Commands for DHCP Snooping

7.5 Commands for DHCP Snooping

7.5.1 debug ip dhcp snooping binding

Command: debug ip dhcp snooping binding
no debug ip dhcp snooping binding
Function: This command is used to enable the DHCP snooping debug switch to debug the DHCP snooping binding data.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: This command is used to debug DHCP snooping when it adds ARP list entries, dot1x users, and trusted user list entries according to binding data.
Example: Enable DHCP snooping debug to debug the DHCP snooping binding data.

active500EM#debug ip dhcp snooping binding

 

7.5.2 debug ip dhcp snooping event

Command: debug ip dhcp snooping event
no debug ip dhcp snooping event
Function: This command is used to enable the DHCP snooping debug switch to debug DHCP snooping.
Parameters: None.
Command mode: Admin Mode.
Default: None.
Usage guide: This command is used to debug DHCP snooping. The output includes bind data and port action execution.
Example: Enable the DHCP snooping debug switch to debug DHCP snooping.

active500EM#debug ip dhcp snooping event

 

7.5.3 debug ip dhcp snooping packet

Command: debug ip dhcp snooping packet
no debug ip dhcp snooping packet
Function: This command is used to enable DHCP snooping debug to debug DHCP snooping message-processing.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Debug information includes DHCP snooping processing messages. This includes every step in the message-processing procedure: adding alarm information, adding bind information, transmitting DHCP messages, and adding/peeling option 82.
Example: Enable DHCP snooping debug to debug DHCP snooping message-processing.

active500EM#debug ip dhcp snooping packet

 

7.5.4 debug ip dhcp snooping packet interface

Command: debug ip dhcp snooping packet interface {[ethernet] <InterfaceName>}
no debug ip dhcp snooping packet {[ethernet] <InterfaceName>}
Function: This command is used to enable the DHCP snooping debug switch to debug the information of the received DHCP snooping packet.
Parameters:

  • <InterfaceName>: Interface name.

Command mode: Admin Mode
Default: None.
Usage guide: This command shows the DHCP snooping receiving messages from a specific port.
Example: Enable the DHCP snooping debug switch to debug the information of the received DHCP snooping packet.

active500EM#debug ip dhcp snooping packet interface ethernet 1/0/1

 

7.5.5 debug ip dhcp snooping update

Command: debug ip dhcp snooping update
no debug ip dhcp snooping update
Function: This command enables the DHCP snooping debug switch to debug the communication information between the DHCP snooping and helper server.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Debug the communication messages received and sent by the DHCP snooping and helper server.
Example: Debug the communication messages received and sent by the DHCP snooping and helper server.

active500EM#debug ip dhcp snooping update

 

7.5.6 enable trustview key

Command: enable trustview key {0 | 7} <password>
no enable trustview key
Function: Configure the DES encryption key for private packets. This command is also used to enable or disable the hash functions on the switch for the encrypted private packets.
Parameters:

  • <password>: encrypted key. The valid character string length is less than 16. 0 indicates that the password is entered as unencrypted text; 7 indicates that the password is entered as encrypted text.

Command mode: Global Mode
Default: Disabled.
Usage guide: The switch communicates with the TrustView management system through private protocols. By default, these packets are not encrypted. To prevent spoofing, the switch can be configured to encrypt these packets. The same password must also be configured on the TrustView server.
Example: Enable the private message encryption or hash function.

active500EM(config)#enable trustview key 0 att

 

7.5.7 ip dhcp snooping

Command: ip dhcp snooping enable
no ip dhcp snooping enable
Function: Enable DHCP Snooping.
Parameters: None.
Command mode: Global Mode
Default: Disabled.
Usage guide: When this function is enabled, all DHCP Server packets of non-trusted ports will be monitored.
Example: Enable DHCP Snooping.

active500EM(config)#ip dhcp snooping enable

 

7.5.8 ip dhcp snooping action

Command: ip dhcp snooping action {shutdown | blackhole} [recovery <second>]
no ip dhcp snooping action
Function: Set or delete the automatic port alarm.
Parameters:

  • shutdown: When the port detects a fake DHCP Server, that port will shut down.
  • blackhole: when the port detects a fake DHCP Server, the vid and source MAC of the fake packet will be used to block the traffic from this MAC.
  • recovery: users can recover the automatic alarm being executed (do not shut ports or delete a corresponding blackhole).
  • second: users can set the length of time for recovery after the alarm. The unit is seconds and the valid range is 10 to 3600.

Command mode: Port Mode
Default: None.
Usage guide: This command can be set when DHCP snooping is globally enabled. A trusted port will not detect a fake DHCP server and will not trigger an alarm. When a port turns into a trusted port from a non-trusted port, the original port alarm will be automatically deleted.
Example: Set the DHCP Snooping port alarm for port ethernet1/0/1 to blackhole with a recovery time of 30 seconds.

active500EM(config)#interface ethernet 1/0/1
active500EM(config-if-ethernet1/0/1)#ip dhcp snooping action blackhole recovery 30

 

7.5.9 ip dhcp snooping action MaxNum

Command: ip dhcp snooping action {<maxNum>|default}
Function: Set the number of defense actions which can simultaneously occur.
Parameters:

  • <maxNum>: the number of defense actions on each port. The valid range is from 1 to 200.
  • default: recover to the default value.

Command mode: Global Mode
Default: The default value is 10.
Usage guide: Set the maximum number of defense actions to avoid resource exhaustion of the switch caused by attacks. If the number of alarms is larger than the set value, then the earliest defense action will be recovered forcibly in order to send new defense actions.
Example: Set the number of port defense actions to 100.

active500EM(config)#ip dhcp snooping action 100

 

7.5.10 ip dhcp snooping binding

Command: ip dhcp snooping binding enable
no ip dhcp snooping binding enable
Function: Enables DHCP Snooping binding.
Parameters: None.
Command mode: Global Mode
Default: Disabled.
Usage guide: When the function is enabled, it will record the bind information allocated by all trusted ports of the DHCP Server. If DHCP snooping is enabled, the bind function can be enabled.
Example: Enable DHCP snooping binding.

active500EM(config)#ip dhcp snooping binding enable

Related Command: ip dhcp snooping enable
 

7.5.11 ip dhcp snooping binding arp

Command: ip dhcp snooping binding arp
no ip dhcp snooping binding arp
Function: Enable DHCP snooping binding ARP.
Parameters: None.
Command mode: Global Mode
Default: Disabled.
Usage guide: When this function is enabled, DHCP snooping will add binding ARP list entries according to the binding information. Once the binding function is enabled, the binding ARP function is also enabled. Binding ARP list entries are static entries without configuration restraints and will be added to the neighbor list. The ARP binding priority of list entries is lower than the priority of static ARP list entries set by the administrator. The ARP binding priority can be overwritten by static ARP list entries. However, when static ARP list entries are deleted, the binding ARP list entries cannot be recovered until DHCP snooping recaptures the binding information. Adding binding ARP list entries is used to prevent these list entries from being attacked by ARP cheating. At the same time, these static list entries need no reauthentication, which can prevent the switch from failing to reauthenticate ARP when it is being attacked by ARP scanning. Once DHCP snooping binding is enabled, binding ARP can be set.
Example: Enable DHCP snooping binding ARP.

active500EM(config)#ip dhcp snooping binding arp

Related Command: ip dhcp snooping binding enable
 

7.5.12 ip dhcp snooping binding dot1x

Command: ip dhcp snooping binding dot1x
no ip dhcp snooping binding dot1x
Function: Enables DHCP snooping binding DOT1X.
Parameters: None.
Command mode: Port Mode
Default: Binding DOT1X is disabled on all ports.
Usage guide: When this function is enabled, DHCP snooping will notify the DOT1X module of the captured binding information as a DOT1X controlled user. This command is mutually exclusive with the "ip dhcp snooping binding user-control" command. The binding DOT1X function can be set after DHCP snooping binding is enabled.
Example: Enable binding DOT1X on port ethernet1/0/1.

active500EM(config)#interface ethernet 1/0/1
active500EM(config-if-ethernet1/0/1)#ip dhcp snooping binding dot1x

Related Commands: ip dhcp snooping binding enable, ip dhcp snooping binding user-control
 

7.5.13 ip dhcp snooping binding user

Command: ip dhcp snooping binding user <mac> address <ipaddress> vlan <vid> interface [Ethernet] <ifname>
no ip dhcp snooping binding user <mac> interface [Ethernet] <ifname>
Function: Configure static binding user information.
Parameters:

  • <mac>: user's static binding MAC address. This is the only index of the binding user.
  • <ipaddress>: IP address of the static binding user.
  • <vid>: VLAN ID which the static binding user belongs to.
  • <ifname>: access interface of the static binding user.

Command mode: Global Mode
Default: DHCP Snooping has no static binding list entry.
Usage guide: Static binding users are handled in a similar manner as dynamic binding users captured by DHCP snooping. The following actions are allowed: notify DOT1X to be a controlled user of DOT1X, add a trusted user list entry directly, and add a binding ARP list entry. Static binding will not age and has a priority higher than dynamic binding users. Once DHCP snooping binding is enabled, static binding users can be enabled.
Example: Configure static binding users.

active500EM(config)#ip dhcp snooping binding user 00-03-0f-12-34-56 address 192.168.1.16 interface Ethernet 1/0/16

Related Command: ip dhcp snooping binding enable

7.5.14 ip dhcp snooping binding user-control

Command: ip dhcp snooping binding user-control
no ip dhcp snooping binding user-control
Function: Enable the binding user function.
Parameters: None.
Command mode: Port Mode
Default: Disabled on all ports.
Usage guide: When this function is enabled, DHCP snooping will treat the captured binding information as trusted users allowed to access all resources. This command is mutually exclusive with the "ip dhcp snooping binding dot1x" command. Only after DHCP snooping binding is enabled can the binding user function be set. This command is not limited by the VLAN-based "ip dhcp snooping" command; it is only limited by the global "ip dhcp snooping enable" command.
Example: Enable the binding user function on port ethernet1/0/1.

active500EM(config)#interface ethernet 1/0/1
active500EM(config-if-ethernet1/0/1)#ip dhcp snooping binding user-control

Related Commands: ip dhcp snooping binding enable, ip dhcp snooping binding dot1x
 

7.5.15 ip dhcp snooping binding user-control max-user

Command: ip dhcp snooping binding user-control max-user <number>
no ip dhcp snooping binding user-control max-user
Function: Set the maximum number of users allowed to access the port when enabling the DHCP snooping binding user function. The no command restores the default value.
Parameters:

  • <number>: maximum number of users allowed to access the port. The valid value is from 0 to 1024.

Command mode: Port Configuration Mode
Default: The maximum number of users allowed to access each port is 1024.
Usage guide: This command defines the maximum number of trusted users distributed according to the bind information when ip dhcp snooping binding user-control is enabled on the port. By default, the number is 1024. Considering the limited hardware resources of the switch, the actual number of trusted users depends on the resource load. If a larger maximum number of users is set using this command, DHCP snooping will distribute the bind information of untrusted users to the hardware so that they become trusted users, as long as there are available resources. Otherwise, DHCP snooping will change the distributed binding information according to the new smaller user number. When the number of distributed binding entries reaches the maximum limit, no new DHCP client will be able to become a trusted user or access other network resources via the switch.
Example: Enable the DHCP snooping binding user function on port ethernet1/0/1 and set the maximum number of users allowed to access port ethernet1/0/1 to 5.

active500EM(config-if-ethernet1/0/1)#ip dhcp snooping binding user-control max-user 5

Related Command: ip dhcp snooping binding user-control
 

7.5.16 ip dhcp snooping information enable

Command: ip dhcp snooping information enable
no ip dhcp snooping information enable
Function: This command will enable DHCP Snooping option 82 on the switch. The no command disables the function.
Parameters: None.
Command mode: Global Configuration Mode
Default: None.
Usage guide: DHCP snooping adds the standard option 82 to DHCP request messages and then forwards them only when this command is configured. The format of sub-option 1 in option 82 (circuit ID option) is the standard VLAN name plus the physical port name, like VLAN1+ethernet1/0/12. The format of sub-option 2 in option 82 (remote ID option) is the CPU MAC of the switch, like 00030f023301. If a DHCP request message that already carries option 82 is received, DHCP snooping will replace those options in the message with its own. If a DHCP reply message that carries option 82 is received, DHCP snooping will strip those options from the message and forward it.
Example: Enable the DHCP snooping option 82 function on the switch.

active500EM(config)#ip dhcp snooping enable
active500EM(config)#ip dhcp snooping binding enable
active500EM(config)#ip dhcp snooping information enable
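
The replace-on-request and strip-on-reply behaviour described in the usage guide, modelled as an added example (not code from the manual or the switch firmware). It assumes the generic DHCP option encoding (code, length, value), that the remote ID is carried as the 6 raw bytes of the CPU MAC, and all function names are hypothetical.

```python
"""Model of the option 82 handling described for ip dhcp snooping information enable."""

OPT_PAD, OPT_RELAY_INFO, OPT_END = 0, 82, 255   # DHCP option codes
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2            # option 82 sub-option codes


def parse_options(raw):
    """Split a DHCP options field into (code, value) pairs, stopping at End."""
    opts, i = [], 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # Pad has no length byte
            i += 1
            continue
        if i + 2 > len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts.append((code, value))
        i += 2 + length
    return opts


def build_options(opts):
    """Serialise (code, value) pairs and terminate with the End option."""
    out = bytearray()
    for code, value in opts:
        if len(value) > 255:
            raise ValueError("option %d too long" % code)
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def parse_suboptions(value):
    """Decode the sub-options inside an option 82 value into a dict."""
    subs, i = {}, 0
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated sub-option %d" % code)
        subs[code] = data
        i += 2 + length
    return subs


def standard_option82(vlan, port, cpu_mac_hex):
    """Standard format from the usage guide: VLAN name + port name, CPU MAC."""
    circuit = ("VLAN%d+%s" % (vlan, port)).encode("ascii")
    remote = bytes.fromhex(cpu_mac_hex)   # assumption: raw 6-byte MAC
    return (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUB_REMOTE_ID, len(remote)]) + remote)


def on_request(raw, vlan, port, cpu_mac_hex):
    """Request path: drop any option 82 already present, add the switch's own."""
    kept = [(c, v) for c, v in parse_options(raw) if c != OPT_RELAY_INFO]
    kept.append((OPT_RELAY_INFO, standard_option82(vlan, port, cpu_mac_hex)))
    return build_options(kept)


def on_reply(raw):
    """Reply path: strip option 82 before the message is forwarded."""
    return build_options(
        [(c, v) for c, v in parse_options(raw) if c != OPT_RELAY_INFO])


def demo():
    # Constructed request: message type Discover plus an option 82 that did
    # not come from this switch (circuit ID "fake").
    request = build_options([
        (53, b"\x01"),
        (OPT_RELAY_INFO, bytes([SUB_CIRCUIT_ID, 4]) + b"fake"),
    ])
    forwarded = on_request(request, 1, "ethernet1/0/12", "00030f023301")
    return parse_suboptions(dict(parse_options(forwarded))[OPT_RELAY_INFO])


if __name__ == "__main__":
    for code, data in demo().items():
        print(code, data)
```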

 

7.5.17 ip dhcp snooping information option allow-untrusted (replace|)

Command: ip dhcp snooping information option allow-untrusted (replace|)
no ip dhcp snooping information option allow-untrusted (replace|)
Function: This command allows DHCP snooping untrusted ports to receive DHCP packets that carry option 82. When the "replace" parameter is used, option 82 is allowed to be replaced. When this command is disabled, all untrusted ports drop DHCP packets with option 82.
Parameters: None.
Command mode: Global Mode
Default: Drop DHCP packets with option 82 received by untrusted ports.
Usage guide: A switch running DHCP snooping usually connects directly to terminal users, so by default untrusted ports do not allow option 82, which prevents users from adding it themselves. The uplink port should be set as a trusted port when DHCP snooping is enabled on the uplink.
Example: Enable the function that receives DHCP packets with option 82.

active500EM(config)#ip dhcp snooping information option allow-untrusted

 

7.5.18 ip dhcp snooping information option delimiter

Command: ip dhcp snooping information option delimiter [colon | dot | slash | space]
no ip dhcp snooping information option delimiter
Function: Set the delimiter of each parameter for sub-option of option 82 in Global Mode. The no command restores the delimiter as slash.
Parameters: None.
Command mode: Global Mode
Default: slash ("/").
Usage guide: The parameters that users define for a sub-option (remote-id, circuit-id) of option 82 in Global Mode are separated by the configured delimiter.
Example: Set the parameter delimiter to dot (".") for the sub-options of option 82.

active500EM(config)#ip dhcp snooping information option delimiter dot

 

7.5.19 ip dhcp snooping information option remote-id

Command: ip dhcp snooping information option remote-id {standard | <remote-id>}
no ip dhcp snooping information option remote-id
Function: Set the sub-option2 (remote ID option) content of option 82 added by DHCP request packets (they are received by the port). The no command sets the added sub-option2 (remote ID option) format of option 82 as standard.
Parameters:

  • standard: default VLAN MAC format.
  • <remote-id>: the option 82 remote-id content specified by users. The length cannot exceed 64 characters.

Command mode: Global Mode
Default: Standard format.
Usage guide: The added option 82 needs to work together with a third-party DHCP server. This command lets users specify the remote-id content when the standard remote-id format cannot satisfy the server's request.
Example: Set the DHCP option 82 sub-option remote-id to street-1-1.

active500EM(config)#ip dhcp snooping information option remote-id street-1-1

 

7.5.20 ip dhcp snooping information option self-defined remote-id

Command: ip dhcp snooping information option self-defined remote-id {hostname | mac | string WORD}
no ip dhcp snooping information option self-defined remote-id
Function: Set the creation method for option 82. Users can define the parameters of the remote-id sub-option.
Parameters:

  • WORD: defined character string of remote-id. The maximum length is 64.

Command mode: Global Mode
Default: Standard method.
Usage guide: After this command is configured, if the remote-id is not configured globally with ip dhcp snooping information option remote-id, the remote-id sub-option of option 82 is created according to the self-defined method. For mac, the ASCII format looks like 00-02-d1-2e-3a-0d, and the hex format occupies 6 bytes. The parameters are filled into the packet in the order in which they were configured and are separated by the delimiter (set with ip dhcp snooping information option delimiter).
Example: Set the self-defined method of the option 82 remote-id sub-option to "mac" followed by the character string "abc".

active500EM(config)#ip dhcp snooping information option self-defined remote-id mac string abc

 

7.5.21 ip dhcp snooping information option self-defined remote-id format

Command: ip dhcp snooping information option self-defined remote-id format [ascii | hex]
Function: Set the remote-id self-defined format for snooping option 82.
Parameters: None.
Command mode: Global Mode
Default: ASCII.
Usage guide: Self-defined format uses IP DHCP snooping information option type self-defined remote-id to create the remote-id format.
Example: Set remote-id self-defined format as hex for snooping option 82.

active500EM(config)#ip dhcp snooping information option self-defined remote-id format hex

 

7.5.22 ip dhcp snooping information option self-defined subscriber-id

Command: ip dhcp snooping information option self-defined subscriber-id {vlan | port | id (switch-id (mac | hostname)| remote-mac) | string WORD}
no ip dhcp snooping information option type self-defined subscriber-id
Function: Set creation method for option82. Users can define the parameters of circuit-id sub-option.
Parameters:

  • WORD: defined circuit-id character string. The maximum length is 64.

Command mode: Global Mode
Default: Standard method.
Usage guide: After this command is configured, if users do not configure a circuit-id on the port, an option 82 circuit-id sub-option will be created according to the self-defined method.

  • Circuit-id self-defined format: if the self-defined subscriber-id format is ascii, the VLAN is filled in as "VLAN2", the port as "Ethernet1/0/1", and the MAC and remote-mac in a format like "00-02-d1-2e-3a-0d".
  • Self-defined format of hex: the VLAN occupies 2 bytes and the port occupies 4 bytes. Of the port bytes, one byte is the slot (for a chassis switch it is the slot ID; for a box switch it is 1), one byte is the Module (the default is 0), and two bytes are the port ID beginning from 1. The MAC and remote-mac occupy 6 bytes. The parameters are filled into the packet in the order in which they were configured and are separated by the delimiter (set with ip dhcp snooping information option delimiter).

Example: Set self-defined method of circuit-id sub-option as VLAN, port, MAC, and remote-mac for option 82.

active500EM(config)#ip dhcp snooping information option self-defined subscriber-id vlan port id remote-mac

 

7.5.23 ip dhcp snooping information option self-defined subscriber-id format

Command: ip dhcp snooping information option self-defined subscriber-id format [ascii | hex]
Function: Set the circuit-id self-defined format for snooping option 82.
Parameters: None.
Command mode: Global Mode
Default: ASCII.
Usage guide: The self-defined format uses the IP DHCP snooping option type self-defined subscriber-id to create the circuit-id format.
Example: Set the circuit-id self-defined format as hex for snooping option 82.

active500EM(config)#ip dhcp snooping information option self-defined subscriber-id format hex

 

7.5.24 ip dhcp snooping information option subscriber-id

Command: ip dhcp snooping information option subscriber-id {standard | <circuit-id>}
no ip dhcp snooping information option subscriber-id
Function: Set the sub-option1 (circuit ID option) content of option 82 added by DHCP request packets (which are received by the port). The no command sets the added sub-option1 (circuit ID option) format of option 82 to standard.
Parameters:

  • standard: the VLAN name in standard format and the physical port name. For example VLAN2+Ethernet1/0/12.
  • <circuit-id>: the option 82 circuit-id content specified by the user. The valid length cannot exceed 64 characters.

Command mode: Port Mode
Default: Standard format.
Usage guide: The added option 82 needs to work together with a third-party DHCP server. This command is used to specify the circuit-id content when the standard circuit-id format cannot satisfy the server's request.
Example: Set the DHCP option 82 sub-option circuit-id to P2.

active500EM(config)#ip dhcp snooping information option subscriber-id P2

 

7.5.25 ip dhcp snooping information option subscriber-id format

Command: ip dhcp snooping information option subscriber-id format {hex | acsii | vs-hp}
Function: This command is used to set the DHCP snooping option 82 subscriber-id format.
Parameters:

  • hex: subscriber-id is set to VLAN and port information is in hexadecimal format.
  • acsii: subscriber-id is set to VLAN and the port information is in ASCII format.
  • vs-hp: subscriber-id is compatible with the format of HP (Hewlett Packard).

Command mode: Global Mode
Default: ASCII.
Usage guide: This command can set the VLAN and port information in ASCII format, such as Vlan1+Ethernet1/0/11. VLAN and port information in hexadecimal format is shown below:

  • VLAN field: fill in the VLAN ID. For a chassis switch, slot means slot number. For a box switch, Slot is 1. The default Module is 0. Port means the port number which begins from 1.

The compatible subscriber-id format with HP is shown below:

  • Port: port number which begins with 1.

Example: Set the DHCP snooping option 82 subscriber-id format to hexadecimal format.

active500EM(config)#ip dhcp snooping information option subscriber-id format hex

 

7.5.26 ip dhcp snooping limit-rate

Command: ip dhcp snooping limit-rate <pps>
no ip dhcp snooping limit-rate
Function: Set the DHCP message rate limit.
Parameters:

  • <pps>: number of DHCP messages transmitted every minute. The valid range is from 0 to 100. 0 means that no DHCP messages will be transmitted.

Command mode: Global Mode
Default: The default value is 100.
Usage guide: After enabling DHCP snooping, the switch will monitor the DHCP messages and start transmission. The software performance of the switch is relative to the type of the switch and its current load.
Example: Set the message transmission rate to 50 pps.

active500EM(config)#ip dhcp snooping limit-rate 50

 

7.5.27 ip dhcp snooping trust

Command: ip dhcp snooping trust
no ip dhcp snooping trust
Function: Set or delete the DHCP Snooping trust attributes of a port.
Parameters: None.
Command mode: Port Mode
Default: All ports are non-trusted ports.
Usage guide: This command can be set only when DHCP snooping is globally enabled. When a port turns into a trusted port from a non-trusted port, the original defense action of the port will be automatically deleted. All the security history records will be cleared (except the information in the system log).
Example: Set port ethernet1/0/1 to a DHCP Snooping trusted port.

active500EM(config)#interface ethernet 1/0/1
active500EM(config-if-ethernet1/0/1)#ip dhcp snooping trust

 

7.5.28 ip user helper-address

Command: ip user helper-address <svr-addr> [port <udp-port>] source <src-addr> [secondary]
no ip user helper-address [secondary]
Function: Set the address and port of the HELPER SERVER.
Parameters:

  • <svr-addr>: IP address of the helper server in dotted-decimal notation.
  • udp-port: UDP port of the helper server. The valid range is from 1 to 65535. The default value is 9119.
  • src-addr: local management IP address for the switch in dotted-decimal notation.
  • secondary: identifies if the address is a secondary server address.

Command mode: Global Mode
Default: No helper server address.
Usage guide: DHCP snooping will send the monitored binding information to the helper server to save it. If the switch starts abnormally, it can recover the bind data from the HELPER SERVER. The helper server function usually is integrated into the DCBI packet. The DHCP snooping and helper server use UDP protocol to communicate. They guarantee that transmitted data arrives. The helper server configuration can also be used to send DOT1X user data from the server. The usage detail is described in the DOT1X Configuration Chapter. Two helper server addresses are allowed. DHCP snooping will try to connect to the primary server first. When the primary server is unreachable, the switch helper server connects to the secondary server. Please note: the source address is the effective management IP address of the switch. If the management IP address of the switch changes, this configuration should be updated.
Example: Set the local management IP address to 100.1.1.1. Set the primary helper server address to 100.1.1.100 and the port to default value.

active500EM(config)#interface vlan 1
active500EM(config-if-vlan1)#ip address 100.1.1.1 255.255.255.0
active500EM(config-if-vlan1)#exit
active500EM(config)#ip user helper-address 100.1.1.100 source 100.1.1.1

 

7.5.29 ip user private packet version two

Command: ip user private packet version two
no ip user private packet version two
Function: Configure the switch to choose private packet version two in order to communicate with TrustView.
Parameters: None.
Command mode: Global Mode.
Default: The switch chooses private packet version one to communicate with DCBI.
Usage guide: If the DCBI access control system is applied, the switch should be configured to use private protocol of version one to communicate with the DCBI server. If TrustView is applied, version two should be applied.
Example: Configure the switch to choose private packet version two to communicate with the inter security management background system.

active500EM(config)#ip user private packet version two

 

7.5.30 show ip dhcp snooping

Command: show ip dhcp snooping [interface [ethernet] <interfaceName>]
Function: Display the current DHCP snooping configuration information or display the alarm records for a specific port.
Parameters:

  • <interfaceName>: name of the identified port for DHCP snooping configuration information.

Command mode: Admin and Global Configuration Mode
Default: None.
Usage guide: If no specific port is identified, then the current DHCP snooping configuration information will be displayed. If a specific port is identified, alarm records of the identified port will be displayed.
Example: Display the current DHCP snooping configuration information.

active500EM#show ip dhcp snooping
DHCP Snooping is enabled
DHCP Snooping binding arp: disabled
DHCP Snooping maxnum of action info:10
DHCP Snooping limit rate: 100(pps), switch ID: 0003.0F12.3456
DHCP Snooping droped packets: 0, discarded packets: 0
DHCP Snooping alarm count: 0, binding count: 0,
   expired binding: 0, request binding: 0
interface         trust      action    recovery    alarm num    bind num
---------------------------------------------------------------------
Ethernet1/0/1     trust      none      0second     0            0
Ethernet1/0/2     untrust    none      0second     0            0
Ethernet1/0/3     untrust    none      0second     0            0
Ethernet1/0/4     untrust    none      0second     0            1
Ethernet1/0/5     untrust    none      0second     2            0
Ethernet1/0/6     untrust    none      0second     0            0
Ethernet1/0/7     untrust    none      0second     0            0
Ethernet1/0/8     untrust    none      0second     0            1
Ethernet1/0/9     untrust    none      0second     0            0
Ethernet1/0/10    untrust    none      0second     0            0
Ethernet1/0/11    untrust    none      0second     0            0
Ethernet1/0/12    untrust    none      0second     0            0
Ethernet1/0/13    untrust    none      0second     0            0
Ethernet1/0/14    untrust    none      0second     0            0
Ethernet1/0/15    untrust    none      0second     0            0
Ethernet1/0/16    untrust    none      0second     0            0
Ethernet1/0/17    untrust    none      0second     0            0
Ethernet1/0/18    untrust    none      0second     0            0
Ethernet1/0/19    untrust    none      0second     0            0
Ethernet1/0/20    untrust    none      0second     0            0
Ethernet1/0/21    untrust    none      0second     0            0
Ethernet1/0/22    untrust    none      0second     0            0
Ethernet1/0/23    untrust    none      0second     0            0
Ethernet1/0/24    untrust    none      0second     0            0

Displayed Information                  Explanation
---------------------------------------------------------------------
DHCP Snooping is enable                Displays DHCP snooping as globally enabled or disabled.
DHCP Snooping binding arp              Displays ARP binding as enabled or disabled.
DHCP Snooping maxnum of action info    Maximum number of port alarms.
DHCP Snooping limit rate               Receiving packet rate limitation.
switch ID                              The switch ID is used to identify the switch. Usually the CPU MAC address is used.
DHCP Snooping droped packets           Number of messages dropped when the received DHCP messages exceed the rate limit.
discarded packets                      Number of discarded packets caused by communication failure within the system. This communication failure can occur if the CPU of the switch is too busy to schedule the DHCP snooping task and cannot handle received DHCP messages.
DHCP Snooping alarm count:             Number of alarm records.
binding count                          Number of bound records.
expired binding                        Number of bound records which are expired but have not been deleted. The expired information may not be deleted immediately, as the switch needs to notify the helper server and the helper server may not have acknowledged it yet.
request binding                        Number of request records.
interface                              Name of port.
trust                                  Trust attributes of the port.
action                                 Automatic port alarm.
recovery                               Automatic recovery time of the port.
alarm num                              Number of alarm history records for the port.
bind num                               Number of binds.

active500EM#show ip dhcp snooping int Ethernet 1/0/1
interface Ethernet1/0/1 user config:
trust attribute: untrust
action: none
binding dot1x: disabled
binding user: disabled
recovery interval:0(s)
Alarm info: 0
Binding info: 0
Expired Binding: 0
Request Binding: 0

Displayed Information    Explanation
---------------------------------------------------------------------
interface                Name of port.
trust attribute          Trust attributes of the port.
action                   Port alarms.
recovery interval        Automatic recovery time of the port.
maxnum of alarm info     Maximum number of alarms that can be recorded by the port.
binding dot1x            Displays if the bind DOT1X function is enabled on the port.
binding user             Displays if the bind user function is enabled on the port.
Alarm info               Number of alarms.
Binding info             Number of bound records.
Expired Binding          The expired bind records.
Request Binding          Request information.
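
An audit check built on the fields explained above, as an added example that is not part of the original manual. It parses show ip dhcp snooping output and flags trusted ports that are not on an expected uplink list, untrusted ports that have recorded alarms while no shutdown or blackhole action is set, and rate-limit drops. The sample output is constructed; the "blackhole" value in the action column, the function names and the finding labels are assumptions.

```python
import re

# Constructed sample in the layout of the `show ip dhcp snooping` output
# (four ports only; the values are illustrative, not captured from a switch).
SAMPLE = """\
DHCP Snooping is enabled
DHCP Snooping binding arp: disabled
DHCP Snooping maxnum of action info:10
DHCP Snooping limit rate: 100(pps), switch ID: 0003.0F12.3456
DHCP Snooping droped packets: 0, discarded packets: 0
DHCP Snooping alarm count: 3, binding count: 1,
   expired binding: 0, request binding: 0
interface         trust      action    recovery    alarm num    bind num
---------------------------------------------------------------------
Ethernet1/0/1     trust      none      0second     0            0
Ethernet1/0/4     untrust    none      0second     0            1
Ethernet1/0/5     untrust    none      0second     2            0
Ethernet1/0/6     untrust    blackhole 30second    1            0
"""

# One row of the per-interface table.
ROW_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<trust>trust|untrust)\s+(?P<action>\S+)\s+"
    r"(?P<recovery>\d+)second\s+(?P<alarms>\d+)\s+(?P<binds>\d+)\s*$"
)


def parse_ports(text):
    """Return one dict per interface row; header and rule lines do not match."""
    ports = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            for key in ("recovery", "alarms", "binds"):
                row[key] = int(row[key])
            ports.append(row)
    return ports


def parse_globals(text):
    """Extract the global state lines needed by the audit."""
    dropped = re.search(r"droped packets:\s*(\d+)", text)   # spelling as printed
    return {
        "enabled": bool(re.search(r"^DHCP Snooping is enabled", text, re.M)),
        "dropped": int(dropped.group(1)) if dropped else 0,
    }


def audit(text, expected_trusted=frozenset()):
    """Return (subject, finding) pairs in the order they appear in the output."""
    findings = []
    state = parse_globals(text)
    if not state["enabled"]:
        findings.append(("global", "snooping-disabled"))
    if state["dropped"] > 0:
        # DHCP messages exceeded the configured limit-rate.
        findings.append(("global", "rate-limit-drops"))
    for row in parse_ports(text):
        if row["trust"] == "trust" and row["port"] not in expected_trusted:
            # Trusted ports do not detect fake DHCP servers or raise alarms,
            # so every trusted port should be a known uplink.
            findings.append((row["port"], "unexpected-trust"))
        if (row["trust"] == "untrust" and row["alarms"] > 0
                and row["action"] == "none"):
            # Alarms were recorded but nothing shuts the port or blackholes
            # the offending MAC.
            findings.append((row["port"], "alarms-without-action"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE, {"Ethernet1/0/1"}):
        print(subject, finding)
```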

 

7.5.31 show ip dhcp snooping binding all

Command: show ip dhcp snooping binding all
Function: Displays the current global DHCP snooping bind information.
Parameters: None.
Command mode: Admin and Global Configuration Mode.
Default: None.
Usage guide: This command checks the DHCP snooping global bind information. Each table entry includes the corresponding MAC address, IP address, port name, VLAN ID, and the flag of the binding state. DHCP snooping must be enabled globally for this command to be configured.
Example: Display the current global DHCP snooping bind information.

active500EM#show ip dhcp snooping binding all
ip dhcp snooping static binding count:1169, dynamic binding count:0
MAC                 IP address      Interface     Vlan ID   Flag
--------------------------------------------------------------------------
00-00-00-00-11-11   192.168.40.1    Ethernet1/0/1    1      S
00-00-00-00-00-10   192.168.40.10   Ethernet1/0/2    1      D
00-00-00-00-00-11   192.168.40.11   Ethernet1/0/4    1      D
00-00-00-00-00-12   192.168.40.12   Ethernet1/0/4    1      D
00-00-00-00-00-13   192.168.40.13   Ethernet1/0/4    1      SU
00-00-00-00-00-14   192.168.40.14   Ethernet1/0/4    1      SU
00-00-00-00-00-15   192.168.40.15   Ethernet1/0/5    1      SL
00-00-00-00-00-16   192.168.40.16   Ethernet1/0/5    1      SL
--------------------------------------------------------------------------
The flag explanation of the binding state:
S The static binding is configured by shell command
D The dynamic binding type
U The binding is uploaded to the server
R The static binding is configured by the server
O DHCP response with the option82
L The hardware drive is announced by the binding
X Announcing dot1x module is successful
E Announcing dot1x module is fail

 

7.5.32 show trustview status

Command: show trustview status
Function: Show state information for the private packets sent to or received from TrustView (inter security management background system).
Parameters: None.
Command mode: Admin and Global Configuration Mode
Default: None.
Usage guide: This command can be used to debug communication messages between the switch and the TrustView server. Messages such as protocol version notification, encryption negotiation, free resource and web URL redirection, number of forced log-off messages, and the number of forced accounting update messages will be displayed.
Example: Show state information for the private packets sent to or received from TrustView.

active500EM#show trustview status
Primary TrustView Server 200.101.0.9:9119
TrustView version2 message inform successed
TrustView inform free resource successed
TrustView inform web redirect address successed
TrustView inform user binding data successed
TrustView version2 message encrypt/digest enabled
Key: 08:02:33:34:35:36:37:38
Rcvd 106 encrypted messages, in which MD5-error 0 messages, DES-error 0 messages
Sent 106 encrypted messages
Free resource is 200.101.0.9/255.255.255.255
Web redirect address for unauthencated users is <http://200.101.0.9:8080>
Rcvd 0 force log-off packets
Rcvd 19 force accounting update packets
Using version two private packet

 