dhcp snooping check dhcp-request enable

Function

The dhcp snooping check dhcp-request enable enables the device to check DHCP messages against the DHCP snooping binding table.

The undo dhcp snooping check dhcp-request enable disables the device from checking DHCP messages against the DHCP snooping binding table.

By default, the device does not check DHCP messages against the DHCP snooping binding table.

Format

In the system view:

dhcp snooping check dhcp-request enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

undo dhcp snooping check dhcp-request enable vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

In the VLAN view and interface view:

dhcp snooping check dhcp-request enable

undo dhcp snooping check dhcp-request enable

Parameters

Parameter	Description	Value
vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>	Enables the device to check DHCP messages from a specified VLAN against the DHCP snooping binding table.	The value is an integer that ranges from 1 to 4094.

Views

System view, VLAN view, Ethernet interface view, GE interface view, XGE interface view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a DHCP snooping binding table is generated, the device checks DHCP Request and Release messages against the binding table. The device forwards only DHCP messages that match binding entries. This prevents unauthorized users from sending bogus DHCP Request or Release messages to extend or release IP addresses.

The matching rules are as follows:

When the device receives a DHCP Request message, it performs the following operations:
1. Checks whether the destination MAC address is all Fs. If so, the device considers the user to have gone online for the first time and directly forwards the message. If not, the device considers the user to have sent the DHCP Request message to renew the IP address lease and checks the DHCP Request message against the DHCP snooping binding table.
2. Checks whether the CHADDR field in the DHCP Request message matches a DHCP snooping binding entry. If not, the device considers the user to have gone online for the first time and directly forwards the message. If so, the device checks whether the VLAN ID, IP address, and interface number of the message match DHCP snooping binding entries. If all these fields match a DHCP snooping binding entry, the device forwards the message; otherwise, the device discards the message.
When receiving a DHCP Release message, the device checks whether the VLAN ID, IP address, MAC address, and interface number of the message match a dynamic DHCP snooping binding entry. If so, the device forwards the message; otherwise, the device discards the message.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

If you run the dhcp snooping check dhcp-request enable command in the VLAN view, the command takes effect for all the DHCP messages received from the specified VLAN. If you run the dhcp snooping check dhcp-request enable command in the interface view, the command takes effect for all the DHCP messages received on the specified interface.

Example

# Enable the device to check DHCP messages against the DHCP snooping binding table in VLAN 10.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 10
[HUAWEI-vlan10] dhcp snooping enable
[HUAWEI-vlan10] dhcp snooping check dhcp-request enable