The dhcp snooping trusted command configures an interface as a trusted interface.
The undo dhcp snooping trusted command configures an interface as an untrusted interface.
By default, all interfaces are untrusted interfaces.
In the VLAN view:
dhcp snooping trusted interface interface-type interface-number
undo dhcp snooping trusted interface interface-type interface-number
In the interface view and BD view:
dhcp snooping trusted
undo dhcp snooping trusted
Only the S5720-HI, S5730-HI, S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S, S5732-H, S5731-S, S5731S-S, S5731S-H, and S5731-H can be configured in the BD view.
| Parameter | Description | Value |
|---|---|---|
| interface interface-type interface-number | Specifies the type and number of an interface in a VLAN. | - |
VLAN view, Ethernet interface view, GE interface view, XGE interface view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view, BD view
Usage Scenario
To ensure that DHCP clients obtain IP addresses from authorized DHCP servers, DHCP snooping distinguishes between trusted and untrusted interfaces. A trusted interface forwards DHCP messages, while untrusted interfaces discard received DHCP ACK messages and DHCP Offer messages.
An interface directly or indirectly connected to the DHCP server trusted by the administrator needs to be configured as the trusted interface, and other interfaces are configured as untrusted interfaces. This ensures that DHCP clients obtain IP addresses from authorized DHCP servers.
Prerequisites
In the system view, run the dhcp snooping enable command to enable DHCP snooping.
Precautions
If an interface has been configured as a DHCP trusted interface using the dhcp snooping trusted command, the device will not consider DHCP packets received by this interface as attack packets or perform attack defense operations on the DHCP packets received by this interface.
If you run the dhcp snooping trusted command in the VLAN view, the command takes effect for all the DHCP messages received from the specified VLAN. If you run the dhcp snooping trusted command in the interface view, the command takes effect for all the DHCP messages received on the specified interface.
You are advised not to configure more than 15 trusted ports in a VLAN.
# Configure GE0/0/1 in VLAN 100 as the trusted interface.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping trusted interface gigabitethernet 0/0/1
# Configure GE0/0/1 as the trusted interface.
<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping trusted
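Because a trusted interface is exempt from DHCP attack defense, it is worth reviewing which interfaces carry the setting. The following offline audit is an added example, not Huawei code: it lists the interfaces marked trusted in the VLAN view and the interface view, and flags a missing system-view dhcp snooping enable or more than 15 trusted ports in a VLAN. The indented configuration layout, the sample text, and the names audit_trusted and norm are assumptions made for the example.

```python
import re
from collections import defaultdict

MAX_TRUSTED_PER_VLAN = 15  # limit advised under Precautions on this page

# Constructed sample. Assumed layout: view commands are indented under the
# "vlan <id>" or "interface <name>" line, as in a saved configuration file.
SAMPLE_CONFIG = """\
dhcp enable
dhcp snooping enable
vlan 100
 dhcp snooping trusted interface GigabitEthernet0/0/1
interface GigabitEthernet0/0/1
 dhcp snooping trusted
interface GigabitEthernet0/0/2
 port link-type access
"""

def norm(name):
    """'gigabitethernet 0/0/1' and 'GigabitEthernet0/0/1' compare equal."""
    return re.sub(r"\s+", "", name).lower()

def audit_trusted(config):
    """List trusted interfaces per view and report audit findings."""
    snooping_on, view = False, None
    by_vlan, by_interface = defaultdict(set), set()
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():  # unindented: system view or a new view
            snooping_on |= line.lower() == "dhcp snooping enable"
            m = re.fullmatch(r"(vlan)\s+(\d+)|(interface)\s+(.+)", line, re.I)
            view = ("vlan", m.group(2)) if m and m.group(1) else \
                   ("interface", norm(m.group(4))) if m else None
            continue
        m = re.fullmatch(r"dhcp snooping trusted(?:\s+interface\s+(.+))?", line, re.I)
        if not m or view is None:
            continue
        if view[0] == "vlan" and m.group(1):        # VLAN-view form
            by_vlan[view[1]].add(norm(m.group(1)))
        elif view[0] == "interface" and not m.group(1):  # interface-view form
            by_interface.add(view[1])
    findings = []
    if (by_vlan or by_interface) and not snooping_on:
        findings.append("trusted interface set but 'dhcp snooping enable' missing")
    for vlan, ports in sorted(by_vlan.items()):
        if len(ports) > MAX_TRUSTED_PER_VLAN:
            findings.append(f"VLAN {vlan}: {len(ports)} trusted ports, above {MAX_TRUSTED_PER_VLAN}")
    return {"vlan": {v: sorted(p) for v, p in by_vlan.items()},
            "interface": sorted(by_interface), "findings": findings}
```

Any interface that appears in neither list is untrusted, which is the default.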