Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 31 Configuring DHCP Snooping and IP Source Guard
Configuring DHCP Snooping on the Switch
This example shows how to enable DHCP snooping on VLANs 10 through 100:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10 100
Switch(config)# interface GigabitEthernet 5/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# interface FastEthernet 2/1
Switch(config-if)# ip dhcp snooping limit rate 100
Switch(config-if)# end
Switch# show ip dhcp snooping
Switch DHCP snooping is enabled.
DHCP Snooping is configured on the following VLANs:
10-100
Insertion of option 82 is enabled
Option82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                  Trusted     Rate limit (pps)
---------                  -------     ----------------
FastEthernet2/1            yes         100
FastEthernet2/2            yes         none
FastEthernet3/1            no          20
GigabitEthernet5/1         yes         none
Switch#
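The following Python code is an added example, not part of the Cisco guide. It parses the show ip dhcp snooping output above and reports trusted ports that are not declared uplinks, untrusted ports with no rate limit, and acceptance of option 82 on untrusted ports; the uplinks set and the wording of the "allowed" Option82 line are assumptions.

```python
import re

# Constructed sample: the "show ip dhcp snooping" output printed above.
SAMPLE = """\
Switch DHCP snooping is enabled.
DHCP Snooping is configured on the following VLANs:
10-100
Insertion of option 82 is enabled
Option82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                  Trusted     Rate limit (pps)
---------                  -------     ----------------
FastEthernet2/1            yes         100
FastEthernet2/2            yes         none
FastEthernet3/1            no          20
GigabitEthernet5/1         yes         none
"""
ROW = re.compile(r"(\S+)\s+(yes|no)\s+(\d+|none)")
# Assumption: the "allowed" wording mirrors the "not allowed" line shown above.
OPT82 = re.compile(r"Option\s?82 on untrusted port is (not )?allowed")

def parse_snooping(text):
    """Parse 'show ip dhcp snooping' output into a dict."""
    state = {"enabled": False, "vlans": set(), "opt82_untrusted": False, "ports": {}}
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Switch DHCP snooping is enabled.":
            state["enabled"] = True
        elif m := OPT82.fullmatch(line):
            state["opt82_untrusted"] = m[1] is None
        elif re.fullmatch(r"\d[\d,-]*", line):  # VLAN list such as "10-100"
            for part in filter(None, line.split(",")):
                lo, _, hi = part.partition("-")
                state["vlans"].update(range(int(lo), int(hi or lo) + 1))
        elif m := ROW.fullmatch(line):
            rate = None if m[3] == "none" else int(m[3])
            state["ports"][m[1]] = {"trusted": m[2] == "yes", "rate": rate}
    return state

def audit(state, uplinks):
    """List deviations from intent; `uplinks` = ports meant to be trusted."""
    findings = [] if state["enabled"] else ["DHCP snooping is disabled"]
    if state["opt82_untrusted"]:
        findings.append("option 82 accepted on untrusted ports")
    for name, port in state["ports"].items():
        if port["trusted"] and name not in uplinks:
            findings.append(f"{name}: trusted but not a declared uplink")
        if not port["trusted"] and port["rate"] is None:
            findings.append(f"{name}: untrusted with no rate limit")
    return findings
```

Called as audit(parse_snooping(SAMPLE), {"GigabitEthernet5/1"}), it reports FastEthernet2/1 and FastEthernet2/2, which the sample output lists as trusted although the commands shown set trust only on GigabitEthernet5/1.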
The following configuration describes the DHCP snooping configuration steps if routing is defined on
another Catalyst switch (for example, a Catalyst 6500 series switch):
! Trust the uplink gigabit Ethernet trunk port
interface range GigabitEthernet 1/1 - 2
switchport mode trunk
switchport trunk encapsulation dot1q
ip dhcp snooping trust
!
interface VLAN 14
ip address 10.33.234.1 255.255.254.0
ip helper-address 10.5.1.2
Note: If you are enabling trunking on uplink gigabit interfaces, and the above routing configuration is defined
on a Catalyst 6500 series switch, you must configure the “trust” relationship with downstream DHCP
Snooping (on a Catalyst 4500 series switch) which adds Option 82. On a Catalyst 6500 series switch,
this task is accomplished with the ip dhcp relay information trusted VLAN configuration command.
Enabling DHCP Snooping on the Aggregation Switch
To enable DHCP Snooping on an aggregation switch, configure the interface connecting to a downstream
switch as a snooping untrusted port. If the downstream switch (or a device such as a DSLAM in the path
between the aggregation switch and the DHCP clients) adds DHCP information option 82 to the DHCP
packets, the DHCP packets are dropped when they arrive on a snooping untrusted port. Configuring the
ip dhcp snooping information option allow-untrusted global configuration command on the
aggregation switch allows the aggregation switch to accept DHCP requests with option 82
information from any snooping untrusted port.