DHCP Snooping Commands

OcNOS-RON : System Management Guide : System Management Command Reference : DHCP Snooping Commands

This chapter provides a description of the syntax and examples DHCP snooping. It includes the following commands:

• clear ip dhcp snooping binding

• debug ip dhcp snooping

• ip dhcp packet strict-validation

• ip dhcp snooping

• ip dhcp snooping binding

• ip dhcp snooping database

• ip dhcp snooping information option

• ip dhcp snooping ratelimit

• ip dhcp snooping trust

• ip dhcp snooping verify mac-address

• ip dhcp snooping vlan

• renew ip dhcp snooping binding database

• show debugging ip dhcp snooping

• show ip dhcp snooping

• show ip dhcp snooping arp-inspection statistics

• show ip dhcp snooping binding

clear ip dhcp snooping binding

Use this command to remove all entries from the binding table.

Command Syntax

clear ip dhcp snooping (source|) binding bridge <1-32>

Parameters

<1-32>

Bridge number

source

IP source guard

Default

No default value is specified.

Command Mode

Privileged Exec Mode and Exec mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

#clear ip dhcp snooping binding bridge 1

debug ip dhcp snooping

Use this command to enable the debugging DHCP snooping.

Use the no parameter to disable the debug options.

Command Syntax

debug ip dhcp snooping (event|rx|tx|packet|all)

no debug ip dhcp snooping (event|rx|tx|packet|all)

Parameters

event

Enable event debugging

Enable receive debugging

Enable transmit debugging

packet

Enable packet debugging

all

Enable all debugging

Default

By default all debugging options are disabled.

Command Mode

Exec mode and configure mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

#debug ip dhcp snooping all

#no debug ip dhcp snooping packet

ip dhcp packet strict-validation

Use this command to enable strict validation of DHCP packets. Strict validation of the DHCP packet checks that the DHCP option field in the packet is valid including the magic cookie value in the first four bytes of the options field. The device drops the packet if validation fails.

Use the no parameter to disable strict validation.

Command Syntax

ip dhcp packet strict-validation bridge <1-32>

no ip dhcp packet strict-validation bridge <1-32>

Parameters

<1-32>

Bridge number

Default

By default strict validation of the DHCP packets is disabled.

Command Mode

Configure mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

#config termminal

(config)#ip dhcp packet strict-validation bridge 1

(config)#no ip dhcp packet strict-validation bridge 1

ip dhcp snooping

Use this command to enable DHCP snooping on the bridge level.

Use the no parameter to remove the entire DHCP snooping configuration.

Command Syntax

ip dhcp snooping bridge <1-32>

no ip dhcp snooping bridge <1-32>

Parameters

<1-32>

Bridge number

Default

By default dhcp snooping will be disabled on the bridge.

Command Mode

Configure mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

#configure terminal

(config)#ip dhcp snooping bridge 1

(config)#no ip dhcp snooping bridge 1

ip dhcp snooping binding

Use this command to create a static binding entry in the binding table. All the DHCP responses will be validated against the static entries. If the response does not match the entry in the binding table, the response packet is dropped.

Use the no parameter to remove an entry from the binding table.

Command Syntax

ip dhcp snooping binding bridge <1-32> XXXX.XXXX.XXXX <1-4094> (ipv4 A.B.C.D | ipv6 X:X::X:X) IFNAME

no ip dhcp snooping binding bridge <1-32> XXXX.XXXX.XXXX <1-4094> (ipv4 | ipv6 )

Parameters

<1-32>

Bridge number

XXXX.XXXX.XXXX

MAC address

<1-4094>

VLAN identifier

A.B.C.D

IPv4 address

X:X::X:X

IPv6 address

IFNAME

Interface name

Default

By default binding table will not have any entry

Command Mode

Configure mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

#configure terminal

(config)#ip dhcp snooping binding bridge 1 0001.0002.0003 2 ipv4 12.0.0.1 xe1

(config)#no ip dhcp snooping binding bridge 1 0001.0002.0003 2 ipv4

ip dhcp snooping database

Use this command to write the entries in the binding table to persistent storage.

Command Syntax

ip dhcp snooping database bridge <1-32>

Parameters

<1-32>

Bridge number

Default

No default value is specified.

Command Mode

Privileged Exec Mode and Exec mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

#ip dhcp snooping database bridge 1

ip dhcp snooping information option

Use this command to insert option 82 information into DHCP packets.

Use the no parameter to disable inserting option 82.

Command Syntax

ip dhcp snooping information option bridge <1-32>

no ip dhcp snooping information option bridge <1-32>

Parameters

<1-32>

Bridge number

Default

By default address option 82 information insertion is disabled.

Command Mode

Configure mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

#configure terminal

(config)#ip dhcp snooping information option bridge 1

(config)#no ip dhcp snooping information option bridge 1

ip dhcp snooping ratelimit

Use this command to limit the rate of DHCP packets per second.

Use the no parameter to set the rate limit to its default value (100 pps).

Command Syntax

ip dhcp snooping ratelimit RATELIMIT bridge <1-32>

no ip dhcp snooping ratelimit bridge <1-32>

Parameters

RATELIMIT

Packets per second <0-2048>

<1-32>

Bridge number

Default

The default rate limit value is 100 packets per second.

Command Mode

Configure mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

#configure terminal

(config)#ip dhcp snooping ratelimit 2000 bridge 1

(config)#no ip dhcp snooping ratelimit bridge 1

ip dhcp snooping trust

Use this command to mark an interface as trusted. All DHCP servers must be connected to the trusted interface.

Use the no parameter to remove an interface from the list of trusted interfaces.

Command Syntax

ip dhcp snooping trust

no ip dhcp snooping trust

Parameters

None

Default

By default all interfaces are untrusted.

Command Mode

Interface mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

#configure terminal

(config)#interface xe1

(config-if)#ip dhcp snooping trust

(config-if)#no ip dhcp snooping trust

ip dhcp snooping verify mac-address

Use this command to enable the DHCP snooping MAC address verification. If the device receives a DHCP request packet on an untrusted interface and the source MAC address and the DHCP client hardware address do not match, the device drops the packet.

Use the no parameter to disable the address verification.

Command Syntax

ip dhcp snooping verify mac-address bridge <1-32>

no ip dhcp snooping verify mac-address bridge <1-32>

Parameters

<1-32>

Bridge number

Default

By default address verification is disabled.

Command Mode

Configure mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

#configure terminal

(config)#ip dhcp snooping verify mac-address bridge 1

(config)#no ip dhcp snooping verify mac-address bridge 1

ip dhcp snooping vlan

Use this command to enable DHCP snooping for the given VLAN.

Use the no parameter to disable the DHCP snooping on the VLAN.

Command Syntax

ip dhcp snooping vlan VLAN_RANGE2 bridge <1-32>

no ip dhcp snooping vlan VLAN_RANGE2 bridge <1-32>

Parameters

VLAN_RANGE2

VLAN identifier <1-4094>

<1-32>

Bridge number

Default

By default DHCP snooping will be disabled on all the vlans

Command Mode

Configure mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

#configure terminal

(config)#ip dhcp snooping vlan 10 bridge 1

(config)#no ip dhcp snooping vlan 10 bridge 1

renew ip dhcp snooping binding database

Use this command to populate the binding table by fetching the binding entries from persistent storage.

Command Syntax

renew ip dhcp snooping (source|) binding database bridge <1-32>

Parameters

<1-32>

Bridge number

source

IP source guard

Default

No default value is specified.

Command Mode

Privileged Exec Mode and Exec mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

#renew ip dhcp snooping binding database bridge 1

show debugging ip dhcp snooping

Use this command to display the enabled debugging options.

Command Syntax

show debugging ip dhcp snooping

Parameters

None

Command Mode

Privileged Exec Mode and Exec mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

#show debugging ip dhcp snooping

DHCP snoop debugging status:

DHCP snoop event debugging is on

DHCP snoop tx debugging is on

show ip dhcp snooping

Use this command to display the DHCP configuration, including trusted ports, rate limit, configured VLAN, active VLAN, and strict validation status.

Command Syntax

show ip dhcp snooping bridge <1-32>

Parameters

<1-32>

Bridge number

Command Mode

Exec mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

#sh ip dhcp snooping bridge 1

Bridge Group : 1

DHCP snooping is : Enabled

DHCP snooping option82 is : Disabled

Verification of hwaddr field is : Disabled

Rate limit(pps) : 100

DHCP snooping trust is configured on the following Interfaces

Interface Trusted

--------------- -------

xe1/4 Yes

DHCP snooping IP Source Guard is configured on the following Interfaces

Interface Source Guard

--------------- ------------

show ip dhcp snooping arp-inspection statistics

Use this command to display the dhcp snooping dynamic ARP inspection statistics information.

Command Syntax

show ip dhcp snooping arp-inspection statistics bridge <1-32>

Parameters

<1-32>

Bridge number

Command Mode

Privileged Exec Mode and Exec mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

#show ip dhcp snooping arp-inspection statistics bridge 1

bridge forwarded dai dropped

------ --------- -----------

1 0 0

Table 7-11 explains the show command output fields.

Table 7-11: show ip dhcp snooping arp-inspection statistics output
Field	Description
bridge	The bridge identifier (number) on which snooping is being used.
forward	Number of packets forwarded to neighbor.
dai dropped	Number of packets that have been dropped because they did not pass dynamic arp inspection (DAI).

show ip dhcp snooping binding

Use this command to display the dhcp snooping binding table.

Command Syntax

show ip dhcp snooping (source|) binding bridge <1-32>

Parameters

<1-32>

Bridge number

source

DHCP snooping IP source guard

Command Mode

Privileged Exec Mode and Exec mode

Applicability

This command was introduced before OcNOS version 1.3.

Example

#show ip dhcp snooping binding bridge 1

Total number of static IPV4 entries : 1

Total number of dynamic IPV4 entries : 0

Total number of static IPV6 entries : 0

Total number of dynamic IPV6 entries : 0

MacAddress IpAddress Lease(sec) Type VLAN Interface

-------------- ------------- ---------- ----------- ---- ----------

0001.0002.0003 12.0.0.1 0 static 2 xe2

Table 7-12 explains the show command output fields.

Table 7-12: show ip dhcp snooping binding output details
Entry	Description
Total number of static IPV4 entries	Number of static IPV4 entries in the interface.
Total number of dynamic IPV4 entries	Number of dynamic IPV4 entries in the interface.
Total number of static IPV6 entries	Number of static IPV6 entries in the interface.
Total number of dynamic IPV6 entries	Number of dynamic IPV6 entries in the interface.
Mac Address	MAC address forwards the packet into a given dhcp instance.
IP Address	IP address of the peer device.
Lease (sec)	The DHCP lease time in seconds provided to untrusted IP addresses.
Type	Configured either statically or dynamically by the DHCP server.
VLAN	Identifier of the number.
Interface	Interface is being snooped.