CINXE.COM
Security - Configuring DHCP Snooping [Support] - Cisco Systems
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <!-- $Revision: 1.8 $ (c) 1992-2004 Cisco Systems, Inc. All rights reserved. Terms and Conditions: http://cisco.com/en/US/swassets/sw293/sitewide_important_notices.html --> <head> <title> Security - Configuring DHCP Snooping [Support] - Cisco Systems </title> <meta http-equiv="Content-type" content="text/html;charset=UTF-8"/> <meta name="concept" content="Support"/> <meta name="accessLevel" content="Guest"/> <meta name="country" content="US"/> <meta name="primaryObjectId" content="external_docbase:0900e4b1804a5e6a"/> <meta name="docType" content="TSD Island of Content Chapter"/> <meta name="language" content="en"/> <meta name="contentType" content="cisco.com#US#postSales"/> <meta name="iaPath" content="cisco.com#Technical Support"/> <meta name="ioContentSource" content="CCIM-TD"/> <meta name="locale" content="US"/> <meta name="date" content="Tue Nov 06 10:45:29 PST 2007"/> <meta name="docRequest" content="/en/US/docs/general/Test/dwerblo/broken_guide/snoodhcp.html"/> <link rel="canonical" href="http://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/snoodhcp.html"/> <meta name="title" content="Security - Configuring DHCP Snooping&nbsp; [Support]"/> <meta property="og:site_name" content="Cisco" /> <meta property="og:image" content="http://www.cisco.com/web/fw/i/logo-open-graph.gif" /> <meta property="og:title" content="Security - Configuring DHCP Snooping&nbsp; [Support]" /> <meta property="fb:app_id" content="156494687694418" /> <meta property="og:type" content="website" /> <meta property="og:url" content="http://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/snoodhcp.html" /> <script type="text/javascript" src="/web/fw/j/global.js"></script> <link rel="stylesheet" type="text/css" href="/web/fw/c/global.css" /> <link rel="stylesheet" type="text/css" media="print" href="/web/fw/c/global_print.css" /> <link rel="stylesheet" type="text/css" href="/web/fw/c/book.css" > <link rel="search" type="application/opensearchdescription+xml" title="Search Cisco.com" href="http://www.cisco.com/web/tsweb/searchplugins/cdc_search.xml" /> <script>!function(e){var n="https://s.go-mpulse.net/boomerang/";if("False"=="True")e.BOOMR_config=e.BOOMR_config||{},e.BOOMR_config.PageParams=e.BOOMR_config.PageParams||{},e.BOOMR_config.PageParams.pci=!0,n="https://s2.go-mpulse.net/boomerang/";if(window.BOOMR_API_key="GKZXC-NS3SU-A7VFH-HKBHM-U7LKH",function(){function e(){if(!o){var e=document.createElement("script");e.id="boomr-scr-as",e.src=window.BOOMR.url,e.async=!0,i.parentNode.appendChild(e),o=!0}}function t(e){o=!0;var n,t,a,r,d=document,O=window;if(window.BOOMR.snippetMethod=e?"if":"i",t=function(e,n){var t=d.createElement("script");t.id=n||"boomr-if-as",t.src=window.BOOMR.url,BOOMR_lstart=(new Date).getTime(),e=e||d.body,e.appendChild(t)},!window.addEventListener&&window.attachEvent&&navigator.userAgent.match(/MSIE [67]\./))return window.BOOMR.snippetMethod="s",void t(i.parentNode,"boomr-async");a=document.createElement("IFRAME"),a.src="about:blank",a.title="",a.role="presentation",a.loading="eager",r=(a.frameElement||a).style,r.width=0,r.height=0,r.border=0,r.display="none",i.parentNode.appendChild(a);try{O=a.contentWindow,d=O.document.open()}catch(_){n=document.domain,a.src="javascript:var d=document.open();d.domain='"+n+"';void(0);",O=a.contentWindow,d=O.document.open()}if(n)d._boomrl=function(){this.domain=n,t()},d.write("<bo"+"dy onload='document._boomrl();'>");else if(O._boomrl=function(){t()},O.addEventListener)O.addEventListener("load",O._boomrl,!1);else if(O.attachEvent)O.attachEvent("onload",O._boomrl);d.close()}function a(e){window.BOOMR_onload=e&&e.timeStamp||(new Date).getTime()}if(!window.BOOMR||!window.BOOMR.version&&!window.BOOMR.snippetExecuted){window.BOOMR=window.BOOMR||{},window.BOOMR.snippetStart=(new Date).getTime(),window.BOOMR.snippetExecuted=!0,window.BOOMR.snippetVersion=12,window.BOOMR.url=n+"GKZXC-NS3SU-A7VFH-HKBHM-U7LKH";var i=document.currentScript||document.getElementsByTagName("script")[0],o=!1,r=document.createElement("link");if(r.relList&&"function"==typeof r.relList.supports&&r.relList.supports("preload")&&"as"in r)window.BOOMR.snippetMethod="p",r.href=window.BOOMR.url,r.rel="preload",r.as="script",r.addEventListener("load",e),r.addEventListener("error",function(){t(!0)}),setTimeout(function(){if(!o)t(!0)},3e3),BOOMR_lstart=(new Date).getTime(),i.parentNode.appendChild(r);else t(!1);if(window.addEventListener)window.addEventListener("load",a,!1);else if(window.attachEvent)window.attachEvent("onload",a)}}(),"".length>0)if(e&&"performance"in e&&e.performance&&"function"==typeof e.performance.setResourceTimingBufferSize)e.performance.setResourceTimingBufferSize();!function(){if(BOOMR=e.BOOMR||{},BOOMR.plugins=BOOMR.plugins||{},!BOOMR.plugins.AK){var n=""=="true"?1:0,t="",a="bdpnbeqxgy4r2z5ytwba-f-6a9eb059a-clientnsv4-s.akamaihd.net",i="false"=="true"?2:1,o={"ak.v":"39","ak.cp":"61004","ak.ai":parseInt("271834",10),"ak.ol":"0","ak.cr":4,"ak.ipv":4,"ak.proto":"http/1.1","ak.rid":"2ccf32f6","ak.r":37669,"ak.a2":n,"ak.m":"dsca","ak.n":"essl","ak.bpcip":"8.222.208.0","ak.cport":49182,"ak.gh":"23.53.33.222","ak.quicv":"","ak.tlsv":"tls1.2","ak.0rtt":"","ak.0rtt.ed":"","ak.csrc":"-","ak.acc":"reno","ak.t":"1740152194","ak.ak":"hOBiQwZUYzCg5VSAfCLimQ==RVDgt3oreXjX3gCld+ERRQpPfIN3/alD6No/Ad487G4RPnghLLYVtGsLj4afvwr9iRN6e+8xhlA4JJ6WuqInOnXt0zIctUU8i1HPO1E4tA4oIWVhLFBkWKbmd5wQA+KOOIZS4b9jcVN3Olf3II1xcxnc9GlvAn7TAkYv5BWinoJL3LK2j4MUwqqOyBSINA6EZvzzWvbyUehq1Dx6/piv080PON4HpaHrxxKhB092nOD8cw2RX72lqHTraFDcK8ZxeHBZpOCUrTjcb6dIQWe6rMchl2L5d2n4Typ92hqHuDPszsGEFO2WrCbOG6yLBF1A72brY9mf0azOdvZSOM3fo5CNFYRuD/bUpnTTLRed9ZV17kP6K3mSCAf2KkSE6KTKDZgys1IvqIuFBHSaRPLJeiA6hRsrjSHRPUPXRMQXQRs=","ak.pv":"521","ak.dpoabenc":"","ak.tf":i};if(""!==t)o["ak.ruds"]=t;var r={i:!1,av:function(n){var t="http.initiator";if(n&&(!n[t]||"spa_hard"===n[t]))o["ak.feo"]=void 0!==e.aFeoApplied?1:0,BOOMR.addVar(o)},rv:function(){var e=["ak.bpcip","ak.cport","ak.cr","ak.csrc","ak.gh","ak.ipv","ak.m","ak.n","ak.ol","ak.proto","ak.quicv","ak.tlsv","ak.0rtt","ak.0rtt.ed","ak.r","ak.acc","ak.t","ak.tf"];BOOMR.removeVar(e)}};BOOMR.plugins.AK={akVars:o,akDNSPreFetchDomain:a,init:function(){if(!r.i){var e=BOOMR.subscribe;e("before_beacon",r.av,null,null),e("onbeacon",r.rv,null,null),r.i=!0}return this},is_complete:function(){return!0}}}}()}(window);</script></head> <body> <table width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> <td width="30%" rowspan="2" valign="bottom"><div class="logo" align="center"><a href="/en/US/hmpgs/index.html" name="&lpos=ft_" rel="exit"><img border="0" alt="Cisco Systems, Inc." height="73" width="110" src="/web/fw/i/logo.gif"></a></div> <div class="logo-bottom-border"><img src="/web/fw/i/logo_bottom_border_bg.gif" alt=""></div> </td> <td width="70%" align="left" valign="top"><div class="book-heading"> </div></td> </tr> <tr> <td width="70%" valign="bottom"><div class="book-heading"> <div class="chapter-title">Configuring DHCP Snooping</div> </div> <div class="masthead"><img src="/web/fw/i/book_content_masthead.gif" alt=""></div></td> </tr> <tr align="left" valign="top"> <td width="30%"><!-- googleoff:index --> </td> <td width="70%"><div class="book"><!-- googleon:index --> <div class="sidebar"> <!-- $Revision: 1.2 $ (c) 1992-2004 Cisco Systems, Inc. All rights reserved. Terms and Conditions: http://cisco.com/en/US/swassets/sw293/sitewide_important_notices.html --> <!-- Description: package for pdf module. --> <div class="book-pdf-module"> <div class="pdf-module-title">Download this chapter</div> <div class="pdf-module-link"> <img alt="Configuring DHCP Snooping" width="20" height="16" border="0" src="http://www.cisco.com/swa/i/icon_pdf.gif"><a href="/en/US/docs/general/Test/dwerblo/broken_guide/snoodhcp.pdf" class="contentlink" target="_blank">Configuring DHCP Snooping</a> </div> </div> <migrate> <a href="javascript: void(0)" onclick="window.open('https://secure.opinionlab.com/ccc01/o.asp?id=HPXysfff&referer='+document.URL+'&resize=false', 'feedback', 'width=550, height=460, scrollbars=1, menubar=1, resizable=1'); return false;"><img id="feedback_img" border="0" style="cursor: pointer;" title="Feedback" src="http://www.cisco.com/web/fw/i/sm_0000EE_oo1.gif"> Feedback</a> </migrate> </div> <?xml version="1.0" encoding="UTF-8"?> <div class="contentMargins"><span class="content"> <!-- WFP 1.0.0.0 Released 11/20/2006 --> <!-- Added on date : 10/09/2003 Do not delete blockquotes --> <MIGRATE><LINK REL="stylesheet" HREF="/swa/c/ccimr.css" TYPE="text/css" /></MIGRATE> <blockquote> <!-- Start of Mini TOC : Added on 09/23/2003 16:38:30 PST --> <h2 class="p_H_Head1">Table Of Contents</h2> <p class="MiniTOC1"><a href="#wp1074087">Configuring DHCP Snooping </a></p> <p class="MiniTOC2"><a href="#wp1120427">Understanding DHCP Snooping</a></p> <p class="MiniTOC3"><a href="#wp1119962">Overview of DHCP Snooping</a></p> <p class="MiniTOC3"><a href="#wp1114389">Trusted and Untrusted Sources</a></p> <p class="MiniTOC3"><a href="#wp1101941">DHCP Snooping Binding Database</a></p> <p class="MiniTOC3"><a href="#wp1101946">Packet Validation</a></p> <p class="MiniTOC3"><a href="#wp1108657">DHCP Snooping Option-82 Data Insertion</a></p> <p class="MiniTOC3"><a href="#wp1090370">Overview of the DHCP Snooping Database Agent</a></p> <p class="MiniTOC2"><a href="#wp1097570">Default Configuration for DHCP Snooping</a></p> <p class="MiniTOC2"><a href="#wp1102622">DHCP Snooping Configuration Restrictions and Guidelines</a></p> <p class="MiniTOC3"><a href="#wp1114949">DHCP Snooping Configuration Restrictions </a></p> <p class="MiniTOC3"><a href="#wp1114907">DHCP Snooping Configuration Guidelines</a></p> <p class="MiniTOC3"><a href="#wp1115085">Minimum DHCP Snooping Configuration</a></p> <p class="MiniTOC2"><a href="#wp1073367">Configuring DHCP Snooping </a></p> <p class="MiniTOC3"><a href="#wp1073418">Enabling DHCP Snooping Globally</a></p> <p class="MiniTOC3"><a href="#wp1099127">Enabling DHCP Option-82 Data Insertion </a></p> <p class="MiniTOC3"><a href="#wp1109594">Enabling the DHCP Option-82 on Untrusted Port Feature</a></p> <p class="MiniTOC3"><a href="#wp1099635">Enabling DHCP Snooping MAC Address Verification</a></p> <p class="MiniTOC3"><a href="#wp1097781">Enabling DHCP Snooping on VLANs</a></p> <p class="MiniTOC3"><a href="#wp1098976">Configuring the DHCP Trust State on Layer 2 LAN Interfaces</a></p> <p class="MiniTOC3"><a href="#wp1097369">Configuring DHCP Snooping Rate Limiting on Layer 2 LAN Interfaces</a></p> <p class="MiniTOC3"><a href="#wp1090479">Configuring the DHCP Snooping Database Agent</a></p> <p class="MiniTOC3"><a href="#wp1092681">Configuration Examples for the Database Agent</a></p> <p class="MiniTOC4"><a href="#wp1090512">Example 1: Enabling the Database Agent</a></p> <p class="MiniTOC4"><a href="#wp1090557">Example 2: Reading Binding Entries from a TFTP File</a></p> <p class="MiniTOC4"><a href="#wp1090624">Example 3: Adding Information to the DHCP Snooping Database</a></p> <p class="MiniTOC3"><a href="#wp1084420">Displaying a Binding Table</a></p> <br /> <!-- End of Mini TOC --> <a name="wp1073797"></a><a name="wpxref40280"></a><a name="wp1074087"></a><a name="wpxref12371"></a><h2 class="pCT_ChapTitle"> Configuring DHCP Snooping </h2> <hr class="Chap1" /> <a name="wp1117779"></a><a name="wpmkr1117778"></a><p class="pB1_Body1"> This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping in Cisco IOS Software Release 12.2SX. </p> <a name="wp1076360"></a><p class="pB1_Body1"> This chapter consists of the following major sections: </p> <a name="wp1098616"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1120427">Understanding DHCP Snooping</a> </p> <a name="wp1073339"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1097570">Default Configuration for DHCP Snooping</a> </p> <a name="wp1114801"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1102622">DHCP Snooping Configuration Restrictions and Guidelines</a> </p> <a name="wp1073343"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1073367">Configuring DHCP Snooping</a> </p> <div class="Note1B"><img src="../../../../../i/templates/note.gif" alt="" /></div><hr class="Cautn1table" /> <a name="wp1107390"></a><p class="pN1P_Note1Para"> <b>Note </b><img src="../../../../../i/templates/blank.gif" alt="" width="1" height="2" border="0" />For complete syntax and usage information for the commands used in this chapter, see the <em class="cEmphasis">Cisco IOS Software Releases 12.2SX Command References</em> at this URL: </p> <a name="wp1128713"></a><p class="pB1_Body1"> <a href="http://www.cisco.com/en/US/docs/ios/mcl/122sx_mcl.html">http://www.cisco.com/en/US/docs/ios/mcl/122sx_mcl.html</a> </p> <hr class="Cautn1table" /><a name="wp1120424"></a><a name="Understanding_DHCP_Snooping"> </a> <a name="wp1120427"></a><a name="wpmkr1120425"></a><a name="wpxref69282"></a><h2 class="p_H_Head1"> Understanding DHCP Snooping </h2> <a name="wp1120006"></a><p class="pB1_Body1"> These sections describe the DHCP snooping feature: </p> <a name="wp1120010"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1119962">Overview of DHCP Snooping</a> </p> <a name="wp1120032"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1114389">Trusted and Untrusted Sources</a> </p> <a name="wp1120014"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1101941">DHCP Snooping Binding Database</a> </p> <a name="wp1120018"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1101946">Packet Validation</a> </p> <a name="wp1120022"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1108657">DHCP Snooping Option-82 Data Insertion</a> </p> <a name="wp1120031"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1090370">Overview of the DHCP Snooping Database Agent</a> </p> <a name="Overview_of_DHCP_Snooping"> </a> <a name="wp1119962"></a><a name="wpxref17128"></a><h3 class="p_H_Head2"> Overview of DHCP Snooping </h3> <a name="wp1114027"></a><p class="pB1_Body1"> DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities: </p> <a name="wp1114028"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />Validates DHCP messages received from untrusted sources and filters out invalid messages. </p> <a name="wp1113844"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />Rate-limits DHCP traffic from trusted and untrusted sources. </p> <a name="wp1113794"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses. </p> <a name="wp1118795"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts. </p> <a name="wp1118796"></a><p class="pB1_Body1"> Other security features, such as dynamic ARP inspection (DAI), also use information stored in the DHCP snooping binding database. </p> <a name="wp1114005"></a><p class="pB1_Body1"> DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs. </p> <a name="wp1111853"></a><p class="pB1_Body1"> The DHCP snooping feature is implemented in software on the route processor (RP). Therefore, all DHCP messages for enabled VLANs are intercepted in the PFC and directed to the RP for processing. </p> <a name="Trusted_and_Untrusted_Sources"> </a> <a name="wp1114389"></a><a name="wpxref52677"></a><h3 class="p_H_Head2"> Trusted and Untrusted Sources </h3> <a name="wp1119920"></a><p class="pB1_Body1"> The DHCP snooping feature determines whether traffic sources are trusted or untrusted. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, the DHCP snooping feature filters messages and rate-limits traffic from untrusted sources. </p> <a name="wp1116259"></a><p class="pB1_Body1"> In an enterprise network, devices under your administrative control are trusted sources. These devices include the switches, routers and servers in your network. Any device beyond the firewall or outside your network is an untrusted source. Host ports are generally treated as untrusted sources. </p> <a name="wp1116308"></a><p class="pB1_Body1"> In a service provider environment, any device that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources. </p> <a name="wp1116617"></a><p class="pB1_Body1"> In the switch, you indicate that a source is trusted by configuring the trust state of its connecting interface. </p> <a name="wp1114429"></a><p class="pB1_Body1"> The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted. You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network. You usually do not configure host port interfaces as trusted. </p> <div class="Note1B"><img src="../../../../../i/templates/note.gif" alt="" /></div><hr class="Cautn1table" /> <a name="wp1101939"></a><p class="pN1_Note1"> <b>Note </b><img src="../../../../../i/templates/blank.gif" alt="" width="1" height="2" border="0" />For DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted interfaces, as untrusted DHCP messages will be forwarded only to trusted interfaces. </p> <hr class="Cautn1table" /> <a name="DHCP_Snooping_Binding_Database"> </a> <a name="wp1101941"></a><a name="wpmkr1114681"></a><a name="wpmkr1114682"></a><a name="wpmkr1114683"></a><a name="wpxref78020"></a><a name="wpmkr1114684"></a><a name="wpmkr1114685"></a><h3 class="p_H_Head2"> DHCP Snooping Binding Database </h3> <a name="wp1112178"></a><a name="wpmkr1103439"></a><a name="wpmkr1103437"></a><a name="wpmkr1103435"></a><a name="wpmkr1101943"></a><a name="wpmkr1103445"></a><a name="wpmkr1113218"></a><a name="wpmkr1113219"></a><a name="wpmkr1113220"></a><p class="pB1_Body1"> The DHCP snooping binding database is also referred to as the DHCP snooping binding table. </p> <a name="wp1114690"></a><p class="pB1_Body1"> The DHCP snooping feature dynamically builds and maintains the database using information extracted from intercepted DHCP messages. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces. </p> <a name="wp1117847"></a><p class="pB1_Body1"> The DHCP snooping feature updates the database when the switch receives specific DHCP messages. For example, the feature adds an entry to the database when the switch receives a DHCPACK message from the server. The feature removes the entry in the database when the IP address lease expires or the switch receives a DHCPRELEASE message from the host. </p> <a name="wp1112737"></a><p class="pB1_Body1"> Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host. </p> <a name="Packet_Validation"> </a> <a name="wp1101946"></a><a name="wpxref24840"></a><h3 class="p_H_Head2"> Packet Validation </h3> <a name="wp1113549"></a><p class="pB1_Body1"> The switch validates DHCP packets received on the untrusted interfaces of VLANs with DHCP snooping enabled. The switch forwards the DHCP packet unless any of the following conditions occur (in which case the packet is dropped): </p> <a name="wp1119166"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />The switch receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet) from a DHCP server outside the network or firewall. </p> <a name="wp1113580"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on. </p> <a name="wp1101952"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received. </p> <a name="wp1101953"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0. </p> <a name="wp1122044"></a><a name="wpmkr1109422"></a><p class="pB1_Body1"> To support trusted edge switches that are connected to untrusted aggregation-switch ports, you can enable the DHCP option-82 on untrusted port feature, which enables untrusted aggregation-switch ports to accept DHCP packets that include option-82 information. Configure the port on the edge switch that connects to the aggregation switch as a trusted port. </p> <div class="Note1B"><img src="../../../../../i/templates/note.gif" alt="" /></div><hr class="Cautn1table" /> <a name="wp1108993"></a><p class="pN1_Note1"> <b>Note </b><img src="../../../../../i/templates/blank.gif" alt="" width="1" height="2" border="0" />With the DHCP option-82 on untrusted port feature enabled, use dynamic ARP inspection on the aggregation switch to protect untrusted input interfaces. </p> <hr class="Cautn1table" /> <a name="DHCP_Snooping_Option-82_Data_Insertion"> </a> <a name="wp1108657"></a><a name="wpxref80785"></a><a name="wpmkr1108655"></a><a name="wpmkr1108656"></a><h3 class="p_H_Head2"> DHCP Snooping Option-82 Data Insertion </h3> <a name="wp1101957"></a><p class="pB1_Body1"> In residential, metropolitan Ethernet-access environments, DHCP can centrally manage the IP address assignments for a large number of subscribers. When the DHCP snooping option-82 feature is enabled on the switch, a subscriber device is identified by the switch port through which it connects to the network (in addition to its MAC address). Multiple hosts on the subscriber LAN can be connected to the same port on the access switch and are uniquely identified. </p> <a name="wp1101962"></a><p class="pB1_Body1"> <a href="#wp1101964">Figure 46-1</a> is an example of a metropolitan Ethernet network in which a centralized DHCP server assigns IP addresses to subscribers connected to the switch at the access layer. Because the DHCP clients and their associated DHCP server do not reside on the same IP network or subnet, a DHCP relay agent is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server. </p> <a name="wp1101964"></a><a name="wpxref78270"></a><p class="pTC_TableCap"> Figure 46-1 DHCP Relay Agent in a Metropolitan Ethernet Network </p> <a name="wp1101968"></a><p class="pAnchor"> </p> <div align="left"><img src="../../../../../../../../i/000001-100000/95001-100000/98001-99000/98813.jpg" id="wp1101966" border="0" hspace="0" vspace="0"/></div><p class="pAnchor"> </p> <a name="wp1101969"></a><a name="wpmkr1101970"></a><p class="pB1_Body1"> When you enable the DHCP snooping information option-82 on the switch, this sequence of events occurs: </p> <a name="wp1101971"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />The host (DHCP client) generates a DHCP request and broadcasts it on the network. </p> <a name="wp1101972"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />When the switch receives the DHCP request, it adds the option-82 information in the packet. The option-82 information contains the switch MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (the circuit ID suboption). </p> <a name="wp1122886"></a><a name="wpmkr1122903"></a><a name="wpmkr1123175"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />If IEEE 802.1X port-based authentication is enabled, the switch will also add the host's 802.1X authenticated user identity information (the RADIUS attributes suboption) to the packet. See the <a href="dot1x.html#wpxref75636">"Using 802.1X Authentication with DHCP Snooping" section on page 52-8</a>. </p> <a name="wp1101973"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />If the IP address of the relay agent is configured, the switch adds the IP address in the DHCP packet. </p> <a name="wp1101974"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />The switch forwards the DHCP request that includes the option-82 field to the DHCP server. </p> <a name="wp1101975"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />The DHCP server receives the packet. If the server is option-82 capable, it can use the remote ID, or the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. The DHCP server then echoes the option-82 field in the DHCP reply. </p> <a name="wp1101976"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch. When the client and server are on the same subnet, the server broadcasts the reply. The switch verifies that it originally inserted the option-82 data by inspecting the remote ID and possibly the circuit ID fields. The switch removes the option-82 field and forwards the packet to the switch port that connects to the DHCP client that sent the DHCP request. </p> <a name="wp1101977"></a><p class="pB1_Body1"> When the previously described sequence of events occurs, the values in these fields in <a href="#wp1102001">Figure 46-2</a> do not change: </p> <a name="wp1101984"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />Circuit ID suboption fields </p> <a name="wp1101985"></a><p class="pBu2_Bullet2"> –<img src="../../../../../i/templates/blank.gif" alt="" width="17" height="2" border="0" />Suboption type </p> <a name="wp1101986"></a><p class="pBu2_Bullet2"> –<img src="../../../../../i/templates/blank.gif" alt="" width="17" height="2" border="0" />Length of the suboption type </p> <a name="wp1101987"></a><p class="pBu2_Bullet2"> –<img src="../../../../../i/templates/blank.gif" alt="" width="17" height="2" border="0" />Circuit ID type </p> <a name="wp1101988"></a><p class="pBu2_Bullet2"> –<img src="../../../../../i/templates/blank.gif" alt="" width="17" height="2" border="0" />Length of the circuit ID type </p> <a name="wp1101989"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />Remote ID suboption fields </p> <a name="wp1101990"></a><p class="pBu2_Bullet2"> –<img src="../../../../../i/templates/blank.gif" alt="" width="17" height="2" border="0" />Suboption type </p> <a name="wp1101991"></a><p class="pBu2_Bullet2"> –<img src="../../../../../i/templates/blank.gif" alt="" width="17" height="2" border="0" />Length of the suboption type </p> <a name="wp1101992"></a><p class="pBu2_Bullet2"> –<img src="../../../../../i/templates/blank.gif" alt="" width="17" height="2" border="0" />Remote ID type </p> <a name="wp1101993"></a><p class="pBu2_Bullet2"> –<img src="../../../../../i/templates/blank.gif" alt="" width="17" height="2" border="0" />Length of the circuit ID type </p> <a name="wp1101995"></a><a name="wpmkr1103431"></a><a name="wpmkr1103429"></a><a name="wpmkr1103427"></a><a name="wpmkr1103425"></a><p class="pB1_Body1"> <a href="#wp1102001">Figure 46-2</a> shows the packet formats for the remote ID suboption and the circuit ID suboption. The switch uses the packet formats when DHCP snooping is globally enabled and when the<b class="cBold"> ip dhcp snooping information option </b>global configuration command is entered. For the circuit ID suboption, the module field is the slot number of the module. </p> <a name="wp1102001"></a><a name="wpxref47956"></a><p class="pTC_TableCap"> Figure 46-2 Suboption Packet Formats </p> <a name="wp1102005"></a><p class="pAnchor"> </p> <div align="left"><img src="../../../../../../../../i/100001-200000/110001-120000/116001-117000/116300.jpg" id="wp1102003" border="0" hspace="0" vspace="0"/></div><p class="pAnchor"> </p> <a name="Overview_of_the_DHCP_Snooping_Database_Agent"> </a> <a name="wp1090370"></a><a name="wpmkr1091688"></a><a name="wpmkr1103443"></a><a name="wpxref58256"></a><h3 class="p_H_Head2"> Overview of the DHCP Snooping Database Agent </h3> <a name="wp1090371"></a><p class="pB1_Body1"> To retain the bindings across reloads, you must use the DHCP snooping database agent. Without this agent, the bindings established by DHCP snooping are lost upon reload, and connectivity is lost as well. </p> <a name="wp1090372"></a><p class="pB1_Body1"> The database agent stores the bindings in a file at a configured location. Upon reload, the switch reads the file to build the database for the bindings. The switch keeps the file current by writing to the file as the database changes. </p> <a name="wp1090373"></a><p class="pB1_Body1"> The format of the file that contains the bindings is as follows: </p> <a name="wp1090374"></a><div class="pEx1_Example1"> <pre><initial-checksum> </pre> </div><a name="wp1090375"></a><div class="pEx1_Example1"> <pre>TYPE DHCP-SNOOPING </pre> </div><a name="wp1090376"></a><div class="pEx1_Example1"> <pre>VERSION 1 </pre> </div><a name="wp1090377"></a><div class="pEx1_Example1"> <pre>BEGIN </pre> </div><a name="wp1090378"></a><div class="pEx1_Example1"> <pre><entry-1> <checksum-1> </pre> </div><a name="wp1090379"></a><div class="pEx1_Example1"> <pre><entry-2> <checksum-1-2> </pre> </div><a name="wp1090380"></a><div class="pEx1_Example1"> <pre>... </pre> </div><a name="wp1090381"></a><div class="pEx1_Example1"> <pre>... </pre> </div><a name="wp1090382"></a><div class="pEx1_Example1"> <pre><entry-n> <checksum-1-2-..-n> </pre> </div><a name="wp1090383"></a><div class="pEx1_Example1"> <pre>END </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1090384"></a><br /></pre></div> <a name="wp1090385"></a><p class="pB1_Body1"> Each entry in the file is tagged with a checksum that is used to validate the entries whenever the file is read. The <initial-checksum> entry on the first line helps distinguish entries associated with the latest write from entries that are associated with a previous write. </p> <a name="wp1090386"></a><p class="pB1_Body1"> This is a sample bindings file: </p> <a name="wp1090387"></a><div class="pEx1_Example1"> <pre>3ebe1518 </pre> </div><a name="wp1090388"></a><div class="pEx1_Example1"> <pre>TYPE DHCP-SNOOPING </pre> </div><a name="wp1090389"></a><div class="pEx1_Example1"> <pre>VERSION 1 </pre> </div><a name="wp1090390"></a><div class="pEx1_Example1"> <pre>BEGIN </pre> </div><a name="wp1090391"></a><div class="pEx1_Example1"> <pre>1.1.1.1 512 0001.0001.0005 3EBE2881 Gi1/1 e5e1e733 </pre> </div><a name="wp1090392"></a><div class="pEx1_Example1"> <pre>1.1.1.1 512 0001.0001.0002 3EBE2881 Gi1/1 4b3486ec </pre> </div><a name="wp1090393"></a><div class="pEx1_Example1"> <pre>1.1.1.1 1536 0001.0001.0004 3EBE2881 Gi1/1 f0e02872 </pre> </div><a name="wp1090394"></a><div class="pEx1_Example1"> <pre>1.1.1.1 1024 0001.0001.0003 3EBE2881 Gi1/1 ac41adf9 </pre> </div><a name="wp1090395"></a><div class="pEx1_Example1"> <pre>1.1.1.1 1 0001.0001.0001 3EBE2881 Gi1/1 34b3273e </pre> </div><a name="wp1090396"></a><div class="pEx1_Example1"> <pre>END </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1090397"></a><br /></pre></div> <a name="wp1090398"></a><p class="pB1_Body1"> Each entry holds an IP address, VLAN, MAC address, lease time (in hex), and the interface associated with a binding. At the end of each entry is a checksum that is based on all the bytes from the start of the file through all the bytes associated with the entry. Each entry consists of 72 bytes of data, followed by a space, followed by a checksum. </p> <a name="wp1091581"></a><p class="pB1_Body1"> Upon bootup, when the calculated checksum equals the stored checksum, the switch reads entries from the file and adds the bindings to the DHCP snooping database. If the calculated checksum does not equal the stored checksum, the entry read from the file is ignored and so are all the entries following the failed entry. The switch also ignores all those entries from the file whose lease time has expired. (This is possible because the lease time might indicate an expired time.) An entry from the file is also ignored if the interface referred to in the entry no longer exists on the system, or if it is a router port or a DHCP snooping-trusted interface. </p> <a name="wp1090400"></a><p class="pB1_Body1"> When the switch learns of new bindings or when it loses some bindings, the switch writes the modified set of entries from the snooping database to the file. The writes are performed with a configurable delay to batch as many changes as possible before the actual write happens. Associated with each transfer is a timeout after which a transfer is aborted if it is not completed. These timers are referred to as the write delay and abort timeout. </p> <a name="Default_Configuration_for_DHCP_Snooping"> </a> <a name="wp1097570"></a><a name="wpmkr1097567"></a><a name="wpxref83760"></a><a name="wpmkr1097569"></a><h2 class="p_H_Head1"> Default Configuration for DHCP Snooping </h2> <a name="wp1097574"></a><p class="pB1_Body1"> <a href="#wp1097578">Table 46-1</a> shows all the default configuration values for each DHCP snooping option. </p> <a name="wp1097605"></a><p class="pAnchor"> </p> <div align="left"> <table border="1" cellpadding="3" cellspacing="0" width="80%" bordercolor="#808080" id="wp1097578table1097575"> <caption><a name="wp1097578"></a><a name="wpxref42458"></a><p class="pTC_TableCap"> Table 46-1 Default Configuration Values for DHCP Snooping </p> </caption> <tr align="left" valign="bottom"> <th scope="col"><a name="wp1097582"></a><div class="pCH1_CellHead1"> Option </div> </th> <th scope="col"><a name="wp1097584"></a><div class="pCH1_CellHead1"> Default Value/State </div> </th> </tr> <tr align="left" valign="top"><td><a name="wp1097586"></a><p class="pB1_Body1"> DHCP snooping </p> </td> <td><a name="wp1097588"></a><p class="pB1_Body1"> Disabled </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1097590"></a><p class="pB1_Body1"> DHCP snooping information option </p> </td> <td><a name="wp1097592"></a><p class="pB1_Body1"> Enabled </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1109392"></a><p class="pB1_Body1"> DHCP option-82 on untrusted port feature </p> </td> <td><a name="wp1109397"></a><p class="pB1_Body1"> Disabled </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1097594"></a><p class="pB1_Body1"> DHCP snooping limit rate </p> </td> <td><a name="wp1097596"></a><p class="pB1_Body1"> None </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1097598"></a><p class="pB1_Body1"> DHCP snooping trust </p> </td> <td><a name="wp1097600"></a><p class="pB1_Body1"> Untrusted </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1097602"></a><p class="pB1_Body1"> DHCP snooping vlan </p> </td> <td><a name="wp1097604"></a><p class="pB1_Body1"> Disabled </p> </td> </tr> </table> </div><br /> <p class="pAnchor"> </p> <a name="DHCP_Snooping_Configuration_Restrictions_and_Guidelines"> </a> <a name="wp1102622"></a><a name="wpxref35119"></a><h2 class="p_H_Head1"> DHCP Snooping Configuration Restrictions and Guidelines </h2> <a name="wp1114932"></a><p class="pB1_Body1"> These sections provide DHCP snooping configuration restrictions and guidelines: </p> <a name="wp1102623"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1114949">DHCP Snooping Configuration Restrictions</a> </p> <a name="wp1115391"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1114907">DHCP Snooping Configuration Guidelines</a> </p> <a name="wp1115412"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1115085">Minimum DHCP Snooping Configuration</a> </p> <a name="DHCP_Snooping_Configuration_Restrictions_"> </a> <a name="wp1114949"></a><a name="wpxref21929"></a><h3 class="p_H_Head2"> DHCP Snooping Configuration Restrictions </h3> <a name="wp1114930"></a><p class="pB1_Body1"> When configuring DHCP snooping, note these restrictions: </p> <a name="wp1122078"></a><a name="wpmkr1122077"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />The DHCP snooping database stores at least 8,000 bindings. </p> <a name="wp1114838"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />When DHCP snooping is enabled, these Cisco IOS DHCP commands are not available on the switch: </p> <a name="wp1114842"></a><p class="pBu2_Bullet2"> –<img src="../../../../../i/templates/blank.gif" alt="" width="17" height="2" border="0" /><b class="cBold">ip dhcp relay information check</b> global configuration command </p> <a name="wp1114843"></a><p class="pBu2_Bullet2"> –<img src="../../../../../i/templates/blank.gif" alt="" width="17" height="2" border="0" /><b class="cBold">ip dhcp relay information policy</b> global configuration command </p> <a name="wp1114844"></a><p class="pBu2_Bullet2"> –<img src="../../../../../i/templates/blank.gif" alt="" width="17" height="2" border="0" /><b class="cBold">ip dhcp relay information trust-all</b> global configuration command </p> <a name="wp1114845"></a><p class="pBu2_Bullet2"> –<img src="../../../../../i/templates/blank.gif" alt="" width="17" height="2" border="0" /><b class="cBold">ip dhcp relay information option</b> global configuration command </p> <a name="wp1114846"></a><p class="pBu2_Bullet2"> –<img src="../../../../../i/templates/blank.gif" alt="" width="17" height="2" border="0" /><b class="cBold">ip dhcp relay information trusted</b> interface configuration command </p> <a name="wp1114810"></a><p class="pB2_Body2"> If you enter these commands, the switch returns an error message, and the configuration is not applied. </p> <a name="DHCP_Snooping_Configuration_Guidelines"> </a> <a name="wp1114907"></a><a name="wpxref54943"></a><h3 class="p_H_Head2"> DHCP Snooping Configuration Guidelines </h3> <a name="wp1115048"></a><p class="pB1_Body1"> When configuring DHCP snooping, follow these guidelines: </p> <a name="wp1114905"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />DHCP snooping is not active until you enable the feature on at least one VLAN, and enable DHCP globally on the switch. </p> <a name="wp1118455"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />Before globally enabling DHCP snooping on the switch, make sure that the devices acting as the DHCP server and the DHCP relay agent are configured and enabled. </p> <a name="wp1104607"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />For DHCP server configuration information, see "Configuring DHCP" in the <em class="cEmphasis">Cisco IOS IP and IP Routing Configuration Guide</em> at: </p> <a name="wp1104609"></a><p class="pB2_Body2"> <a href="/en/US/docs/ios/12_2/ip/configuration/guide/1cfdhcp.html">http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt1/1cfdhcp.htm</a> </p> <a name="wp1102879"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />If a Layer 2 LAN port is connected to a DHCP server, configure the port as trusted by entering the <b class="cBold">ip dhcp snooping trust </b>interface configuration command. </p> <a name="wp1118632"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />If a Layer 2 LAN port is connected to a DHCP client, configure the port as untrusted by entering the <b class="cBold">no ip dhcp snooping trust </b>interface configuration command. </p> <a name="wp1106891"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />You can enable DHCP snooping on private VLANs: </p> <a name="wp1106892"></a><p class="pBu2_Bullet2"> –<img src="../../../../../i/templates/blank.gif" alt="" width="17" height="2" border="0" />If DHCP snooping is enabled, any primary VLAN configuration is propagated to its associated secondary VLANs. </p> <a name="wp1106893"></a><p class="pBu2_Bullet2"> –<img src="../../../../../i/templates/blank.gif" alt="" width="17" height="2" border="0" />If DHCP snooping is configured on the primary VLAN and you configure DHCP snooping with different settings on an associated secondary VLAN, the configuration on the secondary VLAN does not take effect. </p> <a name="wp1106894"></a><p class="pBu2_Bullet2"> –<img src="../../../../../i/templates/blank.gif" alt="" width="17" height="2" border="0" />If DHCP snooping is not configured on the primary VLAN and you configure DHCP snooping on a secondary VLAN, the configuration takes affect only on the secondary VLAN. </p> <a name="wp1106895"></a><p class="pBu2_Bullet2"> –<img src="../../../../../i/templates/blank.gif" alt="" width="17" height="2" border="0" />When you manually configure DHCP snooping on a secondary VLAN, this message appears: </p> <a name="wp1106896"></a><div class="pEx3_Example3"> <pre>DHCP Snooping configuration may not take effect on secondary vlan XXX<span style="color: Black; font-style: normal; font-weight: normal"> </span></pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1110425"></a><br /></pre></div> <a name="wp1106898"></a><p class="pBu2_Bullet2"> –<img src="../../../../../i/templates/blank.gif" alt="" width="17" height="2" border="0" />The <b class="cBold">show ip dhcp snooping</b> command displays all VLANs (both primary and secondary) that have DHCP snooping<span style="color: Black; font-style: normal; font-weight: normal"> </span>enabled. </p> <a name="Minimum_DHCP_Snooping_Configuration"> </a> <a name="wp1115085"></a><a name="wpxref74290"></a><h3 class="p_H_Head2"> Minimum DHCP Snooping Configuration </h3> <a name="wp1115101"></a><p class="pB1_Body1"> The minimum configuration steps for the DHCP snooping feature are as follows: </p> <a name="wp1115110"></a><p class="pNF_NumFirst"> <b> 1. </b><img src="../../../../../i/templates/blank.gif" alt="" width="10" height="2" border="0" />Define and configure the DHCP server. </p> <a name="wp1115958"></a><p class="pB2_Body2"> For DHCP server configuration information, see "Configuring DHCP" in the <em class="cEmphasis">Cisco IOS IP and IP Routing Configuration Guide</em> at: </p> <a name="wp1115960"></a><p class="pB2_Body2"> <a href="/en/US/docs/ios/12_2/ip/configuration/guide/1cfdhcp.html">http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt1/1cfdhcp.htm</a> </p> <a name="wp1115208"></a><p class="pNN_NumNext"> <b> 2. </b><img src="../../../../../i/templates/blank.gif" alt="" width="10" height="2" border="0" />Enable DHCP snooping on at least one VLAN. </p> <a name="wp1116925"></a><p class="pB2_Body2"> By default, DHCP snooping is inactive on all VLANs. See the <a href="#wp1097781">"Enabling DHCP Snooping on VLANs" section</a> </p> <a name="wp1117067"></a><p class="pNN_NumNext"> <b> 3. </b><img src="../../../../../i/templates/blank.gif" alt="" width="10" height="2" border="0" />Ensure that DHCP server is connected through a trusted interface. </p> <a name="wp1116926"></a><p class="pB2_Body2"> By default, the trust state of all interfaces is untrusted. See the <a href="#wp1098976">"Configuring the DHCP Trust State on Layer 2 LAN Interfaces" section</a> </p> <a name="wp1116927"></a><p class="pNN_NumNext"> <b> 4. </b><img src="../../../../../i/templates/blank.gif" alt="" width="10" height="2" border="0" />Configure the DHCP snooping database agent. </p> <a name="wp1116066"></a><p class="pB2_Body2"> This step ensures that database entries are restored after a restart or switchover. See the <a href="#wp1090479">"Configuring the DHCP Snooping Database Agent" section</a> </p> <a name="wp1118071"></a><p class="pNN_NumNext"> <b> 5. </b><img src="../../../../../i/templates/blank.gif" alt="" width="10" height="2" border="0" />Enable DHCP snooping globally. </p> <a name="wp1117983"></a><p class="pB2_Body2"> The feature is not active until you complete this step. See the <a href="#wp1073418">"Enabling DHCP Snooping Globally" section</a> </p> <a name="wp1116097"></a><p class="pB1_Body1"> If you are configuring the switch for DHCP relay, the following additional steps are required: </p> <a name="wp1115286"></a><p class="pNF_NumFirst"> <b> 1. </b><img src="../../../../../i/templates/blank.gif" alt="" width="10" height="2" border="0" />Define and configure the DHCP relay agent IP address. </p> <a name="wp1117499"></a><p class="pB2_Body2"> If the DHCP server is in a different subnet from the DHCP clients, configure the server IP address in the helper address field of the client side VLAN. </p> <a name="wp1115273"></a><p class="pNN_NumNext"> <b> 2. </b><img src="../../../../../i/templates/blank.gif" alt="" width="10" height="2" border="0" />Configure DHCP option-82 on untrusted port. </p> <a name="wp1116824"></a><p class="pB2_Body2"> See the <a href="#wp1109594">"Enabling the DHCP Option-82 on Untrusted Port Feature" section</a> </p> <a name="Configuring_DHCP_Snooping_"> </a> <a name="wp1073367"></a><a name="wpmkr1074162"></a><a name="wpxref30724"></a><h2 class="p_H_Head1"> Configuring DHCP Snooping </h2> <a name="wp1074972"></a><p class="pB1_Body1"> These sections describe how to configure DHCP snooping: </p> <a name="wp1100095"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1073418">Enabling DHCP Snooping Globally</a> </p> <a name="wp1109290"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1099127">Enabling DHCP Option-82 Data Insertion</a> </p> <a name="wp1100103"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1109594">Enabling the DHCP Option-82 on Untrusted Port Feature</a> </p> <a name="wp1098352"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1099635">Enabling DHCP Snooping MAC Address Verification</a> </p> <a name="wp1102221"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1097781">Enabling DHCP Snooping on VLANs</a> </p> <a name="wp1098649"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1098976">Configuring the DHCP Trust State on Layer 2 LAN Interfaces</a> </p> <a name="wp1073377"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1097369">Configuring DHCP Snooping Rate Limiting on Layer 2 LAN Interfaces</a> </p> <a name="wp1090723"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1090479">Configuring the DHCP Snooping Database Agent</a> </p> <a name="wp1105197"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1092681">Configuration Examples for the Database Agent</a> </p> <a name="wp1091804"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1084420">Displaying a Binding Table</a> </p> <a name="Enabling_DHCP_Snooping_Globally"> </a> <a name="wp1073418"></a><a name="wpmkr1073417"></a><a name="wpxref47158"></a><h3 class="p_H_Head2"> Enabling DHCP Snooping Globally </h3> <div class="Note1B"><img src="../../../../../i/templates/note.gif" alt="" /></div><hr class="Cautn1table" /> <a name="wp1089811"></a><p class="pN1_Note1"> <b>Note </b><img src="../../../../../i/templates/blank.gif" alt="" width="1" height="2" border="0" />Configure this command as the last configuration step (or enable the DHCP feature during a scheduled maintenance period) because after you enable DHCP snooping globally, the switch drops DHCP requests until you configure the ports. </p> <hr class="Cautn1table" /><a name="wp1089853"></a><p class="pB1_Body1"> To enable DHCP snooping globally, perform this task: </p> <a name="wp1079612"></a><p class="pAnchor"> </p> <div align="left"> <table class="steptable" border="1" cellpadding="3" cellspacing="0" width="80%" bordercolor="#808080" id="wp1079670table1079560"> <caption></caption> <tr align="left" valign="bottom"> <th scope="col"> <a name="wp1079562"></a></th> <th scope="col"><a name="wp1079670"></a><div class="pCH1_CellHead1"> Command </div> </th> <th scope="col"><a name="wp1079694"></a><div class="pCH1_CellHead1"> Purpose </div> </th> </tr> <tr align="left" valign="top"> <td colspan="1" rowspan="2"><a name="wp1079568"></a><p class="pCSF_CellStepFirst"> Step 1  </p> </td> <td><a name="wp1079672"></a><p class="pExT_ExampleTable">Router(config)# <b class="cBold">ip dhcp snooping</b> </p></td> <td><a name="wp1079696"></a><p class="pB1_Body1"> Enables DHCP snooping globally. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1097759"></a><p class="pExT_ExampleTable">Router(config)# <b class="cBold">no ip dhcp snooping</b> </p></td> <td><a name="wp1097761"></a><p class="pB1_Body1"> Disables DHCP snooping. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1079607"></a><p class="pCSN_CellStepnext"> Step 2  </p> </td> <td><a name="wp1079684"></a><p class="pExT_ExampleTable">Router(config)# <b class="cBold">do show ip dhcp snooping | include Switch</b> </p></td> <td><a name="wp1079711"></a><p class="pB1_Body1"> Verifies the configuration. </p> </td> </tr> </table> </div> <p class="pAnchor"> </p> <a name="wp1076743"></a><p class="pB1_Body1"> This example shows how to enable DHCP snooping globally: </p> <a name="wp1073473"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">configure terminal</b> </pre> </div><a name="wp1073474"></a><div class="pEx1_Example1"> <pre>Enter configuration commands, one per line. End with CNTL/Z. </pre> </div><a name="wp1073475"></a><div class="pEx1_Example1"> <pre>Router(config)# <b class="cBold">ip dhcp snooping</b> </pre> </div><a name="wp1073480"></a><div class="pEx1_Example1"> <pre>Router(config)# <b class="cBold">do how ip dhcp snooping | include Switch</b> </pre> </div><a name="wp1098318"></a><div class="pEx1_Example1"> <pre>Switch DHCP snooping is enabled </pre> </div><a name="wp1099468"></a><div class="pEx1_Example1"> <pre>Router(config)# </pre> </div> <a name="Enabling_DHCP_Option-82_Data_Insertion_"> </a> <a name="wp1099127"></a><a name="wpmkr1099125"></a><a name="wpxref65537"></a><h3 class="p_H_Head2"> Enabling DHCP Option-82 Data Insertion </h3> <a name="wp1099128"></a><p class="pB1_Body1"> To enable DHCP option-82 data insertion, perform this task: </p> <a name="wp1099154"></a><p class="pAnchor"> </p> <div align="left"> <table class="steptable" border="1" cellpadding="3" cellspacing="0" width="80%" bordercolor="#808080" id="wp1099133table1099129"> <caption></caption> <tr align="left" valign="bottom"> <th scope="col"> <a name="wp1099131"></a></th> <th scope="col"><a name="wp1099133"></a><div class="pCH1_CellHead1"> Command </div> </th> <th scope="col"><a name="wp1099135"></a><div class="pCH1_CellHead1"> Purpose </div> </th> </tr> <tr align="left" valign="top"> <td colspan="1" rowspan="2"><a name="wp1099137"></a><p class="pCSF_CellStepFirst"> Step 1  </p> </td> <td><a name="wp1099139"></a><p class="pExT_ExampleTable">Router(config)# <b class="cBold">ip dhcp snooping information option</b> </p></td> <td><a name="wp1099141"></a><p class="pB1_Body1"> Enables DHCP option-82 data insertion. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1099145"></a><p class="pExT_ExampleTable">Router(config)# <b class="cBold">no ip dhcp snooping information option</b> </p></td> <td><a name="wp1099147"></a><p class="pB1_Body1"> Disables DHCP option-82 data insertion. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1099149"></a><p class="pCSN_CellStepnext"> Step 2  </p> </td> <td><a name="wp1099151"></a><p class="pExT_ExampleTable">Router(config)# <b class="cBold">do show ip dhcp snooping | include 82</b> </p></td> <td><a name="wp1099153"></a><p class="pB1_Body1"> Verifies the configuration. </p> </td> </tr> </table> </div> <p class="pAnchor"> </p> <a name="wp1099571"></a><p class="pB1_Body1"> This example shows how to disable DHCP option-82 data insertion: </p> <a name="wp1099572"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">configure terminal</b> </pre> </div><a name="wp1099573"></a><div class="pEx1_Example1"> <pre>Enter configuration commands, one per line. End with CNTL/Z. </pre> </div><a name="wp1099574"></a><div class="pEx1_Example1"> <pre>Router(config)# <b class="cBold">no ip dhcp snooping information option</b> </pre> </div><a name="wp1099575"></a><div class="pEx1_Example1"> <pre>Router(config)# <b class="cBold">do show ip dhcp snooping | include 82</b> </pre> </div><a name="wp1099605"></a><div class="pEx1_Example1"> <pre>Insertion of option 82 is disabled </pre> </div><a name="wp1099609"></a><div class="pEx1_Example1"> <pre>Router(config)# </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1099628"></a><br /></pre></div> <a name="wp1099530"></a><p class="pB1_Body1"> This example shows how to enable DHCP option-82 data insertion: </p> <a name="wp1099531"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">configure terminal</b> </pre> </div><a name="wp1099532"></a><div class="pEx1_Example1"> <pre>Enter configuration commands, one per line. End with CNTL/Z. </pre> </div><a name="wp1099533"></a><div class="pEx1_Example1"> <pre>Router(config)# <b class="cBold">ip dhcp snooping information option</b> </pre> </div><a name="wp1099534"></a><div class="pEx1_Example1"> <pre>Router(config)# <b class="cBold">do show ip dhcp snooping | include 82</b> </pre> </div><a name="wp1099543"></a><div class="pEx1_Example1"> <pre>Insertion of option 82 is enabled </pre> </div><a name="wp1109591"></a><div class="pEx1_Example1"> <pre>Router(config)# </pre> </div> <a name="Enabling_the_DHCP_Option-82_on_Untrusted_Port_Feature"> </a> <a name="wp1109594"></a><a name="wpmkr1109592"></a><a name="wpxref84321"></a><a name="wpmkr1109702"></a><a name="wpmkr1109616"></a><h3 class="p_H_Head2"> Enabling the DHCP Option-82 on Untrusted Port Feature </h3> <div class="Note1B"><img src="../../../../../i/templates/note.gif" alt="" /></div><hr class="Cautn1table" /> <a name="wp1109598"></a><p class="pN1_Note1"> <b>Note </b><img src="../../../../../i/templates/blank.gif" alt="" width="1" height="2" border="0" />With the DHCP option-82 on untrusted port feature enabled, the switch does not drop DHCP packets that include option-82 information that are received on untrusted ports. Do not enter the <b class="cBold">ip dhcp snooping information option allowed-untrusted</b> command on an aggregation switch to which any untrusted devices are connected. </p> <hr class="Cautn1table" /><a name="wp1109175"></a><p class="pB1_Body1"> To enable untrusted ports to accept DHCP packets that include option-82 information, perform this task: </p> <a name="wp1108266"></a><p class="pAnchor"> </p> <div align="left"> <table class="steptable" border="1" cellpadding="3" cellspacing="0" width="80%" bordercolor="#808080" id="wp1108245table1108241"> <caption></caption> <tr align="left" valign="bottom"> <th scope="col"> <a name="wp1108243"></a></th> <th scope="col"><a name="wp1108245"></a><div class="pCH1_CellHead1"> Command </div> </th> <th scope="col"><a name="wp1108247"></a><div class="pCH1_CellHead1"> Purpose </div> </th> </tr> <tr align="left" valign="top"> <td colspan="1" rowspan="2"><a name="wp1108249"></a><p class="pCSF_CellStepFirst"> Step 1  </p> </td> <td><a name="wp1108251"></a><p class="pExT_ExampleTable">Router(config)# <b class="cBold">ip dhcp snooping information option allow-untrusted</b> </p></td> <td><a name="wp1108328"></a><p class="pB1_Body1"> (Optional) Enables untrusted ports to accept incoming DHCP packets with option-82 information. </p> <a name="wp1108330"></a><p class="pB1_Body1"> The default setting is disabled. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1108257"></a><p class="pExT_ExampleTable">Router(config)# <b class="cBold">no ip dhcp snooping information option allow-untrusted</b> </p></td> <td><a name="wp1108259"></a><p class="pB1_Body1"> Disables the DHCP option-82 on untrusted port feature. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1108261"></a><p class="pCSN_CellStepnext"> Step 2  </p> </td> <td><a name="wp1108263"></a><p class="pExT_ExampleTable">Router(config)# <b class="cBold">do show ip dhcp snooping</b> </p></td> <td><a name="wp1108265"></a><p class="pB1_Body1"> Verifies the configuration. </p> </td> </tr> </table> </div> <p class="pAnchor"> </p> <a name="wp1108275"></a><p class="pB1_Body1"> This example shows how to enable the DHCP option-82 on untrusted port feature: </p> <a name="wp1108276"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">configure terminal</b> </pre> </div><a name="wp1108277"></a><div class="pEx1_Example1"> <pre>Enter configuration commands, one per line. End with CNTL/Z. </pre> </div><a name="wp1108943"></a><div class="pEx1_Example1"> <pre>Router(config)# <b class="cBold">ip dhcp snooping information option allow-untrusted</b> </pre> </div><a name="wp1108946"></a><div class="pEx1_Example1"> <pre>Router(config)# </pre> </div> <a name="Enabling_DHCP_Snooping_MAC_Address_Verification"> </a> <a name="wp1099635"></a><a name="wpmkr1099634"></a><a name="wpxref80699"></a><h3 class="p_H_Head2"> Enabling DHCP Snooping MAC Address Verification </h3> <a name="wp1099636"></a><p class="pB1_Body1"> With DHCP snooping MAC address verification enabled, DHCP snooping verifies that the source MAC address and the client hardware address match in DHCP packets that are received on untrusted ports. The source MAC address is a Layer 2 field associated with the packet, and the client hardware address is a Layer 3 field in the DHCP packet. </p> <a name="wp1099875"></a><p class="pB1_Body1"> To enable DHCP snooping MAC address verification, perform this task: </p> <a name="wp1099662"></a><p class="pAnchor"> </p> <div align="left"> <table class="steptable" border="1" cellpadding="3" cellspacing="0" width="80%" bordercolor="#808080" id="wp1099641table1099637"> <caption></caption> <tr align="left" valign="bottom"> <th scope="col"> <a name="wp1099639"></a></th> <th scope="col"><a name="wp1099641"></a><div class="pCH1_CellHead1"> Command </div> </th> <th scope="col"><a name="wp1099643"></a><div class="pCH1_CellHead1"> Purpose </div> </th> </tr> <tr align="left" valign="top"> <td colspan="1" rowspan="2"><a name="wp1099645"></a><p class="pCSF_CellStepFirst"> Step 1  </p> </td> <td><a name="wp1099647"></a><p class="pExT_ExampleTable">Router(config)# <b class="cBold">ip dhcp snooping verify mac-address</b> </p></td> <td><a name="wp1099649"></a><p class="pB1_Body1"> Enables DHCP snooping MAC address verification. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1099653"></a><p class="pExT_ExampleTable">Router(config)# <b class="cBold">no ip dhcp snooping verify mac-address</b> </p></td> <td><a name="wp1099655"></a><p class="pB1_Body1"> Disables DHCP snooping MAC address verification. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1099657"></a><p class="pCSN_CellStepnext"> Step 2  </p> </td> <td><a name="wp1099659"></a><p class="pExT_ExampleTable">Router(config)# <b class="cBold">do show ip dhcp snooping | include hwaddr</b> </p></td> <td><a name="wp1099661"></a><p class="pB1_Body1"> Verifies the configuration. </p> </td> </tr> </table> </div> <p class="pAnchor"> </p> <a name="wp1099663"></a><p class="pB1_Body1"> This example shows how to disable DHCP snooping MAC address verification: </p> <a name="wp1100306"></a><div class="pEx1_Example1"> <pre>Router(config)# <b class="cBold">no ip dhcp snooping verify mac-address</b> </pre> </div><a name="wp1100377"></a><div class="pEx1_Example1"> <pre>Router(config)# <b class="cBold">do show ip dhcp snooping | include hwaddr</b> </pre> </div><a name="wp1100304"></a><div class="pEx1_Example1"> <pre>Verification of hwaddr field is disabled </pre> </div><a name="wp1100385"></a><div class="pEx1_Example1"> <pre>Router(config)# </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1100455"></a><br /></pre></div> <a name="wp1100438"></a><p class="pB1_Body1"> This example shows how to enable DHCP snooping MAC address verification: </p> <a name="wp1100439"></a><div class="pEx1_Example1"> <pre>Router(config)# <b class="cBold">ip dhcp snooping verify mac-address</b> </pre> </div><a name="wp1100440"></a><div class="pEx1_Example1"> <pre>Router(config)# <b class="cBold">do show ip dhcp snooping | include hwaddr</b> </pre> </div><a name="wp1100441"></a><div class="pEx1_Example1"> <pre>Verification of hwaddr field is enabled </pre> </div><a name="wp1100442"></a><div class="pEx1_Example1"> <pre>Router(config)# </pre> </div> <a name="Enabling_DHCP_Snooping_on_VLANs"> </a> <a name="wp1097781"></a><a name="wpmkr1097779"></a><a name="wpxref12547"></a><h3 class="p_H_Head2"> Enabling DHCP Snooping on VLANs </h3> <a name="wp1112569"></a><p class="pB1_Body1"> By default, the DHCP snooping feature is inactive on all VLANs. You may enable the feature on a single VLAN or a range of VLANs. </p> <a name="wp1097786"></a><p class="pB1_Body1"> When enabled on a VLAN, the DHCP snooping feature creates four entries in the VACL table in the MFC3. These entries cause the PFC3 to intercept all DHCP messages on this VLAN and send them to the RP. The DHCP snooping feature is implemented in software on the RP. </p> <a name="wp1112567"></a><p class="pB1_Body1"> To enable DHCP snooping on VLANs, perform this task: </p> <a name="wp1097824"></a><p class="pAnchor"> </p> <div align="left"> <table class="steptable" border="1" cellpadding="3" cellspacing="0" width="80%" bordercolor="#808080" id="wp1097791table1097787"> <caption></caption> <tr align="left" valign="bottom"> <th scope="col"> <a name="wp1097789"></a></th> <th scope="col"><a name="wp1097791"></a><div class="pCH1_CellHead1"> Command </div> </th> <th scope="col"><a name="wp1097793"></a><div class="pCH1_CellHead1"> Purpose </div> </th> </tr> <tr align="left" valign="top"> <td colspan="1" rowspan="2"><a name="wp1097795"></a><p class="pCSF_CellStepFirst"> Step 1  </p> </td> <td><a name="wp1097797"></a><p class="pExT_ExampleTable">Router(config)# <b class="cBold">ip dhcp snooping</b> <b class="cBold">vlan</b> {{<em class="cEmphasis">vlan_ID</em> [<em class="cEmphasis">vlan_ID</em>]} | {<em class="cEmphasis">vlan_range</em>} </p></td> <td><a name="wp1097885"></a><p class="pB1_Body1"> Enables DHCP snooping on a VLAN or VLAN range. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1097803"></a><p class="pExT_ExampleTable">Router(config)# <b class="cBold">no ip dhcp snooping</b> </p></td> <td><a name="wp1097805"></a><p class="pB1_Body1"> Disables DHCP snooping. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1097819"></a><p class="pCSN_CellStepnext"> Step 2  </p> </td> <td><a name="wp1097821"></a><p class="pExT_ExampleTable">Router(config)# <b class="cBold">do show ip dhcp snooping</b> </p></td> <td><a name="wp1097823"></a><p class="pB1_Body1"> Verifies the configuration. </p> </td> </tr> </table> </div> <p class="pAnchor"> </p> <a name="wp1097934"></a><p class="pB1_Body1"> You can configure DHCP snooping for a single VLAN or a range of VLANs: </p> <a name="wp1098384"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />To configure a single VLAN, enter a single VLAN number. </p> <a name="wp1098398"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />To configure a range of VLANs, enter a beginning and an ending VLAN number or a dash-separated pair of VLAN numbers. </p> <a name="wp1098399"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />You can enter a comma-separated list of VLAN numbers and dash-separated pairs of VLAN numbers. </p> <a name="wp1097935"></a><p class="pB1_Body1"> This example shows how to enable DHCP snooping on VLANs 10 through 12: </p> <a name="wp1097936"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">configure terminal</b> </pre> </div><a name="wp1097939"></a><div class="pEx1_Example1"> <pre>Router(config)# <b class="cBold">ip dhcp snooping vlan 10 12</b> </pre> </div><a name="wp1097944"></a><div class="pEx1_Example1"> <pre>Router(config)# </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1098445"></a><br /></pre></div> <a name="wp1098429"></a><p class="pB1_Body1"> This example shows another way to enable DHCP snooping on VLANs 10 through 12: </p> <a name="wp1098430"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">configure terminal</b> </pre> </div><a name="wp1098431"></a><div class="pEx1_Example1"> <pre>Router(config)# <b class="cBold">ip dhcp snooping vlan 10-12</b> </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1098460"></a><br /></pre></div> <a name="wp1098542"></a><p class="pB1_Body1"> This example shows another way to enable DHCP snooping on VLANs 10 through 12: </p> <a name="wp1098454"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">configure terminal</b> </pre> </div><a name="wp1098455"></a><div class="pEx1_Example1"> <pre>Router(config)# <b class="cBold">ip dhcp snooping vlan 10,11,12</b> </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1098550"></a><br /></pre></div> <a name="wp1098551"></a><p class="pB1_Body1"> This example shows how to enable DHCP snooping on VLANs 10 through 12 and VLAN 15: </p> <a name="wp1098552"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">configure terminal</b> </pre> </div><a name="wp1098553"></a><div class="pEx1_Example1"> <pre>Router(config)# <b class="cBold">ip dhcp snooping vlan 10-12,15</b> </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1101011"></a><br /></pre></div> <a name="wp1098449"></a><p class="pB1_Body1"> This example shows how to verify the configuration: </p> <a name="wp1097945"></a><div class="pEx1_Example1"> <pre>Router(config)# <b class="cBold">do show ip dhcp snooping</b> </pre> </div><a name="wp1098581"></a><div class="pEx1_Example1"> <pre>Switch DHCP snooping is enabled </pre> </div><a name="wp1098582"></a><div class="pEx1_Example1"> <pre>DHCP snooping is configured on following VLANs: </pre> </div><a name="wp1098583"></a><div class="pEx1_Example1"> <pre>10-12,15 </pre> </div><a name="wp1098584"></a><div class="pEx1_Example1"> <pre>DHCP snooping is operational on following VLANs: </pre> </div><a name="wp1098597"></a><div class="pEx1_Example1"> <pre>none </pre> </div><a name="wp1098586"></a><div class="pEx1_Example1"> <pre>DHCP snooping is configured on the following Interfaces: </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1098587"></a><br /></pre></div> <a name="wp1098588"></a><div class="pEx1_Example1"> <pre>Insertion of option 82 is enabled </pre> </div><a name="wp1098589"></a><div class="pEx1_Example1"> <pre>Verification of hwaddr field is enabled </pre> </div><a name="wp1098590"></a><div class="pEx1_Example1"> <pre>Interface Trusted Rate limit (pps) </pre> </div><a name="wp1097957"></a><div class="pEx1_Example1"> <pre>------------------------ ------- ---------------- </pre> </div><a name="wp1098729"></a><div class="pEx1_Example1"> <pre>Router# </pre> </div> <a name="Configuring_the_DHCP_Trust_State_on_Layer_2_LAN_Interfaces"> </a> <a name="wp1098976"></a><a name="wpmkr1098974"></a><a name="wpxref43874"></a><h3 class="p_H_Head2"> Configuring the DHCP Trust State on Layer 2 LAN Interfaces </h3> <a name="wp1098977"></a><p class="pB1_Body1"> To configure DHCP trust state on a Layer 2 LAN interface, perform this task: </p> <a name="wp1106427"></a><p class="pAnchor"> </p> <div align="left"> <table class="steptable" border="1" cellpadding="3" cellspacing="0" width="80%" bordercolor="#808080" id="wp1106477table1106473"> <caption></caption> <tr align="left" valign="bottom"> <th scope="col"> <a name="wp1106475"></a></th> <th scope="col"><a name="wp1106477"></a><div class="pCH1_CellHead1"> Command </div> </th> <th scope="col"><a name="wp1106479"></a><div class="pCH1_CellHead1"> Purpose </div> </th> </tr> <tr align="left" valign="top"><td><a name="wp1106481"></a><p class="pCSF_CellStepFirst"> Step 1  </p> </td> <td><a name="wp1106486"></a><p class="pExT_ExampleTable">Router(config)# <b class="cBold">interface</b> {<em class="cEmphasis">type</em><sup><a href="#wpxref1106485">1</a> </sup><em class="cEmphasis"> slot/port</em> | <b class="cBold">port-channel</b> <em class="cEmphasis">number</em>} </p></td> <td><a name="wp1106488"></a><p class="pB1_Body1"> Selects the interface to configure. </p> <a name="wp1106489"></a><p class="pNT_NoteTable"> <b>Note </b><img src="../../../../../i/templates/blank.gif" alt="" width="1" height="2" border="0" />Select only LAN ports configured with the <b class="cBold">switchport</b> command or Layer 2 port-channel interfaces. </p> </td> </tr> <tr align="left" valign="top"> <td colspan="1" rowspan="2"><a name="wp1106491"></a><p class="pCSN_CellStepnext"> Step 2  </p> </td> <td><a name="wp1106493"></a><p class="pExT_ExampleTable">Router(config-if)# <b class="cBold">ip dhcp snooping trust</b> </p></td> <td><a name="wp1106495"></a><p class="pB1_Body1"> Configures the interface as trusted. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1106499"></a><p class="pExT_ExampleTable">Router(config-if)# <b class="cBold">no ip dhcp snooping trust</b> </p></td> <td><a name="wp1106501"></a><p class="pB1_Body1"> Reverts to the default (untrusted) state. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1106503"></a><p class="pCSN_CellStepnext"> Step 3  </p> </td> <td><a name="wp1106505"></a><p class="pExT_ExampleTable">Router(config-if)# <b class="cBold">do show ip dhcp snooping | begin pps</b> </p></td> <td><a name="wp1106507"></a><p class="pB1_Body1"> Verifies the configuration. </p> </td> </tr> </table> <table> <tr> <td><a name="wp1106485"></a><p class="pTFi_TableFootnoteIndent"> <sup><a href="#wpxref1106486">1</a> </sup><em class="cEmphasis">type</em> = <b class="cBold">fastethernet</b>, <b class="cBold">gigabitethernet</b>, or <b class="cBold">tengigabitethernet</b> </p> </td> </tr> </table> </div> <p class="pAnchor"> </p> <a name="wp1105114"></a><p class="pB1_Body1"> This example shows how to configure Fast Ethernet port 5/12 as trusted: </p> <a name="wp1105115"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">configure terminal</b> </pre> </div><a name="wp1105116"></a><div class="pEx1_Example1"> <pre>Router(config)# <b class="cBold">interface FastEthernet 5/12</b> </pre> </div><a name="wp1105117"></a><div class="pEx1_Example1"> <pre>Router(config-if)# <b class="cBold">ip dhcp snooping trust</b> </pre> </div><a name="wp1105118"></a><div class="pEx1_Example1"> <pre>Router(config-if)# <b class="cBold">do show ip dhcp snooping | begin pps</b> </pre> </div><a name="wp1105119"></a><div class="pEx1_Example1"> <pre>Interface Trusted Rate limit (pps) </pre> </div><a name="wp1105120"></a><div class="pEx1_Example1"> <pre>------------------------ ------- ---------------- </pre> </div><a name="wp1105121"></a><div class="pEx1_Example1"> <pre>FastEthernet5/12 yes unlimited </pre> </div><a name="wp1105122"></a><div class="pEx1_Example1"> <pre>Router# </pre> </div><a name="wp1099026"></a><p class="pAnchor"> </p> <a name="wp1099028"></a><p class="pB1_Body1"> This example shows how to configure Fast Ethernet port 5/12 as untrusted: </p> <a name="wp1099029"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">configure terminal</b> </pre> </div><a name="wp1099030"></a><div class="pEx1_Example1"> <pre>Router(config)# <b class="cBold">interface FastEthernet 5/12</b> </pre> </div><a name="wp1099031"></a><div class="pEx1_Example1"> <pre>Router(config-if)# <b class="cBold">no ip dhcp snooping trust</b> </pre> </div><a name="wp1099032"></a><div class="pEx1_Example1"> <pre>Router(config-if)# <b class="cBold">do show ip dhcp snooping | begin pps</b> </pre> </div><a name="wp1101062"></a><div class="pEx1_Example1"> <pre>Interface Trusted Rate limit (pps) </pre> </div><a name="wp1101063"></a><div class="pEx1_Example1"> <pre>------------------------ ------- ---------------- </pre> </div><a name="wp1099045"></a><div class="pEx1_Example1"> <pre>FastEthernet5/12 no unlimited </pre> </div><a name="wp1101875"></a><div class="pEx1_Example1"> <pre>Router# </pre> </div> <a name="Configuring_DHCP_Snooping_Rate_Limiting_on_Layer_2_LAN_Interfaces"> </a> <a name="wp1097369"></a><a name="wpmkr1097367"></a><a name="wpxref41087"></a><h3 class="p_H_Head2"> Configuring DHCP Snooping Rate Limiting on Layer 2 LAN Interfaces </h3> <a name="wp1097374"></a><p class="pB1_Body1"> To configure DHCP snooping rate limiting on a Layer 2 LAN interface, perform this task: </p> <a name="wp1097420"></a><p class="pAnchor"> </p> <div align="left"> <table class="steptable" border="1" cellpadding="3" cellspacing="0" width="80%" bordercolor="#808080" id="wp1097379table1097375"> <caption></caption> <tr align="left" valign="bottom"> <th scope="col"> <a name="wp1097377"></a></th> <th scope="col"><a name="wp1097379"></a><div class="pCH1_CellHead1"> Command </div> </th> <th scope="col"><a name="wp1097381"></a><div class="pCH1_CellHead1"> Purpose </div> </th> </tr> <tr align="left" valign="top"><td><a name="wp1098654"></a><p class="pCSF_CellStepFirst"> Step 1  </p> </td> <td><a name="wp1098656"></a><p class="pExT_ExampleTable">Router(config)# <b class="cBold">interface</b> {<em class="cEmphasis">type</em><sup><a href="#wpxref1098660">1</a> </sup><em class="cEmphasis"> slot/port</em> | <b class="cBold">port-channel</b> <em class="cArgument">number</em>} </p></td> <td><a name="wp1098662"></a><p class="pB1_Body1"> Selects the interface to configure. </p> <a name="wp1098902"></a><p class="pNT_NoteTable"> <b>Note </b><img src="../../../../../i/templates/blank.gif" alt="" width="1" height="2" border="0" />Select only LAN ports configured with the <b class="cBold">switchport</b> command or Layer 2 port-channel interfaces. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1097403"></a><p class="pCSN_CellStepnext"> Step 2  </p> </td> <td><a name="wp1097405"></a><p class="pExT_ExampleTable">Router(config-if)# <b style="font-weight: bold" class="cBold">ip dhcp snooping limit rate </b><span style="color: Black; font-style: italic; font-weight: normal">rate</span> </p></td> <td><a name="wp1097407"></a><p class="pB1_Body1"> Configures DHCP packet rate limiting. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1099072"></a><p class="pCSN_CellStepnext"> Step 3  </p> </td> <td><a name="wp1099078"></a><p class="pExT_ExampleTable">Router(config-if)# <b class="cBold">no ip dhcp snooping limit rate</b> </p></td> <td><a name="wp1099080"></a><p class="pB1_Body1"> Disables DHCP packet rate limiting. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1097415"></a><p class="pCSN_CellStepnext"> Step 4  </p> </td> <td><a name="wp1097417"></a><p class="pExT_ExampleTable">Router(config-if)# <b class="cBold">do show ip dhcp snooping | begin pps</b> </p></td> <td><a name="wp1097419"></a><p class="pB1_Body1"> Verifies the configuration. </p> </td> </tr> </table> <table> <tr> <td><a name="wp1098660"></a><a name="wpxref48654"></a><p class="pTFi_TableFootnoteIndent"> <sup><a href="#wpxref1098656">1</a> </sup><em class="cEmphasis">type</em> = <b class="cBold">fastethernet</b>, <b class="cBold">gigabitethernet</b>, or <b class="cBold">tengigabitethernet</b> </p> </td> </tr> </table> </div> <p class="pAnchor"> </p> <a name="wp1105150"></a><a name="wp1106159"></a><p class="pB1_Body1"> When configuring DHCP snooping rate limiting on a Layer 2 LAN interface, note the following information: </p> <a name="wp1106085"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />We recommend an untrusted rate limit of not more than 100 packets per second (pps). </p> <a name="wp1105481"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />If you configure rate limiting for trusted interfaces, you might need to increase the rate limit on trunk ports carrying more than one VLAN on which DHCP snooping is enabled. </p> <a name="wp1105497"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />DHCP snooping puts ports where the rate limit is exceeded into the error-disabled state. </p> <a name="wp1098237"></a><p class="pB1_Body1"> This example shows how to configure DHCP packet rate limiting to 100 pps on Fast Ethernet port 5/12: </p> <a name="wp1098238"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">configure terminal</b> </pre> </div><a name="wp1098243"></a><div class="pEx1_Example1"> <pre>Router(config)# <b class="cBold">interface FastEthernet 5/12</b> </pre> </div><a name="wp1098244"></a><div class="pEx1_Example1"> <pre>Router(config-if)# <b class="cBold">ip dhcp snooping limit rate 100</b> </pre> </div><a name="wp1101255"></a><div class="pEx1_Example1"> <pre>Router(config-if)# <b class="cBold">do show ip dhcp snooping | begin pps</b> </pre> </div><a name="wp1101256"></a><div class="pEx1_Example1"> <pre>Interface Trusted Rate limit (pps) </pre> </div><a name="wp1101257"></a><div class="pEx1_Example1"> <pre>------------------------ ------- ---------------- </pre> </div><a name="wp1101258"></a><div class="pEx1_Example1"> <pre>FastEthernet5/12 no 100 </pre> </div><a name="wp1098258"></a><div class="pEx1_Example1"> <pre>Router# </pre> </div> <a name="Configuring_the_DHCP_Snooping_Database_Agent"> </a> <a name="wp1090479"></a><a name="wpxref48352"></a><a name="wpmkr1091698"></a><h3 class="p_H_Head2"> Configuring the DHCP Snooping Database Agent </h3> <a name="wp1090480"></a><p class="pB1_Body1"> To configure the DHCP snooping database agent, perform one or more of the following tasks: </p> <a name="wp1090510"></a><p class="pAnchor"> </p> <div align="left"> <table class="steptable" border="1" cellpadding="3" cellspacing="0" width="80%" bordercolor="#808080" id="wp1090483table1090481"> <caption></caption> <tr align="left" valign="bottom"> <th scope="col"><a name="wp1090483"></a><div class="pCH1_CellHead1"> Command </div> </th> <th scope="col"><a name="wp1090485"></a><div class="pCH1_CellHead1"> Purpose </div> </th> </tr> <tr align="left" valign="top"><td><a name="wp1090487"></a><div class="pEx1_Example1"> <pre>Router(config)# <b class="cBold">ip dhcp snooping database</b> { <em class="cEmphasis">_url</em> | <b class="cBold">write-delay</b> <em class="cEmphasis">seconds</em> | <b class="cBold">timeout</b> <em class="cEmphasis">seconds</em> } </pre> </div></td> <td><a name="wp1090491"></a><p class="pB1_Body1"> Configures a URL for the database agent (or file) and the related timeout values. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1104709"></a><p class="pExT_ExampleTable">Router(config)# <b class="cBold">no ip dhcp snooping database</b> [<b class="cBold">write-delay</b> | <b class="cBold">timeout</b>] </p></td> <td><a name="wp1104711"></a><p class="pB1_Body1"> Clears the configuration. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1090493"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">show ip dhcp snooping database</b> [<b class="cBold">detail</b>] </pre> </div></td> <td><a name="wp1090495"></a><p class="pB1_Body1"> Displays the current operating state of the database agent and statistics associated with the transfers. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1090497"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">clear ip dhcp snooping database statistics</b> </pre> </div></td> <td><a name="wp1090499"></a><p class="pB1_Body1"> Clears the statistics associated with the database agent. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1090501"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">renew ip dhcp snooping database</b> [<b class="cBold">validation none</b>] [<em class="cEmphasis">url</em>] </pre> </div></td> <td><a name="wp1090503"></a><p class="pB1_Body1"> Requests the read entries from a file at the given URL. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1090505"></a><div class="pEx1_Example1"> <pre>Router# <b style="font-weight: bold" class="cBold">ip dhcp snooping binding </b><span style="color: Black; font-style: italic; font-weight: normal">mac_address</span><span style="color: Black; font-style: normal; font-weight: bold"> vlan </span><span style="color: Black; font-style: italic; font-weight: normal">vlan_ID ip_address</span><span style="color: Black; font-style: normal; font-weight: bold"> interface </span><span style="color: Black; font-style: italic; font-weight: normal">ifname</span><span style="color: Black; font-style: normal; font-weight: bold"> expiry </span><span style="color: Black; font-style: italic; font-weight: normal">lease_in_seconds</span> </pre> </div></td> <td><a name="wp1090509"></a><p class="pB1_Body1"> Adds bindings to the snooping database. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1104766"></a><p class="pExT_ExampleTable">Router# <b style="font-weight: bold" class="cBold">no ip dhcp snooping binding </b><span style="color: Black; font-style: italic; font-weight: normal">mac_address</span><span style="color: Black; font-style: normal; font-weight: bold"> vlan </span><span style="color: Black; font-style: italic; font-weight: normal">vlan_ID ip_address</span><span style="color: Black; font-style: normal; font-weight: bold"> interface</span> <em class="cEmphasis">ifname</em> </p></td> <td><a name="wp1104768"></a><p class="pB1_Body1"> Deletes bindings from the snooping database. </p> </td> </tr> </table> </div> <p class="pAnchor"> </p> <a name="wp1107145"></a><p class="pB1_Body1"> When configuring the DHCP snooping database agent, note the following information: </p> <a name="wp1119105"></a><a name="wpmkr1119111"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />The DHCP snooping database stores at least 8,000 bindings. </p> <a name="wp1092744"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />Store the file on a TFTP server to avoid consuming storage space on the switch storage devices. </p> <a name="wp1104836"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />When a switchover occurs, if the file is stored in a remote location accessible through TFTP, the newly active supervisor engine can use the binding list. </p> <a name="wp1092745"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" />Network-based URLs (such as TFTP and FTP) require that you create an empty file at the configured URL before the switch can write the set of bindings for the first time. </p> <a name="Configuration_Examples_for_the_Database_Agent"> </a> <a name="wp1092681"></a><a name="wpxref70009"></a><h3 class="p_H_Head2"> Configuration Examples for the Database Agent </h3> <a name="wp1091770"></a><p class="pB1_Body1"> These sections provide examples for the database agent: </p> <a name="wp1105007"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1090512">Example 1: Enabling the Database Agent</a> </p> <a name="wp1105023"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1090557">Example 2: Reading Binding Entries from a TFTP File</a> </p> <a name="wp1104972"></a><p class="pBu1_Bullet1"> •<img src="../../../../../i/templates/blank.gif" alt="" width="19" height="2" border="0" /><a href="#wp1090624">Example 3: Adding Information to the DHCP Snooping Database</a> </p> <a name="Example_1:_Enabling_the_Database_Agent"> </a> <a name="wp1090512"></a><a name="wpxref41757"></a><a name="wpmkr1091699"></a><h3 class="p_H_Head3"> Example 1: Enabling the Database Agent </h3> <a name="wp1090513"></a><p class="pB1_Body1"> The following example shows how to configure the DHCP snooping database agent to store the bindings at a given location and to view the configuration and operating state: </p> <a name="wp1090514"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">configure terminal</b> </pre> </div><a name="wp1090515"></a><div class="pEx1_Example1"> <pre>Router(config)# <b class="cBold">ip dhcp snooping database tftp://10.1.1.1/directory/file</b> </pre> </div><a name="wp1090516"></a><div class="pEx1_Example1"> <pre>Router(config)# <b class="cBold">end</b> </pre> </div><a name="wp1090517"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">show ip dhcp snooping database detail</b> </pre> </div><a name="wp1090518"></a><div class="pEx1_Example1"> <pre>Agent URL : tftp://10.1.1.1/directory/file </pre> </div><a name="wp1090519"></a><div class="pEx1_Example1"> <pre>Write delay Timer : 300 seconds </pre> </div><a name="wp1090520"></a><div class="pEx1_Example1"> <pre>Abort Timer : 300 seconds </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1090521"></a><br /></pre></div> <a name="wp1090522"></a><div class="pEx1_Example1"> <pre>Agent Running : No </pre> </div><a name="wp1090523"></a><div class="pEx1_Example1"> <pre>Delay Timer Expiry : 7 (00:00:07) </pre> </div><a name="wp1090524"></a><div class="pEx1_Example1"> <pre>Abort Timer Expiry : Not Running </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1090525"></a><br /></pre></div> <a name="wp1090526"></a><div class="pEx1_Example1"> <pre>Last Succeeded Time : None </pre> </div><a name="wp1090527"></a><div class="pEx1_Example1"> <pre>Last Failed Time : 17:14:25 UTC Sat Jul 7 2001 </pre> </div><a name="wp1090528"></a><div class="pEx1_Example1"> <pre>Last Failed Reason : Unable to access URL. </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1090529"></a><br /></pre></div> <a name="wp1090530"></a><div class="pEx1_Example1"> <pre>Total Attempts : 21 Startup Failures : 0 </pre> </div><a name="wp1090531"></a><div class="pEx1_Example1"> <pre>Successful Transfers : 0 Failed Transfers : 21 </pre> </div><a name="wp1090532"></a><div class="pEx1_Example1"> <pre>Successful Reads : 0 Failed Reads : 0 </pre> </div><a name="wp1090533"></a><div class="pEx1_Example1"> <pre>Successful Writes : 0 Failed Writes : 21 </pre> </div><a name="wp1090534"></a><div class="pEx1_Example1"> <pre>Media Failures : 0 </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1090535"></a><br /></pre></div> <a name="wp1090536"></a><div class="pEx1_Example1"> <pre>First successful access: Read </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1090537"></a><br /></pre></div> <a name="wp1090538"></a><div class="pEx1_Example1"> <pre>Last ignored bindings counters : </pre> </div><a name="wp1090539"></a><div class="pEx1_Example1"> <pre>Binding Collisions : 0 Expired leases : 0 </pre> </div><a name="wp1090540"></a><div class="pEx1_Example1"> <pre>Invalid interfaces : 0 Unsupported vlans : 0 </pre> </div><a name="wp1090541"></a><div class="pEx1_Example1"> <pre>Parse failures : 0 </pre> </div><a name="wp1090542"></a><div class="pEx1_Example1"> <pre>Last Ignored Time : None </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1090543"></a><br /></pre></div> <a name="wp1090544"></a><div class="pEx1_Example1"> <pre>Total ignored bindings counters: </pre> </div><a name="wp1090545"></a><div class="pEx1_Example1"> <pre>Binding Collisions : 0 Expired leases : 0 </pre> </div><a name="wp1090546"></a><div class="pEx1_Example1"> <pre>Invalid interfaces : 0 Unsupported vlans : 0 </pre> </div><a name="wp1090547"></a><div class="pEx1_Example1"> <pre>Parse failures : 0 </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1090548"></a><br /></pre></div> <a name="wp1090549"></a><div class="pEx1_Example1"> <pre>Router# </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1090550"></a><br /></pre></div> <a name="wp1090551"></a><p class="pB1_Body1"> The first three lines of output show the configured URL and related timer-configuration values. The next three lines show the operating state and the amount of time left for expiry of write delay and abort timers. </p> <a name="wp1090552"></a><p class="pB1_Body1"> Among the statistics shown in the output, startup failures indicate the number of attempts to read or create the file that failed on bootup. </p> <div class="Note1B"><img src="../../../../../i/templates/note.gif" alt="" /></div><hr class="Cautn1table" /> <a name="wp1090553"></a><p class="pN1_Note1"> <b>Note </b><img src="../../../../../i/templates/blank.gif" alt="" width="1" height="2" border="0" />Create a temporary file on the TFTP server with the <b class="cBold">touch</b> command in the TFTP server daemon directory. With some UNIX implementations, the file should have full read and write access permissions (777). </p> <hr class="Cautn1table" /><a name="wp1090554"></a><p class="pB1_Body1"> DHCP snooping bindings are keyed on the MAC address and VLAN combination. If an entry in the remote file has an entry for a given MAC address and VLAN set for which the switch already has a binding, the entry from the remote file is ignored when the file is read. This condition is referred to as the <em class="cEmphasis">binding collision</em>. </p> <a name="wp1091599"></a><p class="pB1_Body1"> An entry in a file may no longer be valid because the lease indicated by the entry may have expired by the time it is read. The expired leases counter indicates the number of bindings that are ignored because of this condition. The Invalid interfaces counter refers to the number of bindings that have been ignored when the interface referred by the entry either does not exist on the system or is a router or DHCP snooping trusted interface (if it exists) when the read happened. Unsupported VLANs refers to the number of entries that have been ignored because the indicated VLAN is not supported on the system. The Parse failures counter provides the number of entries that have been ignored when the switch is unable to interpret the meaning of the entries from the file. </p> <a name="wp1090556"></a><p class="pB1_Body1"> The switch maintains two sets of counters for these ignored bindings. One provides the counters for a read that has at least one binding ignored by at least one of these conditions. These counters are shown as the "Last ignored bindings counters." The total ignored bindings counters provides a sum of the number of bindings that have been ignored because of all the reads since the switch bootup. These two sets of counters are cleared by the <span style="color: Black; font-style: normal; font-weight: bold">clear</span> command. The total counter set may indicate the number of bindings that have been ignored since the last clear. </p> <a name="Example_2:_Reading_Binding_Entries_from_a_TFTP_File"> </a> <a name="wp1090557"></a><a name="wpmkr1091701"></a><a name="wpxref15161"></a><h3 class="p_H_Head3"> Example 2: Reading Binding Entries from a TFTP File </h3> <a name="wp1090558"></a><p class="pB1_Body1"> To manually read the entries from a TFTP file, perform this task: </p> <a name="wp1092302"></a><p class="pAnchor"> </p> <div align="left"> <table class="steptable" border="1" cellpadding="3" cellspacing="0" width="80%" bordercolor="#808080" id="wp1092254table1092250"> <caption></caption> <tr align="left" valign="bottom"> <th scope="col"> <a name="wp1092252"></a></th> <th scope="col"><a name="wp1092254"></a><div class="pCH1_CellHead1"> Command </div> </th> <th scope="col"><a name="wp1092256"></a><div class="pCH1_CellHead1"> Purpose </div> </th> </tr> <tr align="left" valign="top"><td><a name="wp1092258"></a><p class="pCSF_CellStepFirst"> Step 1  </p> </td> <td><a name="wp1092260"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">show ip dhcp snooping database</b> </pre> </div></td> <td><a name="wp1092263"></a><p class="pB1_Body1"> Displays the DHCP snooping database agent statistics. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1092265"></a><p class="pCSN_CellStepnext"> Step 2  </p> </td> <td><a name="wp1092267"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">renew ip dhcp snoop data</b> <em class="cEmphasis">url</em> </pre> </div></td> <td><a name="wp1092269"></a><p class="pB1_Body1"> Directs the switch to read the file from the URL. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1092271"></a><p class="pCSN_CellStepnext"> Step 3  </p> </td> <td><a name="wp1092273"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">show ip dhcp snoop data</b> </pre> </div></td> <td><a name="wp1092275"></a><p class="pB1_Body1"> Displays the read status. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1092277"></a><p class="pCSN_CellStepnext"> Step 4  </p> </td> <td><a name="wp1092279"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">show ip dhcp snoop bind</b> </pre> </div></td> <td><a name="wp1092282"></a><p class="pB1_Body1"> Verifies whether the bindings were read successfully. </p> </td> </tr> </table> </div> <p class="pAnchor"> </p> <a name="wp1092248"></a><p class="pB1_Body1"> This is an example of how to manually read entries from the tftp://10.1.1.1/directory/file: </p> <a name="wp1090560"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">show ip dhcp snooping database</b> </pre> </div><a name="wp1090561"></a><div class="pEx1_Example1"> <pre>Agent URL : </pre> </div><a name="wp1090562"></a><div class="pEx1_Example1"> <pre>Write delay Timer : 300 seconds </pre> </div><a name="wp1090563"></a><div class="pEx1_Example1"> <pre>Abort Timer : 300 seconds </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1090564"></a><br /></pre></div> <a name="wp1090565"></a><div class="pEx1_Example1"> <pre>Agent Running : No </pre> </div><a name="wp1090566"></a><div class="pEx1_Example1"> <pre>Delay Timer Expiry : Not Running </pre> </div><a name="wp1090567"></a><div class="pEx1_Example1"> <pre>Abort Timer Expiry : Not Running </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1090568"></a><br /></pre></div> <a name="wp1090569"></a><div class="pEx1_Example1"> <pre>Last Succeeded Time : None </pre> </div><a name="wp1090570"></a><div class="pEx1_Example1"> <pre>Last Failed Time : None </pre> </div><a name="wp1090571"></a><div class="pEx1_Example1"> <pre>Last Failed Reason : No failure recorded. </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1090572"></a><br /></pre></div> <a name="wp1090573"></a><div class="pEx1_Example1"> <pre>Total Attempts : 0 Startup Failures : 0 </pre> </div><a name="wp1090574"></a><div class="pEx1_Example1"> <pre>Successful Transfers : 0 Failed Transfers : 0 </pre> </div><a name="wp1090575"></a><div class="pEx1_Example1"> <pre>Successful Reads : 0 Failed Reads : 0 </pre> </div><a name="wp1090576"></a><div class="pEx1_Example1"> <pre>Successful Writes : 0 Failed Writes : 0 </pre> </div><a name="wp1090577"></a><div class="pEx1_Example1"> <pre>Media Failures : 0 </pre> </div><a name="wp1090580"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">renew ip dhcp snoop data tftp://10.1.1.1/directory/file</b> </pre> </div><a name="wp1090581"></a><div class="pEx1_Example1"> <pre>Loading directory/file from 10.1.1.1 (via GigabitEthernet1/1): ! </pre> </div><a name="wp1090582"></a><div class="pEx1_Example1"> <pre>[OK - 457 bytes] </pre> </div><a name="wp1090583"></a><div class="pEx1_Example1"> <pre>Database downloaded successfully. </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1090584"></a><br /></pre></div> <a name="wp1090585"></a><div class="pEx1_Example1"> <pre>Router# </pre> </div><a name="wp1090586"></a><div class="pEx1_Example1"> <pre>00:01:29: %DHCP_SNOOPING-6-AGENT_OPERATION_SUCCEEDED: DHCP snooping database Read succeeded. </pre> </div><a name="wp1090589"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">show ip dhcp snoop data</b> </pre> </div><a name="wp1090590"></a><div class="pEx1_Example1"> <pre>Agent URL : </pre> </div><a name="wp1090591"></a><div class="pEx1_Example1"> <pre>Write delay Timer : 300 seconds </pre> </div><a name="wp1090592"></a><div class="pEx1_Example1"> <pre>Abort Timer : 300 seconds </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1090593"></a><br /></pre></div> <a name="wp1090594"></a><div class="pEx1_Example1"> <pre>Agent Running : No </pre> </div><a name="wp1090595"></a><div class="pEx1_Example1"> <pre>Delay Timer Expiry : Not Running </pre> </div><a name="wp1090596"></a><div class="pEx1_Example1"> <pre>Abort Timer Expiry : Not Running </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1090597"></a><br /></pre></div> <a name="wp1090598"></a><div class="pEx1_Example1"> <pre>Last Succeeded Time : 15:24:34 UTC Sun Jul 8 2001 </pre> </div><a name="wp1090599"></a><div class="pEx1_Example1"> <pre>Last Failed Time : None </pre> </div><a name="wp1090600"></a><div class="pEx1_Example1"> <pre>Last Failed Reason : No failure recorded. </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1090601"></a><br /></pre></div> <a name="wp1090602"></a><div class="pEx1_Example1"> <pre>Total Attempts : 1 Startup Failures : 0 </pre> </div><a name="wp1090603"></a><div class="pEx1_Example1"> <pre>Successful Transfers : 1 Failed Transfers : 0 </pre> </div><a name="wp1090604"></a><div class="pEx1_Example1"> <pre>Successful Reads : 1 Failed Reads : 0 </pre> </div><a name="wp1090605"></a><div class="pEx1_Example1"> <pre>Successful Writes : 0 Failed Writes : 0 </pre> </div><a name="wp1090606"></a><div class="pEx1_Example1"> <pre>Media Failures : 0 </pre> </div><a name="wp1090607"></a><div class="pEx1_Example1"> <pre>Router# </pre> </div><a name="wp1090609"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">show ip dhcp snoop bind</b> </pre> </div><a name="wp1090610"></a><div class="pEx1_Example1"> <pre>MacAddress IpAddress Lease(sec) Type VLAN Interface </pre> </div><a name="wp1090611"></a><div class="pEx1_Example1"> <pre>------------------ --------------- ---------- ------------- ---- -------------------- </pre> </div><a name="wp1090612"></a><div class="pEx1_Example1"> <pre>00:01:00:01:00:05 1.1.1.1 49810 dhcp-snooping 512 GigabitEthernet1/1 </pre> </div><a name="wp1090613"></a><div class="pEx1_Example1"> <pre>00:01:00:01:00:02 1.1.1.1 49810 dhcp-snooping 512 GigabitEthernet1/1 </pre> </div><a name="wp1090614"></a><div class="pEx1_Example1"> <pre>00:01:00:01:00:04 1.1.1.1 49810 dhcp-snooping 1536 GigabitEthernet1/1 </pre> </div><a name="wp1090615"></a><div class="pEx1_Example1"> <pre>00:01:00:01:00:03 1.1.1.1 49810 dhcp-snooping 1024 GigabitEthernet1/1 </pre> </div><a name="wp1090616"></a><div class="pEx1_Example1"> <pre>00:01:00:01:00:01 1.1.1.1 49810 dhcp-snooping 1 GigabitEthernet1/1 </pre> </div><a name="wp1090618"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">clear ip dhcp snoop bind</b> </pre> </div><a name="wp1090619"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">show ip dhcp snoop bind</b> </pre> </div><a name="wp1090620"></a><div class="pEx1_Example1"> <pre>MacAddress IpAddress Lease(sec) Type VLAN Interface </pre> </div><a name="wp1090621"></a><div class="pEx1_Example1"> <pre>------------------ --------------- ---------- ------------- ---- -------------------- </pre> </div><a name="wp1090622"></a><div class="pEx1_Example1"> <pre>Router# </pre> </div> <a name="Example_3:_Adding_Information_to_the_DHCP_Snooping_Database"> </a> <a name="wp1090624"></a><a name="wpmkr1091702"></a><a name="wpxref71981"></a><h3 class="p_H_Head3"> Example 3: Adding Information to the DHCP Snooping Database </h3> <a name="wp1090625"></a><p class="pB1_Body1"> To manually add a binding to the DHCP snooping database, perform this task: </p> <a name="wp1092541"></a><p class="pAnchor"> </p> <div align="left"> <table class="steptable" border="1" cellpadding="3" cellspacing="0" width="80%" bordercolor="#808080" id="wp1092514table1092510"> <caption></caption> <tr align="left" valign="bottom"> <th scope="col"> <a name="wp1092512"></a></th> <th scope="col"><a name="wp1092514"></a><div class="pCH1_CellHead1"> Command </div> </th> <th scope="col"><a name="wp1092516"></a><div class="pCH1_CellHead1"> Purpose </div> </th> </tr> <tr align="left" valign="top"><td><a name="wp1092518"></a><p class="pCSF_CellStepFirst"> Step 1  </p> </td> <td><a name="wp1092520"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">show ip dhcp snooping binding</b> </pre> </div></td> <td><a name="wp1092522"></a><p class="pB1_Body1"> Views the DHCP snooping database. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1092524"></a><p class="pCSN_CellStepnext"> Step 2  </p> </td> <td><a name="wp1092526"></a><div class="pEx1_Example1"> <pre>Router# <b style="font-weight: bold" class="cBold">ip dhcp snooping binding </b><span style="color: Black; font-style: italic; font-weight: normal">binding_id</span><span style="color: Black; font-style: normal; font-weight: bold"> vlan </span><span style="color: Black; font-style: italic; font-weight: normal">vlan_id</span> <b style="font-weight: bold" class="cBold">interface </b><span style="color: Black; font-style: italic; font-weight: normal">interface</span> <b class="cBold">expiry</b> <em class="cEmphasis">lease_time</em> </pre> </div></td> <td><a name="wp1092528"></a><p class="pB1_Body1"> Adds the binding using the <b class="cBold">ip dhcp snooping</b> exec command. </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1092530"></a><p class="pCSN_CellStepnext"> Step 3  </p> </td> <td><a name="wp1092532"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">show ip dhcp snooping binding</b> </pre> </div></td> <td><a name="wp1092534"></a><p class="pB1_Body1"> Checks the DHCP snooping database. </p> </td> </tr> </table> </div> <p class="pAnchor"> </p> <a name="wp1090626"></a><p class="pB1_Body1"> This example shows how to manually add a binding to the DHCP snooping database: </p> <a name="wp1090627"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">show ip dhcp snooping binding</b> </pre> </div><a name="wp1090628"></a><div class="pEx1_Example1"> <pre>MacAddress IpAddress Lease(sec) Type VLAN Interface </pre> </div><a name="wp1090629"></a><div class="pEx1_Example1"> <pre>------------------ --------------- ---------- ------------- ---- -------------------- </pre> </div><a name="wp1090630"></a><div class="pEx1_Example1"> <pre>Router# </pre> </div><a name="wp1090633"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">ip dhcp snooping binding 1.1.1 vlan 1 1.1.1.1 interface gi1/1 expiry 1000</b> </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1090634"></a><br /></pre></div> <a name="wp1090636"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">show ip dhcp snooping binding</b> </pre> </div><a name="wp1090637"></a><div class="pEx1_Example1"> <pre>MacAddress IpAddress Lease(sec) Type VLAN Interface </pre> </div><a name="wp1090638"></a><div class="pEx1_Example1"> <pre>------------------ --------------- ---------- ------------- ---- -------------------- </pre> </div><a name="wp1090639"></a><div class="pEx1_Example1"> <pre>00:01:00:01:00:01 1.1.1.1 992 dhcp-snooping 1 GigabitEthernet1/1 </pre> </div><a name="wp1090640"></a><div class="pEx1_Example1"> <pre>Router# </pre> </div> <a name="Displaying_a_Binding_Table"> </a> <a name="wp1084420"></a><a name="wpxref40890"></a><a name="wpmkr1084419"></a><h3 class="p_H_Head2"> Displaying a Binding Table </h3> <a name="wp1084421"></a><p class="pB1_Body1"> The DHCP snooping binding table for each switch contains binding entries that correspond to untrusted ports. The table does not contain information about hosts interconnected with a trusted port because each interconnected switch will have its own DHCP snooping binding table. </p> <a name="wp1084422"></a><p class="pB1_Body1"> This example shows how to display the DHCP snooping binding information for a switch: </p> <a name="wp1086703"></a><div class="pEx1_Example1"> <pre>Router# <b class="cBold">show ip dhcp snooping binding</b> </pre> </div><a name="wp1086704"></a><div class="pEx1_Example1"> <pre>MacAddress IpAddress Lease(sec) Type VLAN Interface </pre> </div><a name="wp1086705"></a><div class="pEx1_Example1"> <pre>------------------ --------------- ---------- ------------- ---- -------------------- </pre> </div><a name="wp1086706"></a><div class="pEx1_Example1"> <pre>00:02:B3:3F:3B:99 55.5.5.2 6943 dhcp-snooping 10 FastEthernet6/10 </pre> </div><div class="pPreformatted"><pre class="pPreformatted"> <a name="wp1084428"></a><br /></pre></div> <a name="wp1084432"></a><p class="pB1_Body1"> <a href="#wp1084436">Table 46-2</a> describes the fields in the <b class="cBold">show ip dhcp snooping binding</b> command output. </p> <a name="wp1084467"></a><p class="pAnchor"> </p> <div align="left"> <table border="1" cellpadding="3" cellspacing="0" width="80%" bordercolor="#808080" id="wp1084436table1084433"> <caption><a name="wp1084436"></a><a name="wpxref27622"></a><p class="pTC_TableCap"> Table 46-2 show ip dhcp snooping binding Command Output  </p> </caption> <tr align="left" valign="bottom"> <th scope="col"><a name="wp1084440"></a><div class="pCH1_CellHead1"> Field </div> </th> <th scope="col"><a name="wp1084442"></a><div class="pCH1_CellHead1"> Description </div> </th> </tr> <tr align="left" valign="top"><td><a name="wp1084444"></a><p class="pB1_Body1"> MAC Address </p> </td> <td><a name="wp1084446"></a><p class="pB1_Body1"> Client hardware MAC address </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1084448"></a><p class="pB1_Body1"> IP Address </p> </td> <td><a name="wp1084450"></a><p class="pB1_Body1"> Client IP address assigned from the DHCP server </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1084452"></a><p class="pB1_Body1"> Lease (seconds) </p> </td> <td><a name="wp1084454"></a><p class="pB1_Body1"> IP address lease time </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1084456"></a><p class="pB1_Body1"> Type </p> </td> <td><a name="wp1084458"></a><p class="pB1_Body1"> Binding type: dynamic binding learned by DHCP snooping or statically-configured binding </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1084460"></a><p class="pB1_Body1"> VLAN </p> </td> <td><a name="wp1084462"></a><p class="pB1_Body1"> VLAN number of the client interface </p> </td> </tr> <tr align="left" valign="top"><td><a name="wp1084464"></a><p class="pB1_Body1"> Interface </p> </td> <td><a name="wp1084466"></a><p class="pB1_Body1"> Interface that connects to the DHCP client host </p> </td> </tr> </table> </div><br /> <p class="pAnchor"> </p> </blockquote> <hr noshade /> </span></div> </div> </td> </tr> <tr align="left" valign="top"> <td><div class="left-col-min-width"><wbr/></div></td> <td><div class="footer"><div id="footer-legal"><a href="/web/siteassets/legal/terms_condition.html">Terms & Conditions</a> | <a href="/web/siteassets/legal/privacy.html">Privacy Statement</a> | <a href="/web/siteassets/legal/privacy.html#cookies">Cookie Policy</a> | <a href="/web/siteassets/legal/trademark.html">Trademarks</a></div></div> <div class="right-col-min-width"><wbr/></div></td> </tr> </table> </body> </html>