
dhcp snooping alarm enable

Function

The dhcp snooping alarm enable command enables the alarm function for discarded DHCP messages.

The undo dhcp snooping alarm enable command disables the alarm function for discarded DHCP messages.

By default, the alarm function for discarded DHCP messages is disabled.

Format

dhcp snooping alarm { dhcp-request | dhcp-chaddr | dhcp-reply } enable [ threshold threshold ]

undo dhcp snooping alarm { dhcp-request | dhcp-chaddr | dhcp-reply } enable [ threshold ]

dhcp snooping alarm dhcpv6-request enable

undo dhcp snooping alarm dhcpv6-request enable

Parameters

| Parameter | Description | Value |
|---|---|---|
| dhcp-request | Generates an alarm when the number of DHCPv4 Request messages discarded because they do not match DHCP snooping binding entries reaches the threshold. | - |
| dhcp-chaddr | Generates an alarm when the number of DHCPv4 request messages discarded because the CHADDR field in the DHCP messages does not match the source MAC address in the data frame header reaches the threshold. | - |
| dhcp-reply | Generates an alarm when the number of DHCPv4 Response messages discarded by untrusted interfaces reaches the threshold. | - |
| dhcpv6-request | Generates an alarm when the number of DHCPv6 Request messages discarded because they do not match DHCP snooping binding entries reaches the threshold. | - |
| threshold threshold | Specifies the alarm threshold. When the number of discarded DHCPv4 messages reaches the threshold, an alarm is generated. | The value is an integer that ranges from 1 to 1000. |

Views

Ethernet interface view, GE interface view, XGE interface view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the alarm function is enabled, alarm messages are displayed if DHCP attacks occur and the number of discarded attack messages reaches the threshold. The minimum interval for sending alarm messages is 1 minute. You can run the dhcp snooping alarm threshold command to set the alarm threshold.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

By default, a device does not check messages received from clients. Therefore, for the command to take effect, ensure that the following conditions are met:
  • The device has been enabled to check DHCP messages against the binding entries using the dhcp snooping check dhcp-request enable command before the dhcp snooping alarm [ dhcp-request | dhcpv6-request ] enable command is run.
  • The device has been enabled to check whether the CHADDR field is the same as the source MAC address in the header of a DHCPv4 Request message using the dhcp snooping check dhcp-chaddr enable command before the dhcp snooping alarm dhcp-chaddr enable command is run.

To ensure that alarms can be properly reported, you need to run the snmp-agent trap enable feature-name dhcp command to enable the DHCP module to report the corresponding alarm. You can check whether the DHCP module is enabled to report the corresponding alarm using the display snmp-agent trap feature-name dhcp all command.

Example

# On GE0/0/1, enable DHCP snooping, enable the device to check whether the CHADDR field in the DHCP message matches the source MAC address in the Ethernet frame header, and enable alarm for the DHCP messages discarded because the CHADDR field in the DHCP message does not match the source MAC address.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping check dhcp-chaddr enable
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr enable
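
The CHADDR check and threshold alarm described above, modelled in Python as an added example (not Huawei's implementation and not code from this page): it compares the BOOTP CHADDR field with the Ethernet source MAC and raises an alarm once the discard count reaches the threshold, at most once per minute. The names `ChaddrAlarm` and `build_request`, the sample MAC addresses and the running-total counter are assumptions; the page does not state when the device resets its count.

```python
import struct
from typing import Optional

CHADDR_OFF = 28  # BOOTP: op/htype/hlen/hops, xid, secs/flags, then four IPv4 addresses

def chaddr_matches_source_mac(frame: bytes) -> Optional[bool]:
    """None if not an untagged DHCPv4 client message, else CHADDR == Ethernet source MAC."""
    if len(frame) < 76 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 17:    # IPv4 carrying UDP
        return None
    udp = 14 + ihl
    if len(frame) < udp + 8 + CHADDR_OFF + 6:
        return None
    if struct.unpack_from("!HH", frame, udp) != (68, 67):     # client -> server ports
        return None
    bootp = udp + 8
    if frame[bootp:bootp + 3] != b"\x01\x01\x06":             # BOOTREQUEST, Ethernet, hlen 6
        return None
    return frame[bootp + CHADDR_OFF:bootp + CHADDR_OFF + 6] == frame[6:12]

class ChaddrAlarm:
    """Assumed model: running discard total, threshold, minimum gap between alarms."""
    def __init__(self, threshold: int, min_interval: float = 60.0):
        self.threshold, self.min_interval = threshold, min_interval
        self.discarded, self.last_alarm = 0, None

    def inspect(self, frame: bytes, now: float):
        """Return (forwarded, alarm_raised) for a frame seen at `now` seconds."""
        if chaddr_matches_source_mac(frame) is not False:
            return True, False
        self.discarded += 1                                   # mismatch: frame is discarded
        due = self.last_alarm is None or now - self.last_alarm >= self.min_interval
        alarm = self.discarded >= self.threshold and due
        if alarm:
            self.last_alarm = now
        return False, alarm

def build_request(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed sample frame; IP/UDP checksums are left at zero and not verified."""
    zero = b"\0" * 4
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, 0x1234, 0, 0,
                        zero, zero, zero, zero, chaddr)       # 16s pads CHADDR with nulls
    bootp += b"\0" * 192 + b"\x63\x82\x53\x63" + b"\x35\x01\x03\xff"
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp),
                     0, 0, 64, 17, 0, zero, b"\xff" * 4)
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip + udp + bootp
```
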
Copyright © Huawei Technologies Co., Ltd.