dhcp snooping alarm (VLAN view)

Function

The dhcp snooping alarm threshold command configures an alarm threshold for the number of dropped ARP packets, IP packets, DHCP reply packets (received on the untrusted interface), and DHCP request packets in a VLAN. In addition, you can configure the percentage threshold for the maximum number of DHCP snooping users.

The undo dhcp snooping alarm threshold command restores the default setting.

The dhcp snooping alarm enable command enables the alarm function for the scenario in which the number of dropped ARP packets, IP packets, DHCP reply packets (dropped on the untrusted interface), and DHCP request packets reaches the threshold or the user number reaches the threshold.

The undo dhcp snooping alarm enable command disables DHCP snooping alarm on an interface.

By default:

  • DHCP snooping alarm is disabled on an interface.
  • The alarm threshold for the number of dropped packets in a VLAN is a global alarm threshold (which is 100 by default and can be configured manually).
  • The percentage threshold for the maximum number of DHCP snooping users in a VLAN is 100%.

Format

dhcp snooping alarm { { ip | arp | dhcp-chaddr | dhcp-request | dhcp-reply } { enable | threshold threshold } | user-limit { enable | threshold user-threshold } }

undo dhcp snooping alarm { ip | arp | dhcp-chaddr | dhcp-request | dhcp-reply | user-limit } enable

undo dhcp snooping alarm { ip | arp | dhcp-chaddr | dhcp-request | dhcp-reply | user-limit } threshold

Parameters

| Parameter | Description | Value |
|---|---|---|
| ip | Indicates the alarm threshold for the number of dropped IP packets. | - |
| arp | Indicates the alarm threshold for the number of dropped ARP packets. | - |
| dhcp-chaddr | Indicates the alarm threshold for the number of dropped DHCP packets with the client hardware address (CHADDR) field value mismatching the source MAC address in the Ethernet frame header. | - |
| dhcp-request | Indicates the alarm threshold for the number of dropped DHCP request packets. | - |
| dhcp-reply | Indicates the alarm threshold for the number of dropped DHCP reply packets on an untrusted interface. The DHCP reply packets include DHCP Offer, ACK, and NAK packets. | - |
| threshold threshold | Specifies an alarm threshold. | The alarm threshold for the number of discarded packets in a VLAN ranges from 1 to 1000. The default value is 100. |
| threshold user-threshold | Specifies an alarm threshold, in percentage. | The percentage threshold at which the maximum number of DHCP snooping users triggers an alarm ranges from 1 to 100. The default value is 100. |
| user-limit | Indicates the percentage threshold for the maximum number of DHCP snooping users. | - |

Views

VLAN view

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
|---|---|
| dhcp | write |

Usage Guidelines

Usage Scenario

In the VLAN view, this command is only used to configure the alarm threshold for the maximum number of dropped packets in a VLAN and the percentage threshold for the maximum number of DHCP snooping users.

The alarm threshold for dropped packets in a VLAN is determined as follows:

  • If no alarm threshold is configured for the VLAN, the globally configured default value is used as the alarm threshold of the VLAN. You can change the default value by configuring an alarm threshold globally.
  • If an alarm threshold is configured for a VLAN, the configured threshold takes effect.

Before configuring the percentage threshold for the maximum number of DHCP snooping users in the VLAN view, run the following commands:
  • Run the dhcp snooping enable command in the system view to enable DHCP snooping globally.
  • Run the dhcp snooping max-user-number(VLAN view) command in the VLAN view to configure the maximum number of DHCP snooping users.
  • Run the dhcp snooping alarm enable command in the VLAN view to enable DHCP snooping alarm.
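
The prerequisite list above can be checked offline against a saved configuration. The following is an added example, not Huawei code: the configuration text is constructed, and its layout (VLAN-view lines indented under `vlan <id>`, `#` between sections) and the function name are assumptions.

```python
import re

# Constructed sample, laid out like a saved configuration (assumed layout:
# top-level lines unindented, VLAN-view lines indented under "vlan <id>").
SAMPLE_CONFIG = """\
dhcp snooping enable
#
vlan 100
 dhcp snooping enable
 dhcp snooping max-user-number 3000
 dhcp snooping alarm user-limit enable
 dhcp snooping alarm user-limit threshold 50
#
vlan 200
 dhcp snooping enable
 dhcp snooping alarm user-limit threshold 80
#
"""

def audit_user_limit_alarm(config_text):
    """Return {vlan_id: [problems]} for VLANs that set a user-limit threshold."""
    global_on, vlans, current = False, {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # back at top level
            m = re.fullmatch(r"vlan (\d+)", line)
            current = int(m.group(1)) if m else None
            if current is not None:
                vlans[current] = []
            global_on |= line == "dhcp snooping enable"
        elif current is not None:            # line belongs to the open VLAN view
            vlans[current].append(line)
    report = {}
    for vid, lines in vlans.items():
        pct = [l for l in lines if l.startswith("dhcp snooping alarm user-limit threshold ")]
        if not pct:
            continue
        problems = []
        if not global_on:
            problems.append("DHCP snooping not enabled globally")
        if not any(l.startswith("dhcp snooping max-user-number ") for l in lines):
            problems.append("no max-user-number in VLAN view")
        if "dhcp snooping alarm user-limit enable" not in lines:
            problems.append("user-limit alarm not enabled")
        if not 1 <= int(pct[0].split()[5]) <= 100:
            problems.append("percentage threshold outside 1-100")
        report[vid] = problems
    return report
```

A VLAN that appears in the report with a non-empty list has a threshold configured that will never raise an alarm as written.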

If the maximum number of DHCP snooping users is set to n and the percentage threshold for the maximum number of DHCP snooping users is set to m, an alarm is generated when the number of users in the VLAN reaches n×m. When the number of users in the VLAN reaches n×m+1, however, no further alarm is generated. The number of users in the VLAN falls below n×m only when user leases expire or users proactively release IP addresses. When the number of users reaches n×m again, an alarm is generated.
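
The alarm is therefore raised on the crossing, not for as long as the VLAN stays full, so a sustained exhaustion of the user table produces a single event that monitoring must treat as a standing condition. The sketch below is an added example, not Huawei code, and models only the behaviour stated above; the function name, the sample counts, and the rounding of n×m are assumptions.

```python
def user_limit_alarm_events(max_users, percent, user_counts):
    """Return (sample_index, user_count) pairs at which an alarm is generated.

    Models the behaviour described above: one alarm when the user count
    reaches n*m, silence while it stays at or above that level, and a new
    alarm only after the count has fallen below n*m and reached it again.
    """
    if not 1 <= percent <= 100:
        raise ValueError("percentage threshold must be 1-100")
    # Assumption: n*m is taken as the integer floor of n*percent/100;
    # the page does not say how a fractional product is rounded.
    limit = max_users * percent // 100
    armed = True          # True while the count is below the limit
    events = []
    for index, count in enumerate(user_counts):
        if count < limit:
            armed = True
        elif armed:
            events.append((index, count))
            armed = False
    return events

# Constructed series of per-poll binding counts for a VLAN with
# max-user-number 3000 and user-limit threshold 50 (limit = 1500).
SAMPLE_COUNTS = [1200, 1499, 1500, 1501, 2400, 3000, 1499, 1480, 1500, 1750]
```

With the sample series, the climb from 1500 to 3000 users yields one alarm, and the second alarm appears only after the count has dropped to 1499 and returned to 1500.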

You can change the current percentage threshold by configuring a new value. Only the current setting takes effect.

You can configure the following check functions in DHCP snooping applications:
  • ARP check: The ARP packets mismatching information in the binding table are dropped.
  • CHADDR field check: The DHCP packets with the CHADDR field value mismatching the MAC address in the packet header are dropped.
  • DHCP reply check on the untrusted interface: The DHCP reply packets received on the untrusted interface are dropped.
  • Check for packets requesting lease renewal: The packets that request lease renewal but mismatch information in the binding table are dropped.
  • IP check: The IP packets mismatching information in the binding table are dropped.
  • User number check: The maximum number of users is restricted.

After these check functions are enabled, you can configure the alarm function so that an alarm is generated and sent to the NMS when the number of dropped packets or the user number exceeds the threshold.

Prerequisites

  • For CHADDR field check and binding table check, DHCP check has been enabled using the dhcp snooping check enable command.
  • For DHCP reply check on the untrusted interface, the trusted interface has been configured using the dhcp snooping trusted or dhcp snooping trusted interface command.
  • DHCP snooping has been enabled globally using the dhcp snooping enable command.
  • For CHADDR field check, IP check, ARP check, and check for packets requesting lease renewal, and binding table check, DHCP check has been enabled using the dhcp snooping check enable command.
  • For user number check:
    • The maximum number of users has been configured using the dhcp snooping max-user-number (interface view) command.
    • The maximum number of users has been configured using the dhcp snooping max-user-number (VLAN view) command.

Precautions

When an interface is added to a VLAN not using default, trunk, VLAN-stacking, or VLAN-mapping mode, delete the configured alarm threshold in the VLAN and interface views.

Example

# Set the percentage threshold for the maximum number of DHCP snooping users on GE 0/1/6 in VLAN 100 to 50%.
<HUAWEI> system-view
[~HUAWEI] dhcp snooping enable
[*HUAWEI] vlan 100
[*HUAWEI-vlan100] dhcp snooping enable
[*HUAWEI-vlan100] quit
[*HUAWEI] interface GigabitEthernet 0/1/6
[*HUAWEI-GigabitEthernet0/1/6] portswitch
[*HUAWEI-GigabitEthernet0/1/6] port default vlan 100
[*HUAWEI-GigabitEthernet0/1/6] quit
[*HUAWEI] vlan 100
[*HUAWEI-vlan100] dhcp snooping max-user-number 3000 interface GigabitEthernet 0/1/6
[*HUAWEI-vlan100] dhcp snooping alarm user-limit enable
[*HUAWEI-vlan100] dhcp snooping alarm user-limit threshold 50 interface GigabitEthernet 0/1/6

# Set the alarm threshold for the number of dropped ARP packets in VLAN 100 to 200.
<HUAWEI> system-view
[~HUAWEI] dhcp snooping enable
[*HUAWEI] vlan 100
[*HUAWEI-vlan100] dhcp snooping enable
[*HUAWEI-vlan100] dhcp snooping alarm arp threshold 200

# Set the percentage threshold for the maximum number of DHCP snooping users in VLAN 100 to 50%.
<HUAWEI> system-view
[~HUAWEI] dhcp snooping enable
[*HUAWEI] vlan 100
[*HUAWEI-vlan100] dhcp snooping enable
[*HUAWEI-vlan100] dhcp snooping max-user-number 3000
[*HUAWEI-vlan100] dhcp snooping alarm user-limit enable
[*HUAWEI-vlan100] dhcp snooping alarm user-limit threshold 50
Copyright © Huawei Technologies Co., Ltd.