Chapter 22 Configuring DHCP Features and IP Source Guard

Configuring DHCP Features

 

Step 6
Command: ip dhcp snooping information option allow-untrusted
Purpose: (Optional) If the switch is an aggregation switch connected to an edge switch, enable the switch to accept incoming DHCP snooping packets with option-82 information from the edge switch. The default setting is disabled.
Note: Enter this command only on aggregation switches that are connected to trusted devices.

Step 7
Command: interface interface-id
Purpose: Specify the interface to be configured, and enter interface configuration mode.

Step 8
Command: ip dhcp snooping vlan vlan information option format-type circuit-id string ASCII-string
Purpose: (Optional) Configure the circuit-ID suboption for the specified interface. Specify the VLAN and port identifier, using a VLAN ID in the range of 1 to 4094. The default circuit ID is the port identifier, in the format vlan-mod-port. You can configure the circuit ID to be a string of 3 to 63 ASCII characters (no spaces).

Step 9
Command: ip dhcp snooping trust
Purpose: (Optional) Configure the interface as trusted or untrusted. You can use the no keyword to configure an interface to receive messages from an untrusted client. The default setting is untrusted.

Step 10
Command: ip dhcp snooping limit rate rate
Purpose: (Optional) Configure the number of DHCP packets per second that an interface can receive. The range is 1 to 2048. By default, no rate limit is configured.
Note: We recommend an untrusted rate limit of not more than 100 packets per second. If you configure rate limiting for trusted interfaces, you might need to increase the rate limit if the port is a trunk port assigned to more than one VLAN on which DHCP snooping is enabled.

Step 11
Command: exit
Purpose: Return to global configuration mode.

Step 12
Command: ip dhcp snooping verify mac-address
Purpose: (Optional) Configure the switch to verify that the source MAC address in a DHCP packet that is received on untrusted ports matches the client hardware address in the packet. The default is to verify that the source MAC address matches the client hardware address in the packet.

Step 13
Command: end
Purpose: Return to privileged EXEC mode.

Step 14
Command: show running-config
Purpose: Verify your entries.

Step 15
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
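The following lint, added here as an example and not taken from the guide or from Cisco software, checks a candidate configuration against the limits stated in Steps 6 through 10 before it is applied. The sample configuration is constructed, the running-config-style layout (indented interface lines) is an assumption, and treating a missing rate limit on an untrusted port as a finding is this example's own policy choice.

```python
import re

# Constructed candidate configuration (not from the guide); layout is assumed.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping information option allow-untrusted
interface GigabitEthernet1/0/1
 ip dhcp snooping limit rate 100
 ip dhcp snooping vlan 10 information option format-type circuit-id string edge1-port1
interface GigabitEthernet1/0/2
 ip dhcp snooping limit rate 500
interface GigabitEthernet1/0/3
 ip dhcp snooping vlan 5000 information option format-type circuit-id string ab
interface GigabitEthernet1/0/24
 ip dhcp snooping trust
"""

RATE = re.compile(r"ip dhcp snooping limit rate (\d+)")
CIRCUIT = re.compile(r"ip dhcp snooping vlan (\d+) information option format-type circuit-id string (\S+)")

def audit(config):
    """Return (scope, finding) pairs for settings outside the limits in the steps."""
    findings, ports, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # back at global configuration level
            if line.strip() == "ip dhcp snooping information option allow-untrusted":
                findings.append(("global", "allow-untrusted: confirm trusted edge devices"))
    for name, lines in ports.items():
        trusted = "ip dhcp snooping trust" in lines  # default is untrusted
        rates = [int(m[1]) for m in map(RATE.fullmatch, lines) if m]
        if not trusted and not rates:
            findings.append((name, "untrusted port without rate limit"))
        for rate in rates:
            if not 1 <= rate <= 2048:
                findings.append((name, f"rate {rate} outside 1-2048"))
            elif not trusted and rate > 100:
                findings.append((name, f"untrusted rate {rate} above 100 pps"))
        for m in filter(None, map(CIRCUIT.fullmatch, lines)):
            vlan, text = int(m[1]), m[2]
            if not 1 <= vlan <= 4094:
                findings.append((name, f"circuit-id VLAN {vlan} outside 1-4094"))
            if not (3 <= len(text) <= 63 and text.isascii()):
                findings.append((name, "circuit-id string not 3-63 ASCII characters"))
    return findings
```

Calling audit(SAMPLE_CONFIG) reports the allow-untrusted setting for review, the 500 pps limit on the untrusted port, and three problems on GigabitEthernet1/0/3.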

 

 

 

To disable DHCP snooping, use the no ip dhcp snooping global configuration command. To disable DHCP snooping on a VLAN or range of VLANs, use the no ip dhcp snooping vlan vlan-range global configuration command. To disable the insertion and removal of the option-82 field, use the no ip dhcp snooping information option global configuration command. To configure an aggregation switch to drop incoming DHCP snooping packets with option-82 information from an edge switch, use the no ip dhcp snooping information option allow-untrusted global configuration command.

This example shows how to enable DHCP snooping globally and on VLAN 10 and to configure a rate limit of 100 packets per second on a port:

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# ip dhcp snooping information option

 

 

Catalyst 3750-E and 3560-E Switch Software Configuration Guide

 

 

 

 

 

 

OL-9775-02

 

 
