set antispoof dhcp-snooping mac-verification

Use this command to enable or disable the DHCP snooping MAC verification on the specified port or port range.

Syntax

set antispoof dhcp-snooping mac-verification {enable | disable} port-string

Parameters

enable	Enables DHCP snooping MAC verification on the specified port or port range.
disable	Disables DHCP snooping MAC verification on the specified port or port range.
`port-string`	Specifies the port or port range.

Defaults

DHCP snooping MAC verification is disabled by default on all ports.

Mode

All command modes.

Usage

The DHCP client packet contains an L2 source MAC address and an L3 client hardware address. With DHCP snooping MAC verification enabled, DHCP snooping verifies that the source MAC address and the client hardware address match in DHCP client packets that transit untrusted ports. If the addresses do not match, the packet is dropped. DHCP MAC verification is a network edge feature that should be enabled on ports transited by client packets from the intended client. For DHCP snooping MAC verification to be operational:

DHCP snooping must be enabled using set antispoof dhcp-snooping
The port must be set to untrusted using set antispoof dhcp-snooping port-mode

Examples

This example shows how to enable DHCP snooping MAC verification on port ge.1.2:

System(rw)->set antispoof dhcp-snooping mac-verification ge.1.2

Published May 2016prev | next

Email this topic

Print this page Print this page

Leave feedback Feedback