Node identifier: MAC
VLAN 10:
Circuit ID: abcd
Remote ID: company
Vendor-specific:
Padding format: BAS
Node identifier: User defined(abcd)
Table 6 Command output
Field | Description |
---|---|
Interface | Interface name. |
Status | Option 82 status, Enable or Disable. |
Strategy | Handling strategy for DHCP requests that contain Option 82, Drop, Keep, or Replace. |
Circuit ID | Content of the Circuit ID sub-option. |
Padding format | Padding format of Option 82: · For Circuit ID sub-option, the padding format can be Normal, User Defined, Verbose (sysname), Verbose (MAC), or Verbose (user defined). · For Remote ID sub-option, the padding format can be Normal, Sysname, or User Defined. · For Vendor-Specific sub-option, the padding format is BAS. |
Node identifier | Access node identifier. · For the Circuit ID or Remote ID sub-option, this field displays the user-defined string. · For the Vendor-Specific sub-option, the node identifier can be MAC, Sysname, or User Defined(string), where string in the brackets indicates the user-defined node identifier. |
User defined | Content of the user-defined sub-option. |
Format | Code type of Option 82 sub-option: · For Circuit ID sub-option, the code type can be ASCII, Default, or Hex. · For Remote ID sub-option, the code type can be ASCII or Hex. |
Remote ID | Content of the Remote ID sub-option. |
Vendor-specific | Content of the Vendor-Specific sub-option. This field is displayed only when the Vendor-Specific sub-option is configured. |
VLAN | Pads Circuit ID, Remote ID, and Vendor-Specific sub-options in the DHCP packets received in the specified VLAN. |
display dhcp snooping packet statistics
Use display dhcp snooping packet statistics to display DHCP packet statistics for DHCP snooping.
Syntax
display dhcp snooping packet statistics
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display DHCP packet statistics for DHCP snooping.
<Sysname> display dhcp snooping packet statistics
DHCP packets received : 100
DHCP packets sent : 200
Invalid DHCP packets dropped : 0
Related commands
reset dhcp snooping packet statistics
display dhcp snooping trust
Use display dhcp snooping trust to display information about trusted ports.
Syntax
display dhcp snooping trust
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display information about trusted ports.
<Sysname> display dhcp snooping trust
Interface Trusted VLAN
============================ ======= ================
GigabitEthernet1/0/1 Trusted -
GigabitEthernet1/0/2 - 100
GigabitEthernet1/0/3 - 100, 200
VSI(Trust tunnel) Trusted
============================ ============
a Trusted
Interface SrvID Trusted
=================================== ============
GigabitEthernet1/0/1 1 Trusted
Field | Description |
---|---|
Interface | Interface name. |
VSI(Trust tunnel) | Name of the VSI to which the trusted VXLAN tunnel interface is assigned. This field is displayed after the dhcp snooping trust tunnel command is executed. |
SrvID | ID of the Ethernet service instance to which the trusted port belongs. |
Trusted | For a DHCP snooping trusted port configured in system view, this field displays Trusted. For a trusted port configured in VLAN view, this field displays a hyphen (-). |
VLAN | VLANs to which the trusted port belongs. If a trusted port is configured after DHCP snooping is enabled globally, this field displays a hyphen (-). |
Related commands
dhcp snooping trust
dhcp snooping trust interface
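Because only ports facing the DHCP server should be trusted, the trust table is worth comparing against a known-good list on a schedule. The following is an added example, not vendor code: it parses only the first (Interface/Trusted/VLAN) table of the output, and the sample text and the `EXPECTED` allowlist are constructed assumptions.

```python
import re

# Constructed sample in the layout of the first table of the output above.
SAMPLE = """\
<Sysname> display dhcp snooping trust
Interface                    Trusted VLAN
============================ ======= ================
GigabitEthernet1/0/1         Trusted -
GigabitEthernet1/0/2         -       100
GigabitEthernet1/0/3         -       100, 200
"""

# Hypothetical allowlist: (interface, None) means trusted at interface level,
# (interface, vlan_id) means trusted within that VLAN only.
EXPECTED = {("GigabitEthernet1/0/1", None), ("GigabitEthernet1/0/2", 100)}

# Interface name, then "Trusted" or "-", then "-" or a comma-separated VLAN list.
# Rows of the VSI and SrvID tables do not fit this shape and are skipped.
ROW = re.compile(
    r"^\s*(?P<interface>[A-Za-z][A-Za-z-]*\d+(?:/\d+)*)\s+"
    r"(?P<trusted>Trusted|-)\s+"
    r"(?P<vlans>-|\d+(?:\s*,\s*\d+)*)\s*$")


def parse_trust(text):
    """Return a set of (interface, vlan_or_None) trust entries."""
    entries = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        interface = m.group("interface")
        if m.group("trusted") == "Trusted":
            entries.add((interface, None))
        if m.group("vlans") != "-":
            for vlan in m.group("vlans").split(","):
                entries.add((interface, int(vlan)))
    return entries


def audit(actual, expected):
    """Return (unexpected, missing) trust entries, each sorted."""
    def key(pair):
        return (pair[0], -1 if pair[1] is None else pair[1])
    return (sorted(actual - expected, key=key),
            sorted(expected - actual, key=key))


if __name__ == "__main__":
    unexpected, missing = audit(parse_trust(SAMPLE), EXPECTED)
    for interface, vlan in unexpected:
        scope = "interface level" if vlan is None else f"VLAN {vlan}"
        print(f"unexpected trusted port: {interface} ({scope})")
    for interface, vlan in missing:
        print(f"expected trusted port not present: {interface} {vlan}")
```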
reset dhcp snooping binding
Use reset dhcp snooping binding to clear DHCP snooping entries.
Syntax
reset dhcp snooping binding { all | ip ip-address [ vlan vlan-id ] }
Views
User view
Predefined user roles
network-admin
Parameters
all: Clears all DHCP snooping entries.
ip ip-address: Clears the DHCP snooping entry for the specified IP address.
vlan vlan-id: Clears DHCP snooping entries for the specified VLAN. If you do not specify a VLAN, this command clears DHCP snooping entries for the default VLAN.
Examples
# Clear all DHCP snooping entries.
<Sysname> reset dhcp snooping binding all
Related commands
display dhcp snooping binding
reset dhcp snooping drni-statistics
Use reset dhcp snooping drni-statistics to clear DRNI synchronization statistics for DHCP snooping entries.
Syntax
reset dhcp snooping drni-statistics
Views
User view
Predefined user roles
network-admin
Examples
# Clear DRNI synchronization statistics for DHCP snooping entries.
<Sysname> reset dhcp snooping drni-statistics
Related commands
display dhcp snooping drni-statistics
reset dhcp snooping packet statistics
Use reset dhcp snooping packet statistics to clear DHCP packet statistics for DHCP snooping.
Syntax
reset dhcp snooping packet statistics
Views
User view
Predefined user roles
network-admin
Examples
# Clear DHCP packet statistics for DHCP snooping.
<Sysname> reset dhcp snooping packet statistics
Related commands