33-4
Software Configuration Guide—Release 12.2(25)EW
OL-6696-01
Chapter 33 Configuring DHCP Snooping and IP Source Guard
Configuring DHCP Snooping on the Switch
If you want to change the default configuration values, see the “Enabling DHCP Snooping” section.
Enabling DHCP Snooping
Note When DHCP snooping is enabled globally, DHCP requests are dropped until the ports are configured.
Consequently, you should probably this feature during a maintenance window and not during
production.
To enable DHCP snooping, perform this task:
You can configure DHCP snooping for a single VLAN or a range of VLANs. To configure a single
VLAN, enter a single VLAN number. To configure a range of VLANs, enter a beginning and an ending
VLAN number or a dash and range of VLANs.
This example shows how to enable DHCP snooping on VLANs 10 through 100:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10 100
Switch(config)# interface GigabitEthernet 5/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# interface FastEthernet 2/1
Switch(config-if)# ip dhcp snooping limit rate 100
DHCP snooping trust Untrusted
DHCP snooping vlan Disabled
Table 33-1 Default Configuration Values for DHCP Snooping (continued)
Option Default Value/State
Command Purpose
Step 1
Switch(config)# ip dhcp snooping
Enables DHCP snooping globally.
You can use the no keyword to disable DHCP snooping.
Step 2
Switch(config)# ip dhcp snooping vlan
number
[
number
] | vlan {
vlan range
}]
Enables DHCP snooping on your VLAN or VLAN range
Step 3
Switch(config-if)# ip dhcp snooping trust
Configures the interface as trusted or untrusted.
You can use the no keyword to configure an interface to
receive messages from an untrusted client.
Step 4
Switch(config-if)# ip dhcp snooping limit rate
rate
Configures the number of DHCP packets per second
(pps) that an interface can receive.
1
1. Cisco recommends not configuring the untrusted interface rate limit to more than 100 packets per second. The recommended rate limit for
each untrusted client is 15 packets per second. Normally, the rate limit applies to untrusted interfaces. If you want to set up rate limiting for
trusted interfaces, keep in mind that trusted interfaces aggregate all DHCP traffic in the switch, and you will need to adjust the rate limit to a
higher value. You should fine tune this threshold depending on the network configuration. The CPU should not receive DHCP packets at a
sustained rate of more than 1,000 packets per second
Step 5
Switch(config)# end
Exits configuration mode.
Step 6
Switch# show ip dhcp snooping
Verifies the configuration.
To Next Page
Loading...
Need help?
General
