Cisco Systems 3560 DHCP Snooping Configuration Guidelines

21-9

Catalyst 3560 Switch Software Configuration Guide

OL-8553-06

Chapter 21 Configuring DHCP Features and IP Source Guard

Configuring DHCP Snooping

DHCP Snooping Configuration Guidelines

These are the configuration guidelines for DHCP snooping.

• You must globally enable DHCP snooping on the switch.

• DHCP snooping is not active until DHCP snooping is enabled on a VLAN.

• Before globally enabling DHCP snooping on the switch, make sure that the devices acting as the

DHCP server and the DHCP relay agent are configured and enabled.

• When you globally enable DHCP snooping on the switch, these Cisco IOS commands are not

available until snooping is disabled. If you enter these commands, the switch returns an error

message, and the configuration is not applied.

–

ip dhcp relay information check global configuration command

–

ip dhcp relay information policy global configuration command

–

ip dhcp relay information trust-all global configuration command

–

ip dhcp relay information trusted interface configuration command

• Before configuring the DHCP snooping information option on your switch, be sure to configure the

device that is acting as the DHCP server. For example, you must specify the IP addresses that the

DHCP server can assign or exclude, or you must configure DHCP options for these devices.

• When configuring a large number of circuit IDs on a switch, consider the impact of lengthy

character strings on the NVRAM or the flash memory. If the circuit-ID configurations, combined

with other data, exceed the capacity of the NVRAM or the flash memory, an error message appears.

• Before configuring the DHCP relay agent on your switch, make sure to configure the device that is

acting as the DHCP server. For example, you must specify the IP addresses that the DHCP server

can assign or exclude, configure DHCP options for devices, or set up the DHCP database agent.

• If the DHCP relay agent is enabled but DHCP snooping is disabled, the DHCP option-82 data

insertion feature is not supported.

• If a switch port is connected to a DHCP server, configure a port as trusted by entering the ip dhcp

snooping trust interface configuration command.

• If a switch port is connected to a DHCP client, configure a port as untrusted by entering the no ip

dhcp snooping trust interface configuration command.

• Follow these guidelines when configuring the DHCP snooping binding database:

–

Because both NVRAM and the flash memory have limited storage capacity, we recommend that

you store the binding file on a TFTP server.

–

For network-based URLs (such as TFTP and FTP), you must create an empty file at the

configured URL before the switch can write bindings to the binding file at that URL. See the

documentation for your TFTP server to determine whether you must first create an empty file

on the server; some TFTP servers cannot be configured this way.

–

To ensure that the lease time in the database is accurate, we recommend that you enable and

configure NTP. For more information, see the “Configuring NTP” section on page 7-3.

–

If NTP is configured, the switch writes binding changes to the binding file only when the switch

system clock is synchronized with NTP.

• Do not enter the ip dhcp snooping information option allow-untrusted command on an

aggregation switch to which an untrusted device is connected. If you enter this command, an

untrusted device might spoof the option-82 information.