Cisco catalyst 3750 Command Reference Manual page 621

Chapter 2 Catalyst 3750 Switch Cisco IOS Commands
Table 2-30
Table 2-30 DHCP Snooping Statistics
DHCP Snooping Statistic
Packets Processed by DHCP Snooping
Packets Dropped Because IDB not
known
Queue full
Interface is in errdisabled
Rate limit exceeded
Received on untrusted ports
Nonzero giaddr
Source mac not equal to chaddr
Binding mismatch
Insertion of opt82 fail
Interface Down
Unknown output interface
OL-8552-07
shows the DHCP snooping statistics and their descriptions:
Description
Total number of packets handled by DHCP snooping, including forwarded and
dropped packets.
Number of errors when the input interface of the packet cannot be determined.
Number of errors when an internal queue used to process the packets is full. This
might happen if DHCP packets are received at an excessively high rate and rate
limiting is not enabled on the ingress ports.
Number of times a packet was received on a port that has been marked as error
disabled. This might happen if packets are in the processing queue when a port is
put into the error-disabled state and those packets are subsequently processed.
Number of times the rate limit configured on the port was exceeded and the
interface was put into the error-disabled state.
Number of times a DHCP server packet (OFFER, ACK, NAK, or LEASEQUERY)
was received on an untrusted port and was dropped.
Number of times the relay agent address field (giaddr) in the DHCP packet received
on an untrusted port was not zero, or the no ip dhcp snooping information option
allow-untrusted global configuration command is not configured and a packet
received on an untrusted port contained option-82 data.
Number of times the client MAC address field of the DHCP packet (chaddr) does
not match the packet source MAC address and the ip dhcp snooping verify
mac-address global configuration command is configured.
Number of times a RELEASE or DECLINE packet was received on a port that is
different than the port in the binding for that MAC address-VLAN pair. This
indicates someone might be trying to spoof the real client, or it could mean that the
client has moved to another port on the switch and issued a RELEASE or
DECLINE. The MAC address is taken from the chaddr field of the DHCP packet,
not the source MAC address in the Ethernet header.
Number of times the option-82 insertion into a packet failed. The insertion might
fail if the packet with the option-82 data exceeds the size of a single physical packet
on the internet.
Number of times the packet is a reply to the DHCP relay agent, but the SVI interface
for the relay agent is down. This is an unlikely error that occurs if the SVI goes
down between sending the client request to the DHCP server and receiving the
response.
Number of times the output interface for a DHCP reply packet cannot be determined
by either option-82 data or a lookup in the MAC address table. The packet is
dropped. This can happen if option 82 is not used and the client MAC address has
aged out. If IPSG is enabled with the port-security option and option 82 is not
enabled, the MAC address of the client is not learned, and the reply packets will be
dropped.
show ip dhcp snooping statistics
Catalyst 3750 Switch Command Reference
2-591