Cisco Systems 2960 Model Vehicle User Manual


Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 20 Configuring DHCP Features and IP Source Guard Features
Configuring DHCP Snooping
To disable DHCP snooping, use the no ip dhcp snooping global configuration command. To disable
DHCP snooping on a VLAN or range of VLANs, use the no ip dhcp snooping vlan vlan-range global
configuration command. To disable the insertion and the removal of the option-82 field, use the no ip
dhcp snooping information option global configuration command. To configure an aggregation switch
to drop incoming DHCP snooping packets with option-82 information from an edge switch, use the no
ip dhcp snooping information option allow-untrusted global configuration command.
This example shows how to enable DHCP snooping globally and on VLAN 10 and to configure a rate
limit of 100 packets per second on a port:
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# ip dhcp snooping information option
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip dhcp snooping limit rate 100
          Command                               Purpose
Step 7    ip dhcp snooping trust                (Optional) Configure the interface as trusted or as untrusted. Use the no keyword to configure an interface to receive messages from an untrusted client. The default setting is untrusted.
Step 8    ip dhcp snooping limit rate rate      (Optional) Configure the number of DHCP packets per second that an interface can receive. The range is 1 to 2048. By default, no rate limit is configured.
                                                Note: We recommend an untrusted rate limit of not more than 100 packets per second. If you configure rate limiting for trusted interfaces, you might need to increase the rate limit if the port is a trunk port assigned to more than one VLAN with DHCP snooping.
Step 9    exit                                  Return to global configuration mode.
Step 10   ip dhcp snooping verify mac-address   (Optional) Configure the switch to verify that the source MAC address in a DHCP packet received on untrusted ports matches the client hardware address in the packet. The default is to verify that the source MAC address matches the client hardware address in the packet.
Step 11   end                                   Return to privileged EXEC mode.
Step 12   show running-config                   Verify your entries.
Step 13   copy running-config startup-config    (Optional) Save your entries in the configuration file.
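
The following Python sketch is an added example, not part of the Cisco guide: it audits saved show running-config text against the settings in Steps 7, 8 and 10 and the 100 packets per second recommendation. The sample configuration is constructed, and the policy choices are assumptions: every untrusted interface is expected to carry a rate limit, and disabled MAC verification is assumed to appear as the no form of the command.

```python
import re

# Constructed running-config excerpt (not from the guide); it yields three findings.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10
no ip dhcp snooping verify mac-address
ip dhcp snooping
!
interface GigabitEthernet0/1
 switchport access vlan 10
 ip dhcp snooping limit rate 500
!
interface GigabitEthernet0/2
 switchport access vlan 10
!
interface GigabitEthernet0/24
 switchport mode trunk
 ip dhcp snooping trust
"""

def audit_dhcp_snooping(config, max_untrusted_rate=100):
    """Return a list of findings for a running-config supplied as text."""
    findings = []
    # Global commands start in column 0; interface subcommands are indented.
    lines = [line.rstrip() for line in config.splitlines()]
    if "ip dhcp snooping" not in lines:
        findings.append("global: DHCP snooping is not enabled")
    if not any(line.startswith("ip dhcp snooping vlan ") for line in lines):
        findings.append("global: DHCP snooping is not enabled on any VLAN")
    if "no ip dhcp snooping verify mac-address" in lines:
        findings.append("global: source MAC verification is disabled")
    # An interface block is its header line plus the indented lines after it.
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M):
        name = m.group(1)
        cmds = [c.strip() for c in m.group(2).splitlines()]
        if "ip dhcp snooping trust" in cmds:
            continue  # trusted port: the 100 pps advice is for untrusted ports
        rate = next((int(c.rsplit(" ", 1)[1]) for c in cmds
                     if c.startswith("ip dhcp snooping limit rate ")), None)
        if rate is None:  # assumption of this audit: absence is a finding
            findings.append(f"{name}: untrusted port has no DHCP rate limit")
        elif rate > max_untrusted_rate:
            findings.append(
                f"{name}: untrusted rate limit {rate} pps exceeds {max_untrusted_rate}")
    return findings

if __name__ == "__main__":
    for finding in audit_dhcp_snooping(SAMPLE_CONFIG):
        print(finding)
```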