DHCP Snooping
- Enable on the switch
- Enable on the VLAN
- Identify trusted ports
SW2#conf terminal
! Enable the feature
SW2(config)#ip dhcp snooping
! Set the file where the binding database is saved
SW2(config)#ip dhcp snooping database flash:/snoopy.db
! Enable the feature for VLAN
SW2(config)#ip dhcp snooping vlan 123
! Configure the trusted port (toward the DHCP server)
SW2(config)#interface fas 0/3
SW2(config-if)#description trunk leading to real DHCP server
SW2(config-if)#ip dhcp snooping trust
* Note: a trusted port accepts DHCP server messages (OFFERs and ACKs)
* Note: If the DHCP server is an IOS DHCP server, the following command must also be entered on that router
Router(config)# ip dhcp relay information trust
! Configure user ports
SW2(config)#interface fas 0/1
SW2(config-if)#description user port
SW2(config-if)#ip dhcp snooping limit rate 10
* Note: 10 pps (packets per second)
SW2(config-if)#switchport port-security
SW2(config-if)#switchport port-security maximum 5
SW2#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
123
DHCP snooping is operational on following VLANs:
123
DHCP snooping is configured on the following L3 Interfaces:
Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Rate limit (pps)
------------------------   -------    ----------------
FastEthernet0/1            no         10
FastEthernet0/3            yes        unlimited
SW2#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0C:29:16:57:AC   10.123.0.3       85971       dhcp-snooping  123   FastEthernet0/2
Total number of bindings: 1
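
Added example (not part of the original notes): a small audit of the "show ip dhcp snooping" output above. It flags trusted ports that are not a known DHCP server uplink, user ports with no rate limit, and VLANs that are configured but not operational. The port sets passed to audit() and the FastEthernet0/7 row are assumptions made for the demonstration; FastEthernet0/2 is included as a user port because it holds a binding above but has no entry in the trust/rate table.

```python
import re

# Constructed sample: the "show ip dhcp snooping" output from this page, plus one
# hypothetical extra trusted port (FastEthernet0/7) so the audit has a finding.
SAMPLE = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
123
DHCP snooping is operational on following VLANs:
123
DHCP snooping trust/rate is configured on the following Interfaces:
Interface                  Trusted    Rate limit (pps)
------------------------   -------    ----------------
FastEthernet0/1            no         10
FastEthernet0/3            yes        unlimited
FastEthernet0/7            yes        unlimited
"""
ROW = re.compile(r"^(\S+)\s+(yes|no)\s+(\d+|unlimited)$")

def vlans_after(lines, marker):
    """VLAN tokens printed on the line that follows the header containing marker."""
    for i, line in enumerate(lines[:-1]):
        nxt = lines[i + 1].strip()
        if marker in line and re.fullmatch(r"[\d,\- ]+", nxt):
            return set(re.split(r"[, ]+", nxt))
    return set()

def audit(output, trusted_uplinks, user_ports):
    """Return findings; a user port absent from the table is assumed unlimited."""
    lines, findings = output.splitlines(), []
    if "Switch DHCP snooping is enabled" not in output:
        findings.append("DHCP snooping is not enabled globally")
    configured = vlans_after(lines, "is configured on following VLANs")
    operational = vlans_after(lines, "is operational on following VLANs")
    for vlan in sorted(configured - operational):
        findings.append(f"VLAN {vlan}: configured but not operational")
    table = {m[1]: (m[2], m[3]) for m in map(ROW.match, map(str.strip, lines)) if m}
    for port, (trusted, _) in sorted(table.items()):
        if trusted == "yes" and port not in trusted_uplinks:
            findings.append(f"{port}: trusted but not a known DHCP server uplink")
    for port in sorted(user_ports):
        trusted, rate = table.get(port, ("no", "unlimited"))
        if trusted == "no" and rate == "unlimited":
            findings.append(f"{port}: user port without a DHCP rate limit")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"FastEthernet0/3"}, {"FastEthernet0/1", "FastEthernet0/2"}):
        print(finding)
```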