Configuring DHCP

Finding Feature Information

Your software release may not support all the features documented in this chapter. For the latest feature information and caveats, see the release notes for your platform and software release.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About Configuring DHCP

This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping and option-82 data insertion, and the DHCP server port-based address allocation features on the switch. It also describes how to configure the IP source guard feature.

DHCP Snooping

DHCP is widely used in LAN environments to dynamically assign host IP addresses from a centralized server, which significantly reduces the overhead of administration of IP addresses. DHCP also helps conserve the limited IP address space because IP addresses no longer need to be permanently assigned to hosts; only those hosts that are connected to the network consume IP addresses.

DHCP Server

The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them. If the DHCP server cannot give the DHCP client the requested configuration parameters from its database, it forwards the request to one or more secondary DHCP servers defined by the network administrator.

DHCP Relay Agent

A DHCP relay agent is a Layer 3 device that forwards DHCP packets between clients and servers. Relay agents forward requests and replies between clients and servers when they are not on the same physical subnet. Relay agent forwarding is different from the normal Layer 2 forwarding, in which IP datagrams are switched transparently between networks. Relay agents receive DHCP messages and generate new DHCP messages to send on output interfaces.

DHCP Snooping

DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, also referred to as a DHCP snooping binding table.

DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You use DHCP snooping to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch.

Note For DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted interfaces.

An untrusted DHCP message is a message that is received from outside the network or firewall. When you use DHCP snooping in a service-provider environment, an untrusted message is sent from a device that is not in the service-provider network, such as a customer’s switch. Messages from unknown devices are untrusted because they can be sources of traffic attacks.

The DHCP snooping binding database has the MAC address, the IP address, the lease time, the binding type, the VLAN number, and the interface information that corresponds to the local untrusted interfaces of a switch. It does not have information regarding hosts interconnected with a trusted interface.

In a service-provider network, a trusted interface is connected to a port on a device in the same network. An untrusted interface is connected to an untrusted interface in the network or to an interface on a device that is not in the network.

When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which DHCP snooping is enabled, the switch compares the source MAC address and the DHCP client hardware address. If the addresses match (the default), the switch forwards the packet. If the addresses do not match, the switch drops the packet.

The switch drops a DHCP packet when one of these situations occurs:

  • A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received from outside the network or firewall.
  • A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match.
  • The switch receives a DHCPRELEASE or DHCPDECLINE broadcast message that has a MAC address in the DHCP snooping binding database, but the interface information in the binding database does not match the interface on which the message was received.
  • A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address that is not 0.0.0.0, or the relay agent forwards a packet that includes option-82 information to an untrusted port.

If the switch is an aggregation switch supporting DHCP snooping and is connected to an edge switch that is inserting DHCP option-82 information, the switch drops packets with option-82 information when packets are received on an untrusted interface. If DHCP snooping is enabled and packets are received on a trusted port, the aggregation switch does not learn the DHCP snooping bindings for connected devices and cannot build a complete DHCP snooping binding database.

When an aggregation switch can be connected to an edge switch through an untrusted interface and you enter the ip dhcp snooping information option allow-untrusted global configuration command, the aggregation switch accepts packets with option-82 information from the edge switch. The aggregation switch learns the bindings for hosts connected through an untrusted switch interface. The DHCP security features, such as dynamic ARP inspection or IP source guard, can still be enabled on the aggregation switch while the switch receives packets with option-82 information on untrusted input interfaces to which hosts are connected. The port on the edge switch that connects to the aggregation switch must be configured as a trusted interface.
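The drop rules above, modelled as an added example (not Cisco code) in Python: each constructed packet carries only the fields snooping inspects, the binding database is a plain MAC-to-interface dict, and the interface names and sample addresses are assumptions.

```python
from dataclasses import dataclass, field

# DHCP message types that only a server should originate (from the drop-rule list above)
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}


@dataclass
class DhcpPacket:
    """Constructed view of the fields DHCP snooping looks at."""
    msg_type: str          # e.g. "DHCPDISCOVER"
    src_mac: str           # Ethernet source address
    chaddr: str            # client hardware address inside the DHCP payload
    in_interface: str      # switch port the frame arrived on
    vlan: int
    giaddr: str = "0.0.0.0"   # relay-agent IP address field
    has_option82: bool = False


@dataclass
class SnoopingConfig:
    """Global and per-port settings from the procedures in this chapter."""
    snooping_vlans: set = field(default_factory=set)  # ip dhcp snooping vlan ...
    trusted_ports: set = field(default_factory=set)   # ip dhcp snooping trust
    verify_mac: bool = True                           # ip dhcp snooping verify mac-address
    allow_untrusted_option82: bool = False            # ... information option allow-untrusted


def snoop_decision(pkt, cfg, bindings):
    """Apply the drop rules to one packet.

    `bindings` maps a client MAC to the interface recorded in the DHCP snooping
    binding database. Returns (forward: bool, reason: str)."""
    if pkt.vlan not in cfg.snooping_vlans:
        return True, "DHCP snooping not enabled on this VLAN"
    if pkt.in_interface in cfg.trusted_ports:
        return True, "trusted interface"
    mac, chaddr = pkt.src_mac.lower(), pkt.chaddr.lower()
    # Rule 1: server-originated messages never arrive on an untrusted port.
    if pkt.msg_type in SERVER_MESSAGES:
        return False, f"{pkt.msg_type} received on untrusted interface"
    # Rule 2: source MAC must match the client hardware address (verification is on by default).
    if cfg.verify_mac and mac != chaddr:
        return False, "source MAC does not match DHCP client hardware address"
    # Rule 3: RELEASE/DECLINE must come from the port that holds the binding.
    if pkt.msg_type in ("DHCPRELEASE", "DHCPDECLINE"):
        bound_port = bindings.get(chaddr)
        if bound_port is not None and bound_port != pkt.in_interface:
            return False, f"{pkt.msg_type} for binding on {bound_port} arrived on {pkt.in_interface}"
    # Rule 4: relay-agent fields are only acceptable from trusted ports, unless
    # allow-untrusted is configured for the option-82 case (aggregation switch).
    if pkt.giaddr != "0.0.0.0":
        return False, "non-zero relay agent IP address on untrusted interface"
    if pkt.has_option82 and not cfg.allow_untrusted_option82:
        return False, "option-82 information on untrusted interface"
    return True, "accepted"


# Constructed sample: VLAN 10 snooped, Gi1/1 uplink trusted, Fa1/1 and Fa1/2 are access ports.
SAMPLE_CONFIG = SnoopingConfig(snooping_vlans={10}, trusted_ports={"Gi1/1"})
SAMPLE_BINDINGS = {"0003.47d8.c91f": "Fa1/1"}

SAMPLE_PACKETS = {
    "client discover": DhcpPacket("DHCPDISCOVER", "0003.47d8.c91f", "0003.47d8.c91f", "Fa1/1", 10),
    "offer from access port": DhcpPacket("DHCPOFFER", "0003.44d6.c52f", "0003.44d6.c52f", "Fa1/2", 10),
    "chaddr mismatch": DhcpPacket("DHCPDISCOVER", "0003.44d6.c52f", "0003.47d8.c91f", "Fa1/2", 10),
    "release from other port": DhcpPacket("DHCPRELEASE", "0003.47d8.c91f", "0003.47d8.c91f", "Fa1/2", 10),
    "option82 from edge": DhcpPacket("DHCPDISCOVER", "0003.47d8.c91f", "0003.47d8.c91f", "Fa1/2", 10,
                                     has_option82=True),
    "server ack on uplink": DhcpPacket("DHCPACK", "0011.2233.4455", "0003.47d8.c91f", "Gi1/1", 10),
}


def evaluate_samples(cfg=SAMPLE_CONFIG):
    """Run every sample packet through the filter; returns {name: forwarded?}."""
    return {name: snoop_decision(p, cfg, SAMPLE_BINDINGS)[0] for name, p in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        fwd, why = snoop_decision(pkt, SAMPLE_CONFIG, SAMPLE_BINDINGS)
        print(f"{name:24s} {'FORWARD' if fwd else 'DROP':8s} {why}")
```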

Option-82 Data Insertion

In residential, metropolitan Ethernet-access environments, DHCP can centrally manage the IP address assignments for a large number of subscribers. When the DHCP option-82 feature is enabled on the switch, a subscriber device is identified by the switch port through which it connects to the network (in addition to its MAC address). Multiple hosts on the subscriber LAN can be connected to the same port on the access switch and are uniquely identified.

Note The DHCP option-82 feature is supported only when DHCP snooping is globally enabled and on the VLANs to which subscriber devices using this feature are assigned.

Figure 25-1 is an example of a metropolitan Ethernet network in which a centralized DHCP server assigns IP addresses to subscribers connected to the switch at the access layer. Because the DHCP clients and their associated DHCP server do not reside on the same IP network or subnet, a DHCP relay agent (the Catalyst switch) is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server.

Figure 25-1 DHCP Relay Agent in a Metropolitan Ethernet Network

When you enable the DHCP snooping information option-82 on the switch, this sequence of events occurs:

  • The host (DHCP client) generates a DHCP request and broadcasts it on the network.
  • When the switch receives the DHCP request, it adds the option-82 information in the packet. By default, the remote-ID suboption is the switch MAC address, and the circuit-ID suboption is the port identifier, vlan-mod-port, from which the packet is received.
  • If the IP address of the relay agent is configured, the switch adds this IP address in the DHCP packet.
  • The switch forwards the DHCP request that includes the option-82 field to the DHCP server.
  • The DHCP server receives the packet. If the server is option-82-capable, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. The DHCP server then repeats the option-82 field in the DHCP reply.
  • The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch. The switch verifies that it originally inserted the option-82 data by inspecting the remote ID and possibly the circuit ID fields. The switch removes the option-82 field and forwards the packet to the switch port that connects to the DHCP client that sent the DHCP request.

In the default suboption configuration, when the described sequence of events occurs, the values in these fields in Figure 25-2 do not change:

  • Circuit-ID suboption fields
    - Suboption type
    - Length of the suboption type
    - Circuit-ID type
    - Length of the circuit-ID type
  • Remote-ID suboption fields
    - Suboption type
    - Length of the suboption type
    - Remote-ID type
    - Length of the remote-ID type

In the port field of the circuit-ID suboption, the port numbers start at 3. For example, on a switch with eight 10/100 ports and small form-factor pluggable (SFP) module slots, port 3 is the Fast Ethernet 1/1 port, port 4 is the Fast Ethernet 1/2 port, and so forth. Port 11 is the SFP module slot 1/1, and so forth.

Figure 25-2 shows the packet formats for the remote-ID suboption and the circuit-ID suboption when the default suboption configuration is used. The switch uses the packet formats when you globally enable DHCP snooping and enter the ip dhcp snooping information option global configuration command.

Figure 25-2 Suboption Packet Formats

Figure 25-3 shows the packet formats for user-configured remote-ID and circuit-ID suboptions. The switch uses these packet formats when DHCP snooping is globally enabled and when the ip dhcp snooping information option format remote-id global configuration command and the ip dhcp snooping vlan information option format-type circuit-id string interface configuration command are entered.

The values for these fields in the packets change from the default values when you configure the remote-ID and circuit-ID suboptions:

  • Circuit-ID suboption fields
    - The circuit-ID type is 1.
    - The length values are variable, depending on the length of the string that you configure.
  • Remote-ID suboption fields
    - The remote-ID type is 1.
    - The length values are variable, depending on the length of the string that you configure.

Figure 25-3 User-Configured Suboption Packet Formats

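Building and checking the option-82 TLV in both layouts described above, as an added example in Python (not code from the page or from Cisco). The suboption codes (1 = circuit ID, 2 = remote ID) come from RFC 3046; the default type-0 layouts (4-byte vlan-mod-port, 6-byte switch MAC) are assumed from Cisco's documented default format, which the figures show but the text only names; the SFP interface naming in the port helper is an assumption.

```python
import struct

OPTION_RELAY_AGENT_INFO = 82   # DHCP option code for relay agent information (RFC 3046)
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def default_circuit_id(vlan, module, port):
    """Default circuit-ID suboption body: type 0, length 4, then vlan-mod-port
    (2-byte VLAN, 1-byte module, 1-byte port). Layout assumed from the default format."""
    return bytes([0, 4]) + struct.pack("!HBB", vlan, module, port)


def default_remote_id(switch_mac):
    """Default remote-ID suboption body: type 0, length 6, then the switch MAC."""
    return bytes([0, 6]) + bytes.fromhex(switch_mac.replace(".", "").replace(":", ""))


def string_suboption(text):
    """User-configured circuit-ID or remote-ID: type 1, length = string length (max 63, no spaces)."""
    if " " in text or not 1 <= len(text) <= 63:
        raise ValueError("suboption string must be 1-63 ASCII characters without spaces")
    data = text.encode("ascii")
    return bytes([1, len(data)]) + data


def build_option82(circuit_id, remote_id):
    """Wrap the two suboption bodies into a complete option-82 TLV."""
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    return bytes([OPTION_RELAY_AGENT_INFO, len(body)]) + body


def parse_option82(option):
    """Split an option-82 TLV into {suboption code: raw body}; strict about every length."""
    if len(option) < 2 or option[0] != OPTION_RELAY_AGENT_INFO or len(option) != option[1] + 2:
        raise ValueError("not a well-formed option 82")
    subs, i = {}, 2
    while i < len(option):
        if i + 2 > len(option):
            raise ValueError("truncated suboption header")
        code, length = option[i], option[i + 1]
        if i + 2 + length > len(option):
            raise ValueError("suboption length exceeds option")
        subs[code] = option[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def decode_suboption(body):
    """Decode a suboption body into (format, value) from its type and length fields."""
    if len(body) < 2 or len(body) != body[1] + 2:
        raise ValueError("bad suboption type/length")
    stype, payload = body[0], body[2:]
    if stype == 0 and len(payload) == 4:
        return "vlan-mod-port", struct.unpack("!HBB", payload)
    if stype == 0 and len(payload) == 6:
        h = payload.hex()
        return "mac", f"{h[0:4]}.{h[4:8]}.{h[8:12]}"
    if stype == 1:
        return "string", payload.decode("ascii")
    raise ValueError(f"unknown suboption type {stype} with length {len(payload)}")


def inserted_by_this_switch(option, expected_remote_id):
    """Reply-path check: the switch strips and forwards the relayed reply only if the
    remote ID it finds is the one it inserted (decoded value compared, either format)."""
    try:
        fmt, value = decode_suboption(parse_option82(option)[SUBOPT_REMOTE_ID])
    except (KeyError, ValueError):
        return False
    return value == expected_remote_id


def circuit_port_to_name(port, fast_ethernet_ports=8):
    """Map the circuit-ID port field to a name for the 8-port example in the text:
    port 3 is Fa1/1 ... port 10 is Fa1/8, port 11 is SFP slot 1/1 (SFP naming assumed)."""
    index = port - 3
    if index < 0:
        raise ValueError("port numbers start at 3")
    if index < fast_ethernet_ports:
        return f"FastEthernet1/{index + 1}"
    return f"SFP1/{index - fast_ethernet_ports + 1}"


if __name__ == "__main__":
    # Constructed sample: VLAN 10, module 1, port 3 (Fa1/1) on a switch with an assumed MAC.
    opt = build_option82(default_circuit_id(10, 1, 3), default_remote_id("0003.47d8.c91f"))
    for code, body in parse_option82(opt).items():
        print(code, decode_suboption(body))
    print("own insertion:", inserted_by_this_switch(opt, "0003.47d8.c91f"))
```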

Cisco IOS DHCP Server Database

During the DHCP-based autoconfiguration process, the designated DHCP server uses the Cisco IOS DHCP server database. It has IP addresses, address bindings, and configuration parameters, such as the boot file.

An address binding is a mapping between an IP address and a MAC address of a host in the Cisco IOS DHCP server database. You can manually assign the client IP address, or the DHCP server can allocate an IP address from a DHCP address pool.

DHCP Snooping Binding Database

When DHCP snooping is enabled, the switch uses the DHCP snooping binding database to store information about untrusted interfaces. The database can have up to 8192 bindings.

Each database entry (binding) has an IP address, an associated MAC address, the lease time (in hexadecimal format), the interface to which the binding applies, and the VLAN to which the interface belongs. The database agent stores the bindings in a file at a configured location. At the end of each entry is a checksum that accounts for all the bytes from the start of the file through all the bytes associated with the entry. Each entry is 72 bytes, followed by a space and then the checksum value.

To keep the bindings when the switch reloads, you must use the DHCP snooping database agent. If the agent is disabled, dynamic ARP inspection or IP source guard is enabled, and the DHCP snooping binding database has dynamic bindings, the switch loses its connectivity. If the agent is disabled and only DHCP snooping is enabled, the switch does not lose its connectivity, but DHCP snooping might not prevent DHCP spoofing attacks.

When reloading, the switch reads the binding file to build the DHCP snooping binding database. The switch updates the file when the database changes.

When a switch learns of new bindings or when it loses bindings, the switch immediately updates the entries in the database. The switch also updates the entries in the binding file. The frequency at which the file is updated is based on a configurable delay, and the updates are batched. If the file is not updated in a specified time (set by the write-delay and abort-timeout values), the update stops.

This is the format of the file with bindings:

<initial-checksum>
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
<entry-1> <checksum-1>
<entry-2> <checksum-1-2>
...
...
<entry-n> <checksum-1-2-..-n>
END

Each entry in the file is tagged with a checksum value that the switch uses to verify the entries when it reads the file. The initial-checksum entry on the first line distinguishes entries associated with the latest file update from entries associated with a previous file update.

This is an example of a binding file:

2bb4c2a1
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
192.1.168.1 3 0003.47d8.c91f 2BB6488E interface-id 21ae5fbb
192.1.168.3 3 0003.44d6.c52f 2BB648EB interface-id 1bdb223f
192.1.168.2 3 0003.47d9.c8f1 2BB648AB interface-id 584a38f0
END

When the switch starts and the calculated checksum value equals the stored checksum value, the switch reads entries from the binding file and adds the bindings to its DHCP snooping binding database. The switch ignores an entry when one of these situations occurs:

  • The switch reads the entry and the calculated checksum value does not equal the stored checksum value. The entry and the ones following it are ignored.
  • An entry has an expired lease time (the switch might not remove a binding entry when the lease time expires).
  • The interface in the entry no longer exists on the system.
  • The interface is a routed interface or a DHCP snooping-trusted interface.
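A loader for the binding file layout and ignore rules described above, as an added example in Python (not Cisco code). The switch's checksum algorithm is not documented on the page, so a CRC-32 over the bytes from the TYPE line through each entry stands in for it; treating the hex lease field as an absolute expiry time and the first line as the last entry's checksum are likewise assumptions, as are the sample addresses and interface names.

```python
import binascii
import re
from dataclasses import dataclass

# One entry: ip vlan mac lease-hex interface checksum (matches the sample file above)
ENTRY_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<vlan>\d+) "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) (?P<lease>[0-9A-Fa-f]{1,8}) "
    r"(?P<intf>\S+) (?P<sum>[0-9a-f]{8})$")
HEADER = ("TYPE DHCP-SNOOPING", "VERSION 1", "BEGIN")


@dataclass
class Binding:
    ip: str
    vlan: int
    mac: str
    lease_expiry: int    # the hex lease field, read here as an absolute expiry time (assumption)
    interface: str


def chain_checksum(file_bytes_so_far):
    """Stand-in for the switch's own checksum (algorithm not on the page):
    CRC-32 over every byte from the TYPE line through the entry, as 8 hex digits."""
    return f"{binascii.crc32(file_bytes_so_far) & 0xFFFFFFFF:08x}"


def write_binding_file(bindings):
    """Emit the file layout shown above; the first line is the last entry's checksum."""
    body = "\n".join(HEADER) + "\n"
    last = chain_checksum(body.encode())
    for b in bindings:
        body += f"{b.ip} {b.vlan} {b.mac} {b.lease_expiry:08X} {b.interface}"
        last = chain_checksum(body.encode())       # cumulative: covers all earlier entries too
        body += f" {last}\n"
    return f"{last}\n{body}END\n"


def load_binding_file(text, now, present_interfaces, trusted_or_routed):
    """Rebuild the binding database from the file, applying the four ignore rules.
    Returns (accepted bindings, [(line, reason) for ignored lines], latest_update_ok)."""
    lines = text.splitlines()
    if len(lines) < 5 or tuple(lines[1:4]) != HEADER:
        raise ValueError("missing initial checksum or header")
    initial = lines[0].strip().lower()
    body = "\n".join(HEADER) + "\n"
    accepted, ignored, latest_ok = [], [], False
    for line in lines[4:]:
        if line == "END":
            break
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"malformed entry: {line!r}")
        body += line[: line.rfind(" ")]            # entry bytes without the checksum
        expected = chain_checksum(body.encode())
        body += f" {m['sum']}\n"
        if m["sum"].lower() != expected:
            ignored.append((line, "checksum mismatch; this entry and all that follow are ignored"))
            break
        latest_ok = m["sum"].lower() == initial     # reached the entry the first line points at
        b = Binding(m["ip"], int(m["vlan"]), m["mac"], int(m["lease"], 16), m["intf"])
        if b.lease_expiry <= now:
            ignored.append((line, "lease expired"))
        elif b.interface not in present_interfaces:
            ignored.append((line, "interface no longer exists"))
        elif b.interface in trusted_or_routed:
            ignored.append((line, "interface is routed or DHCP snooping-trusted"))
        else:
            accepted.append(b)
    return accepted, ignored, latest_ok


# Constructed sample, loaded at clock value 1000: entry 2 has expired, entry 3 is on a
# port that no longer exists, entry 4 is on the trusted uplink.
SAMPLE_BINDINGS = [
    Binding("192.1.168.1", 3, "0003.47d8.c91f", 5000, "Fa1/1"),
    Binding("192.1.168.3", 3, "0003.44d6.c52f", 900, "Fa1/2"),
    Binding("192.1.168.2", 3, "0003.47d9.c8f1", 5000, "Fa1/7"),
    Binding("192.1.168.9", 3, "0003.47d9.aaaa", 5000, "Gi1/1"),
]
PRESENT_INTERFACES = {"Fa1/1", "Fa1/2", "Gi1/1"}
TRUSTED_OR_ROUTED = {"Gi1/1"}


def demo(tamper=False):
    """Round-trip the sample file; with tamper=True, corrupt entry 2's stored checksum."""
    text = write_binding_file(SAMPLE_BINDINGS)
    if tamper:
        lines = text.splitlines()
        lines[5] = lines[5][:-8] + "deadbeef"
        text = "\n".join(lines) + "\n"
    return load_binding_file(text, now=1000, present_interfaces=PRESENT_INTERFACES,
                             trusted_or_routed=TRUSTED_OR_ROUTED)


if __name__ == "__main__":
    accepted, ignored, ok = demo()
    print(f"{len(accepted)} accepted, {len(ignored)} ignored, latest update complete: {ok}")
    for line, why in ignored:
        print(f"  ignored: {line}  ({why})")
```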

Default DHCP Snooping Settings

Table 25-1 Default DHCP Snooping Settings

Feature: Default Setting

DHCP server: Enabled in Cisco IOS software, requires configuration (1)
DHCP relay agent: Enabled (2)
DHCP packet forwarding address: None configured
Checking the relay agent information: Enabled (invalid messages are dropped) (2)
DHCP relay agent forwarding policy: Replace the existing relay agent information (2)
DHCP snooping enabled globally: Disabled
DHCP snooping information option: Enabled
DHCP snooping option to accept packets on untrusted input interfaces (3): Disabled
DHCP snooping limit rate: None configured
DHCP snooping trust: Untrusted
DHCP snooping VLAN: Disabled
DHCP snooping MAC address verification: Enabled
Cisco IOS DHCP server binding database: Enabled in Cisco IOS software, requires configuration.
  Note The switch gets network addresses and configuration parameters only from a device configured as a DHCP server.
DHCP snooping binding database agent: Enabled in Cisco IOS software, requires configuration. This feature is operational only when a destination is configured.

(1) The switch responds to DHCP requests only if it is configured as a DHCP server.

(2) The switch relays DHCP packets only if the IP address of the DHCP server is configured on the SVI of the DHCP client.

(3) Use this feature when the switch is an aggregation switch that receives packets with option-82 information from an edge switch.

DHCP Snooping Configuration Guidelines

  • You must globally enable DHCP snooping on the switch.
  • DHCP snooping is not active until DHCP snooping is enabled on a VLAN.
  • Before globally enabling DHCP snooping on the switch, make sure that the devices acting as the DHCP server and the DHCP relay agent are configured and enabled.
  • Before configuring the DHCP snooping information option on your switch, be sure to configure the device that is acting as the DHCP server. For example, you must specify the IP addresses that the DHCP server can assign or exclude, or you must configure DHCP options for these devices.
  • When configuring a large number of circuit IDs on a switch, consider the impact of lengthy character strings on the NVRAM or the flash memory. If the circuit-ID configurations, combined with other data, exceed the capacity of the NVRAM or the flash memory, an error message appears.
  • Before configuring the DHCP relay agent on your switch, make sure to configure the device that is acting as the DHCP server. For example, you must specify the IP addresses that the DHCP server can assign or exclude, configure DHCP options for devices, or set up the DHCP database agent.
  • If the DHCP relay agent is enabled but DHCP snooping is disabled, the DHCP option-82 data insertion feature is not supported.
  • If a switch port is connected to a DHCP server, configure a port as trusted by entering the ip dhcp snooping trust interface configuration command.
  • If a switch port is connected to a DHCP client, configure a port as untrusted by entering the no ip dhcp snooping trust interface configuration command.
  • Do not enter the ip dhcp snooping information option allow-untrusted command on an aggregation switch to which an untrusted device is connected. If you enter this command, an untrusted device might spoof the option-82 information.
  • You can display DHCP snooping statistics by entering the show ip dhcp snooping statistics user EXEC command, and you can clear the snooping statistics counters by entering the clear ip dhcp snooping statistics privileged EXEC command.

Note Do not enable DHCP snooping on RSPAN VLANs. If DHCP snooping is enabled on RSPAN VLANs, DHCP packets might not reach the RSPAN destination port.

DHCP Snooping Binding Database Guidelines

  • Because both NVRAM and the flash memory have limited storage capacity, we recommend that you store the binding file on a TFTP server.
  • For network-based URLs (such as TFTP and FTP), you must create an empty file at the configured URL before the switch can write bindings to the binding file at that URL. See the documentation for your TFTP server to determine whether you must first create an empty file on the server; some TFTP servers cannot be configured this way.
  • To ensure that the lease time in the database is accurate, we recommend that you enable and configure NTP. For more information, see the “Configuring Time and Date Manually” section.
  • If NTP is configured, the switch writes binding changes to the binding file only when the switch system clock is synchronized with NTP.

Packet Forwarding Address

If the DHCP server and the DHCP clients are on different networks or subnets, you must configure the switch with the ip helper-address address interface configuration command. The general rule is to configure the command on the Layer 3 interface closest to the client. The address used in the ip helper-address command can be a specific DHCP server IP address, or it can be the network address if other DHCP servers are on the destination network segment. Using the network address enables any DHCP server to respond to requests.

DHCP Server Port-Based Address Allocation

DHCP server port-based address allocation is a feature that enables DHCP to maintain the same IP address on an Ethernet switch port regardless of the attached device client identifier or client hardware address.

When Ethernet switches are deployed in the network, they offer connectivity to the directly connected devices. In some environments, such as on a factory floor, if a device fails, the replacement device must be working immediately in the existing network. With the current DHCP implementation, there is no guarantee that DHCP would offer the same IP address to the replacement device. Control, monitoring, and other software expect a stable IP address associated with each device. If a device is replaced, the address assignment should remain stable even though the DHCP client has changed.

When configured, the DHCP server port-based address allocation feature ensures that the same IP address is always offered to the same connected port even as the client identifier or client hardware address changes in the DHCP messages received on that port. The DHCP protocol recognizes DHCP clients by the client identifier option in the DHCP packet. Clients that do not include the client identifier option are identified by the client hardware address. When you configure this feature, the port name of the interface overrides the client identifier or hardware address and the actual point of connection, the switch port, becomes the client identifier.

In all cases, by connecting the Ethernet cable to the same port, the same IP address is allocated through DHCP to the attached device.

The DHCP server port-based address allocation feature is only supported on a Cisco IOS DHCP server and not a third-party server.

By default, DHCP server port-based address allocation is disabled.

How to Configure DHCP

Configuring the DHCP Relay Agent


Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

service dhcp

Enables the DHCP server and relay agent on your switch. By default, this feature is enabled.

Step 3

end

Returns to privileged EXEC mode.

Specifying the Packet Forwarding Address


Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

interface vlan vlan-id

Creates a switch virtual interface by entering a VLAN ID, and enters interface configuration mode.

Step 3

ip address ip-address subnet-mask

Configures the interface with an IP address and an IP subnet.

Step 4

ip helper-address address

Specifies the DHCP packet forwarding address.

The helper address can be a specific DHCP server address, or it can be the network address if other DHCP servers are on the destination network segment. Using the network address enables other servers to respond to DHCP requests.

If you have multiple servers, you can configure one helper address for each server.

Step 5

exit

Returns to global configuration mode.

Step 6

interface range port-range

or

interface interface-id

Configures multiple physical ports that are connected to the DHCP clients, and enters interface range configuration mode.

or

Configures a single physical port that is connected to the DHCP client, and enters interface configuration mode.

Step 7

switchport mode access

Defines the VLAN membership mode for the port.

Step 8

switchport access vlan vlan-id

Assigns the ports to the same VLAN as configured in Step 2.

Step 9

end

Returns to privileged EXEC mode.

Enabling DHCP Snooping and Option 82


Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

ip dhcp snooping

Enables DHCP snooping globally.

Step 3

ip dhcp snooping vlan vlan-range

Enables DHCP snooping on a VLAN or range of VLANs. The range is 1 to 4096.

You can enter a single VLAN ID identified by VLAN ID number, a series of VLAN IDs separated by commas, a range of VLAN IDs separated by hyphens, or a range of VLAN IDs separated by entering the starting and ending VLAN IDs separated by a space.

Step 4

ip dhcp snooping information option

Enables the switch to insert and to remove DHCP relay information (option-82 field) in forwarded DHCP request messages to the DHCP server. This is the default setting.

Step 5

ip dhcp snooping information option format remote-id [string ASCII-string | hostname ]

(Optional) Configures the remote-ID suboption.

You can configure the remote ID as

  • String of up to 63 ASCII characters (no spaces)
  • Hostname for the switch

Note If the hostname is longer than 63 characters, it is truncated to 63 characters in the remote-ID configuration.

The default remote ID is the switch MAC address.

Step 6

ip dhcp snooping information option allow-untrusted

(Optional) If the switch is an aggregation switch connected to an edge switch, enable the switch to accept incoming DHCP snooping packets with option-82 information from the edge switch.

The default setting is disabled.

Note Enter this command only on aggregation switches that are connected to trusted devices.

Step 7

interface interface-id

Specifies the interface to be configured, and enters interface configuration mode.

Step 8

ip dhcp snooping vlan vlan information option format-type circuit-id [override] string ASCII-string

(Optional) Configures the circuit-ID suboption for the specified interface.

Specifies the VLAN and port identifier, using a VLAN ID in the range of 1 to 4096. The default circuit ID is the port identifier in the format vlan-mod-port.

You can configure the circuit ID to be a string of 3 to 63 ASCII characters (no spaces).

(Optional) Use the override keyword when you do not want the circuit-ID suboption inserted in TLV format to define subscriber information.

Step 9

ip dhcp snooping trust

(Optional) Configures the interface as trusted or as untrusted. Use the no keyword to configure an interface to receive messages from an untrusted client. The default setting is untrusted.

Step 10

ip dhcp snooping limit rate rate

(Optional) Configures the number of DHCP packets per second that an interface can receive. The range is 1 to 2048. By default, no rate limit is configured.

Note We recommend an untrusted rate limit of not more than 100 packets per second. If you configure rate limiting for trusted interfaces, you might need to increase the rate limit if the port is a trunk port assigned to more than one VLAN with DHCP snooping.

Step 11

exit

Returns to global configuration mode.

Step 12

ip dhcp snooping verify mac-address

(Optional) Configures the switch to verify that the source MAC address in a DHCP packet received on untrusted ports matches the client hardware address in the packet. The default is to verify that the source MAC address matches the client hardware address in the packet.

Step 13

end

Returns to privileged EXEC mode.

Enabling the DHCP Snooping Binding Database Agent


Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

ip dhcp snooping database {flash:/filename | ftp://user:password@host/filename | http://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar | rcp://user@host/filename | tftp://host/filename}

Specifies the URL for the database agent or the binding file by using one of these forms:

  • flash:/filename
  • ftp://user:password@host/filename
  • http://[[username:password]@]{hostname | host-ip}[/directory]/image-name.tar
  • rcp://user@host/filename
  • tftp://host/filename

Step 3

ip dhcp snooping database timeout seconds

Specifies (in seconds) how long to wait for the database transfer process to finish before stopping the process.

The default is 300 seconds. The range is 0 to 86400. Use 0 to define an infinite duration, which means to continue trying the transfer indefinitely.

Step 4

ip dhcp snooping database write-delay seconds

Specifies the duration for which the transfer should be delayed after the binding database changes. The range is from 15 to 86400 seconds. The default is 300 seconds (5 minutes).

Step 5

end

Returns to privileged EXEC mode.

Step 6

ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id expiry seconds

(Optional) Adds binding entries to the DHCP snooping binding database. The vlan-id range is from 1 to 4904. The seconds range is from 1 to 4294967295.

Enter this command for each entry that you add.

Note Use this command when you are testing or debugging the switch.

Enabling DHCP Server Port-Based Address Allocation


Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

ip dhcp use subscriber-id client-id

Configures the DHCP server to globally use the subscriber identifier as the client identifier on all incoming DHCP messages.

Step 3

ip dhcp subscriber-id interface-name

Automatically generates a subscriber identifier based on the short name of the interface.

A subscriber identifier configured on a specific interface takes precedence over this command.

Step 4

interface interface-id

Specifies the interface to be configured, and enters interface configuration mode.

Step 5

ip dhcp server use subscriber-id client-id

Configures the DHCP server to use the subscriber identifier as the client identifier on all incoming DHCP messages on the interface.

Step 6

end

Returns to privileged EXEC mode.

Preassigning an IP Address


Command
Purpose

Step 1

configure terminal

Enters global configuration mode.

Step 2

ip dhcp pool poolname

Enters DHCP pool configuration mode, and defines the name for the DHCP pool. The pool name can be a symbolic string (such as Engineering) or an integer (such as 0).

Step 3

network network-number [ mask | /prefix-length ]

Specifies the subnet network number and mask of the DHCP address pool.

Step 4

address ip-address client-id string [ ascii ]

Reserves an IP address for a DHCP client identified by the interface name.

string —Can be an ASCII value or a hexadecimal value.

Step 5

reserved-only

(Optional) Uses only reserved addresses in the DHCP address pool. The default is to not restrict pool addresses.

Step 6

end

Returns to privileged EXEC mode.

Monitoring and Maintaining DHCP


Command
Purpose

show interface interface-id

Displays the status and configuration of a specific interface.

show ip dhcp pool

Displays the DHCP address pools.

show ip dhcp binding

Displays address bindings on the Cisco IOS DHCP server.

ip dhcp snooping database timeout seconds

Specifies (in seconds) how long to wait for the database transfer process to finish before stopping.

ip dhcp snooping database write-delay seconds

Specifies (in seconds) the duration for which the transfer should be delayed after the binding database changes.

clear ip dhcp snooping database statistics

Clears the DHCP snooping binding database agent statistics.

renew ip dhcp snooping database

Renews the DHCP snooping binding database.

show ip dhcp snooping database [ detail ]

Displays the status and statistics of the DHCP snooping binding database agent.

show ip dhcp snooping

Displays the DHCP snooping configuration for a switch.

show ip dhcp snooping binding

Displays only the dynamically configured bindings in the DHCP snooping binding database, also referred to as a binding table.

show ip dhcp snooping database

Displays the DHCP snooping binding database status and statistics.

show ip dhcp pool

Verifies DHCP pool configuration.

copy running-config startup-config

Saves your entries in the configuration file.

Configuration Examples for Configuring DHCP

Enabling DHCP Server Port-Based Address Allocation: Examples

In this example, a subscriber identifier is automatically generated, and the DHCP server ignores any client identifier fields in the DHCP messages and uses the subscriber identifier instead. The subscriber identifier is based on the short name of the interface and the client preassigned IP address 10.1.1.7.

switch# show running-config
Building configuration...
Current configuration : 4899 bytes
!
version 12.2
!
hostname switch
!
no aaa new-model
clock timezone EST 0
ip subnet-zero
ip dhcp relay information policy removal pad
no ip dhcp use vrf connected
ip dhcp use subscriber-id client-id
ip dhcp subscriber-id interface-name
ip dhcp excluded-address 10.1.1.1 10.1.1.3
!
ip dhcp pool dhcppool
network 10.1.1.0 255.255.255.0
address 10.1.1.7 client-id "Et1/0" ascii
<output truncated>

This example shows that the preassigned address was correctly reserved in the DHCP pool:

switch# show ip dhcp pool dhcppool
Pool dhcp pool:
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 0
Excluded addresses : 4
Pending event : none
1 subnet is currently in the pool:
Current index IP address range Leased/Excluded/Total
10.1.1.1 10.1.1.1 - 10.1.1.254 0 / 4 / 254
1 reserved address is currently in the pool
Address Client
10.1.1.7 Et1/0

Enabling DHCP Snooping: Example

This example shows how to enable DHCP snooping globally and on VLAN 10 and to configure a rate limit of 100 packets per second on a port:

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# ip dhcp snooping information option
Switch(config)# interface gigabitethernet1/1
Switch(config-if)# ip dhcp snooping limit rate 100

Additional References

The following sections provide references related to switch administration:

Related Documents

Related Topic
Document Title

Cisco IE 2000 commands

Cisco IE 2000 Switch Command Reference, Release 15.0(2)EA

Cisco IOS basic commands

Cisco IOS Configuration Fundamentals Command Reference

Cisco IOS DHCP Commands

Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services

Cisco IOS DHCP Configuration

Cisco IOS DHCP server port-based address allocation

“IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide

Cisco IOS DHCP Configuration Task List

“Configuring DHCP” chapter of the Cisco IOS IP Configuration Guide

Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

MIBs

MIBs
MIBs Link

To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs

RFCs
Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.