IP DHCP Snooping Commands

clear ip dhcp snooping binding

To clear the DHCP snooping binding entries for all addresses or for a specific IP address, use the clear ip dhcp snooping binding Privileged EXEC mode command. Features that validate traffic against the binding table (such as IP source guard and dynamic ARP inspection) lose their reference for a host whose entry is cleared until that host obtains a new lease.

Syntax

clear ip dhcp snooping binding {* | IPv4-Addr}

Parameters

*—Clears all dynamic binding entries.

IPv4-Addr—Clears the binding entry for the specified IPv4 address.

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# clear ip dhcp snooping binding 192.168.1.1

clear ip dhcp snooping binding interface

To clear the DHCP snooping binding entries for specific interfaces, use the clear ip dhcp snooping binding interface Privileged EXEC mode command.

Syntax

clear ip dhcp snooping binding interface interface-id

Parameters

interface-id—The interface ID, which can be one of these types: Ethernet port or port channel.

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# clear ip dhcp snooping binding interface fa5

clear ip dhcp snooping binding vlan

To clear the DHCP snooping binding entries for specific VLANs, use the clear ip dhcp snooping binding vlan Privileged EXEC mode command.

Syntax

clear ip dhcp snooping binding vlan vlan-id

Parameters

vlan-id—The VLAN ID.

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# clear ip dhcp snooping binding vlan 1

clear ip dhcp snooping database statistics

To clear the DHCP snooping database statistics, use the clear ip dhcp snooping database statistics Privileged EXEC mode command.

Syntax

clear ip dhcp snooping database statistics

Parameters

N/A

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# clear ip dhcp snooping database statistics

clear ip dhcp snooping interfaces statistics

To clear the DHCP snooping statistics for specific interfaces, use the clear ip dhcp snooping interfaces statistics Privileged EXEC mode command.

Syntax

clear ip dhcp snooping interfaces interface-id statistics

Parameters

interface-id—An interface ID or a list of interfaces. The interfaces can be one of these types: Ethernet port or port channel.

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# clear ip dhcp snooping interfaces fa5 statistics

ip dhcp snooping

To enable DHCP snooping globally on the switch, use the ip dhcp snooping Global Configuration mode command.

To disable DHCP snooping globally, use the no form of this command.

Syntax

ip dhcp snooping

no ip dhcp snooping

Parameters

N/A

Default Configuration

DHCP snooping is disabled.

Command Mode

Global Configuration mode

User Guidelines

To apply any DHCP snooping configuration, you must enable DHCP snooping globally on the switch. DHCP snooping is not active until you enable DHCP snooping on a VLAN by using the ip dhcp snooping vlan Global Configuration mode command.

Example

switchxxxxxx(config)# ip dhcp snooping

ip dhcp snooping database

To configure the DHCP snooping binding database agent, use the ip dhcp snooping database Global Configuration mode command.

To disable the agent, reset the timeout value, or reset the write-delay value, use the no form of this command.

Syntax

ip dhcp snooping database {flash | tftp {IPv4-ADDR NAME | HOSTNAME NAME} | timeout VALUE | write-delay VALUE }

no ip dhcp snooping database [timeout | write-delay]

Parameters

flash—Specifies that the database agent is in the flash memory.

tftp IPv4-ADDR NAME—Specifies the IP address of the remote TFTP server and the file name of the backup file.

tftp HOSTNAME NAME—Specifies the hostname of the remote TFTP server and the file name of the backup file.

timeout VALUE—Specifies the abort timer in seconds: how long the switch lets a database transfer run, once it starts after the binding database changes, before the transfer is stopped. (Range: 0 to 86400 seconds. Use 0 for no timeout.)

write-delay VALUE—Specifies the duration in seconds for which the transfer should be delayed after the binding database changes. (Range: 15 to 86400 seconds)

Default Configuration

The URL for the database agent is not defined.

The default timeout is 300 seconds (5 minutes).

The default write-delay is 300 seconds (5 minutes).

Command Mode

Global Configuration mode

User Guidelines

The DHCP snooping binding database can have up to 256 bindings. Because both NVRAM and flash memory have limited storage capacity, we recommend that you store the binding file on a TFTP server. Before the switch can write bindings to a network location (such as a TFTP server) for the first time, you must create an empty file with the configured name on that server. Note that TFTP provides neither authentication nor integrity protection: anyone who can write to the server can alter the bindings that the switch later reads back (for example, with the renew ip dhcp snooping database command), so restrict write access to the server and the binding file.

To save the DHCP snooping binding database in the switch NVRAM, use the ip dhcp snooping database flash command.

To disable the agent, use the no ip dhcp snooping database command.

To reset the timeout value, use the no ip dhcp snooping database timeout command.

To reset the write-delay value, use the no ip dhcp snooping database write-delay command.

Example

switchxxxxxx(config)# ip dhcp snooping database flash
switchxxxxxx(config)# ip dhcp snooping database tftp 192.168.1.20 test1
switchxxxxxx(config)# ip dhcp snooping database tftp test-host test2
switchxxxxxx(config)# ip dhcp snooping database timeout 1200
switchxxxxxx(config)# ip dhcp snooping database write-delay 3000

ip dhcp snooping information option

To enable DHCP option-82 data insertion, use the ip dhcp snooping information option Global Configuration mode command.

To disable DHCP option-82 data insertion, use the no form of this command.

Syntax

ip dhcp snooping information option [format remote-id STRING]

no ip dhcp snooping information option [format remote-id]

Parameters

format remote-id STRING—(Optional) Sets the remote ID suboption to the given string instead of the switch MAC address. (String length: 1 to 63 characters)

Default Configuration

DHCP option-82 data insertion is disabled.

Command Mode

Global Configuration mode

User Guidelines

You must enable DHCP snooping globally by using the ip dhcp snooping Global Configuration mode command to apply any DHCP snooping configuration.

When the option-82 feature is enabled and the switch receives a DHCP request from a host, it adds option-82 information to the packet. The option-82 information contains the switch MAC address (the remote ID suboption) and the identifier of the port on which the packet was received, in vlan-mod-port format (the circuit ID suboption). The switch forwards the DHCP request, now carrying the option-82 field, to the DHCP server.

When the DHCP server receives the packet, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or a circuit ID. The DHCP server then echoes the option-82 field in the DHCP reply.

The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch. When both the client and server are on the same subnet, the server broadcasts the reply. The switch inspects the remote ID and possibly the circuit ID fields to verify that it originally inserted the option-82 data. The switch then removes the option-82 field and forwards the packet to the switch port that connects to the DHCP host that sent the request.
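The insert, echo and verify-and-strip sequence described above, as an added example that is not part of the switch documentation, modelled at the byte level of the RFC 3046 Relay Agent Information option (option 82; suboption 1 is the circuit ID, suboption 2 the remote ID). The switch MAC address, VLAN and port numbers, and the 4-byte vlan-mod-port layout used for the circuit ID are assumed values for illustration, and the allow-untrusted and replace behaviour of the following command is included so that the three cases can be compared side by side:

```python
# Added example, not from the switch documentation: option-82 handling on a
# snooping switch (insert on ingress, verify-and-strip on the reply).
# Assumed: switch MAC/VLAN/port values and the vlan-mod-port circuit-ID layout.
import struct

OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82          # RFC 3046 Relay Agent Information option
OPT_END = 255
OPT_PAD = 0
SUB_CIRCUIT_ID = 1            # suboption 1: circuit ID
SUB_REMOTE_ID = 2             # suboption 2: remote ID


def parse_options(blob):
    """Decode a DHCP options field (bytes after the magic cookie) into (code, value) pairs."""
    out, i = [], 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = blob[i + 1]
        out.append((code, bytes(blob[i + 2:i + 2 + length])))
        i += 2 + length
    return out


def build_options(opts):
    """Encode (code, value) pairs back into a TLV options field terminated by END."""
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])


def build_option82(circuit_id, remote_id):
    """Encode the two RFC 3046 suboptions."""
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def parse_option82(value):
    """Decode the suboption TLVs inside option 82 into {suboption: value}."""
    subs, i = {}, 0
    while i < len(value):
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def client_to_server(options, switch_mac, vlan, port, trusted,
                     allow_untrusted=False, replace=False):
    """Ingress of a client->server message on a snooping switch.

    Returns the options to forward, or None when the switch drops the packet
    (the 'Untrust Port With Option82 Dropped' counter in the statistics output).
    """
    opts = parse_options(options)
    has_82 = any(c == OPT_RELAY_AGENT for c, _ in opts)
    if has_82 and not trusted and not allow_untrusted:
        return None                          # option 82 on an untrusted port: drop
    if has_82 and not replace:
        return build_options(opts)           # keep the edge switch's option 82 as-is
    opts = [(c, v) for c, v in opts if c != OPT_RELAY_AGENT]
    circuit_id = struct.pack("!HBB", vlan, 0, port)   # assumed vlan-mod-port layout
    opts.append((OPT_RELAY_AGENT, build_option82(circuit_id, switch_mac)))
    return build_options(opts)


def server_to_client(options, switch_mac):
    """Egress of a server->client reply: strip option 82 only if this switch inserted it.

    Returns (options_to_forward, circuit_id); circuit_id is the suboption this
    switch originally inserted, or None if no option 82 with our remote ID was present.
    """
    kept, circuit_id = [], None
    for code, value in parse_options(options):
        if code == OPT_RELAY_AGENT:
            subs = parse_option82(value)
            if subs.get(SUB_REMOTE_ID) == switch_mac:
                circuit_id = subs.get(SUB_CIRCUIT_ID)
                continue                     # our own option 82: remove it
        kept.append((code, value))           # anything else is forwarded untouched
    return build_options(kept), circuit_id
```

The remote ID comparison in server_to_client is the "verify that it originally inserted the option-82 data" step: a reply whose option 82 carries someone else's remote ID is forwarded unchanged rather than stripped, which is also why an aggregation switch needs allow-untrusted before it can accept an edge switch's option 82 on an untrusted port.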

Example

switchxxxxxx(config)# ip dhcp snooping information option
switchxxxxxx(config)# ip dhcp snooping information option format remote-id test

ip dhcp snooping information option allow-untrusted

To configure an aggregation switch to accept DHCP packets with option-82 information that are received on untrusted ports (ports that might be connected to an edge switch), use the ip dhcp snooping information option allow-untrusted Interface Configuration mode command.

To configure the switch to drop these packets from the edge switch, use the no form of this command.

Syntax

ip dhcp snooping information option allow-untrusted [replace]

no ip dhcp snooping information option allow-untrusted

Parameters

replace—(Optional) Replaces the option-82 information already present in the received packet with this switch's own option-82 data, instead of forwarding the edge switch's data unchanged.

Default Configuration

The switch drops DHCP packets with option-82 information which are received on the untrusted ports that might be connected to an edge switch.

Command Mode

Interface Configuration mode

User Guidelines

You may want an edge switch to which a host is connected to insert DHCP option-82 information at the edge of your network. You may also want to enable the DHCP security features, such as DHCP snooping, IP source guard, or dynamic ARP inspection, on an aggregation switch. However, if DHCP snooping is enabled on the aggregation switch, the switch drops packets with option-82 information that are received on an untrusted port and does not learn DHCP snooping bindings for connected devices on a trusted interface.

If the edge switch to which a host is connected inserts option-82 information, and you want to use DHCP snooping on an aggregation switch, enter the ip dhcp snooping information option allow-untrusted command on the aggregation switch. The aggregation switch can learn the bindings for a host even though the aggregation switch receives DHCP snooping packets on an untrusted port. You can also enable the DHCP security features on the aggregation switch. The port on the edge switch to which the aggregation switch is connected must be configured as a trusted port.

Example

switchxxxxxx(config)# interface fa3
switchxxxxxx(config-if)# ip dhcp snooping information option allow-untrusted

ip dhcp snooping limit rate

To configure the number of DHCP messages that an interface can receive per second, use the ip dhcp snooping limit rate Interface Configuration mode command.

To revert to its default setting, use the no form of this command.

Syntax

ip dhcp snooping limit rate VALUE

no ip dhcp snooping limit rate

Parameters

VALUE—Number of DHCP messages that an interface can receive per second.

Default Configuration

DHCP snooping rate limiting is disabled.

Command Mode

Interface Configuration mode

User Guidelines

The rate limit is normally applied to untrusted interfaces. If you configure rate limiting on a trusted interface, keep in mind that a trusted interface may aggregate DHCP traffic from multiple VLANs (some of which may not be snooped), so set its limit to a correspondingly higher value.

If the rate limit is exceeded, the interface is error-disabled. If you enable error recovery by entering the errdisable recovery cause dhcp-rate-limit Global Configuration mode command, the interface is re-enabled automatically once all error-disable causes have timed out. If error recovery is not enabled, the interface stays in the error-disabled state until you enter the shutdown and no shutdown Interface Configuration mode commands.

Example

switchxxxxxx(config)# interface fa7
switchxxxxxx(config-if)# ip dhcp snooping limit rate 100

ip dhcp snooping trust

To configure a port as trusted for DHCP snooping purposes, use the ip dhcp snooping trust Interface Configuration mode command.

To revert to its default setting, use the no form of this command.

Syntax

ip dhcp snooping trust

no ip dhcp snooping trust

Parameters

N/A

Default Configuration

DHCP snooping trust is disabled.

Command Mode

Interface Configuration mode

User Guidelines

Configure the ports that are connected to a DHCP server or to other switches or routers as trusted ports. Configure the ports that are connected to DHCP clients as untrusted ports.

Example

switchxxxxxx(config)# interface fa3
switchxxxxxx(config-if)# ip dhcp snooping trust

ip dhcp snooping verify mac-address

To configure the switch to verify on an untrusted port that the source MAC address in a DHCP packet matches the client hardware address, use the ip dhcp snooping verify mac-address Global Configuration mode command.

To configure the switch to not verify the MAC addresses, use the no form of this command.

Syntax

ip dhcp snooping verify mac-address

no ip dhcp snooping verify mac-address

Parameters

N/A

Default Configuration

Disabled

Command Mode

Global Configuration mode

User Guidelines

When this command is enabled and the switch receives a packet from a DHCP client on an untrusted port, it compares the source MAC address of the frame with the client hardware address (chaddr) carried in the DHCP payload. If the addresses match, the switch forwards the packet. If they do not match, the switch drops the packet and increments the Chaddr Check Dropped counter shown by show ip dhcp snooping interfaces statistics.
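The comparison described above, as an added example that is not part of the switch documentation, applied to a constructed Ethernet/IPv4/UDP/DHCP frame. It also shows the other untrusted-port decision the statistics output names (a server reply arriving on an untrusted port), so that the three drop counters can be seen side by side. The MAC addresses are made up, and the frame is assumed to be untagged with no IP options:

```python
# Added example, not from the switch documentation: the source-MAC vs chaddr
# check of "ip dhcp snooping verify mac-address" and the rogue-server drop,
# returning the statistics counter name a dropped frame would increment.
# Assumed: untagged Ethernet, no IP options, made-up MAC addresses.
import struct

ETH_LEN, IP_LEN, UDP_LEN = 14, 20, 8
DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2


def build_frame(src_mac, chaddr, op=BOOTREQUEST, xid=0x1234):
    """Constructed sample frame: Ethernet -> IPv4 -> UDP -> DHCP with a message-type option."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x00"
    # op, htype=1 (Ethernet), hlen=6, hops, xid, secs, flags (broadcast), ciaddr/yiaddr/siaddr/giaddr
    dhcp = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, xid, 0, 0x8000,
                       b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    dhcp += chaddr.ljust(16, b"\0")          # chaddr (16 bytes, hlen of them used)
    dhcp += b"\0" * 64 + b"\0" * 128         # sname, file
    msg_type = 1 if op == BOOTREQUEST else 2  # DHCPDISCOVER or DHCPOFFER
    dhcp += DHCP_MAGIC + bytes([53, 1, msg_type, 255])
    udp = struct.pack("!HHHH", 68, 67, UDP_LEN + len(dhcp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + len(udp) + len(dhcp),
                     0, 0, 64, 17, 0, b"\0" * 4, b"\xff" * 4)
    return eth + ip + udp + dhcp


def snoop_decision(frame, trusted, verify_mac=True):
    """Per-port decision for one DHCP frame: 'forward' or the drop counter it increments."""
    if trusted:
        return "forward"                     # trusted ports are not inspected
    dhcp = frame[ETH_LEN + IP_LEN + UDP_LEN:]
    if len(dhcp) < 240 or dhcp[236:240] != DHCP_MAGIC:
        return "Invalid Drop"                # not a well-formed DHCP message
    op, hlen = dhcp[0], dhcp[2]
    if op == BOOTREPLY:
        return "Untrust Port Dropped"        # server message on a client port: rogue server
    if verify_mac and dhcp[28:28 + hlen] != frame[6:12]:
        return "Chaddr Check Dropped"        # frame source MAC differs from DHCP chaddr
    return "forward"
```

With verify_mac disabled (the default), a client can claim an arbitrary chaddr while sending from its real MAC, which is how a single host fills a server's pool or plants bindings for addresses it does not own; enabling the check ties each binding to the MAC the switch actually saw.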

Example

switchxxxxxx(config)# ip dhcp snooping verify mac-address

ip dhcp snooping vlan

To enable DHCP snooping on specific VLANs, use the ip dhcp snooping vlan Global Configuration mode command.

To disable DHCP snooping on specific VLANs, use the no form of this command.

Syntax

ip dhcp snooping vlan VLAN-LIST

no ip dhcp snooping vlan VLAN-LIST

Parameters

VLAN-LIST—A VLAN ID or a range of VLAN IDs.

Default Configuration

DHCP snooping is disabled on all VLANs.

Command Mode

Global Configuration mode

User Guidelines

You must first globally enable DHCP snooping on the switch before enabling DHCP snooping on a VLAN.

Example

switchxxxxxx(config)# ip dhcp snooping vlan 7

ip dhcp snooping vlan information option circuit-id

To configure the option-82 circuit-ID suboption, use the ip dhcp snooping vlan information option circuit-id Interface Configuration mode command.

To revert to its default setting, use the no form of this command.

Syntax

ip dhcp snooping vlan VLAN-LIST information option circuit-id STRING

no ip dhcp snooping vlan VLAN-LIST information option circuit-id

Parameters

VLAN-LIST—A VLAN ID or a list of VLAN IDs. (Range:1 to 4094)

STRING—A circuit ID, using from 1 to 64 ASCII characters (no spaces).

Default Configuration

N/A

Command Mode

Interface Configuration mode

User Guidelines

You must globally enable DHCP snooping on the switch by using the ip dhcp snooping Global Configuration mode command to apply any DHCP snooping configuration.

When the option-82 feature is enabled, the default circuit-ID suboption is the switch VLAN and port identifier in vlan-mod-port format. This command lets you configure an ASCII string to be used as the circuit ID instead, overriding the vlan-mod-port format for the specified VLANs on this interface, for example to carry subscriber information to the DHCP server.

Example

switchxxxxxx(config)# interface fa7
switchxxxxxx(config-if)# ip dhcp snooping vlan 3 information option circuit-id test

renew ip dhcp snooping database

To renew the DHCP snooping binding database, use the renew ip dhcp snooping database Privileged EXEC command.

Syntax

renew ip dhcp snooping database

Parameters

N/A

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# renew ip dhcp snooping database

show ip dhcp snooping

To display the DHCP snooping configuration, use the show ip dhcp snooping Privileged EXEC command.

Syntax

show ip dhcp snooping

Parameters

N/A

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show ip dhcp snooping
DHCP Snooping             : enabled
Enable on following Vlans : None
Verification of hwaddr    : disabled
Insertion of option 82    : disabled
    circuit-id default format : vlan-port
    remote-id                 : vlan1_md_fa11

show ip dhcp snooping binding

To display the DHCP snooping binding configuration for all interfaces, use the show ip dhcp snooping binding Privileged EXEC mode command.

Syntax

show ip dhcp snooping binding

Parameters

N/A

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show ip dhcp snooping binding
Bind Table: Maximum Binding Entry Number 191
  Port  | VID  |    MAC Address    |       IP        |    Type     | Lease Time
--------+------+-------------------+-----------------+-------------+-----------
Total Entry: 0

show ip dhcp snooping database

To display the status of the DHCP snooping binding database agent, use the show ip dhcp snooping database Privileged EXEC mode command.

Syntax

show ip dhcp snooping database

Parameters

N/A

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show ip dhcp snooping database
Type : None
FileName :
Write delay Timer : 300 seconds
Abort Timer : 300 seconds
Agent Running : None
Delay Timer Expiry : Not Running
Abort Timer Expiry :Not Running
Last Succeeded Time : None
Last Failed Time : None
Last Failed Reason : No failure recorded.
Total Attempts       :     0
Successful Transfers :     0   Failed Transfers :     0
Successful Reads     :     0   Failed Reads     :     0
Successful Writes    :     0   Failed Writes    :     0

show ip dhcp snooping information option format remote-id

To display the DHCP snooping option 82 format remote ID, use the show ip dhcp snooping information option format remote-id Privileged EXEC mode command.

Syntax

show ip dhcp snooping information option format remote-id

Parameters

N/A

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show ip dhcp snooping information option format remote-id
Remote ID: vlan-md-fa11

show ip dhcp snooping interfaces

To display the DHCP snooping configuration for specific interfaces, use the show ip dhcp snooping interfaces Privileged EXEC mode command.

Syntax

show ip dhcp snooping interfaces interface-id

Parameters

interface-id—An interface ID or a list of interfaces. The interfaces can be one of these types: Ethernet port or port channel.

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show ip dhcp snooping interfaces fa1-5
 Interfaces | Trust State | Rate (pps)
------------+-------------+------------
 fa1        | Untrusted   | None
 fa2        | Untrusted   | None
 fa3        | Untrusted   | None
 fa4        | Untrusted   | None
 fa5        | Trusted     | 50

show ip dhcp snooping interfaces statistics

To display the DHCP snooping statistics for specific interfaces, use the show ip dhcp snooping interfaces statistics Privileged EXEC mode command.

Syntax

show ip dhcp snooping interfaces interface-id statistics

Parameters

interface-id—An interface ID or a list of interface IDs. The interfaces can be one of these types: Ethernet port or port channel.

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show ip dhcp snooping interfaces fa1-5 statistics
 Interfaces | Forwarded | Chaddr Check Dropped | Untrust Port Dropped | Untrust Port With Option82 Dropped | Invalid Drop
------------+-----------+----------------------+----------------------+------------------------------------+--------------
 fa1        | 0         | 0                    | 0                    | 0                                  | 0
 fa2        | 0         | 0                    | 0                    | 0                                  | 0
 fa3        | 0         | 0                    | 0                    | 0                                  | 0
 fa4        | 0         | 0                    | 0                    | 0                                  | 0
 fa5        | 0         | 0                    | 0                    | 0                                  | 0
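Turning this output into a check, as an added example that is not part of the switch documentation: the parser below reads the pipe-delimited statistics table and lists every interface whose drop counters are non-zero, worst first. SAMPLE_OUTPUT is constructed for illustration and its counter values are not from a real switch; the column names are the ones shown above.

```python
# Added example, not from the switch documentation: parse
# "show ip dhcp snooping interfaces ... statistics" and flag drops.
# SAMPLE_OUTPUT is constructed; the counter values are made up.
SAMPLE_OUTPUT = """\
 Interfaces | Forwarded | Chaddr Check Dropped | Untrust Port Dropped | Untrust Port With Option82 Dropped | Invalid Drop
------------+-----------+----------------------+----------------------+------------------------------------+--------------
 fa1        | 120       | 0                    | 0                    | 0                                  | 0
 fa2        | 98        | 4                    | 0                    | 0                                  | 0
 fa3        | 15        | 0                    | 7                    | 0                                  | 0
 fa4        | 0         | 0                    | 0                    | 12                                 | 0
 fa5        | 2310      | 0                    | 0                    | 0                                  | 0
"""

DROP_COLUMNS = (
    "Chaddr Check Dropped",                # frame source MAC != chaddr (verify mac-address)
    "Untrust Port Dropped",                # server reply on an untrusted port: rogue DHCP server
    "Untrust Port With Option82 Dropped",  # option 82 on an untrusted port without allow-untrusted
    "Invalid Drop",                        # malformed DHCP
)


def parse_stats(text):
    """Return {interface: {column: int}} from the command output."""
    lines = [l for l in text.splitlines()
             if l.strip() and not set(l.strip()) <= set("-+")]   # skip blanks and the ---+--- rule
    header = [h.strip() for h in lines[0].split("|")]
    rows = {}
    for line in lines[1:]:
        cells = [c.strip() for c in line.split("|")]
        rows[cells[0]] = {col: int(v) for col, v in zip(header[1:], cells[1:])}
    return rows


def flag_drops(stats):
    """Return [(interface, counter, value)] for every non-zero drop counter, largest first."""
    hits = [(iface, col, counters[col])
            for iface, counters in stats.items()
            for col in DROP_COLUMNS if counters.get(col, 0) > 0]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for iface, counter, value in flag_drops(parse_stats(SAMPLE_OUTPUT)):
        print(f"{iface}: {counter} = {value}")
```

Counters only ever grow until cleared with clear ip dhcp snooping interfaces statistics, so in practice the script is run against two snapshots (or the counters are cleared between runs) and only the increase is alerted on; a rising Untrust Port Dropped on an access port is the signal to look for a rogue DHCP server behind it.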