This section describes commands you use to configure DHCP Snooping.
ip dhcp snooping
Use this command to enable DHCP Snooping globally.
Default: disabled
Format: ip dhcp snooping
Mode: Global Config
no ip dhcp snooping
Use this command to disable DHCP Snooping globally.
Format: no ip dhcp snooping
Mode: Global Config
ip dhcp snooping vlan
Use this command to enable DHCP Snooping on a list of comma-separated VLAN ranges.
Default: disabled
Format: ip dhcp snooping vlan <vlan-list>
Mode: Global Config
no ip dhcp snooping vlan
Use this command to disable DHCP Snooping on VLANs.
Format: no ip dhcp snooping vlan <vlan-list>
Mode: Global Config
ip dhcp snooping verify mac-address
Use this command to enable verification of the source MAC address with the client hardware address in the received DHCP message.
Default: enabled
Format: ip dhcp snooping verify mac-address
Mode: Global Config
no ip dhcp snooping verify mac-address
Use this command to disable verification of the source MAC address with the client hardware address.
Format: no ip dhcp snooping verify mac-address
Mode: Global Config
ip dhcp snooping database
Use this command to configure the persistent location of the DHCP Snooping database. This can be a local file or a remote file on a machine with the given IP address.
Default: local
Format: ip dhcp snooping database {local|tftp://hostIP/filename}
Mode: Global Config
ip dhcp snooping database write-delay
Use this command to configure the interval in seconds at which the DHCP Snooping database will be persisted. The interval value ranges from 15 to 86400 seconds.
Default: 300 seconds
Format: ip dhcp snooping database write-delay <in seconds>
Mode: Global Config
no ip dhcp snooping database write-delay
Use this command to set the write delay value to the default value.
Format: no ip dhcp snooping database write-delay
Mode: Global Config
ip dhcp snooping binding
Use this command to configure static DHCP Snooping binding.
no ip verify binding
Use this command to remove the IPSG static entry from the IPSG database.
Format: no ip verify binding <mac-address> vlan <vlan id> <ip address> interface <interface id>
Mode: Global Config
ip dhcp snooping limit
Use this command to limit the rate at which DHCP Snooping messages are received on an interface or range of interfaces. By default, rate limiting is disabled. When enabled, the rate can range from 0 to 30 packets per second. The burst level range is 1 to 15 seconds.
Default: disabled (no limit)
Format: ip dhcp snooping limit {rate pps [<burst> <interval> <seconds>]}
Mode: Interface Config
no ip dhcp snooping limit
Use this command to reset the rate at which DHCP Snooping messages are received, and the burst level, to the defaults.
Format: no ip dhcp snooping limit
Mode: Interface Config
ip dhcp snooping log-invalid
Use this command to enable logging of the DHCP messages filtered by the DHCP Snooping application. This command can be used to configure a single interface or a range of interfaces.
Default: disabled
Format: ip dhcp snooping log-invalid
Mode: Interface Config
no ip dhcp snooping log-invalid
Use this command to disable logging of the DHCP messages filtered by the DHCP Snooping application.
Format: no ip dhcp snooping log-invalid
Mode: Interface Config
ip dhcp snooping trust
Use this command to configure an interface or range of interfaces as trusted.
Default: disabled
Format: ip dhcp snooping trust
Mode: Interface Config
no ip dhcp snooping trust
Use this command to configure the port as untrusted.
Format: no ip dhcp snooping trust
Mode: Interface Config
ip verify source
Use this command to configure the IPSG source ID attribute used to filter data traffic in the hardware. The source ID is the combination of IP address and MAC address. Without an option, the command filters data traffic based on the IP address. With the "port-security" option, data traffic is filtered based on both the IP and MAC addresses.
This command can be used to configure a single interface or a range of interfaces.
Default: the source ID is the IP address
Format: ip verify source {port-security}
Mode: Interface Config
no ip verify source
Use this command to disable the IPSG configuration in the hardware. You cannot disable port-security alone if it is configured.
Format: no ip verify source
Mode: Interface Config
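The following Python script is an added example, not part of the original reference. It audits a saved configuration for the DHCP Snooping and IPSG commands described above; the "interface"/"exit" block layout, the sample configuration and the policy applied to untrusted ports are assumptions.

```python
import re

# Constructed sample; the "interface <unit/slot/port>" ... "exit" layout is assumed.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20-25
no ip dhcp snooping verify mac-address
interface 1/0/1
ip dhcp snooping trust
exit
interface 1/0/2
ip dhcp snooping limit rate 15
ip verify source port-security
exit
"""

UNTRUSTED_CHECKS = [  # assumed policy: commands expected on every untrusted port
    ("ip dhcp snooping limit rate ", "no rate limit"),
    ("ip dhcp snooping log-invalid", "invalid packets not logged"),
    ("ip verify source", "no IPSG filter"),
]

def parse_config(text):  # -> (global commands, {port: [commands]})
    global_cmds, ports, current = [], {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        match = re.fullmatch(r"interface (\S+)", line)
        if match:
            current = ports.setdefault(match.group(1), [])
        elif line == "exit":
            current = None
        else:
            (global_cmds if current is None else current).append(line)
    return global_cmds, ports

def audit(text):
    """Return (scope, finding) tuples for settings that weaken DHCP Snooping."""
    global_cmds, ports = parse_config(text)
    findings = []
    if "ip dhcp snooping" not in global_cmds:
        findings.append(("global", "snooping disabled globally"))
    if not any(c.startswith("ip dhcp snooping vlan ") for c in global_cmds):
        findings.append(("global", "snooping enabled on no VLAN"))
    if "no ip dhcp snooping verify mac-address" in global_cmds:
        findings.append(("global", "MAC verification disabled"))
    for port, cmds in ports.items():
        if "ip dhcp snooping trust" not in cmds:  # trusted ports are skipped
            findings += [(port, msg) for prefix, msg in UNTRUSTED_CHECKS
                         if not any(c.startswith(prefix) for c in cmds)]
    return findings
```

Calling audit(SAMPLE_CONFIG) reports the disabled MAC verification and the missing log-invalid setting on 1/0/2; the trusted port 1/0/1 is not checked.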
show ip dhcp snooping
Use this command to display the DHCP Snooping global configurations and per port configurations.
Format: show ip dhcp snooping
Mode: Privileged EXEC, User EXEC
The display parameters for the above command are:
Interface: The interface for which data is displayed.
Trusted: If it is enabled, DHCP snooping considers the port as trusted. The factory default is disabled.
Log Invalid Pkts: If it is enabled, DHCP snooping application logs invalid packets on the specified interface.
show ip dhcp snooping binding
Use this command to display the DHCP Snooping binding entries. To restrict the output, use the following options:
Dynamic: Restrict the output based on DHCP snooping.
Interface: Restrict the output based on a specific interface.
Static: Restrict the output based on static entries.
VLAN: Restrict the output based on VLAN.
Format: show ip dhcp snooping binding [{static/dynamic}] [interface <unit/slot/port>] [vlan id]
Mode: Privileged EXEC, User EXEC
The display parameters for the above command are:
MAC Address: Displays the MAC address for the binding that was added. The MAC address is the key to the binding database.
IP Address: Displays the valid IP address for the binding rule.
VLAN: The VLAN for the binding rule.
Interface: The interface to add a binding into the DHCP snooping interface.
Type: Binding type; statically configured from the CLI or dynamically learned.
Lease (sec): The remaining lease time for the entry.
show ip dhcp snooping database
Use this command to display the DHCP Snooping configuration related to the database persistency.
Format: show ip dhcp snooping database
Mode: Privileged EXEC, User EXEC
The display parameters for the above command are:
Agent URL: Bindings database agent URL.
Write Delay: The maximum time to write the database to the local or remote location.
show ip dhcp snooping interfaces
Use this command to show the DHCP Snooping status of the interfaces.
Format: show ip dhcp snooping interfaces
Mode: Privileged EXEC
show ip dhcp snooping statistics
Use this command to list statistics for DHCP Snooping security violations on untrusted ports.
Format: show ip dhcp snooping statistics
Mode: Privileged EXEC, User EXEC
The display parameters for the above command are:
Interface: Interface in <unit/slot/port> format.
MAC Verify Failures: Represents the number of DHCP messages that were filtered on an untrusted interface because of source MAC address and client HW address mismatch.
Client Ifc Mismatch: Represents the number of DHCP release and Deny messages received on ports different from those learned previously.
DHCP Server Msgs Dropped: Represents the number of DHCP server messages dropped on Untrusted ports.
clear ip dhcp snooping binding {static/dynamic}
Use this command to clear all DHCP snooping bindings on all interfaces based on static or dynamic type.
Format: clear ip dhcp snooping binding [static/dynamic]
Mode: Privileged EXEC, User EXEC
clear ip dhcp snooping binding interface-number
Use this command to clear all DHCP snooping bindings on a specific interface or clear based on static or dynamic type for a specific interface.
Format: clear ip dhcp snooping binding [interface <unit/slot/port>] {static/dynamic}
Mode: Privileged EXEC, User EXEC
clear ip dhcp snooping binding vlan-id
Use this command to clear all DHCP snooping bindings on a specific VLAN or clear based on static or dynamic type for a specific VLAN.
Format: clear ip dhcp snooping binding vlan-id <1-4093> {static/dynamic}
Mode: Privileged EXEC, User EXEC
clear ip dhcp snooping statistics
Use this command to clear all DHCP Snooping statistics.
Format: clear ip dhcp snooping statistics
Mode: Privileged EXEC, User EXEC
show ip verify source
Use this command to display the IPSG configurations on all ports.
ip-mac: User has configured MAC address filtering on this interface.
ip: Only IP address filtering on this interface.
IP Address: IP address of the interface
MAC Address: If MAC address filtering is not configured on the interface, the MAC Address field is empty. If port security is disabled on the interface, then the MAC Address field displays "permit-all."
VLAN: The VLAN for the binding rule.
show ip verify interface
Use this command to display the IPSG filter type for a specific interface.
Format: show ip verify interface <unit/slot/port>
Mode: Privileged EXEC, User EXEC
The display parameters for the above command are:
Interface: Interface address in <unit/slot/port> format.
Filter Type: Is one of two values:
ip-mac: User has configured MAC address filtering on this interface.
ip: Only IP address filtering on this interface.
show ip source binding
Use this command to display the IPSG bindings.
Format: show ip source binding [{static/dynamic}] [interface <unit/slot/port>] [vlan id]
Mode: Privileged EXEC, User EXEC
The display parameters for the above command are:
MAC Address: The MAC address for the entry that is added.
IP Address: The IP address of the entry that is added.
Type: Entry type; statically configured from CLI or dynamically learned from DHCP Snooping.
VLAN: VLAN for the entry.
Interface: IP address of the interface in <unit/slot/port> format.