Cisco Catalyst 4500 series Administration Manual page 1384

Configuring DHCP Snooping
To enable DHCP snooping, perform this task:
Step 1
Command: Switch(config)# ip dhcp snooping
Purpose: Enables DHCP snooping globally. You can use the no keyword to disable DHCP snooping.

Step 2
Command: Switch(config)# ip dhcp snooping vlan number [number] | vlan {vlan range}]
Purpose: Enables DHCP snooping on your VLAN or VLAN range.

Step 3
Command: Switch(config)# errdisable recovery {cause dhcp-rate-limit | interval interval}
Purpose: (Optional) Configures the amount of time required for recovery from a specified errdisable cause.

Step 4
Command: Switch(config)# errdisable detect cause dhcp-rate-limit {action shutdown vlan}
Purpose: (Optional) Enables per-VLAN errdisable detection.
Note: By default this command is enabled, and when a violation occurs the interface is shut down.

Step 5
Command: Switch(config-if)# ip dhcp snooping trust
Purpose: Configures the interface as trusted or untrusted. You can use the no keyword to configure an interface to receive messages from an untrusted client.

Step 6
Command: Switch(config-if)# ip dhcp snooping limit rate rate (1)
Purpose: Configures the number of DHCP packets per second (pps) that an interface can receive.

Step 7
Command: Switch(config)# end
Purpose: Exits configuration mode.

Step 8
Command: Switch# show ip dhcp snooping
Purpose: Verifies the configuration.

1. We recommend not configuring the untrusted interface rate limit to more than 100 packets per second. The recommended rate limit for each untrusted client is 15 packets per second. Normally, the rate limit applies to untrusted interfaces. If you want to set up rate limiting for trusted interfaces, keep in mind that trusted interfaces aggregate all DHCP traffic in the switch, and you will need to adjust the rate limit to a higher value. You should fine-tune this threshold depending on the network configuration. The CPU should not receive DHCP packets at a sustained rate of more than 1,000 packets per second.

You can configure DHCP snooping for a single VLAN or a range of VLANs. To configure a single VLAN, enter a single VLAN number. To configure a range of VLANs, enter a beginning and an ending VLAN number, or a range of VLANs separated by a dash.

The number of incoming DHCP packets is rate-limited to prevent a denial-of-service attack. When the rate of incoming DHCP packets exceeds the configured limit, the switch places the port in the errdisabled state. To prevent the whole port from shutting down, you can use the errdisable detect cause dhcp-rate-limit action shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred.

When a secure port is in the errdisabled state, you can bring it out of this state automatically by configuring the errdisable recovery cause dhcp-rate-limit global configuration command, or you can manually reenable it by entering the shutdown and no shutdown interface configuration commands. If a port is in per-VLAN errdisable mode, you can also use the clear errdisable interface name vlan range command to reenable the VLAN on the port.

This example shows how to enable DHCP snooping on VLAN 500 through 555:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 500 555
Switch(config)# ip dhcp snooping information option format remote-id string switch123
Switch(config)# interface GigabitEthernet 5/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# ip dhcp snooping limit rate 100

Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
Chapter 53: Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts
Page 53-8
OL_28731-01
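As an added check for the procedure on this page (not Cisco code), the following script audits a saved running-config against the guidance above: DHCP snooping enabled globally, errdisable recovery configured for dhcp-rate-limit, every interface rate-limited, and no untrusted port limited above 100 pps. The config it parses is a constructed sample, not output from a real switch, and the VLAN parser accepts the "vlan 500 555", "vlan 500-555" and comma-separated forms.

```python
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 500 555
errdisable recovery cause dhcp-rate-limit
interface GigabitEthernet5/1
 ip dhcp snooping trust
 ip dhcp snooping limit rate 1000
interface GigabitEthernet5/3
 ip dhcp snooping limit rate 500
interface GigabitEthernet5/4
"""
MAX_UNTRUSTED_PPS = 100  # recommended ceiling for an untrusted port, per the text above
REQUIRED_GLOBALS = ("ip dhcp snooping", "errdisable recovery cause dhcp-rate-limit")

def expand_vlans(spec):
    """'500 555' (start and end), '500-555' or '1,3,5-7' -> set of VLAN ids."""
    vlans = set()
    for item in "-".join(spec.split()).split(","):  # "500 555" form becomes "500-555"
        lo, _, hi = item.partition("-")
        vlans |= set(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(text):
    # Returns (global commands, snooped VLANs, {interface: {"trust": bool, "rate": int|None}})
    globals_, vlans, interfaces, cur = set(), set(), {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = interfaces.setdefault(line.split(None, 1)[1], {"trust": False, "rate": None})
        elif line.startswith(" ") and cur is not None:  # indented line inside an interface block
            cmd = line.strip()
            cur["trust"] |= cmd == "ip dhcp snooping trust"
            if cmd.startswith("ip dhcp snooping limit rate "):
                cur["rate"] = int(cmd.rsplit(None, 1)[1])
        else:  # '!' or any global command ends the interface block
            cur = None
            globals_.add(line)
            if line.startswith("ip dhcp snooping vlan "):
                vlans |= expand_vlans(line[len("ip dhcp snooping vlan "):])
    return globals_, vlans, interfaces

def audit(text):
    # Findings that deviate from the guidance above; an empty list means the config passes
    globals_, vlans, interfaces = parse_config(text)
    findings = [f"global: missing '{cmd}'" for cmd in REQUIRED_GLOBALS if cmd not in globals_]
    for name, cfg in interfaces.items():
        if cfg["rate"] is None:
            findings.append(f"{name}: no DHCP rate limit configured")
        elif not cfg["trust"] and cfg["rate"] > MAX_UNTRUSTED_PPS:
            findings.append(f"{name}: untrusted port limit {cfg['rate']} pps exceeds {MAX_UNTRUSTED_PPS}")
    return findings
```

Run audit() on the text of "show running-config" saved to a file; for the sample it reports the untrusted port limited at 500 pps and the port with no limit at all.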