General Security Measures

4-133

MAC address verification is enabled, then the packet will only be
forwarded if the client’s hardware address stored in the DHCP packet is
the same as the source MAC address in the Ethernet header.
* If the DHCP packet is not a recognizable type, it is dropped.
- If a DHCP packet from a client passes the filtering criteria above, it will only
be forwarded to trusted ports in the same VLAN.
- If a DHCP packet from a server is received on a trusted port, it will be
forwarded to both trusted and untrusted ports in the same VLAN.
If DHCP snooping is globally disabled, all dynamic bindings are removed
from the binding table.
Additional considerations when the switch itself is a DHCP client – The port(s)
through which the switch submits a client request to the DHCP server must be
configured as trusted (ip dhcp snooping trust, page 4-134). Note that the
switch will not add a dynamic entry for itself to the binding table when it
receives an ACK message from a DHCP server. Also, when the switch sends
out DHCP client packets for itself, no filtering takes place. However, when the
switch receives any messages from a DHCP server, any packets received
from untrusted ports are dropped.
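The forwarding rules above, as an added Python model of the snooping decision (this is example code, not the switch firmware or any vendor code). The VLAN membership, trusted-port set and sample frames are constructed for the example, and it assumes the hardware-address check applies to client frames arriving on untrusted ports.

```python
from dataclasses import dataclass

# Constructed topology: VLAN 10 has ports 1-4; port 1 is the uplink to the DHCP server.
VLAN_PORTS = {10: {1, 2, 3, 4}}    # vlan -> member ports
TRUSTED = {10: {1}}                # vlan -> ports configured with "ip dhcp snooping trust"
SNOOPING_VLANS = {10}              # VLANs enabled with "ip dhcp snooping vlan"
CLIENT_TYPES = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}
SERVER_TYPES = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpFrame:
    vlan: int
    ingress: int      # port the frame arrived on
    src_mac: str      # Ethernet source address
    chaddr: str       # client hardware address carried inside the DHCP packet
    msg_type: str     # DHCP message type


def snoop(frame, snooping_enabled=True, verify_mac=True):
    """Return the set of egress ports; an empty set means the frame is dropped."""
    members = VLAN_PORTS[frame.vlan] - {frame.ingress}
    # Snooping off globally or not enabled on this VLAN: normal flooding, no filtering.
    if not snooping_enabled or frame.vlan not in SNOOPING_VLANS:
        return members
    trusted = TRUSTED.get(frame.vlan, set())
    if frame.msg_type in CLIENT_TYPES:
        # Assumption: MAC verification is applied to client frames on untrusted ports.
        if verify_mac and frame.ingress not in trusted and frame.src_mac != frame.chaddr:
            return set()                    # chaddr does not match Ethernet source
        return trusted - {frame.ingress}    # client frames reach trusted ports only
    if frame.msg_type in SERVER_TYPES:
        if frame.ingress not in trusted:
            return set()                    # server reply on an untrusted port: dropped
        return members                      # trusted server reply goes to all VLAN ports
    return set()                            # unrecognizable DHCP type: dropped


if __name__ == "__main__":
    print(snoop(DhcpFrame(10, 2, "aa:bb", "aa:bb", "DISCOVER")))  # {1}
    print(snoop(DhcpFrame(10, 3, "ee:ff", "aa:bb", "OFFER")))     # set()
```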
Example
This example enables DHCP snooping globally for the switch.
Console(config)#ip dhcp snooping
Console(config)#
Related Commands
ip dhcp snooping vlan (4-133)
ip dhcp snooping trust (4-134)

ip dhcp snooping vlan

This command enables DHCP snooping on the specified VLAN. Use the no form to
restore the default setting.
Syntax
[no] ip dhcp snooping vlan vlan-id
vlan-id - ID of a configured VLAN (Range: 1-4094)
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
When DHCP snooping is enabled globally using the ip dhcp snooping
command (page 4-132), and enabled on a VLAN with this command, DHCP