Configuring the Switch

3-102

3
- If a DHCP packet from a client passes the filtering criteria above, it will only be
forwarded to trusted ports in the same VLAN.
- If a DHCP packet is from server is received on a trusted port, it will be forwarded
to both trusted and untrusted ports in the same VLAN.
- If the DHCP snooping is globally disabled, all dynamic bindings are removed
from the binding table.
-Additional considerations when the switch itself is a DHCP client – The port(s)
through which the switch submits a client request to the DHCP server must be
configured as trusted. Note that the switch will not add a dynamic entry for itself
to the binding table when it receives an ACK message from a DHCP server.
Also, when the switch sends out DHCP client packets for itself, no filtering takes
place. However, when the switch receives any messages from a DHCP server,
any packets received from untrusted ports are dropped.

DHCP Snooping Configuration

Use the DHCP Snooping Configuration page to enable DHCP Snooping globally on
the switch, or to configure MAC Address Verification.
Command Attributes
DHCP Snooping Status – Enables DHCP snooping globally. (Default: Disabled)
DHCP Snooping MAC-Address Verification – Enables or disables MAC address
verification. If the source MAC address in the Ethernet header of the packet is not
same as the client's hardware address in the DHCP packet, the packet is dropped.
Web – Click DHCP Snooping, Configuration. Select the required options and click
Apply.
Figure 3-62 DHCP Snooping Configuration
CLI – This example first enables DHCP Snooping, and then enables DHCP
Snooping MAC-Address Verification.
Console(config)#ip dhcp snooping 4-132
Console(config)#ip dhcp snooping verify mac-address 4-135
Console(config)#