dhcp snooping check enable (VLAN view)

Function

The dhcp snooping check enable command enables DHCP check for a VLAN.

The undo dhcp snooping check enable command disables DHCP check for a VLAN.

The dhcp snooping trusted interface command configures an interface in a VLAN as a trusted interface.

The undo dhcp snooping trusted interface command restores the default configuration.

By default, DHCP check is disabled. After DHCP snooping is enabled, all interfaces are untrusted interfaces.

Format

dhcp { snooping { check { dhcp-request | ip | arp } enable | trusted } | check chaddr enable }

undo dhcp { snooping { check { dhcp-request | ip | arp } enable | trusted } | check chaddr enable }

Parameters

Parameter     Description                                                                                                                        Value
dhcp-request  Indicates that DHCP request packets are matched against the binding table.                                                         -
ip            Indicates that IP packets are matched against the binding table.                                                                   -
arp           Indicates that ARP packets are matched against the binding table.                                                                  -
chaddr        Indicates that the client hardware address (CHADDR) field value is matched against the MAC address in the Ethernet frame header.  -

Views

VLAN view

Default Level

2: Configuration level

Task Name and Operations

Task Name   Operations
dhcp        write

Usage Guidelines

Usage Scenario

You can configure the following check functions in DHCP snooping applications:

  • When man-in-the-middle attacks or IP/MAC address spoofing occur, you can configure ARP or IP check to determine whether the source IP and MAC addresses in the ARP or IP packets match those in the DHCP snooping binding table.
  • When attacks use packets that request lease renewal, you can configure DHCP check to determine whether a DHCP request or release packet matches the binding table.
    • For a DHCP request packet:

      1. Check whether the destination MAC address in the packet contains all Fs. If yes, the system considers the packet a DHCP request packet broadcast by a user at first login and allows the packet to pass. If not, the system considers the packet a lease renewal request and checks the packet against the binding table.

      2. Check whether the CHADDR field value in the packet matches an entry in the binding table. If not, the system allows the packet to pass. If yes, check whether the VLAN, IP address, and interface information in the packet matches that entry. If the information matches, the system allows the packet to pass. If the information does not match, the system drops the packet.
    • For a DHCP release packet, check whether the VLAN, IP address, MAC address, and interface information matches the binding table. If yes, the system allows the packet to pass. If not, the system drops the packet.
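The decision procedure above, written out as an added example. This is not Huawei's code and not the switch's data path: the Binding and DhcpPacket records, the binding table keyed by MAC, the use of the packet's client IP field as "IP address", and the sample entries and packets are all constructed for the illustration. It models the DHCP request check (steps 1 and 2), the DHCP release check, and the CHADDR-against-Ethernet-source check that dhcp check chaddr enable adds, so a reader can see exactly which field mismatches cause a drop.

```python
"""Model of the DHCP snooping packet checks described in the usage guidelines.

Added illustration only, not Huawei's implementation. The record layouts,
binding table and sample packets below are constructed for this example.
"""
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"   # destination MAC of "all Fs"


@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP snooping binding table (constructed layout)."""
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class DhcpPacket:
    """Fields of a received DHCP packet that the checks consult (constructed layout)."""
    kind: str          # "request" or "release"
    eth_src: str       # source MAC in the Ethernet header
    eth_dst: str       # destination MAC in the Ethernet header
    chaddr: str        # client hardware address field in the DHCP payload
    client_ip: str     # client IP address carried in the packet (assumption: ciaddr)
    vlan: int          # VLAN the packet arrived on
    interface: str     # interface the packet arrived on


class BindingTable:
    """Binding table keyed by MAC address, case-insensitively."""
    def __init__(self, bindings):
        self._by_mac = {b.mac.lower(): b for b in bindings}

    def lookup(self, mac):
        return self._by_mac.get(mac.lower())


def _fields_match(binding, pkt):
    # VLAN, IP address and interface must all agree with the binding entry.
    return (binding.vlan, binding.ip, binding.interface) == (pkt.vlan, pkt.client_ip, pkt.interface)


def check_dhcp_request(pkt, table):
    # Step 1: a broadcast destination is a first-login request and passes.
    if pkt.eth_dst.lower() == BROADCAST_MAC:
        return "pass"
    # Step 2: unicast means lease renewal. An unknown CHADDR passes; a known
    # CHADDR must also match on VLAN, IP address and interface, else drop.
    binding = table.lookup(pkt.chaddr)
    if binding is None:
        return "pass"
    return "pass" if _fields_match(binding, pkt) else "drop"


def check_dhcp_release(pkt, table):
    # Release: VLAN, IP address, MAC address and interface must all match.
    binding = table.lookup(pkt.chaddr)
    if binding is None:
        return "drop"
    return "pass" if _fields_match(binding, pkt) else "drop"


def check_chaddr(pkt):
    # dhcp check chaddr enable: CHADDR must equal the Ethernet source MAC.
    return "pass" if pkt.chaddr.lower() == pkt.eth_src.lower() else "drop"


def check_packet(pkt, table, chaddr_check=True):
    """Apply the enabled checks in order and return the first "drop" or final "pass"."""
    if chaddr_check and check_chaddr(pkt) == "drop":
        return "drop"
    if pkt.kind == "request":
        return check_dhcp_request(pkt, table)
    if pkt.kind == "release":
        return check_dhcp_release(pkt, table)
    return "pass"   # other DHCP message types are not covered by this check


# Constructed sample data: one learned client on VLAN 10, port GE0/1/1.
SAMPLE_TABLE = BindingTable([Binding("00:11:22:33:44:55", "192.0.2.10", 10, "GE0/1/1")])
CLIENT = "00:11:22:33:44:55"
SERVER = "00:aa:bb:cc:dd:ee"

SAMPLE_PACKETS = {
    # first login: broadcast request, passes regardless of the table
    "first_login": DhcpPacket("request", CLIENT, BROADCAST_MAC, CLIENT, "0.0.0.0", 10, "GE0/1/1"),
    # genuine renewal from the learned port
    "renew_ok": DhcpPacket("request", CLIENT, SERVER, CLIENT, "192.0.2.10", 10, "GE0/1/1"),
    # renewal for a known CHADDR arriving on a different interface: dropped
    "renew_wrong_port": DhcpPacket("request", CLIENT, SERVER, CLIENT, "192.0.2.10", 10, "GE0/1/2"),
    # renewal for a CHADDR the table has never seen: passes (per the guideline)
    "renew_unknown": DhcpPacket("request", "00:de:ad:be:ef:01", SERVER, "00:de:ad:be:ef:01", "192.0.2.77", 10, "GE0/1/3"),
    # release that matches every bound field
    "release_ok": DhcpPacket("release", CLIENT, SERVER, CLIENT, "192.0.2.10", 10, "GE0/1/1"),
    # release naming another client's IP address: dropped
    "release_wrong_ip": DhcpPacket("release", CLIENT, SERVER, CLIENT, "192.0.2.11", 10, "GE0/1/1"),
    # CHADDR disagrees with the Ethernet source MAC: dropped by the chaddr check
    "chaddr_mismatch": DhcpPacket("request", "00:de:ad:be:ef:02", BROADCAST_MAC, CLIENT, "0.0.0.0", 10, "GE0/1/1"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:18s} -> {check_packet(pkt, SAMPLE_TABLE)}")
```

Running the block prints one verdict per sample packet; the "renew_unknown" case is worth noting because it passes by design of the documented procedure, which is why the separate IP and ARP checks, and a static binding where the client population is fixed, are what close that gap rather than DHCP check alone.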

Prerequisites

DHCP snooping has been enabled globally by running the dhcp snooping enable command.

Precautions

After DHCP snooping is enabled, all interfaces are untrusted by default.

When DHCP snooping is disabled, all interfaces are trusted by default.

If an interface is changed from untrusted to trusted, the dynamic DHCP snooping binding table is deleted from the interface.

Example

# Enable ARP check for VLAN 10.
<HUAWEI> system-view
[~HUAWEI] dhcp snooping enable
[*HUAWEI] vlan 10
[*HUAWEI-vlan10] dhcp snooping enable
[*HUAWEI-vlan10] dhcp snooping check arp enable
# Configure GE 0/1/0 in VLAN 100 as a trusted interface.
<HUAWEI> system-view
[~HUAWEI] dhcp snooping enable
[*HUAWEI] vlan 100
[*HUAWEI-vlan100] quit
[*HUAWEI] interface GigabitEthernet 0/1/0
[*HUAWEI-GigabitEthernet0/1/0] portswitch
[*HUAWEI-GigabitEthernet0/1/0] port default vlan 100
[*HUAWEI-GigabitEthernet0/1/0] quit
[*HUAWEI] vlan 100
[*HUAWEI-vlan100] dhcp snooping enable
[*HUAWEI-vlan100] dhcp snooping trusted interface GigabitEthernet 0/1/0
Copyright © Huawei Technologies Co., Ltd.