
dhcp snooping check dhcp-giaddr enable

Function

The dhcp snooping check dhcp-giaddr enable command enables the device to check whether the GIADDR field in DHCP messages is 0.

The undo dhcp snooping check dhcp-giaddr enable command disables the device from checking whether the GIADDR field in DHCP messages is 0.

By default, the device does not check whether the GIADDR field in DHCP messages is 0.

Format

In the system view:

dhcp snooping check dhcp-giaddr enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

undo dhcp snooping check dhcp-giaddr enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

In the VLAN view and interface view:

dhcp snooping check dhcp-giaddr enable

undo dhcp snooping check dhcp-giaddr enable

Parameters

Parameter Description Value

vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

Enables the device to check whether the GIADDR field in DHCP messages sent from a specified VLAN is 0.

  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID. vlan-id2 must be larger than vlan-id1.

The value is an integer that ranges from 1 to 4094.

Views

System view, VLAN view, Ethernet interface view, GE interface view, XGE interface view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To ensure that the device can obtain parameters such as MAC addresses for generating a binding table, DHCP snooping must be applied on Layer 2 access devices or on the first DHCP relay agent from the device. The GIADDR field in DHCP messages received by a DHCP snooping-enabled device is therefore 0. If the GIADDR field is not 0, the message is considered unauthorized and is discarded. This function is recommended if DHCP snooping is enabled on the DHCP relay agent.

In normal situations, the GIADDR field in DHCP messages sent by user PCs is 0. If the GIADDR field is not 0, the DHCP server cannot correctly allocate IP addresses. To prevent attackers from applying for IP addresses by using DHCP messages that contain a non-zero GIADDR field, you are advised to configure this function.
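The check described above, modeled in Python as an added example (not Huawei code and not the device's implementation): it reads GIADDR from its fixed offset in the BOOTP/DHCP header (RFC 2131 layout) and returns a forward or drop verdict. The function names are hypothetical and the sample packets are constructed. How the device treats malformed messages is not described on this page, so the example simply raises an error for them.

```python
import ipaddress
import struct

BOOTP_FIXED_LEN = 236                      # op through file (RFC 2131)
MAGIC_COOKIE = bytes([99, 130, 83, 99])    # marks the start of DHCP options

def parse_header(payload: bytes) -> dict:
    """Extract the fields relevant to the GIADDR check from a DHCP UDP payload."""
    if len(payload) < BOOTP_FIXED_LEN + len(MAGIC_COOKIE):
        raise ValueError("truncated DHCP message")
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    op, _htype, hlen, hops, xid = struct.unpack_from("!BBBBI", payload, 0)
    if hlen > 16:
        raise ValueError("hlen exceeds the 16-byte chaddr field")
    return {
        "op": op,
        "hops": hops,
        "xid": xid,
        "giaddr": ipaddress.IPv4Address(payload[24:28]),   # relay agent address
        "chaddr": payload[28:28 + hlen].hex(":"),          # client hardware address
    }

def giaddr_verdict(payload: bytes) -> str:
    """Return 'forward' when GIADDR is 0.0.0.0, otherwise 'drop'."""
    hdr = parse_header(payload)
    return "forward" if int(hdr["giaddr"]) == 0 else "drop"

def build_discover(mac: str, giaddr: str = "0.0.0.0") -> bytes:
    """Constructed sample: a minimal DHCPDISCOVER carrying the chosen GIADDR."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0, xid, secs=0, broadcast flag
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234ABCD, 0, 0x8000)
    # ciaddr, yiaddr, siaddr are all zero; giaddr follows at offset 24
    addrs = b"\x00" * 12 + ipaddress.IPv4Address(giaddr).packed
    options = bytes([53, 1, 1, 255])       # option 53 = DHCPDISCOVER, then end
    # 192 zero bytes cover the sname (64) and file (128) fields
    return fixed + addrs + chaddr + b"\x00" * 192 + MAGIC_COOKIE + options

if __name__ == "__main__":
    for gi in ("0.0.0.0", "192.0.2.1"):    # constructed values
        pkt = build_discover("00:11:22:33:44:55", gi)
        print(gi, parse_header(pkt)["chaddr"], giaddr_verdict(pkt))
```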

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

If you run the dhcp snooping check dhcp-giaddr enable command in the VLAN view, the command takes effect on all the DHCP messages from the specified VLAN. If you run the dhcp snooping check dhcp-giaddr enable command in the interface view, the command takes effect on all the DHCP messages received by the specified interface.

Example

# Enable the device to check whether the GIADDR field in DHCP messages from VLAN 10 is 0.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcp snooping check dhcp-giaddr enable

# Enable the device to check whether the GIADDR field in DHCP messages received on GE0/0/1 is 0.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping check dhcp-giaddr enable
Copyright © Huawei Technologies Co., Ltd.