DHCP Snooping
26-20 Configuring Security Features
Configuration Notes
DHCP Server
• When the switch is operating in switch mode, the DHCP server and the DHCP clients must
be in the same VLAN.
• If the switch is in routing mode (on those platforms that support routing), the DHCP
server can be remotely connected through a routing interface, or it can run locally.
• If the DHCP server is remotely connected, an IP helper address is required and
MAC address verification should be disabled (set dhcpsnooping verify mac-address
disable).
• The DHCP server must use scopes in order to provide IP addresses per VLAN.
• DHCP snooping must be enabled on the interfaces where the DHCP clients are connected,
and those interfaces must be untrusted DHCP snooping ports.
• The routing interface that is connected to the DHCP server must be enabled for DHCP
snooping and must be a trusted DHCP snooping port.
Default Parameter Values

Table 26-9 DHCP Snooping Default Parameters

Parameter                                    Default Setting
DHCP snooping                                Disabled globally and on all VLANs
Trusted ports                                All ports are untrusted
Source MAC address verification              Enabled
Logging of invalid DHCP messages on ports    Disabled
Rate limit for DHCP packets                  15 packets per second

Procedure 26-6 Basic Configuration for DHCP Snooping

Step  Task                                                          Command(s)
1.    Enable DHCP snooping globally on the switch.                  set dhcpsnooping enable
2.    Determine where DHCP clients will be connected and enable     set dhcpsnooping vlan vlan-list enable
      DHCP snooping on their VLANs.
3.    Determine which ports will be connected to the DHCP server    set dhcpsnooping trust port port-string enable
      and configure them as trusted ports.
4.    If desired, enable logging of invalid DHCP messages on        set dhcpsnooping log-invalid port port-string enable
      specific ports.
5.    If desired, add static bindings to the database.              set dhcpsnooping binding mac-address vlan vlan-id ipaddr port port-string
6.    If the switch has been configured as a DHCP relay agent,      set dhcpsnooping verify mac-address disable
      disable MAC address verification.
7.    If desired, change the rate limiting values.                  set dhcpsnooping limit port-string {none | rate pps [burst interval secs]}
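The following Python model is an added illustration, not part of the configuration guide: it encodes the trusted/untrusted, MAC verification and rate limit behaviour behind the notes and procedure above, using the Table 26-9 defaults, and runs it over constructed packets. It assumes the usual DHCP snooping semantics (server messages are dropped on untrusted ports, verification compares the frame source MAC with the DHCP chaddr); port names such as ge.1.1 and the MAC addresses are made up.

```python
from dataclasses import dataclass, field, replace
# Only a DHCP server sends these; arriving on an untrusted port they indicate a rogue server.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}

@dataclass
class DhcpPacket:
    port: str
    vlan: int
    src_mac: str   # Ethernet source address of the frame
    chaddr: str    # client hardware address inside the DHCP payload
    msg_type: str  # DISCOVER, OFFER, REQUEST, ACK, NAK, ...

@dataclass
class SnoopingConfig:
    # Defaults mirror Table 26-9: disabled, all ports untrusted, MAC check on, 15 pps.
    enabled: bool = False
    vlans: set = field(default_factory=set)
    trusted_ports: set = field(default_factory=set)
    verify_mac: bool = True
    rate_limit_pps: int = 15

def filter_packet(cfg, pkt, accepted_this_second):
    """Return 'forward' or a drop reason, given packets already accepted on the port this second."""
    if not cfg.enabled or pkt.vlan not in cfg.vlans:
        return "forward"  # snooping not in effect on this VLAN
    if pkt.port in cfg.trusted_ports:
        return "forward"  # trusted port: the path toward the real server
    if pkt.msg_type in SERVER_MESSAGES:
        return "drop: server message on untrusted port"
    if accepted_this_second >= cfg.rate_limit_pps:
        return "drop: rate limit exceeded"
    if cfg.verify_mac and pkt.src_mac.lower() != pkt.chaddr.lower():
        return "drop: source MAC does not match chaddr"
    return "forward"

# Constructed sample: ge.1.1 is an access port, ge.1.24 faces the server; MACs are made up.
CLIENT, RELAY = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
CFG = SnoopingConfig(enabled=True, vlans={10}, trusted_ports={"ge.1.24"})
NO_VERIFY = replace(CFG, verify_mac=False)  # step 6 of the procedure

def demo():
    rogue = DhcpPacket("ge.1.1", 10, RELAY, CLIENT, "OFFER")
    direct = DhcpPacket("ge.1.1", 10, CLIENT, CLIENT, "DISCOVER")
    relayed = DhcpPacket("ge.1.1", 10, RELAY, CLIENT, "DISCOVER")  # forwarded by a relay
    return {"rogue_offer": filter_packet(CFG, rogue, 0),
            "direct_discover": filter_packet(CFG, direct, 0),
            "relayed_verify_on": filter_packet(CFG, relayed, 0),
            "relayed_verify_off": filter_packet(NO_VERIFY, relayed, 0),
            "flood": filter_packet(CFG, direct, 15)}
```

The relayed case shows why the notes call for disabling MAC verification when the server is reached through a relay: the frame's source MAC is the relay's, not the client's chaddr.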