Chapter 9 | General Security Measures
DHCPv4 Snooping
– 349 –
Command Usage
◆ A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
◆ Set all ports connected to DHCP servers within the local network or firewall to trusted, and all other ports outside the local network or firewall to untrusted.
◆ When DHCP snooping is enabled globally using the ip dhcp snooping command, and enabled on a VLAN with the ip dhcp snooping vlan command, DHCP packet filtering will be performed on any untrusted ports within the VLAN according to the default status, or as specifically configured for an interface with the no ip dhcp snooping trust command.
◆ When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed.
◆ Additional considerations when the switch itself is a DHCP client – The port(s)
through which it submits a client request to the DHCP server must be
configured as trusted.
Example
This example sets port 5 to untrusted.
Console(config)#interface ethernet 1/5
Console(config-if)#no ip dhcp snooping trust
Console(config-if)#
Related Commands
ip dhcp snooping (339)
ip dhcp snooping vlan (346)
clear ip dhcp snooping binding
This command clears DHCP snooping binding table entries from RAM. Use this
command without any optional keywords to clear all entries from the binding
table.
Syntax
clear ip dhcp snooping binding mac-address ip-address
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx)
ip-address - Specifies the IP address bound to this entry.
Command Mode
Privileged Exec
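The trust and binding-table behaviour described in this section (the usage notes for no ip dhcp snooping trust above, and the clear ip dhcp snooping binding command) modelled in Python as an added example; this is not the switch firmware or any vendor tool. It assumes the usual learning rule that a dynamic binding is created when an ACK arriving on a trusted port answers a request that was seen on an untrusted port; the port names, VLAN, MAC and IP addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# DHCP message types that only a server sends (option 53: OFFER, ACK, NAK).
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class DhcpPacket:
    port: str         # ingress port in the manual's notation, e.g. "1/5"
    vlan: int
    msg_type: str     # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, ...
    client_mac: str   # xx-xx-xx-xx-xx-xx
    yiaddr: str = ""  # address carried in OFFER/ACK; empty for client messages


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    """Toy model of DHCP snooping state (constructed; not the switch firmware)."""

    def __init__(self) -> None:
        self.global_enabled = False            # ip dhcp snooping
        self.snooping_vlans: Set[int] = set()  # ip dhcp snooping vlan <id>
        self.trusted_ports: Set[str] = set()   # ports are untrusted by default
        self.bindings: List[Binding] = []      # dynamic binding table held in RAM
        self._pending: Dict[str, str] = {}     # client MAC -> untrusted port awaiting ACK

    def ip_dhcp_snooping(self, enabled: bool = True) -> None:
        self.global_enabled = enabled

    def ip_dhcp_snooping_vlan(self, vlan: int, enabled: bool = True) -> None:
        if enabled:
            self.snooping_vlans.add(vlan)
        else:
            self.snooping_vlans.discard(vlan)

    def ip_dhcp_snooping_trust(self, port: str, trusted: bool = True) -> None:
        """'ip dhcp snooping trust' / 'no ip dhcp snooping trust' on an interface."""
        if trusted:
            self.trusted_ports.add(port)
            # Untrusted -> trusted: dynamic bindings learned on this port are removed.
            self.bindings = [b for b in self.bindings if b.port != port]
        else:
            self.trusted_ports.discard(port)

    def receive(self, pkt: DhcpPacket) -> str:
        """Apply snooping to one DHCP packet; returns 'forward' or 'drop'."""
        if not (self.global_enabled and pkt.vlan in self.snooping_vlans):
            return "forward"  # snooping not active on this VLAN: nothing is filtered
        if pkt.port in self.trusted_ports:
            # Assumed learning rule: an ACK from a trusted server port completes the
            # binding for a client whose request was seen on an untrusted port.
            if pkt.msg_type == "ACK" and pkt.client_mac in self._pending:
                client_port = self._pending.pop(pkt.client_mac)
                self.bindings.append(Binding(pkt.client_mac, pkt.yiaddr, pkt.vlan, client_port))
            return "forward"
        # Untrusted port: server-only messages are dropped (the rogue-server case).
        if pkt.msg_type in SERVER_MESSAGES:
            return "drop"
        if pkt.msg_type in ("DISCOVER", "REQUEST"):
            self._pending[pkt.client_mac] = pkt.port
        return "forward"

    def clear_ip_dhcp_snooping_binding(self, mac: Optional[str] = None,
                                       ip: Optional[str] = None) -> int:
        """'clear ip dhcp snooping binding [mac-address ip-address]'; returns entries removed."""
        before = len(self.bindings)
        if mac is None and ip is None:
            self.bindings = []  # no keywords: clear the whole table
        else:
            self.bindings = [b for b in self.bindings if not (b.mac == mac and b.ip == ip)]
        return before - len(self.bindings)


def demo() -> dict:
    """Walk through the section's rules with constructed packets on VLAN 10."""
    sw = SnoopingSwitch()
    sw.ip_dhcp_snooping()
    sw.ip_dhcp_snooping_vlan(10)
    sw.ip_dhcp_snooping_trust("1/1")                 # port facing the real DHCP server
    sw.ip_dhcp_snooping_trust("1/5", trusted=False)  # the manual's 'no ip dhcp snooping trust'
    c1, c2 = "00-11-22-33-44-55", "00-66-77-88-99-aa"
    r = {}
    r["discover"] = sw.receive(DhcpPacket("1/5", 10, "DISCOVER", c1))
    r["offer"] = sw.receive(DhcpPacket("1/1", 10, "OFFER", c1, "192.0.2.50"))
    r["ack"] = sw.receive(DhcpPacket("1/1", 10, "ACK", c1, "192.0.2.50"))
    sw.receive(DhcpPacket("1/6", 10, "REQUEST", c2))
    sw.receive(DhcpPacket("1/1", 10, "ACK", c2, "192.0.2.51"))
    r["rogue_offer"] = sw.receive(DhcpPacket("1/7", 10, "OFFER", c1, "192.0.2.99"))
    r["bindings_after_leases"] = len(sw.bindings)
    r["cleared_mismatch"] = sw.clear_ip_dhcp_snooping_binding(c1, "192.0.2.99")
    sw.ip_dhcp_snooping_trust("1/5")  # untrusted -> trusted drops the 1/5 binding only
    r["bindings_after_trust_change"] = len(sw.bindings)
    r["cleared_all"] = sw.clear_ip_dhcp_snooping_binding()
    return r
```

Running demo() shows the two server-side messages on the trusted port being forwarded, the OFFER arriving on the untrusted port 1/7 being dropped, the mismatched clear request removing nothing, and the change of port 1/5 to trusted discarding only the binding learned on that port.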
Example