dhcp snooping database authentication-mode

Function

The dhcp snooping database authentication-mode command configures the integrity check mode for a binding table file.

The undo dhcp snooping database authentication-mode command restores the integrity check mode of a binding table file to check.

By default, the integrity check mode of a binding table file is check.

Format

dhcp snooping database authentication-mode { check | no-check | force-check }

undo dhcp snooping database authentication-mode [ check | no-check | force-check ]

Parameters

Parameter | Description | Value
check | Indicates the check mode. If the file is a historical version file that does not carry the file integrity check code, the data is directly restored. If the file is a new version file that carries the file integrity check code, the file integrity check is performed before the data is restored. | -
no-check | Indicates the non-check mode. That is, no file integrity check is performed, and the data is directly restored. | -
force-check | Indicates the forcible check mode. If the file is a historical version file that does not carry the file integrity check code, the data is not restored. If the file is a new version file that carries the file integrity check code, the file integrity check is performed before the data is restored. | -

Views

System view

Default Level

2: Configuration level

Task Name and Operations

Task Name | Operations
dhcp | write

Usage Guidelines

Usage Scenario

To prevent data loss caused by device faults, you can enable automatic backup of the DHCP snooping binding table; the system then generates a backup file. To detect tampering with the backup file, an encrypted file integrity check code is added to it. After the device restarts, and before the binding table is restored from the backup file, the system decrypts the file integrity check code and verifies the file integrity against it. If the verification succeeds, the data is restored. If the verification fails, the data is discarded and a log is recorded.

  • If you need to manually modify the backup file content, run the dhcp snooping database authentication-mode no-check command to set the file integrity authentication mode to non-check before the restart.
  • The root keys for decrypting and encrypting the file integrity check code must be the same. If the root keys are different, the decryption fails. The root keys of different devices are different. If you need to use the backup files generated on other devices to restore data, run the dhcp snooping database authentication-mode no-check command to set the file integrity authentication mode to non-check before the restart.
  • To be compatible with earlier versions, a device can be restarted to restore data from an earlier version file that does not carry the file integrity check code. To prevent data tampering based on historical version files, you can run the dhcp snooping database authentication-mode force-check command to set the file integrity authentication mode to forcible check before the restart.

Prerequisites

DHCP snooping has been enabled globally using the dhcp snooping enable command.

Precautions

  • After the dhcp snooping database authentication-mode force-check command is run, historical version files that do not carry the file integrity check code cannot be restored. Therefore, exercise caution when running this command.
  • If the backup DHCP snooping binding table file fails the verification, the file is not restored; it is renamed with a .fail suffix and saved.
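
The mode matrix described in the usage guidelines and the .fail handling above, modelled as an added Python example. This is not Huawei's code and not the device's on-disk format: the one-binding-per-line layout, the "#CHECK:" trailer, and the use of HMAC-SHA256 keyed by a per-device root key are assumptions made for illustration. What the example shows is the behaviour a practitioner should expect from each mode: a file with a valid check code restores in every mode; a file produced under another device's root key or tampered after backup restores only under no-check; a historical file without a check code restores under check and no-check but is rejected under force-check; every rejected file is renamed with a .fail suffix and a log line is recorded.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed file format (assumption, not Huawei's layout): one binding per line
# "MAC IP VLAN interface"; a new-version file ends with "#CHECK:<hex HMAC-SHA256>".
TRAILER_PREFIX = b"#CHECK:"


def write_backup(path, bindings, root_key=None):
    """Write a binding table. With root_key, append the integrity check code
    (new-version file); without it, write a historical file with no check code."""
    body = b"".join((" ".join(b) + "\n").encode() for b in bindings)
    if root_key is not None:
        tag = hmac.new(root_key, body, hashlib.sha256).hexdigest().encode()
        body += TRAILER_PREFIX + tag + b"\n"
    with open(path, "wb") as f:
        f.write(body)


def _split(raw):
    """Return (body, tag); tag is None when the file carries no check code."""
    idx = raw.rfind(TRAILER_PREFIX)
    if idx != -1 and (idx == 0 or raw[idx - 1:idx] == b"\n"):
        return raw[:idx], raw[idx + len(TRAILER_PREFIX):].strip()
    return raw, None


def _parse(body):
    return [tuple(line.split()) for line in body.decode().splitlines() if line.strip()]


def restore_backup(path, mode, root_key, log):
    """Apply one of check / no-check / force-check to a backup file.
    Returns the restored bindings, or None when the data is discarded; a
    discarded file is renamed <path>.fail and a log line is appended."""
    with open(path, "rb") as f:
        raw = f.read()
    body, tag = _split(raw)

    if mode == "no-check":                      # never verify, restore as-is
        return _parse(body)
    if tag is None:                             # historical file, no check code
        if mode == "check":
            return _parse(body)
        log.append(f"{path}: file without check code rejected (force-check)")
        os.replace(path, path + ".fail")
        return None
    # new-version file: recompute the code under this device's root key
    expected = hmac.new(root_key, body, hashlib.sha256).hexdigest().encode()
    if hmac.compare_digest(expected, tag):
        return _parse(body)
    log.append(f"{path}: integrity check failed, data discarded")
    os.replace(path, path + ".fail")
    return None


def demo():
    """Exercise the mode matrix on constructed files. Returns (results, log)."""
    bindings = [("0011-2233-4455", "10.1.1.10", "100", "GE0/0/1"),
                ("0011-2233-4466", "10.1.1.11", "100", "GE0/0/2")]
    key_a, key_b = b"root-key-of-device-A", b"root-key-of-device-B"  # constructed
    results, log = {}, []
    with tempfile.TemporaryDirectory() as d:
        def make(name, key):
            p = os.path.join(d, name)
            write_backup(p, bindings, key)
            return p
        # own file, matching root key: restored
        results["check/valid"] = restore_backup(make("a.tbl", key_a), "check", key_a, log) == bindings
        # file from another device (different root key): rejected unless no-check
        results["check/other-device"] = restore_backup(make("b.tbl", key_b), "check", key_a, log)
        results["no-check/other-device"] = restore_backup(make("c.tbl", key_b), "no-check", key_a, log) == bindings
        # historical file without check code: check restores it, force-check does not
        results["check/legacy"] = restore_backup(make("d.tbl", None), "check", key_a, log) == bindings
        results["force-check/legacy"] = restore_backup(make("e.tbl", None), "force-check", key_a, log)
        # body edited after backup: check code no longer matches
        p = make("f.tbl", key_a)
        with open(p, "r+b") as f:
            data = f.read().replace(b"10.1.1.11", b"10.1.1.99")
            f.seek(0)
            f.write(data)
            f.truncate()
        results["check/tampered"] = restore_backup(p, "check", key_a, log)
        results["fail_files"] = sorted(n for n in os.listdir(d) if n.endswith(".fail"))
    return results, log


if __name__ == "__main__":
    for k, v in demo()[0].items():
        print(f"{k}: {v}")
```

The no-check branch is deliberately the only path that ignores the trailer, which is why the guidelines tell you to switch to it before a restart only when you have edited the file yourself or moved it from another device; leaving it set afterwards removes tamper detection entirely.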

Example

# Set the file integrity check mode to no check.
<HUAWEI> system-view
[~HUAWEI] dhcp snooping database authentication-mode no-check
Copyright © Huawei Technologies Co., Ltd.