Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
 
Chapter 60      Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts
Configuring DHCP Snooping
To disable DHCP snooping, use the no ip dhcp snooping global configuration command. To disable 
DHCP snooping on a VLAN or range of VLANs, use the no ip dhcp snooping vlan vlan-range global 
configuration command. To disable the insertion and removal of the Option 82 field, use the no ip dhcp 
snooping information option global configuration command. To configure an aggregation switch to 
drop incoming DHCP snooping packets with Option 82 information from an edge switch, use the no ip 
dhcp snooping information option allow-untrusted global configuration command. 
This example shows how to enable DHCP snooping globally and on VLAN 10 and to configure a rate 
limit of 100 packets per second on a port:
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# ip dhcp snooping information option
Switch(config)# interface gigabitethernet2/0/1
Switch(config-if)# ip dhcp snooping limit rate 100
The following example shows how to enable DHCP snooping on VLANs 500 through 555 and to configure 
the Option 82 circuit ID:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 500 555
Switch(config)# ip dhcp snooping information option format remote-id string switch123
Switch(config)# interface GigabitEthernet 5/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# ip dhcp snooping limit rate 100
Switch(config-if)# ip dhcp snooping vlan 555 information option format-type circuit-id string customer-555
Switch(config-if)# interface FastEthernet 2/1
Switch(config-if)# ip dhcp snooping vlan 555 information option format-type circuit-id string customer-500
Switch(config)# end
This example shows how to configure the Option 82 circuit-ID override suboption:
Switch(config-if)# ip dhcp snooping vlan 250 information option format-type circuit-id 
Command and Purpose

Step 10
Command: Switch(config-if)# ip dhcp snooping limit rate rate
Purpose: (Optional) Configures the number of DHCP packets per second that an 
interface can receive. The range is 1 to 2048. By default, no rate limit is 
configured.
Note: We recommend an untrusted rate limit of not more than 100 
packets per second. If you configure rate limiting for trusted 
interfaces, you might need to increase the rate limit if the port is 
a trunk port assigned to more than one VLAN on which DHCP 
snooping is enabled.

Step 11
Command: Switch(config-if)# exit
Purpose: Returns to global configuration mode.

Step 12
Command: Switch(config)# ip dhcp snooping verify mac-address
Purpose: (Optional) Configures the switch to verify that the source MAC address 
in a DHCP packet that is received on untrusted ports matches the client 
hardware address in the packet. The default is to verify that the source 
MAC address matches the client hardware address in the packet.

Step 13
Command: Switch(config)# end
Purpose: Returns to privileged EXEC mode.

Step 14
Command: Switch# show running-config
Purpose: Verifies your entries.

Step 15
Command: Switch# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
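
The following Python check is an added example, not part of the Cisco guide. It audits saved show running-config output (Step 14) against the settings in Steps 10 and 12: the recommended untrusted rate limit of not more than 100 packets per second and source MAC verification. Assumptions: the function name audit_dhcp_snooping and the sample configuration are constructed for illustration, and reporting an untrusted port with no rate limit as a finding is this example's own policy choice.

```python
import re

# Constructed sample of `show running-config` output (not from the guide).
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping verify mac-address
!
interface GigabitEthernet5/1
 ip dhcp snooping trust
 ip dhcp snooping limit rate 100
!
interface FastEthernet2/1
 ip dhcp snooping limit rate 500
!
interface FastEthernet2/2
 switchport access vlan 10
"""

MAX_UNTRUSTED_RATE = 100  # ceiling the guide recommends for untrusted ports
RATE_CMD = "ip dhcp snooping limit rate "


def audit_dhcp_snooping(config):
    """Return a list of findings for DHCP snooping lines in a running-config."""
    findings = []
    # Global commands are the non-indented lines.
    top = [l.rstrip() for l in config.splitlines() if l[:1] not in ("", " ", "\t")]
    if "ip dhcp snooping" not in top:
        findings.append("global: DHCP snooping is not enabled")
    if not any(l.startswith("ip dhcp snooping vlan ") for l in top):
        findings.append("global: DHCP snooping is not enabled on any VLAN")
    if "no ip dhcp snooping verify mac-address" in top:
        findings.append("global: source MAC verification is disabled")
    # Each interface stanza is a header line plus its indented sub-commands.
    for m in re.finditer(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", config, re.M):
        name, cmds = m.group(1), [c.strip() for c in m.group(2).splitlines()]
        if "ip dhcp snooping trust" in cmds:
            continue  # trusted ports may need a higher limit (trunks)
        rate = next((int(c[len(RATE_CMD):]) for c in cmds if c.startswith(RATE_CMD)), None)
        if rate is None:
            findings.append(f"{name}: untrusted port has no rate limit")
        elif rate > MAX_UNTRUSTED_RATE:
            findings.append(f"{name}: untrusted rate {rate} pps exceeds {MAX_UNTRUSTED_RATE}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_dhcp_snooping(SAMPLE_CONFIG)))
```

The check treats every interface without ip dhcp snooping trust as untrusted, including ports in VLANs where snooping is not enabled, so filter the findings by VLAN membership before acting on them.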