20-12
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 20 Configuring DHCP Features and IP Source Guard Features
Configuring DHCP Snooping
To disable DHCP snooping, use the no ip dhcp snooping global configuration command. To disable
DHCP snooping on a VLAN or range of VLANs, use the no ip dhcp snooping vlan vlan-range global
configuration command. To disable the insertion and the removal of the option-82 field, use the no ip
dhcp snooping information option global configuration command. To configure an aggregation switch
to drop incoming DHCP snooping packets with option-82 information from an edge sw itch, use the no
ip dhcp snooping information option allow-untrusted global configuration command.
This example shows how to enable DHCP snooping globally and on VLAN 10 and to configure a rate
limit of 100 packets per second on a port:
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# ip dhcp snooping information option
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip dhcp snooping limit rate 100
Step 7 ip dhcp snooping trust (Optional) Configure the interface as trusted or as untrusted. Use t he no
keyword to configure an interface to receive messages from an untrusted
client. The default setting is untrusted.
Step 8 ip dhcp snooping limit rate rate (Optional) Configure the number of DHCP packets per second that an
interface can receive. The range is 1 to 2048. By default, no rate limit is
configured.
Note We recommend an untrusted rate limit of not more than 100
packets per second. If you configure rate limiting for trusted
interfaces, you might need to increase the rate limit if the port is
a trunk port assigned to more than one VLAN with DHCP
snooping.
Step 9 exit Return to global configuration mode.
Step 10 ip dhcp snooping verify mac-address (Optional) Configure the switch to verify that the source MAC address in
a DHCP packet received on untrusted ports matches the client hardware
address in the packet. The default is to verify that the source MAC
address matches the client hardware address in the packet.
Step 11 end Return to privileged EXEC mode.
Step 12 show running-config Verify your entries.
Step 13 copy running-config startup-config (Optional) Save your entries in the configuration file.
Command Purpose