DHCP Snooping Commands
This chapter describes the commands for DHCP snooping.
debug ip dhcp snooping
Use this command to enable debugging for DHCP snooping.
Use the no form of this command to disable the debug options.
Command Syntax
debug ip dhcp snooping (event|rx|tx|packet|all)
no debug ip dhcp snooping (event|rx|tx|packet|all)
Parameters
event
Enable event debugging
rx
Enable receive debugging
tx
Enable transmit debugging
packet
Enable packet debugging
all
Enable all debugging
Default
By default all debugging options are disabled.
Command Mode
Exec mode and configure mode
Applicability
This command was introduced in OcNOS version 5.0.
Example
#debug ip dhcp snooping all
#no debug ip dhcp snooping packet
hardware-profile filter dhcp-snoop
Use this command to enable or disable the ingress dhcp-snoop TCAM group.
Command Syntax
hardware-profile filter dhcp-snoop (disable | enable)
Parameters
enable
Enable the ingress dhcp-snoop group
disable
Disable the ingress dhcp-snoop group
Default
None
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 5.0.
Examples
configure terminal
(config)#hardware-profile filter dhcp-snoop enable
 
hardware-profile filter dhcp-snoop-ipv6
Use this command to enable or disable the ingress dhcp-snoop-ipv6 TCAM group.
Command Syntax
hardware-profile filter dhcp-snoop-ipv6 (disable | enable)
Parameters
enable
Enable the ingress dhcp-snoop-ipv6 group
disable
Disable the ingress dhcp-snoop-ipv6 group
Default
None
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 5.0.
Examples
configure terminal
(config)#hardware-profile filter dhcp-snoop-ipv6 enable
 
ip dhcp packet strict-validation bridge
Use this command to enable strict validation of DHCP packets. Strict validation checks that the DHCP option field in the packet is valid including the magic cookie in the first four bytes of the options field. The device drops the packet if validation fails.
Use the no form of this command to disable strict validation.
Command Syntax
ip dhcp packet strict-validation bridge <1-32>
no ip dhcp packet strict-validation bridge <1-32>
Parameters
<1-32>
Bridge number
Default
By default, strict validation of DHCP packets is disabled.
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 5.0.
Example
configure terminal
(config)#bridge 1 protocol mstp
(config)#ip dhcp snooping bridge 1
(config)#ip dhcp packet strict-validation bridge 1
ip dhcp snooping arp-inspection bridge
Use this command to enable or disable ARP inspection on the bridge.
Note: You must enable DHCP snooping before enabling ARP inspection.
Command Syntax
ip dhcp snooping arp-inspection bridge <1-32>
no ip dhcp snooping arp-inspection bridge <1-32>
Parameter
<1-32>
Bridge number
Default
None
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 5.0.
Example
#configure terminal
(config)#bridge 1 protocol mstp
(config)#ip dhcp snooping bridge 1
(config)#ip dhcp snooping arp-inspection bridge 1
 
ip dhcp snooping arp-inspection vlan
Use this command to enable ARP inspection on the VLAN in a bridge.
Use the no form of this command to disable ARP inspection on the VLAN in a bridge.
Command Syntax
ip dhcp snooping arp-inspection vlan VLAN_RANGE2 bridge <1-32>
no ip dhcp snooping arp-inspection vlan VLAN_RANGE2 bridge <1-32>
Parameters
VLAN_RANGE2
VLAN identifier <1-4094> or range such as 2-5,10 or 2-5,7-19
<1-32>
Bridge number
Default
None
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 5.0.
Examples
configure terminal
(config)#bridge 1 protocol mstp
(config)#ip dhcp snooping bridge 1
(config)#ip dhcp snooping arp-inspection bridge 1
(config)#vlan 2 bridge 1 state enable
(config)#ip dhcp snooping vlan 2 bridge 1
(config)#ip dhcp snooping arp-inspection vlan 2 bridge 1
 
ip dhcp snooping arp-inspection validate
Use this command to enable validation of the source-mac, destination-mac, or IP address field in the ARP packet payload.
Note: The IP address in the payload is validated to ensure that it is not a broadcast address, a reserved zero IP address, or a multicast address.
Use the no form of this command to disable validation of the source-mac, destination-mac, or IP address field in the ARP packet payload.
Command Syntax
ip dhcp snooping arp-inspection validate (dst-mac | ip | src-mac) bridge <1-32>
no ip dhcp snooping arp-inspection validate (dst-mac | ip | src-mac) bridge <1-32>
Parameters
dst-mac
Destination MAC validation
ip
ARP IP address validation
src-mac
Source MAC validation
<1-32>
Bridge number
Default
None
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 5.0.
Examples
#configure terminal
(config)#bridge 1 protocol mstp
(config)#ip dhcp snooping bridge 1
(config)#ip dhcp snooping arp-inspection bridge 1
(config)#ip dhcp snooping arp-inspection validate dst-mac bridge 1
(config)#no ip dhcp snooping arp-inspection validate dst-mac bridge 1
(config)#ip dhcp snooping arp-inspection validate src-mac bridge 1
(config)#no ip dhcp snooping arp-inspection validate src-mac bridge 1
(config)#ip dhcp snooping arp-inspection validate ip bridge 1
(config)#no ip dhcp snooping arp-inspection validate ip bridge 1
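The three validate checks expressed in Python over raw Ethernet frames (an added example, not OcNOS code). The page defines only the IP rule; comparing the Ethernet header MACs with the ARP payload MACs for src-mac and dst-mac, and checking the target IP only in replies, follow the usual dynamic ARP inspection convention and are assumptions here, as are the constructed sample frames.

```python
import ipaddress
import struct

def parse_arp(frame: bytes):
    """Split an Ethernet II frame carrying an IPv4 ARP packet into its fields."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return eth_dst, eth_src, op, sha, spa, tha, tpa

def bad_ip(addr: bytes) -> bool:
    """Page rule: reject the zero, broadcast and multicast addresses."""
    ip = ipaddress.IPv4Address(addr)
    return int(ip) in (0, 0xFFFFFFFF) or ip.is_multicast

def inspect_arp(frame: bytes, checks=("src-mac", "dst-mac", "ip")):
    """Return the enabled checks that the frame fails (empty list = forward)."""
    eth_dst, eth_src, op, sha, spa, tha, tpa = parse_arp(frame)
    failed = []
    # Assumption: src-mac compares the Ethernet source with the ARP sender MAC.
    if "src-mac" in checks and eth_src != sha:
        failed.append("src-mac")
    # Assumption: dst-mac applies to replies (op 2) and compares with the target MAC.
    if "dst-mac" in checks and op == 2 and eth_dst != tha:
        failed.append("dst-mac")
    # Assumption: the sender IP is always checked, the target IP only in replies.
    if "ip" in checks and (bad_ip(spa) or (op == 2 and bad_ip(tpa))):
        failed.append("ip")
    return failed

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Build a constructed sample frame for exercising the checks."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return (eth_dst + eth_src + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + sha + ip(spa) + tha + ip(tpa))

# Constructed addresses; HOST reuses the MAC shown in the binding table example.
HOST, GW, OTHER = (bytes.fromhex(m) for m in ("3cfdfe0b06e0", "0200000000fe", "020000000bad"))
GOOD = build_arp(GW, HOST, 2, HOST, "12.12.12.10", GW, "12.12.12.1")
MISMATCH = build_arp(GW, HOST, 2, OTHER, "12.12.12.1", GW, "12.12.12.254")

if __name__ == "__main__":
    print(inspect_arp(GOOD), inspect_arp(MISMATCH), inspect_arp(MISMATCH, checks=()))
```

With no validate option enabled (`checks=()`), the frame whose payload MAC disagrees with its Ethernet header is forwarded, which is why each option has to be turned on explicitly.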
 
ip dhcp snooping bridge
Use this command to enable DHCP snooping on a bridge.
Use the no form of this command to disable DHCP snooping on a bridge.
Command Syntax
ip dhcp snooping bridge <1-32>
no ip dhcp snooping bridge <1-32>
Parameters
<1-32>
Bridge number
Default
By default DHCP snooping is disabled on a bridge.
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 5.0.
Example
#configure terminal
(config)#bridge 1 protocol mstp
(config)#ip dhcp snooping bridge 1
 
ip dhcp snooping database
Use this command to write the entries in the binding table to persistent storage.
Command Syntax
ip dhcp snooping database bridge <1-32>
Parameters
<1-32>
Bridge number
Default
No default value is specified.
Command Mode
Privileged Exec Mode and Exec mode
Applicability
This command was introduced in OcNOS version 5.0.
Example
#ip dhcp snooping database bridge 1
ip dhcp snooping information option bridge
Use this command to insert interface and VLAN name in the option 82 field in DHCP packets.
Use the no form of this command to disable inserting option 82 information in DHCP packets.
Command Syntax
ip dhcp snooping information option bridge <1-32>
no ip dhcp snooping information option bridge <1-32>
Parameters
<1-32>
Bridge number
Default
By default option 82 information insertion is disabled.
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 5.0.
Example
#configure terminal
(config)#bridge 1 protocol mstp
(config)#ip dhcp snooping bridge 1
(config)#vlan 2 bridge 1 state enable
(config)#ip dhcp snooping vlan 2 bridge 1
(config)#ip dhcp snooping information option bridge 1
 
ip dhcp snooping trust
Use this command to mark an interface as trusted. All DHCP servers must be connected to the trusted interface.
Use the no form of this command to remove an interface from the list of trusted interfaces.
Command Syntax
ip dhcp snooping trust
no ip dhcp snooping trust
Parameters
None
Default
By default all interfaces are untrusted.
Command Mode
Interface mode
Applicability
This command was introduced in OcNOS version 5.0.
Example
configure terminal
(config)#bridge 1 protocol mstp
(config)#ip dhcp snooping bridge 1
(config)#vlan 2 bridge 1 state enable
(config)#ip dhcp snooping vlan 2 bridge 1
(config)#interface xe1
(config-if)#switchport
(config-if)#bridge-group 1
(config-if)#switchport mode access
(config-if)#switchport access vlan 2
(config-if)#ip dhcp snooping trust
 
ip dhcp snooping verify mac-address
Use this command to enable MAC address verification. If the device receives a DHCP request packet on an untrusted interface and the source MAC address and the DHCP client hardware address do not match, the device drops the packet.
Use the no form of this command to disable address verification.
Command Syntax
ip dhcp snooping verify mac-address bridge <1-32>
no ip dhcp snooping verify mac-address bridge <1-32>
Parameters
<1-32>
Bridge number
Default
By default MAC address verification is disabled.
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 5.0.
Example
#configure terminal
(config)#bridge 1 protocol mstp
(config)#ip dhcp snooping bridge 1
(config)#ip dhcp snooping verify mac-address bridge 1
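Both drop decisions in Python, covering this MAC address check and the strict validation described under ip dhcp packet strict-validation bridge (an added example, not OcNOS code). The magic cookie test and the source MAC versus client hardware address comparison come from the page; the option length walk and the END option requirement are assumptions about what a valid options field means, and the sample packets are constructed.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # first four bytes of the options field (RFC 2131)
FIXED_LEN = 236                      # BOOTP header length before the options field

def check_dhcp(eth_src: bytes, payload: bytes, strict=True, verify_mac=True):
    """Return None to forward a request seen on an untrusted port, else the drop reason."""
    if len(payload) < FIXED_LEN + 4:
        return "truncated"
    if strict:
        opts = payload[FIXED_LEN:]
        if opts[:4] != MAGIC_COOKIE:
            return "bad magic cookie"
        i = 4
        while True:                      # assumption: every option TLV must fit
            if i >= len(opts):
                return "missing END option"
            code = opts[i]
            if code == 255:              # END
                break
            if code == 0:                # PAD has no length byte
                i += 1
                continue
            if i + 1 >= len(opts) or i + 2 + opts[i + 1] > len(opts):
                return "option overruns packet"
            i += 2 + opts[i + 1]
    if verify_mac:
        hlen = payload[2]                # hardware address length field
        if hlen > 16 or payload[28:28 + hlen] != eth_src:
            return "chaddr mismatch"
    return None

def build_dhcp(chaddr: bytes, cookie=MAGIC_COOKIE, options=b"\x35\x01\x01\xff") -> bytes:
    """Constructed sample: minimal BOOTREQUEST carrying a DHCPDISCOVER option."""
    hdr = struct.pack("!BBBB", 1, 1, len(chaddr), 0)   # op, htype, hlen, hops
    hdr += bytes(24)                                   # xid through giaddr
    hdr += chaddr.ljust(16, b"\x00") + bytes(192)      # chaddr, sname, file
    return hdr + cookie + options

CLIENT = bytes.fromhex("3cfdfe0b06e0")   # MAC shown in the binding table example
OTHER = bytes.fromhex("020000000bad")    # constructed

if __name__ == "__main__":
    print(check_dhcp(CLIENT, build_dhcp(CLIENT)))
    print(check_dhcp(OTHER, build_dhcp(CLIENT)))
    print(check_dhcp(CLIENT, build_dhcp(CLIENT, cookie=bytes(4))))
```

Passing `strict=False, verify_mac=False` models the defaults, under which neither malformed options nor a mismatched client hardware address causes a drop.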
 
ip dhcp snooping vlan
Use this command to enable DHCP snooping for the given VLAN.
Use the no form of this command to disable DHCP snooping for a VLAN.
Command Syntax
ip dhcp snooping vlan VLAN_RANGE2 bridge <1-32>
no ip dhcp snooping vlan VLAN_RANGE2 bridge <1-32>
Parameters
VLAN_RANGE2
VLAN identifier <1-4094> or range such as 2-5,10 or 2-5,7-19
<1-32>
Bridge number
Default
By default DHCP snooping is disabled for all VLANs.
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 5.0.
Example
configure terminal
(config)#vlan 2 bridge 1 state enable
(config)#ip dhcp snooping vlan 2 bridge 1
 
 
renew ip dhcp snooping binding database
Use this command to populate the binding table by fetching the binding entries from persistent storage.
Command Syntax
renew ip dhcp snooping (source|) binding database bridge <1-32>
Parameters
<1-32>
Bridge number
source
IP source guard
Default
No default value is specified.
Command Mode
Privileged Exec Mode and Exec mode
Applicability
This command was introduced in OcNOS version 5.0.
Example
#renew ip dhcp snooping binding database bridge 1
 
show debugging ip dhcp snooping
Use this command to display the enabled debugging options.
Command Syntax
show debugging ip dhcp snooping
Parameters
None
Command Mode
Privileged Exec Mode and Exec mode
Applicability
This command was introduced in OcNOS version 5.0.
Example
#show debugging ip dhcp snooping
DHCP snoop debugging status:
DHCP snoop event debugging is on
DHCP snoop tx debugging is on
show ip dhcp snooping arp-inspection statistics bridge
Use this command to display the DHCP dynamic ARP inspection statistics for a bridge.
Command Syntax
show ip dhcp snooping arp-inspection statistics bridge <1-32>
Parameters
<1-32>
Bridge number.
Command Mode
Exec mode
Applicability
This command was introduced in OcNOS version 5.0.
Examples
#show ip dhcp snooping arp-inspection statistics bridge 1
 
bridge forwarded dai dropped
------ --------- -----------
1      9         1
Table 3-1 explains the fields in the output.
Table 3-1: show ip dhcp snooping arp-inspection statistics bridge fields
Field          Description
bridge         Bridge number.
forwarded      Number of forwarded packets.
dai dropped    Number of dropped packets.
 
show ip dhcp snooping bridge
Use this command to display the DHCP configuration, including trusted ports, configured VLAN, active VLAN, and strict validation status.
Command Syntax
show ip dhcp snooping bridge <1-32>
Parameters
<1-32>
Bridge number
Command Mode
Exec mode
Applicability
This command was introduced in OcNOS version 5.0.
Example
#show ip dhcp snooping bridge 1
 
Bridge Group : 1
DHCP snooping is : Enabled
DHCP snooping option82 is : Disabled
Verification of hwaddr field is : Disabled
Strict validation of DHCP packet is : Disabled
DB Write Interval(secs) : 300
DHCP snooping is configured on following VLANs : 20,30
DHCP snooping is operational on following VLANs : 20,30
 
DHCP snooping trust is configured on the following Interfaces
 
Interface       Trusted
--------------- -------
xe1             Yes
 
DHCP snooping IP Source Guard is configured on the following Interfaces
 
Interface       Source Guard
--------------- ------------
Table 3-2 explains the fields in the output.
Table 3-2: show ip dhcp snooping bridge fields
Field                                             Description
Bridge Group                                      Bridge number
DHCP snooping is                                  Whether DHCP snooping is enabled
DHCP snooping option82 is                         Whether DHCP snooping option 82 is enabled
Verification of hwaddr field is                   Whether verification of hwaddr field is enabled
Strict validation of DHCP packet is               Whether strict validation of DHCP packets is enabled
DB Write Interval(secs)                           Database write interval in seconds
DHCP snooping is configured on following VLANs    VLANs on which DHCP snooping is enabled
DHCP snooping is operational on following VLANs   VLANs on which DHCP snooping is operating
Interface                                         Interface name
Trusted                                           Whether DHCP snooping trust is enabled on the interface
Source Guard                                      Whether DHCP snooping IP source guard is enabled on the interface
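An audit of this output in Python, flagging disabled checks, VLANs that are configured but not operational, and trusted ports outside an allowlist (an added example, not part of OcNOS). The sample text is taken from the example output above; `expected_trusted` is a hypothetical allowlist of the ports that face DHCP servers.

```python
import re

# Lines from the example output above (blank lines omitted).
SAMPLE = """\
Bridge Group : 1
DHCP snooping is : Enabled
DHCP snooping option82 is : Disabled
Verification of hwaddr field is : Disabled
Strict validation of DHCP packet is : Disabled
DB Write Interval(secs) : 300
DHCP snooping is configured on following VLANs : 20,30
DHCP snooping is operational on following VLANs : 20,30
DHCP snooping trust is configured on the following Interfaces
Interface Trusted
--------------- -------
xe1 Yes
"""

CHECKS = {  # field label -> finding reported when the value is not "Enabled"
    "DHCP snooping is": "DHCP snooping disabled",
    "Verification of hwaddr field is": "hwaddr (MAC) verification disabled",
    "Strict validation of DHCP packet is": "strict validation disabled",
}

def vlans(text: str) -> set:
    # Expand a list such as "2-5,10" into a set of VLAN ids.
    out = set()
    for part in filter(None, text.split(",")):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(output: str, expected_trusted) -> list:
    """Return findings for one bridge; expected_trusted is a hypothetical allowlist."""
    fields, trusted, in_trust = {}, set(), False
    for line in map(str.strip, output.splitlines()):
        kv = re.match(r"(.+?)\s*:\s*(.*)$", line)
        if kv:
            fields[kv.group(1)] = kv.group(2)
        elif line.startswith("Interface"):       # table header: Trusted or Source Guard
            in_trust = line.split()[1:] == ["Trusted"]
        elif in_trust and re.match(r"\S+\s+Yes$", line):
            trusted.add(line.split()[0])
    findings = [msg for key, msg in CHECKS.items() if fields.get(key) != "Enabled"]
    key = "DHCP snooping is {} on following VLANs"
    gap = vlans(fields.get(key.format("configured"), "")) - vlans(fields.get(key.format("operational"), ""))
    if gap:
        findings.append(f"VLANs configured but not operational: {sorted(gap)}")
    return findings + [f"unexpected trusted interface: {i}" for i in sorted(trusted - set(expected_trusted))]
```

Run against the example output with `{"xe1"}` as the allowlist, the audit reports the two disabled checks, matching the defaults documented for verify mac-address and strict-validation.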
 
show ip dhcp snooping binding bridge
Use this command to display the DHCP snooping binding table.
Command Syntax
show ip dhcp snooping binding bridge <1-32>
Parameters
<1-32>
Bridge number
Command Mode
Exec mode
Applicability
This command was introduced in OcNOS version 5.0.
Example
#show ip dhcp snooping binding bridge 1
 
Total number of static IPV4 entries : 0
Total number of dynamic IPV4 entries : 2
Total number of static IPV6 entries : 0
Total number of dynamic IPV6 entries : 0
 
MacAddress         IpAddress       Lease(sec) Type          VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------
3cfd.fe0b.06e0     12.12.12.10     30         dhcp-snooping 20   xe12
3cfd.fe0b.06e0     30.30.30.30     480        dhcp-snooping 30   xe12
 
Table 3-3 explains the fields in the output.
Table 3-3: show ip dhcp snooping binding bridge fields
Field                                   Description
Total number of static IPV4 entries     Number of static IPV4 entries.
Total number of dynamic IPV4 entries    Number of dynamic IPV4 entries.
Total number of static IPV6 entries     Number of static IPV6 entries.
Total number of dynamic IPV6 entries    Number of dynamic IPV6 entries.
MacAddress                              MAC address of the interface.
IpAddress                               IP address of the peer device.
Lease(sec)                              DHCP lease time in seconds provided to untrusted IP addresses.
Type                                    Configured either statically or dynamically by the DHCP server.
VLAN                                    VLAN identifier.
Interface                               Interface being snooped.