Cisco Catalyst 4500 Series Administration Guide

Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 53 Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts
Configuring DHCP Snooping
Enabling the DHCP Snooping Database Agent
To configure the database agent, perform one or more of the following tasks:

Command: Switch(config)# ip dhcp snooping database {url | write-delay seconds | timeout seconds}
         Switch(config)# no ip dhcp snooping database [write-delay | timeout]
Purpose: (Required) Configures a URL for the database agent (or file) and the related timeout values.

Command: Switch# show ip dhcp snooping database [detail]
Purpose: (Optional) Displays the current operating state of the database agent and statistics associated with the transfers.

Command: Switch# clear ip dhcp snooping database statistics
Purpose: (Optional) Clears the statistics associated with the database agent.

Command: Switch# renew ip dhcp snooping database [validation none] [url]
Purpose: (Optional) Requests that the entries be read from a file at the given URL.

Command: Switch# ip dhcp snooping binding mac-addr vlan vlan ipaddr interface ifname expiry lease-in-seconds
         Switch# no ip dhcp snooping binding mac-addr vlan vlan ipaddr interface ifname
Purpose: (Optional) Adds or deletes bindings to the snooping database.

Note: Because both NVRAM and bootflash have limited storage capacity, you should use TFTP or network-based files. If you use flash to store the database file, each new update by the agent creates a new file, so flash fills quickly. Moreover, because of the nature of the file system used on flash, a large number of files can cause slow access. When a file is stored in a remote location accessible through TFTP, an RPR or SSO standby supervisor engine can take over the binding list when a switchover occurs.

Note: Network-based URLs (such as TFTP and FTP) require that you create an empty file at the configured URL before the switch can write the set of bindings for the first time.

Limiting the Rate of Incoming DHCP Packets

The switch CPU performs DHCP validation checks; therefore, the number of incoming DHCP packets is rate-limited to prevent a denial-of-service attack.

When the rate of incoming DHCP packets exceeds the configured limit, the switch places the port in the errdisabled state. The port remains in that state until you intervene or you enable errdisable recovery so that ports automatically emerge from this state after a specified timeout period.

Note: Unless you explicitly configure a rate limit on an interface, changing the trust state of the interface also changes its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate limit even when its trust state is changed. If you enter the no ip dhcp snooping limit rate interface configuration command, the interface reverts to its default rate limit.
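
The storage note for the database agent and the rate-limit behaviour described on this page can be checked against a saved running-config. The following Python audit is an added example, not part of the Cisco guide; the sample configuration, file name and function name are constructed, and errdisable recovery cause dhcp-rate-limit is the IOS command assumed here for the automatic recovery the text mentions.

```python
import re

# Constructed sample running-config; interface names and file name are placeholders.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping database bootflash:dhcp-bindings.db
!
interface GigabitEthernet1/1
 ip dhcp snooping trust
!
interface GigabitEthernet1/2
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/3
 switchport mode access
!
"""

LOCAL_STORES = ("nvram:", "bootflash:", "flash:")  # limited capacity per the note

def audit_dhcp_snooping(config):
    """Return (subject, finding) tuples for an IOS running-config given as text."""
    findings, lines = [], config.splitlines()
    # Database agent URL; 'write-delay' and 'timeout' forms carry no URL.
    urls = [m.group(1) for line in lines if (m := re.match(
        r"ip dhcp snooping database (?!write-delay|timeout)(\S+)", line))]
    if not urls:
        findings.append(("database", "no database agent URL configured"))
    for url in urls:
        if url.lower().startswith(LOCAL_STORES):
            findings.append(("database", f"{url}: local storage, use TFTP or a network-based file"))
    # Group indented lines under the 'interface' line that precedes them.
    blocks, current = {}, None
    for line in lines:
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:
            current = None
    for name, body in blocks.items():
        if not any(c.startswith("ip dhcp snooping limit rate ") for c in body):
            trust = "trusted" if "ip dhcp snooping trust" in body else "untrusted"
            findings.append((name, f"no explicit rate limit ({trust}); it changes with the trust state"))
    # Without recovery, a port that exceeds its limit stays errdisabled until someone intervenes.
    if not any(l.startswith("errdisable recovery cause dhcp-rate-limit") for l in lines):
        findings.append(("errdisable", "no automatic recovery for rate-limited ports"))
    return findings
```

Each finding names the global setting or interface it applies to, so the result can be reviewed port by port before changing trust states.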

Cisco Catalyst 4500 Series Specifications

Series: Catalyst 4500 Series
Category: Switch
Layer Support: Layer 2, Layer 3
Form Factor: Modular chassis
Stackable: No
Chassis Slots: 3, 6, 7, 10
Power Supply Options: AC, DC
Redundancy: Power supply, Supervisor engine
Network Management: Cisco IOS Software CLI, SNMP, Cisco Prime Infrastructure
Features: Security, QoS
Port Density: Up to 384 ports per chassis
Security Features: 802.1X, ACLs, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard
Supervisor Engine: 8-E