
dhcp snooping sticky-mac (upgrade-compatible command)

Function

The dhcp snooping sticky-mac command enables the device to generate static MAC address entries based on dynamic DHCP snooping binding entries.

The undo dhcp snooping sticky-mac command disables the device from generating static MAC address entries based on dynamic DHCP snooping binding entries.

By default, the device does not generate static MAC address entries based on dynamic DHCP snooping binding entries.

Format

dhcp snooping sticky-mac

undo dhcp snooping sticky-mac

Parameters

None

Views

Ethernet interface view, GE interface view, XGE interface view, port group view, Eth-trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Dynamic MAC address entries are learned and generated by the device, and static MAC address entries are configured by command lines. A MAC address entry consists of the MAC address, VLAN ID, and port number of a DHCP client. The device implements Layer 2 forwarding based on MAC address entries.

After the dhcp snooping sticky-mac command is executed on an interface, the device generates static MAC address entries (snooping type) for DHCP users on the interface based on the corresponding dynamic binding entries, clears all dynamic MAC address entries on the interface, disables dynamic MAC address learning on the interface, and matches the source MAC address of incoming messages against MAC address entries. Only messages whose source MAC address matches a static MAC address entry can then pass through the interface; all other messages are discarded. Therefore, the administrator needs to manually configure static MAC address entries (static type) for non-DHCP users on the interface so that messages sent from non-DHCP users can pass through; otherwise, DHCP messages are discarded. This prevents attacks from non-DHCP users.
  • If a DHCP snooping binding entry is updated, the corresponding static MAC address entry is automatically updated.

  • If you run the dhcp snooping sticky-mac command on the interface, DHCPv6 users cannot go online. Run the nd snooping enable command in the system view and interface view to enable ND snooping and the savi enable command in the system view to enable SAVI.

Prerequisites

DHCP snooping has been enabled on the device using the dhcp snooping enable command.

Precautions

The dhcp snooping sticky-mac command cannot be used with the following commands on an interface.

Command                              Description
dot1x enable                         Enables 802.1X authentication on an interface.
mac-authen                           Enables MAC address authentication on an interface.
mac-address learning disable         Enables MAC address learning.
mac-limit                            Sets the maximum number of MAC addresses to be learned.
port vlan-mapping vlan map-vlan      Enables VLAN mapping.
port vlan-mapping vlan inner-vlan    Enables VLAN mapping.
port-security enable                 Enables port security.
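One way to check a saved configuration against the prerequisite and precautions above, as an added example that is not Huawei's own tooling. The function name, the finding strings and the sample configuration are constructed for illustration, and the parser assumes the usual configuration-file layout in which interface sub-commands are indented and sections are separated by "#".

```python
import re

# Commands this page lists as unusable together with sticky-mac on an interface.
CONFLICTS = ("dot1x enable", "mac-authen", "mac-address learning disable",
             "mac-limit", "port vlan-mapping vlan", "port-security enable")

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
#
dhcp snooping enable
#
interface GigabitEthernet0/0/1
 dhcp snooping sticky-mac
#
interface GigabitEthernet0/0/2
 dhcp snooping sticky-mac
 port-security enable
 mac-limit maximum 10
#
"""

def audit_sticky_mac(config_text):
    """Return (interface, problem) findings for sticky-mac interfaces."""
    snooping_enabled, per_if, current = False, {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            current = None                      # section separator
        elif not raw[0].isspace():              # system-view level line
            m = re.match(r"interface\s+(\S+)$", line)
            current = m.group(1) if m else None
            if m:
                per_if[current] = []
            elif line == "dhcp snooping enable":
                snooping_enabled = True
        elif current:                           # indented interface sub-command
            per_if[current].append(line)
    findings = []
    for name, cmds in per_if.items():
        if "dhcp snooping sticky-mac" not in cmds:
            continue
        if not snooping_enabled:
            findings.append((name, "dhcp snooping enable missing in system view"))
        for cmd in cmds:
            if any(cmd == c or cmd.startswith(c + " ") for c in CONFLICTS):
                findings.append((name, "conflicts with: " + cmd))
    return findings

if __name__ == "__main__":
    for finding in audit_sticky_mac(SAMPLE):
        print(*finding, sep=": ")
```
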

Example

# Enable the device to generate static MAC address entries based on DHCP snooping binding entries on GE0/0/1.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping sticky-mac
Copyright © Huawei Technologies Co., Ltd.