Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 31 Configuring DHCP Snooping and IP Source Guard
Configuring DHCP Snooping on the Switch
Enabling DHCP Snooping on Private VLAN
DHCP snooping can be enabled on private VLANs, which provide isolation between Layer 2 ports
within the same VLAN. If DHCP snooping is enabled (or disabled), the configuration is propagated to
both the primary VLAN and its associated secondary VLANs. You cannot enable (or disable) DHCP
snooping on a primary VLAN without reflecting this configuration change on the secondary VLANs.

Configuring DHCP snooping on a secondary VLAN is still allowed, but it will not take effect if the
associated primary VLAN is already configured. If the associated primary VLAN is configured, the
effective DHCP snooping mode on the secondary VLAN is derived from the corresponding primary
VLAN. Manually configuring DHCP snooping on a secondary VLAN will cause the switch to issue this
warning message:

    DHCP Snooping configuration may not take effect on secondary vlan XXX

The show ip dhcp snooping command will display all VLANs (both primary and secondary) that have
DHCP snooping enabled.
Enabling the DHCP Snooping Database Agent
To configure the database agent, perform one or more of the following tasks:
Note: Because both NVRAM and bootflash have limited storage capacity, using TFTP or network-based files
is preferable. If you use bootflash to store the database file, new updates to the file (by the agent) result
in the creation of new files, causing the flash to fill very quickly. Moreover, when a file is stored in a
remote location accessible through TFTP, an RPR standby supervisor engine can take over the binding
list when a switchover occurs.

Note: Network-based URLs (such as TFTP and FTP) require that you create an empty file at the configured
URL before the switch can write the set of bindings for the first time.
Command: Switch(config)# ip dhcp snooping database {url | write-delay seconds | timeout seconds}
         Switch(config)# no ip dhcp snooping database [write-delay | timeout]
Purpose: (Required) Configures a URL for the database agent (or file) and the related timeout values.

Command: Switch# show ip dhcp snooping database [detail]
Purpose: (Optional) Displays the current operating state of the database agent and statistics
         associated with the transfers.

Command: Switch# clear ip dhcp snooping database statistics
Purpose: (Optional) Clears the statistics associated with the database agent.

Command: Switch# renew ip dhcp snooping database [validation none] [url]
Purpose: (Optional) Requests that entries be read from a file at the given URL.

Command: Switch# ip dhcp snooping binding mac-addr vlan vlan ipaddr interface ifname expiry lease-in-seconds
         Switch# no ip dhcp snooping binding mac-addr vlan vlan ipaddr interface ifname
Purpose: (Optional) Adds/deletes bindings to the snooping database.
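
The following session is an added example, not taken from the original guide, that applies the commands in the table above in order: set the agent URL and timers, verify the agent, then add, remove, and reload bindings. The TFTP server address, file path, MAC address, VLAN, IP address, interface, and timer values are all constructed for illustration.

```ios
! Constructed values throughout: TFTP server 10.1.1.1, file snooping/sw1-bindings,
! VLAN 10, host 0001.1234.1234 at 10.1.10.5 on interface gi1/1.
!
! Prerequisite from the note above: an empty file named snooping/sw1-bindings
! must already exist on the TFTP server before the first write.
Switch# configure terminal
Switch(config)# ip dhcp snooping database tftp://10.1.1.1/snooping/sw1-bindings
Switch(config)# ip dhcp snooping database write-delay 60
Switch(config)# ip dhcp snooping database timeout 120
Switch(config)# end
!
! Check the agent's operating state and transfer statistics.
Switch# show ip dhcp snooping database detail
!
! Reset the counters before a test so new transfer failures stand out.
Switch# clear ip dhcp snooping database statistics
!
! Add a manual binding with a 1000-second lease, then delete it.
Switch# ip dhcp snooping binding 0001.1234.1234 vlan 10 10.1.10.5 interface gi1/1 expiry 1000
Switch# no ip dhcp snooping binding 0001.1234.1234 vlan 10 10.1.10.5 interface gi1/1
!
! Request a read of the entries stored in the file at the configured URL.
Switch# renew ip dhcp snooping database tftp://10.1.1.1/snooping/sw1-bindings
```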