The dhcp snooping check dhcp-chaddr enable command enables the device to check whether the CHADDR field matches the source MAC address in the header of a DHCP Request message.
The undo dhcp snooping check dhcp-chaddr enable command disables the device from checking whether the CHADDR field matches the source MAC address in the header of a DHCP Request message.
By default, the device does not check whether the CHADDR field is the same as the source MAC address in the header of a DHCP Request message.
In the system view:
dhcp snooping check dhcp-chaddr enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
undo dhcp snooping check dhcp-chaddr enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
In the VLAN view and interface view:
dhcp snooping check dhcp-chaddr enable
undo dhcp snooping check dhcp-chaddr enable
Parameter | Description | Value |
---|---|---|
vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> | Enables the device to check whether the CHADDR field matches the source MAC address in the header of a DHCP Request message. | The value is an integer that ranges from 1 to 4094. |
System view, VLAN view, Ethernet interface view, GE interface view, XGE interface view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view
Usage Scenario
In normal situations, the CHADDR field in a DHCP Request message matches the MAC address of the DHCP client that sends the message. The DHCP server identifies the client MAC address based on the CHADDR field in the DHCP Request message. If attackers continuously apply for IP addresses by changing the CHADDR field in the DHCP Request message, addresses in the address pool on the DHCP server may be exhausted. As a result, authorized users cannot obtain IP addresses.
Prerequisites
DHCP snooping has been enabled on the device using the dhcp snooping enable command.
Precautions
If you run the dhcp snooping check dhcp-chaddr enable command in the VLAN view, the command takes effect on all the DHCP messages in the specified VLAN received by all the interfaces on the device. If you run the dhcp snooping check dhcp-chaddr enable command in the interface view, the command takes effect for all the DHCP messages received on the interface.
# Enable the device to check whether the CHADDR field in the DHCP message matches the source MAC address on GE0/0/1.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping check dhcp-chaddr enable
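The comparison that this command enables, written out as an added Python example (not Huawei code): it parses an Ethernet frame and compares the source MAC address in the frame header with the CHADDR field of the DHCP message. The function names, the treatment of client-to-server messages (op = 1, UDP destination port 67) as "DHCP Request messages", and the sample frames are assumptions constructed for illustration.

```python
import struct

def chaddr_matches_source_mac(frame: bytes):
    """True/False for a client DHCP message; None if the frame is not one."""
    if len(frame) < 18:
        return None
    src_mac, off = frame[6:12], 14
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x8100:                      # skip a single 802.1Q tag
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None                              # not IPv4
    ihl = (frame[off] & 0x0F) * 4
    bootp = off + ihl + 8                        # IPv4 header + 8-byte UDP header
    if ihl < 20 or frame[off + 9] != 17 or len(frame) < bootp + 44:
        return None                              # not UDP, or too short for chaddr
    dport = struct.unpack("!H", frame[off + ihl + 2:off + ihl + 4])[0]
    op, htype, hlen = frame[bootp:bootp + 3]
    if dport != 67 or op != 1 or htype != 1 or hlen != 6:
        return None                              # not an Ethernet BOOTREQUEST
    return frame[bootp + 28:bootp + 34] == src_mac   # chaddr is at BOOTP offset 28

def build_frame(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed sample: minimal DHCPDISCOVER over Ethernet/IPv4/UDP, checksums zeroed."""
    bootp = struct.pack("!BBBBIHH16x16s", 1, 1, 6, 0, 0x1234ABCD, 0, 0x8000, chaddr)
    bootp += bytes(192) + b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff"
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip

CLIENT = bytes.fromhex("020000000001")           # constructed, locally administered MAC
OTHER = bytes.fromhex("0200000000aa")            # constructed CHADDR that differs

if __name__ == "__main__":
    for label, frame in [("consistent", build_frame(CLIENT, CLIENT)),
                         ("mismatched", build_frame(CLIENT, OTHER))]:
        print(f"{label}: chaddr == source MAC -> {chaddr_matches_source_mac(frame)}")
```
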