dhcp snooping strict-check mac-address

Function

The dhcp snooping strict-check mac-address command enables DHCP snooping to strictly check the MAC addresses of login users.

The undo dhcp snooping strict-check mac-address command disables the strict MAC address check function for DHCP snooping.

By default, the strict MAC address check function of DHCP snooping is not enabled.

Format

dhcp snooping strict-check mac-address

undo dhcp snooping strict-check mac-address

Parameters

None

Views

System view

Default Level

2: Configuration level

Task Name and Operations

Task Name    Operations
dhcp         write

Usage Guidelines

Usage Scenario

When the number of login users on a DHCP snooping device reaches the maximum, the device checks whether the IP address in DHCP ACK packets exists in the binding entries to determine whether the login users are new ones. If the IP address in an ACK packet does not exist in the binding entries, the user is not allowed to go online.

To lessen the impact on the DHCP server, DHCP snooping can be enabled to check the MAC addresses of login users. In this case, when the number of login users on the DHCP snooping device reaches the maximum, the device determines whether login users can go online based on Discover packets. If the MAC address in a Discover packet does not exist in the binding entries, the user is not allowed to go online.
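The following Python model is an added illustration of the two admission checks described in this Usage Scenario; it is not Huawei code. The class, its field names, and the sample MAC and IP addresses are constructed, and the model assumes that a Discover packet rejected by the MAC check is never forwarded to the DHCP server.

```python
from dataclasses import dataclass, field


@dataclass
class SnoopingModel:
    """Simplified model of admission once the user limit is reached."""
    max_users: int
    strict_mac_check: bool = False
    bindings: dict = field(default_factory=dict)  # IP -> MAC binding entries
    server_requests: int = 0  # Discover packets forwarded to the DHCP server

    def at_limit(self):
        return len(self.bindings) >= self.max_users

    def login(self, mac, ip):
        """Process one Discover...ACK exchange; return (online, deciding_stage)."""
        known_mac = mac in self.bindings.values()
        # Strict check: at the limit, an unknown MAC is rejected on its Discover
        # (assumption: the packet is dropped before it reaches the server).
        if self.strict_mac_check and self.at_limit() and not known_mac:
            return (False, "discover")
        self.server_requests += 1  # Discover forwarded; server replies with ACK
        # Check on the ACK: at the limit, the ACK's IP must already be bound.
        if self.at_limit() and ip not in self.bindings:
            return (False, "ack")
        self.bindings.setdefault(ip, mac)  # keep the first binding for an IP
        return (True, "ack")


def run(strict):
    """Replay a constructed login sequence against a device limited to 2 users."""
    device = SnoopingModel(max_users=2, strict_mac_check=strict)
    attempts = [  # constructed sample users
        ("00e0-fc00-0001", "10.0.0.1"),
        ("00e0-fc00-0002", "10.0.0.2"),
        ("00e0-fc00-0003", "10.0.0.3"),  # new user after the limit is reached
        ("00e0-fc00-0001", "10.0.0.1"),  # existing user logging in again
    ]
    results = [device.login(mac, ip) for mac, ip in attempts]
    return results, device.server_requests


if __name__ == "__main__":
    for strict in (False, True):
        results, forwarded = run(strict)
        print(f"strict={strict}: {results}, forwarded to server: {forwarded}")
```

In both modes the third user is refused and the existing user stays online; with the MAC check the refusal happens at the Discover stage, so one fewer exchange reaches the DHCP server.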

Prerequisites

DHCP snooping has been enabled globally using the dhcp snooping enable command.

Configuration Impact

In the same broadcast domain, one IP address can be bound to only one MAC address. If different MAC addresses have applied for the same IP address in sequence, the latter ones are considered invalid, and corresponding users are not allowed to go online.

Example

# Enable DHCP snooping to strictly check the MAC addresses of login users.
<HUAWEI> system-view
[~HUAWEI] dhcp snooping enable
[*HUAWEI] dhcp snooping strict-check mac-address
Copyright © Huawei Technologies Co., Ltd.