DHCP Snooping Commands
This chapter describes the syntax of the DHCP snooping commands and gives examples of their use. It includes the following commands:
clear ip dhcp snooping binding
Use this command to remove all entries from the binding table.
Command Syntax
clear ip dhcp snooping (source|) binding bridge <1-32>
Parameters
<1-32>
Bridge number
source
IP source guard
Default
No default value is specified.
Command Mode
Privileged Exec Mode and Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#clear ip dhcp snooping binding bridge 1
debug ip dhcp snooping
Use this command to enable debugging for DHCP snooping.
Use the no parameter to disable the debug options.
Command Syntax
debug ip dhcp snooping (event|rx|tx|packet|all)
no debug ip dhcp snooping (event|rx|tx|packet|all)
Parameters
event
Enable event debugging
rx
Enable receive debugging
tx
Enable transmit debugging
packet
Enable packet debugging
all
Enable all debugging
Default
By default all debugging options are disabled.
Command Mode
Exec mode and configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#debug ip dhcp snooping all
#no debug ip dhcp snooping packet
ip dhcp packet strict-validation
Use this command to enable strict validation of DHCP packets. Strict validation of the DHCP packet checks that the DHCP option field in the packet is valid including the magic cookie value in the first four bytes of the options field. The device drops the packet if validation fails.
Use the no parameter to disable strict validation.
Command Syntax
ip dhcp packet strict-validation bridge <1-32>
no ip dhcp packet strict-validation bridge <1-32>
Parameters
<1-32>
Bridge number
Default
By default strict validation of the DHCP packets is disabled.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#ip dhcp packet strict-validation bridge 1
(config)#no ip dhcp packet strict-validation bridge 1
ip dhcp snooping
Use this command to enable DHCP snooping on the bridge level.
Use the no parameter to remove the entire DHCP snooping configuration.
Command Syntax
ip dhcp snooping bridge <1-32>
no ip dhcp snooping bridge <1-32>
Parameters
<1-32>
Bridge number
Default
By default, DHCP snooping is disabled on the bridge.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#ip dhcp snooping bridge 1
(config)#no ip dhcp snooping bridge 1
 
ip dhcp snooping binding
Use this command to create a static binding entry in the binding table. All the DHCP responses will be validated against the static entries. If the response does not match the entry in the binding table, the response packet is dropped.
Use the no parameter to remove an entry from the binding table.
Command Syntax
ip dhcp snooping binding bridge <1-32> XXXX.XXXX.XXXX <1-4094> (ipv4 A.B.C.D | ipv6 X:X::X:X) IFNAME
no ip dhcp snooping binding bridge <1-32> XXXX.XXXX.XXXX <1-4094> (ipv4 | ipv6 )
Parameters
<1-32>
Bridge number
XXXX.XXXX.XXXX
MAC address
<1-4094>
VLAN identifier
A.B.C.D
IPv4 address
X:X::X:X
IPv6 address
IFNAME
Interface name
Default
By default, the binding table has no entries.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#ip dhcp snooping binding bridge 1 0001.0002.0003 2 ipv4 12.0.0.1 xe1
(config)#no ip dhcp snooping binding bridge 1 0001.0002.0003 2 ipv4
ip dhcp snooping database
Use this command to write the entries in the binding table to persistent storage.
Command Syntax
ip dhcp snooping database bridge <1-32>
Parameters
<1-32>
Bridge number
Default
No default value is specified.
Command Mode
Privileged Exec Mode and Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#ip dhcp snooping database bridge 1
ip dhcp snooping information option
Use this command to insert option 82 information into DHCP packets.
Use the no parameter to disable inserting option 82.
Command Syntax
ip dhcp snooping information option bridge <1-32>
no ip dhcp snooping information option bridge <1-32>
Parameters
<1-32>
Bridge number
Default
By default, option 82 information insertion is disabled.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#ip dhcp snooping information option bridge 1
(config)#no ip dhcp snooping information option bridge 1
ip dhcp snooping ratelimit
Use this command to limit the rate of DHCP packets per second.
Use the no parameter to set the rate limit to its default value (100 pps).
Command Syntax
ip dhcp snooping ratelimit RATELIMIT bridge <1-32>
no ip dhcp snooping ratelimit bridge <1-32>
Parameters
RATELIMIT
Packets per second <0-2048>
<1-32>
Bridge number
Default
The default rate limit value is 100 packets per second.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#ip dhcp snooping ratelimit 2000 bridge 1
(config)#no ip dhcp snooping ratelimit bridge 1
ip dhcp snooping trust
Use this command to mark an interface as trusted. All DHCP servers must be connected to the trusted interface.
Use the no parameter to remove an interface from the list of trusted interfaces.
Command Syntax
ip dhcp snooping trust
no ip dhcp snooping trust
Parameters
None
Default
By default all interfaces are untrusted.
Command Mode
Interface mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#interface xe1
(config-if)#ip dhcp snooping trust
(config-if)#no ip dhcp snooping trust
ip dhcp snooping verify mac-address
Use this command to enable the DHCP snooping MAC address verification. If the device receives a DHCP request packet on an untrusted interface and the source MAC address and the DHCP client hardware address do not match, the device drops the packet.
Use the no parameter to disable the address verification.
Command Syntax
ip dhcp snooping verify mac-address bridge <1-32>
no ip dhcp snooping verify mac-address bridge <1-32>
Parameters
<1-32>
Bridge number
Default
By default address verification is disabled.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#ip dhcp snooping verify mac-address bridge 1
(config)#no ip dhcp snooping verify mac-address bridge 1
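The two per-packet checks described under ip dhcp packet strict-validation and ip dhcp snooping verify mac-address, shown in Python as an added example (not OcNOS code). The option walk and the end-option requirement follow RFC 2131/2132 and are an assumption about what "valid" covers beyond the magic cookie; parse_options, check_request and build_request are hypothetical names, and the sample packets are constructed.

```python
import struct

MAGIC_COOKIE = bytes([99, 130, 83, 99])  # 0x63825363, first four bytes of the options field
BOOTP_FIXED_LEN = 236                    # fixed header (op .. file) that precedes the options
PAD, END = 0, 255                        # single-byte options with no length field

def parse_options(options: bytes) -> dict:
    """Strict walk of the options field; raises ValueError if it is malformed."""
    if options[:4] != MAGIC_COOKIE:
        raise ValueError("bad magic cookie")
    opts, i = {}, 4
    while i < len(options):
        code = options[i]
        if code == END:
            return opts
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option %d has no length byte" % code)
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:   # declared length runs past the end of the packet
            raise ValueError("option %d overruns the packet" % code)
        opts[code] = value
        i += 2 + length
    raise ValueError("missing end option")  # assumption: an end option is required

def check_request(eth_src: bytes, bootp: bytes) -> str:
    """Return 'forward' or a drop reason for a request seen on an untrusted port."""
    if len(bootp) < BOOTP_FIXED_LEN + 4:
        return "drop: truncated"
    try:
        parse_options(bootp[BOOTP_FIXED_LEN:])
    except ValueError as exc:
        return "drop: " + str(exc)
    chaddr = bootp[28:28 + min(bootp[2], 16)]  # hlen bytes of the client hardware address
    if chaddr != eth_src:                      # MAC verification: frame source vs. chaddr
        return "drop: chaddr does not match source MAC"
    return "forward"

def build_request(chaddr: bytes, options: bytes) -> bytes:
    """Constructed sample input: a minimal BOOTREQUEST carrying the given options."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, len(chaddr), 0, 0x1234, 0, 0,
                        b"", b"", b"", b"", chaddr, b"", b"")
    return fixed + options
```

Calling check_request with the frame's source MAC and the UDP payload returns either "forward" or the reason the packet would be dropped, which is also a convenient way to test what a client or relay emits before enabling the checks on a bridge.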
ip dhcp snooping vlan
Use this command to enable DHCP snooping for the given VLAN.
Use the no parameter to disable the DHCP snooping on the VLAN.
Command Syntax
ip dhcp snooping vlan VLAN_RANGE2 bridge <1-32>
no ip dhcp snooping vlan VLAN_RANGE2 bridge <1-32>
Parameters
VLAN_RANGE2
VLAN identifier <1-4094>
<1-32>
Bridge number
Default
By default, DHCP snooping is disabled on all VLANs.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#configure terminal
(config)#ip dhcp snooping vlan 10 bridge 1
(config)#no ip dhcp snooping vlan 10 bridge 1
 
 
renew ip dhcp snooping binding database
Use this command to populate the binding table by fetching the binding entries from persistent storage.
Command Syntax
renew ip dhcp snooping (source|) binding database bridge <1-32>
Parameters
<1-32>
Bridge number
source
IP source guard
Default
No default value is specified.
Command Mode
Privileged Exec Mode and Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#renew ip dhcp snooping binding database bridge 1
 
show debugging ip dhcp snooping
Use this command to display the enabled debugging options.
Command Syntax
show debugging ip dhcp snooping
Parameters
None
Command Mode
Privileged Exec Mode and Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#show debugging ip dhcp snooping
DHCP snoop debugging status:
DHCP snoop event debugging is on
DHCP snoop tx debugging is on
 
show ip dhcp snooping
Use this command to display the DHCP configuration, including trusted ports, rate limit, configured VLAN, active VLAN, and strict validation status.
Command Syntax
show ip dhcp snooping bridge <1-32>
Parameters
<1-32>
Bridge number
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#sh ip dhcp snooping bridge 1
 
Bridge Group : 1
DHCP snooping is : Enabled
DHCP snooping option82 is : Disabled
Verification of hwaddr field is : Disabled
Rate limit(pps) : 100
 
DHCP snooping trust is configured on the following Interfaces
 
Interface       Trusted
--------------- -------
xe1/4           Yes
 
DHCP snooping IP Source Guard is configured on the following Interfaces
 
Interface       Source Guard
--------------- ------------
 
show ip dhcp snooping arp-inspection statistics
Use this command to display the DHCP snooping dynamic ARP inspection statistics.
Command Syntax
show ip dhcp snooping arp-inspection statistics bridge <1-32>
Parameters
<1-32>
Bridge number
Command Mode
Privileged Exec Mode and Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#show ip dhcp snooping arp-inspection statistics bridge 1
 
bridge forwarded dai dropped
------ --------- -----------
1      0         0
Table 7-11 explains the show command output fields.
 
Table 7-11: show ip dhcp snooping arp-inspection statistics output
Field        Description
-----------  -----------
bridge       The bridge identifier (number) on which snooping is being used.
forwarded    Number of packets forwarded to neighbor.
dai dropped  Number of packets that have been dropped because they did not pass dynamic ARP inspection (DAI).
show ip dhcp snooping binding
Use this command to display the DHCP snooping binding table.
Command Syntax
show ip dhcp snooping (source|) binding bridge <1-32>
Parameters
<1-32>
Bridge number
source
DHCP snooping IP source guard
Command Mode
Privileged Exec Mode and Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#show ip dhcp snooping binding bridge 1
 
Total number of static IPV4 entries : 1
Total number of dynamic IPV4 entries : 0
Total number of static IPV6 entries : 0
Total number of dynamic IPV6 entries : 0
 
MacAddress     IpAddress     Lease(sec) Type        VLAN Interface
-------------- ------------- ---------- ----------- ---- ----------
0001.0002.0003 12.0.0.1      0          static      2    xe2
Table 7-12 explains the show command output fields.
 
Table 7-12: show ip dhcp snooping binding output details 
Entry                                 Description
------------------------------------  -----------
Total number of static IPV4 entries   Number of static IPV4 entries in the interface.
Total number of dynamic IPV4 entries  Number of dynamic IPV4 entries in the interface.
Total number of static IPV6 entries   Number of static IPV6 entries in the interface.
Total number of dynamic IPV6 entries  Number of dynamic IPV6 entries in the interface.
Mac Address                           MAC address that forwards the packet into a given DHCP instance.
IP Address                            IP address of the peer device.
Lease (sec)                           The DHCP lease time in seconds provided to untrusted IP addresses.
Type                                  Configured either statically or dynamically by the DHCP server.
VLAN                                  Identifier of the VLAN.
Interface                             Interface being snooped.