Cisco Catalyst 4500 Series Configuration Guide
50-8
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
OL-25340-01
Chapter 50 Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts
Configuring DHCP Snooping
To enable DHCP snooping, perform this task:

Step 1
Command: Switch(config)# ip dhcp snooping
Purpose: Enables DHCP snooping globally. You can use the no keyword to disable DHCP snooping.

Step 2
Command: Switch(config)# ip dhcp snooping vlan number [number] | vlan {vlan range}
Purpose: Enables DHCP snooping on your VLAN or VLAN range.

Step 3
Command: Switch(config)# errdisable recovery {cause dhcp-rate-limit | interval interval}
Purpose: (Optional) Configures the amount of time required for recovery from a specified errdisable cause.

Step 4
Command: Switch(config)# errdisable detect cause dhcp-rate-limit {action shutdown vlan}
Purpose: (Optional) Enables per-VLAN errdisable detection.
Note: By default this command is enabled, and when a violation occurs the interface is shut down.

Step 5
Command: Switch(config-if)# ip dhcp snooping trust
Purpose: Configures the interface as trusted or untrusted. You can use the no keyword to configure an interface to receive messages from an untrusted client.

Step 6
Command: Switch(config-if)# ip dhcp snooping limit rate rate
Purpose: Configures the number of DHCP packets per second (pps) that an interface can receive. (See note 1.)

Step 7
Command: Switch(config)# end
Purpose: Exits configuration mode.

Step 8
Command: Switch# show ip dhcp snooping
Purpose: Verifies the configuration.

1. We recommend not configuring the untrusted interface rate limit to more than 100 packets per second. The recommended rate limit for each untrusted client is 15 packets per second. Normally, the rate limit applies to untrusted interfaces. If you want to set up rate limiting for trusted interfaces, keep in mind that trusted interfaces aggregate all DHCP traffic in the switch, and you will need to adjust the rate limit to a higher value. You should fine-tune this threshold depending on the network configuration. The CPU should not receive DHCP packets at a sustained rate of more than 1,000 packets per second.

You can configure DHCP snooping for a single VLAN or a range of VLANs. To configure a single VLAN, enter a single VLAN number. To configure a range of VLANs, enter a beginning and an ending VLAN number, or a dash and a range of VLANs.

The number of incoming DHCP packets is rate-limited to prevent a denial-of-service attack. When the rate of incoming DHCP packets exceeds the configured limit, the switch places the port in the errdisabled state. To prevent the whole port from shutting down, you can use the errdisable detect cause dhcp-rate-limit action shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred.

When a secure port is in the errdisabled state, you can bring it out of this state automatically by configuring the errdisable recovery cause dhcp-rate-limit global configuration command, or you can manually reenable it by entering the shutdown and no shutdown interface configuration commands. If a port is in per-VLAN errdisable mode, you can also use the clear errdisable interface name vlan range command to reenable the VLAN on the port.

This example shows how to enable DHCP snooping on VLAN 500 through 555:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 500 555
Switch(config)# ip dhcp snooping information option format remote-id string switch123
Switch(config)# interface GigabitEthernet 5/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# ip dhcp snooping limit rate 100
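As an added example that is not part of the Cisco guide: a small Python audit that reads a running-config excerpt and flags departures from the guidance above (snooping not enabled globally, an access VLAN outside the snooped range, an untrusted port with no rate limit or one above 100 pps). The config text, interface names and the treatment of the 100 pps recommendation as a hard threshold are constructed assumptions; in practice you would feed it the output of show running-config.

```python
# Constructed running-config excerpt (not from a real device) mirroring this page's example:
# snooping on VLAN 500-555, Gi5/1 as the trusted uplink, two untrusted access ports.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 500-555
interface GigabitEthernet5/1
 ip dhcp snooping trust
interface GigabitEthernet5/2
 switchport access vlan 510
 ip dhcp snooping limit rate 500
interface GigabitEthernet5/3
 switchport access vlan 700
"""
UNTRUSTED_MAX_PPS = 100  # guide: untrusted-port rate limit should not exceed 100 pps

def parse_config(text):
    # Returns (snooping_enabled, snooped_vlans, {interface: {trust, rate, vlan}}).
    enabled, vlans, ifaces, cur = False, set(), {}, None
    for line in text.splitlines():
        cmd = line.strip()
        if not line.startswith(" "):            # a global line ends any interface block
            cur = None
            if cmd == "ip dhcp snooping":
                enabled = True
            elif cmd.startswith("ip dhcp snooping vlan "):
                for part in cmd.rsplit(None, 1)[1].split(","):   # e.g. 500-555,600
                    lo, _, hi = part.partition("-")
                    vlans.update(range(int(lo), int(hi or lo) + 1))
            elif cmd.startswith("interface "):
                cur = cmd.split(None, 1)[1]
                ifaces[cur] = {"trust": False, "rate": None, "vlan": None}
        elif cur is not None and cmd == "ip dhcp snooping trust":
            ifaces[cur]["trust"] = True
        elif cur is not None and cmd.startswith("ip dhcp snooping limit rate "):
            ifaces[cur]["rate"] = int(cmd.rsplit(None, 1)[1])
        elif cur is not None and cmd.startswith("switchport access vlan "):
            ifaces[cur]["vlan"] = int(cmd.rsplit(None, 1)[1])
    return enabled, vlans, ifaces

def audit(text):
    # Lists where the config departs from the DHCP snooping guidance on this page.
    enabled, vlans, ifaces = parse_config(text)
    findings = [] if enabled else ["global: ip dhcp snooping is not enabled"]
    for name, c in sorted(ifaces.items()):
        if c["vlan"] is not None and c["vlan"] not in vlans:
            findings.append(f"{name}: access VLAN {c['vlan']} has no DHCP snooping")
        if not c["trust"] and (c["rate"] is None or c["rate"] > UNTRUSTED_MAX_PPS):
            findings.append(f"{name}: untrusted rate limit {c['rate']} is missing or above "
                            f"{UNTRUSTED_MAX_PPS} pps")
    return findings
```

Trusted ports are skipped by the rate check on purpose, since the footnote above says they aggregate all DHCP traffic and need a higher limit; extend the check if you also want to enforce errdisable recovery settings.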