dhcp check chaddr enable

Function

The dhcp snooping check enable command enables DHCP check.

The undo dhcp snooping check enable command disables DHCP check.

The dhcp snooping alarm threshold command configures an alarm threshold for the number of dropped ARP packets, IP packets, DHCP reply packets (received on the untrusted interface), and DHCP request packets in a VLAN. In addition, you can configure the percentage threshold for the maximum number of DHCP snooping users.

The undo dhcp snooping alarm threshold command restores the default setting.

The dhcp check chaddr enable command enables CHADDR field check for the VLAN.

The undo dhcp check chaddr enable command disables CHADDR field check for the VLAN.

By default:

  • DHCP check is disabled.
  • The alarm threshold for the number of dropped packets in a VLAN is a global alarm threshold (which is 100 by default and can be configured manually).
  • The percentage threshold for the maximum number of DHCP snooping users in a VLAN is 100%.

Format

dhcp { { snooping check { dhcp-request | arp | ip } } enable | snooping alarm { { dhcp-chaddr | dhcp-request | dhcp-reply | arp | ip } { enable | threshold threshold-value } | user-limit { enable | threshold threshold-value } } }

dhcp check chaddr enable

undo dhcp { { snooping check { dhcp-request | arp | ip } } enable | snooping alarm { dhcp-chaddr | dhcp-request | dhcp-reply | arp | ip | user-limit } { enable | threshold } }

undo dhcp check chaddr enable

Parameters

Parameter: dhcp-request
Description: dhcp-request following snooping alarm specifies the alarm threshold for the number of discarded DHCP Request messages for extending IP address leases that do not match the DHCP snooping binding table.
Value: -

Parameter: arp
Description: arp following snooping alarm specifies the alarm threshold for the number of discarded ARP packets that do not match the binding table.
Value: -

Parameter: ip
Description: Specifies the alarm threshold for the IP packets that do not match the binding table.
Value: -

Parameter: dhcp-chaddr
Description: Indicates the alarm threshold for the number of dropped DHCP packets with the client hardware address (CHADDR) field value mismatching the source MAC address in the Ethernet frame header.
Value: -

Parameter: dhcp-reply
Description: Indicates the alarm threshold for discarded DHCP reply packets received on untrusted interfaces.
Value: -

Parameter: threshold threshold-value
Description: Specifies the alarm threshold.
Value: The alarm threshold for the number of dropped packets on a Layer 3 interface ranges from 1 to 1000. The default value is 100. The percentage threshold for the maximum number of DHCP snooping users ranges from 1 to 100. The default value is 100.

Parameter: user-limit
Description: Indicates the alarm threshold for the maximum DHCP snooping users.
Value: -

Parameter: chaddr
Description: Indicates the source MAC address of DHCP packets. Checks whether the CHADDR field value in a DHCP packet matches the MAC address in the packet header.
Value: -
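The CHADDR check that the dhcp-chaddr and chaddr parameters describe, as an added Python example that is not part of the Huawei documentation or the device software: it parses a constructed untagged Ethernet/IPv4/UDP/DHCP frame and compares the 16-byte CHADDR field (first hlen bytes) with the Ethernet source MAC. Frame offsets follow the standard header layouts; build_dhcp_frame and the sample MAC addresses are constructed for illustration.

```python
import struct

def parse_dhcp_over_ethernet(frame: bytes):
    """Return (source MAC, CHADDR) from an untagged Ethernet/IPv4/UDP/DHCP frame.
    Raises ValueError when the frame is not a DHCP packet."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    src_mac = frame[6:12]                       # Ethernet source address
    ihl = (frame[14] & 0x0F) * 4                # IPv4 header length in bytes
    if frame[14 + 9] != 17:
        raise ValueError("not UDP")
    udp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if {sport, dport}.isdisjoint({67, 68}):
        raise ValueError("not DHCP")
    dhcp = udp + 8                              # UDP header is 8 bytes
    hlen = frame[dhcp + 2]                      # hardware address length
    chaddr = frame[dhcp + 28:dhcp + 28 + hlen]  # CHADDR starts at DHCP offset 28
    return src_mac, chaddr

def chaddr_check(frame: bytes) -> str:
    """The check this command enables: CHADDR must equal the frame source MAC."""
    src_mac, chaddr = parse_dhcp_over_ethernet(frame)
    return "pass" if chaddr == src_mac else "drop"

def build_dhcp_frame(src_mac: bytes, chaddr: bytes) -> bytes:
    """Constructed sample frame (not captured traffic): minimal IPv4 header,
    UDP 68 -> 67, BOOTREQUEST carrying the given CHADDR and no options."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x00"
    dhcp = (bytes([1, 1, 6, 0]) + b"\x00" * 24      # op, htype, hlen, hops, xid..giaddr
            + chaddr.ljust(16, b"\x00")             # CHADDR field (16 bytes)
            + b"\x00" * 192 + b"\x63\x82\x53\x63")  # sname, file, magic cookie
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(dhcp),
                     0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
    return eth + ip + udp + dhcp
```

A frame whose CHADDR differs from its source MAC is the case the dhcp-chaddr alarm counts.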

Views

100GE interface view, 10GE interface view, 40GE interface view, Eth-Trunk interface view, FlexE sub-interface view, GE optical interface view, GE electrical interface view, Sub-interface view

Default Level

2: Configuration level

Task Name and Operations

Task Name: dhcp
Operations: write

Usage Guidelines

Usage Scenario

You can configure the following check functions in DHCP snooping applications:

  • When the man-in-the-middle attack or IP/MAC address spoofing occurs, you can configure ARP or IP check to determine whether the source IP and MAC addresses in the ARP or IP packets match those in the DHCP snooping binding table.
  • To enable the device to protect against DHCP exhaustion attacks, configure the device to check whether a received DHCP request packet or DHCP release packet matches an entry in the DHCP snooping binding table.
  • After receiving a DHCP request packet:

    1. The device checks whether the source MAC address is all Fs. If the source MAC address is all Fs, the device allows the packet to pass. If the source MAC address is not all Fs, the device considers the packet a packet for extending the IP address lease and checks whether the packet matches an entry in the DHCP snooping binding table.

    2. The device checks whether the CHADDR field in the packet matches an entry in the DHCP snooping binding table. If no matching entry exists, the device allows the packet to pass. If a matching entry exists, the device checks whether the VLAN ID, IP address, and interface information in the packet match an entry in the DHCP snooping binding table. If a matching entry exists, the device allows the packet to pass. If no matching entry exists, the device discards the packet.
  • After receiving a DHCP release packet, the device checks whether the VLAN ID, IP address, MAC address, and interface information in the packet match an entry in the DHCP snooping binding table. If a matching entry exists, the device allows the packet to pass. If no matching entry exists, the device discards the packet.

To configure the alarm function for the number of dropped packets and restrict the maximum number of users, run the dhcp snooping alarm threshold command.

The alarm threshold for dropped packets in a VLAN is determined as follows:

  • If no alarm threshold is configured for the VLAN, the globally configured default value is used as the alarm threshold of the VLAN. You can change the default value by configuring an alarm threshold globally.
  • If an alarm threshold is configured for a VLAN, the configured threshold takes effect.
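The request and release checks against the binding table, and the per-VLAN dropped-packet alarm threshold with its global default of 100, as an added Python model that is not the device's implementation and not part of the Huawei documentation. Binding, DropAlarm and the sample binding table TABLE are constructed for illustration; MAC addresses are compared case-insensitively.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str         # client MAC, i.e. the CHADDR the client used
    ip: str
    vlan: int
    interface: str

ALL_FS_MAC = "ff:ff:ff:ff:ff:ff"

def check_request(table, src_mac, chaddr, ip, vlan, interface):
    """DHCP request check, following the two steps described above."""
    # Step 1: an all-Fs source MAC passes without any further check.
    if src_mac.lower() == ALL_FS_MAC:
        return "pass"
    # Step 2: bindings whose MAC equals CHADDR; none means this is not a
    # lease extension of a known client, so the packet passes.
    same_mac = [b for b in table if b.mac.lower() == chaddr.lower()]
    if not same_mac:
        return "pass"
    # Known client extending its lease: VLAN, IP and interface must match.
    if any((b.vlan, b.ip, b.interface) == (vlan, ip, interface) for b in same_mac):
        return "pass"
    return "drop"

def check_release(table, mac, ip, vlan, interface):
    """DHCP release check: VLAN, IP, MAC and interface must all match."""
    hit = any((b.vlan, b.ip, b.mac.lower(), b.interface)
              == (vlan, ip, mac.lower(), interface) for b in table)
    return "pass" if hit else "drop"

class DropAlarm:
    """Dropped-packet counter per VLAN: the global threshold (default 100)
    applies unless a threshold was configured for that VLAN."""
    def __init__(self, global_threshold=100):
        self.global_threshold = global_threshold
        self.vlan_threshold = {}   # vlan -> configured per-VLAN threshold
        self.drops = {}
    def threshold(self, vlan):
        return self.vlan_threshold.get(vlan, self.global_threshold)

    def record_drop(self, vlan):
        """Count one drop; True when the VLAN's threshold is reached."""
        self.drops[vlan] = self.drops.get(vlan, 0) + 1
        return self.drops[vlan] == self.threshold(vlan)

# Constructed sample binding table (illustrative data, not from the page).
TABLE = [Binding("00:11:22:33:44:55", "10.0.0.5", 10, "GE0/1/24")]
```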

Prerequisites

  • DHCP snooping has been enabled globally using the dhcp snooping enable command.
  • The alarm function has been enabled using the dhcp snooping alarm enable command.
  • The maximum number of users has been configured using the dhcp snooping max-user-number (interface view) command.

Precautions

If the maximum number of DHCP snooping users is set to n and the percentage threshold for the maximum number of DHCP snooping users is set to m, an alarm is generated when the number of users in the VLAN reaches n×m. When the number of users in the VLAN reaches n×m+1, however, no further alarm is generated. Only when user leases expire or users proactively release IP addresses does the number of users in the VLAN fall below n×m; when the number of users reaches n×m again, an alarm is generated.

You can change the current percentage threshold by configuring a new value; only the most recent setting takes effect.

Example

# Enable CHADDR check on GE 0/1/24.
<HUAWEI> system-view
[~HUAWEI] dhcp snooping enable
[*HUAWEI] interface GigabitEthernet 0/1/24
[*HUAWEI-GigabitEthernet0/1/24] dhcp snooping enable
[*HUAWEI-GigabitEthernet0/1/24] dhcp check chaddr enable
# Set the percentage threshold for the maximum number of DHCP snooping users on GE 0/1/25 to 50%.
<HUAWEI> system-view
[~HUAWEI] dhcp snooping enable
[*HUAWEI] interface GigabitEthernet 0/1/25
[*HUAWEI-GigabitEthernet0/1/25] dhcp snooping enable
[*HUAWEI-GigabitEthernet0/1/25] dhcp snooping max-user-number 3000
[*HUAWEI-GigabitEthernet0/1/25] dhcp snooping alarm user-limit enable
[*HUAWEI-GigabitEthernet0/1/25] dhcp snooping alarm user-limit threshold 50
Copyright © Huawei Technologies Co., Ltd.