Chapter 9 | General Security Measures
DHCPv4 Snooping
– 294 –
◆ Set all ports connected to DHCP servers within the local network or firewall to trusted, and all other ports outside the local network or firewall to untrusted.
◆ When DHCP snooping is enabled globally using the ip dhcp snooping command, and enabled on a VLAN with the ip dhcp snooping vlan command, DHCP packet filtering will be performed on any untrusted ports within the VLAN according to the default status, or as specifically configured for an interface with the no ip dhcp snooping trust command.
◆ When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed.
◆ Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted.
Example
This example sets port 5 to untrusted.
Console(config)#interface ethernet 1/5
Console(config-if)#no ip dhcp snooping trust
Console(config-if)#
ip dhcp snooping max-number
This command configures the maximum number of DHCP clients which can be supported per interface. Use the no form to restore the default setting.
Syntax
ip dhcp snooping max-number max-number
no ip dhcp snooping max-number
max-number - Maximum number of DHCP clients. (Range: 1-32)
Default Setting
16
Command Mode
Interface Configuration (Ethernet, Port Channel)
Example
This example sets the maximum number of DHCP clients supported on port 1 to 2.
Console(config)#interface ethernet 1/1
Console(config-if)#ip dhcp snooping max-number 2
Console(config-if)#
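The following session is an added example, not one of the manual's own, that ties together the trust guidelines above and the ip dhcp snooping max-number command: snooping is enabled globally and on a VLAN, the single port facing the DHCP server is made trusted, and two client-facing ports are left untrusted with a lowered client limit. The VLAN ID (1), the port roles (1/1 uplink to the DHCP server, 1/2 and 1/3 client ports), and the limit of 4 clients are assumed values chosen for illustration.

```text
! Enable DHCP snooping globally, then on the VLAN that carries the clients.
! Nothing is filtered until both steps are done.
Console(config)#ip dhcp snooping
Console(config)#ip dhcp snooping vlan 1

! Port 1/1 leads to the DHCP server (assumed), so server replies must be
! allowed through: mark it trusted. Note that switching a port from
! untrusted to trusted clears its dynamic snooping bindings.
Console(config)#interface ethernet 1/1
Console(config-if)#ip dhcp snooping trust
Console(config-if)#exit

! Ports 1/2 and 1/3 face end hosts (assumed). Leave them untrusted so
! DHCP server messages arriving there are dropped, and cap the number of
! DHCP clients each port may hold below the default of 16.
Console(config)#interface ethernet 1/2
Console(config-if)#no ip dhcp snooping trust
Console(config-if)#ip dhcp snooping max-number 4
Console(config-if)#exit
Console(config)#interface ethernet 1/3
Console(config-if)#no ip dhcp snooping trust
Console(config-if)#ip dhcp snooping max-number 4
Console(config-if)#exit
```

If the switch itself obtains its management address by DHCP, the port through which it sends that request (here 1/1) must be among the trusted ports, otherwise its own DHCP exchange is filtered along with everyone else's.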