dhcp snooping alarm enable interface

Function

The dhcp snooping alarm enable interface command enables the alarm function when the number of discarded ARP packets, IP packets, DHCP Reply packets (discarded on an untrusted interface), DHCP Request packets, or DHCP users reaches the alarm threshold.

The undo dhcp snooping alarm enable interface command disables the alarm function.

By default, DHCP snooping alarm is disabled on an interface.

Format

dhcp snooping alarm { arp | ip | dhcp-request | dhcp-chaddr | dhcp-reply | user-limit } enable interface { interface-type interface-number | interface-name }

undo dhcp snooping alarm { arp | ip | dhcp-request | dhcp-chaddr | dhcp-reply | user-limit } enable interface { interface-type interface-number | interface-name }

Parameters

| Parameter | Description | Value |
|---|---|---|
| arp | Indicates that an alarm is generated when the number of dropped ARP packets reaches the threshold. | - |
| ip | Indicates that an alarm is generated when the number of dropped IP packets reaches the threshold. | - |
| dhcp-request | Indicates that an alarm is generated when the number of dropped DHCP request packets reaches the threshold. | - |
| dhcp-chaddr | Indicates that an alarm is generated when the number of dropped DHCP request packets reaches the alarm threshold. The DHCP request packets are dropped when the client hardware address (CHADDR) field does not match the source MAC address in the Ethernet frame header. | - |
| dhcp-reply | Indicates that an alarm is generated when the number of dropped DHCP Offer, ACK, or NAK packets on the untrusted interface reaches the threshold. | - |
| user-limit | Indicates that an alarm is generated when the number of DHCP snooping users exceeds the threshold. | - |
| interface interface-type interface-number | Specifies the interface on which an alarm is generated. This parameter applies only to the VLAN view. | - |

Views

VLAN view

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
|---|---|
| dhcp | write |

Usage Guidelines

Usage Scenario

You can configure the following check functions in DHCP snooping applications:

  • ARP check: ARP packets that do not match the binding table are dropped.
  • CHADDR field check: DHCP packets whose CHADDR field does not match the MAC address in the packet header are dropped.
  • DHCP reply check on the untrusted interface: DHCP reply packets received on the untrusted interface are dropped.
  • Check for packets requesting lease renewal: Packets that request lease renewal but do not match the binding table are dropped.
  • IP check: IP packets that do not match the binding table are dropped.
  • User number check: The maximum number of users is restricted.

After these check functions are enabled, you can configure the alarm function so that an alarm is generated and sent to the NMS when the number of dropped packets or the user number exceeds the threshold.

Prerequisites

  • For CHADDR field check and binding table check, DHCP check has been enabled using the dhcp snooping check enable command.
  • For DHCP reply check on the untrusted interface, the trusted interface has been configured using the dhcp snooping trusted or dhcp snooping trusted interface command.
  • DHCP snooping has been enabled globally using the dhcp snooping enable command.
  • For CHADDR field check, IP check, ARP check, check for packets requesting lease renewal, and binding table check, DHCP check has been enabled using the dhcp snooping check enable command.
  • For user number check:
      • The maximum number of users has been configured using the dhcp snooping max-user-number (interface view) command.
      • The maximum number of users has been configured using the dhcp snooping max-user-number (VLAN view) command.
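
One way to audit a saved configuration against the prerequisites above, as an added example (not Huawei's code). It assumes a saved-config layout in which view headers and global commands start at column 0 and commands inside a view are indented, and it matches prerequisite commands only by the name prefixes this page gives; `parse_views`, `audit`, and `SAMPLE` are hypothetical names and the sample configuration is constructed.

```python
import re

# Alarm type -> prefix of the prerequisite command named in the Prerequisites list.
# Only prefixes are matched: the full syntax of those commands is not on this page.
PREREQ = {**dict.fromkeys(("arp", "ip", "dhcp-request", "dhcp-chaddr"), "dhcp snooping check"),
          "dhcp-reply": "dhcp snooping trusted", "user-limit": "dhcp snooping max-user-number"}
ALARM = re.compile(r"^dhcp snooping alarm (\S+) enable interface (.+)$")

def parse_views(config):
    """Map each column-0 line (view header or global command) to its indented lines."""
    views, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("", "#"):
            continue
        if not raw.startswith(" "):
            current = line
            views.setdefault(current, [])
        elif current is not None:
            views[current].append(line)
    return views

def audit(config):
    """Return (vlan view, alarm type, interface, missing command) findings."""
    views = parse_views(config)
    iface_cmds = [c for v, cs in views.items() if v.startswith("interface ") for c in cs]
    findings = []
    for view, cmds in views.items():
        if not view.startswith("vlan "):
            continue
        for kind, iface in (m.groups() for m in map(ALARM.match, cmds) if m):
            if "dhcp snooping enable" not in views:  # global enable is a column-0 line
                findings.append((view, kind, iface, "dhcp snooping enable"))
            need = PREREQ.get(kind)
            # Simplification: accept the prerequisite in this VLAN view or any interface view.
            if need and not any(c.startswith(need) for c in cmds + iface_cmds):
                findings.append((view, kind, iface, need))
    return findings

# Constructed sample; prerequisite lines use the command names as this page gives them.
SAMPLE = """\
dhcp snooping enable
vlan 100
 dhcp snooping check enable
 dhcp snooping alarm arp enable interface GigabitEthernet 0/1/0
 dhcp snooping alarm dhcp-reply enable interface GigabitEthernet 0/1/0
 dhcp snooping alarm user-limit enable interface GigabitEthernet 0/1/0
interface GigabitEthernet 0/1/0
 port default vlan 100
"""
print(*audit(SAMPLE), sep="\n")
```

On the sample, the ARP alarm passes and the dhcp-reply and user-limit alarms are reported, because no trusted interface and no user limit are configured; an alarm enabled without its check can never fire.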

Follow-up Procedure

Run the dhcp snooping alarm threshold command to configure an alarm threshold.

Example

# Enable the alarm function for the scenario in which the number of dropped ARP packets reaches the threshold.
<HUAWEI> system-view
[~HUAWEI] vlan 100
[*HUAWEI-vlan100] commit
[~HUAWEI-vlan100] q
[~HUAWEI] interface GigabitEthernet 0/1/0
[~HUAWEI-GigabitEthernet0/1/0] portswitch
[*HUAWEI-GigabitEthernet0/1/0] port link-type access
[*HUAWEI-GigabitEthernet0/1/0] port default vlan 100
[*HUAWEI-GigabitEthernet0/1/0] commit
[~HUAWEI-GigabitEthernet0/1/0] q
[~HUAWEI] dhcp snooping enable
[~HUAWEI] vlan 100
[~HUAWEI-vlan100] dhcp snooping enable
[*HUAWEI-vlan100] dhcp snooping alarm arp enable interface GigabitEthernet 0/1/0
Copyright © Huawei Technologies Co., Ltd.