dhcp snooping

Jun 4th, 2008

There are no VLANs and no RADIUS server yet.

DHCP snooping should be done in a network that contains 2960s and a 4506.

What should the itinerary be, and which commands should be inserted on the switches?

Ryan Carretta Wed, 06/04/2008 - 23:24

There are several configuration action items:

* Enable DHCP snooping globally


Switch#config t

Switch(config)#ip dhcp snooping

* Enable DHCP snooping on the desired VLAN(s)

Switch(config)#ip dhcp snooping vlan

* Configure injection of option-82

Switch(config)#ip dhcp snooping information option

* Configure where you want to store the database bindings

Switch(config)#ip dhcp snooping database :

* If an aggregation switch, configure allowing receipt of DHCP packets from untrusted interfaces when option-82 is present

Switch(config)#ip dhcp snooping information option allow-untrusted

* Optionally configure mac-address verification. This will verify that the layer-2 header source MAC of a received DHCP packet matches the client address in the DHCP header.

Switch(config)#ip dhcp snooping verify mac-address

* Configure the upstream (direction of DHCP server) interface as a trusted port

Switch(config)#int gig0/1

Switch(config-if)#ip dhcp snooping trust

* Optionally configure the number of packets per second an interface should be able to inspect. Configuration of this can protect the control plane of the CPU from a denial of service attack initiated by faulty DHCP client/server software or by a malicious user. We recommend not allowing more than 100 packets/sec from untrusted interfaces.

Switch(config-if)#ip dhcp snooping limit rate

For the database binding agent, refer to these links:




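An added example, not part of the answer above or of any Cisco tooling: a Python check that reads a saved running-config and reports ports whose DHCP snooping trust or rate-limit settings deviate from the steps listed in the answer. The sample config, the interface names, VLAN 1 and the `audit` helper are constructed for illustration.

```python
import re

MAX_UNTRUSTED_PPS = 100  # ceiling recommended in the answer above
# Constructed sample running-config; interface names and VLAN 1 are hypothetical.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 1
ip dhcp snooping
!
interface GigabitEthernet0/1
 ip dhcp snooping trust
!
interface FastEthernet0/1
 ip dhcp snooping limit rate 15
!
interface FastEthernet0/2
 ip dhcp snooping limit rate 500
!
interface FastEthernet0/3
 ip dhcp snooping trust
"""

def audit(config, uplinks):
    """Return findings; uplinks is the set of ports facing the DHCP server."""
    lines, findings = config.splitlines(), []
    if "ip dhcp snooping" not in lines:
        findings.append("global: DHCP snooping not enabled")
    if not any(re.match(r"ip dhcp snooping vlan \S", l) for l in lines):
        findings.append("global: snooping not enabled on any VLAN")
    ports, current = {}, None
    for line in lines:
        m = re.match(r"interface (\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), {"trust": False, "rate": None})
        elif not line.startswith(" "):
            current = None  # left the interface stanza
        elif current is not None:
            cmd = line.strip()
            rate = re.fullmatch(r"ip dhcp snooping limit rate (\d+)", cmd)
            if cmd == "ip dhcp snooping trust":
                current["trust"] = True
            elif rate:
                current["rate"] = int(rate.group(1))
    for name, port in ports.items():
        if port["trust"] != (name in uplinks):
            findings.append(f"{name}: trust setting does not match uplink list")
        # Assumption: an untrusted port with no limit configured is unlimited.
        elif not port["trust"] and (port["rate"] is None or port["rate"] > MAX_UNTRUSTED_PPS):
            findings.append(f"{name}: rate limit missing or above {MAX_UNTRUSTED_PPS} pps")
    return findings
```

Calling `audit(SAMPLE_CONFIG, {"GigabitEthernet0/1"})` flags FastEthernet0/2 for its 500 pps limit and FastEthernet0/3 for being trusted without being a known uplink.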