4-302
[no] ip dhcp snooping
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
• Network traffic may be disrupted when malicious DHCP messages are
received from an outside source. DHCP snooping is used to filter
DHCP messages received on an unsecure interface from outside the
network or firewall. When DHCP snooping is enabled globally by this
command, and enabled on a VLAN interface by the
ip dhcp
snooping vlan command (page -304), DHCP messages received on
an untrusted interface (as specified by the no ip dhcp snooping trust
command, page -305) from a device not listed in the DHCP snooping
table will be dropped.
• When enabled, DHCP messages entering an untrusted interface are
filtered based upon dynamic entries learned via DHCP snooping.
• Table entries are only learned for untrusted interfaces. Each entry
includes a MAC address, IP address, lease time, entry type
(Dynamic-DHCP-Binding, Static-DHCP-Binding), VLAN identifier,
and port identifier.
• When DHCP snooping is enabled, the rate limit for the number of
DHCP messages that can be processed by the switch is 100 packets
per second. Any DHCP packets in excess of this limit are dropped.
• Filtering rules are implemented as follows:
• If the global DHCP snooping is disabled, all DHCP packets are
forwarded.
• If DHCP snooping is enabled globally, and also enabled on the VLAN
where the DHCP packet is received, all DHCP packets are forwarded for
a trusted port. If the received packet is a DHCP ACK message, a dynamic
DHCP snooping entry is also added to the binding table.
• If DHCP snooping is enabled globally, and also enabled on the VLAN
where the DHCP packet is received, but the port is not trusted, it is
processed as follows: