dhcp snooping check enable

Function

The dhcp snooping check enable command enables DHCP snooping check (ARP, IP, DHCP request, or CHADDR check) for packets received on an interface.

The undo dhcp snooping check enable command disables DHCP snooping check.

By default, this function is disabled.

Format

dhcp { snooping check { arp | ip | dhcp-request } | check chaddr } enable interface { interface-type interface-number | interface-name }

undo dhcp { snooping check { arp | ip | dhcp-request } | check chaddr } enable interface { interface-type interface-number | interface-name }

Parameters

Parameter                                   Description                                                                                                                       Value
arp                                         Indicates that ARP packets are matched against the binding table.                                                                 -
ip                                          Indicates that IP packets are matched against the binding table.                                                                  -
dhcp-request                                Indicates that DHCP request packets are matched against the binding table.                                                        -
chaddr                                      Indicates that the client hardware address (CHADDR) field value is matched against the MAC address in the Ethernet frame header.  -
interface interface-name                    Indicates the interface name.                                                                                                     -
interface interface-type interface-number   Indicates the interface type and interface number.                                                                                -

Views

VLAN view

Default Level

2: Configuration level

Task Name and Operations

Task Name    Operations
dhcp         write

Usage Guidelines

Usage Scenario

You can configure the following check functions in DHCP snooping applications:

  • To defend against man-in-the-middle attacks or IP/MAC address spoofing, configure ARP or IP check so that the device determines whether the source IP and MAC addresses in ARP or IP packets match an entry in the DHCP snooping binding table.
  • To protect the device against DHCP exhaustion attacks, configure the device to check whether a received DHCP request packet or DHCP release packet matches an entry in the DHCP snooping binding table.
  • After receiving a DHCP request packet:
  1. The device checks whether the source MAC address is all Fs. If the source MAC address is all Fs, the device allows the packet to pass. If the source MAC address is not all Fs, the device considers the packet a request for extending the IP address lease and checks whether the packet matches an entry in the DHCP snooping binding table.
  2. The device checks whether the CHADDR field in the packet matches an entry in the DHCP snooping binding table. If no matching entry exists, the device allows the packet to pass. If a matching entry exists, the device checks whether the VLAN ID, IP address, and interface information in the packet match that entry. If they match, the device allows the packet to pass. If they do not match, the device discards the packet.
  • For a DHCP release packet, the device checks whether the VLAN ID, IP address, MAC address, and interface information match an entry in the DHCP snooping binding table. If they match, the device allows the packet to pass. If they do not match, the device discards the packet.
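The check rules described above, modelled in Python as an added example; this is not Huawei code and not how the device implements the checks internally. The binding table entries, packet fields, MAC addresses and interface names are constructed for illustration, and the model reduces each check to the matching rules the guidelines state.

```python
"""Model of the DHCP snooping check rules from the usage guidelines.
Added example, not Huawei code; all entries and packets below are constructed."""
from dataclasses import dataclass
from typing import List, Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"  # the "all Fs" source MAC of step 1


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding table entry (constructed sample data)."""
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class Packet:
    """The fields the checks look at; chaddr is only present on DHCP packets."""
    kind: str              # "arp", "ip", "dhcp-request" or "dhcp-release"
    src_mac: str           # MAC address in the Ethernet frame header
    src_ip: str            # source IP (for DHCP, the client address the packet carries)
    vlan: int
    interface: str         # ingress interface (hypothetical names such as GE1/0/1)
    chaddr: Optional[str] = None


def _norm(mac: str) -> str:
    """Canonical MAC form so 00-11-22-33-44-55 and 00:11:22:33:44:55 compare equal."""
    return mac.lower().replace("-", ":")


def check_chaddr(pkt: Packet) -> bool:
    """'check chaddr': the CHADDR field must equal the Ethernet source MAC."""
    return pkt.chaddr is not None and _norm(pkt.chaddr) == _norm(pkt.src_mac)


def check_arp_ip(pkt: Packet, table: List[Binding]) -> bool:
    """ARP/IP check: source IP and MAC must both match one binding entry."""
    return any(_norm(b.mac) == _norm(pkt.src_mac) and b.ip == pkt.src_ip for b in table)


def check_dhcp_request(pkt: Packet, table: List[Binding]) -> bool:
    """DHCP request check, following the two steps in the usage guidelines."""
    # Step 1: an all-Fs source MAC passes unconditionally.
    if _norm(pkt.src_mac) == BROADCAST_MAC:
        return True
    # Otherwise the packet is treated as a lease extension and checked against the table.
    # Step 2: no binding for this CHADDR means a client not yet bound, so it passes.
    chaddr = _norm(pkt.chaddr or pkt.src_mac)
    candidates = [b for b in table if _norm(b.mac) == chaddr]
    if not candidates:
        return True
    # A bound client must also match on VLAN ID, IP address and ingress interface.
    return any(b.vlan == pkt.vlan and b.ip == pkt.src_ip and b.interface == pkt.interface
               for b in candidates)


def check_dhcp_release(pkt: Packet, table: List[Binding]) -> bool:
    """DHCP release check: VLAN, IP, MAC and interface must all match one entry."""
    return any(b.vlan == pkt.vlan and b.ip == pkt.src_ip
               and _norm(b.mac) == _norm(pkt.src_mac) and b.interface == pkt.interface
               for b in table)


def check_packet(pkt: Packet, table: List[Binding]) -> str:
    """Return 'pass' or 'drop' for a packet according to its type."""
    checks = {
        "arp": check_arp_ip,
        "ip": check_arp_ip,
        "dhcp-request": check_dhcp_request,
        "dhcp-release": check_dhcp_release,
    }
    return "pass" if checks[pkt.kind](pkt, table) else "drop"


# Constructed binding table: two clients learned on VLAN 10.
BINDING_TABLE = [
    Binding("00:11:22:33:44:55", "192.0.2.10", 10, "GE1/0/1"),
    Binding("00:11:22:33:44:66", "192.0.2.11", 10, "GE1/0/2"),
]

# Constructed traffic: one matching and one mismatching packet per check.
SAMPLE_PACKETS = [
    Packet("arp", "00:11:22:33:44:55", "192.0.2.10", 10, "GE1/0/1"),            # pass
    Packet("arp", "00:11:22:33:44:55", "192.0.2.11", 10, "GE1/0/1"),            # drop: IP not bound to this MAC
    Packet("dhcp-request", "00:aa:bb:cc:dd:ee", "0.0.0.0", 10, "GE1/0/3",
           chaddr="00:aa:bb:cc:dd:ee"),                                          # pass: no binding yet
    Packet("dhcp-request", "00:11:22:33:44:55", "192.0.2.10", 10, "GE1/0/2",
           chaddr="00:11:22:33:44:55"),                                          # drop: wrong interface
    Packet("dhcp-release", "00:11:22:33:44:66", "192.0.2.11", 10, "GE1/0/2"),   # pass
    Packet("dhcp-release", "00:11:22:33:44:55", "192.0.2.11", 10, "GE1/0/2"),   # drop: MAC/IP mismatch
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict = check_packet(p, BINDING_TABLE)
        print(f"{p.kind:13} {p.src_mac} {p.src_ip:12} vlan {p.vlan} {p.interface}: {verdict}")
```

Running the block prints a verdict per sample packet. The two "drop" cases are the ones the guidelines describe as the point of the feature: a host reusing a bound MAC with a different IP, and a lease extension or release arriving from an interface or address other than the one recorded when the lease was granted.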

Prerequisites

DHCP snooping has been enabled globally by running the dhcp snooping enable command.

Example

# Enable ARP check for VLAN 10.
<HUAWEI> system-view
[~HUAWEI] dhcp snooping enable
[*HUAWEI] vlan 10
[*HUAWEI-vlan10] dhcp snooping enable
[*HUAWEI-vlan10] dhcp snooping check arp enable
Copyright © Huawei Technologies Co., Ltd.