enable ip-security dhcp-snooping
Description
Enables DHCP snooping for the specified VLAN and ports.
Syntax Description
vlan_name | Specifies the name of the DHCP-snooping VLAN. Create and configure the VLAN before enabling DHCP snooping. |
all | Specifies all ports to receive DHCP packets. |
ports | Specifies one or more ports to receive DHCP packets. |
drop-packet | Indicates that the switch drops the rogue DHCP packet received on the specified port. |
block-mac | Indicates that the switch blocks rogue DHCP packets from the specified MAC address on the specified port. The MAC address is added to the DHCP bindings database. |
block-port | Indicates that the switch blocks rogue DHCP packets on the specified port. The port is added to the DHCP bindings database. |
duration_in_seconds | Specifies that the switch temporarily disables the specified port upon receiving a rogue DHCP packet. The range is seconds. |
permanently | Specifies that the switch permanently disables the specified port upon receiving a rogue DHCP packet. |
none | Specifies that the switch takes no action when receiving a rogue DHCP packet; the switch does not drop the packet. |
snmp-trap | Specifies that the switch sends an SNMP trap when an event occurs. |
Default
By default, DHCP snooping is disabled.
Usage Guidelines
Use this command to enable DHCP snooping on the switch.

Note
Snooping IP fragmented DHCP packets is not supported.
- block-mac—The switch automatically generates an ACL to block the MAC address on that port. The switch does not blackhole that MAC address in the FDB. The switch can either temporarily or permanently block the MAC address.
- block-port—The switch blocks all incoming rogue DHCP packets on that port. The switch disables the port either temporarily or permanently to block the traffic on that port.
- none—The switch takes no action to drop the rogue DHCP packet or block the port, and so on. In this case, DHCP snooping continues to build and manage the DHCP bindings database and DHCP forwarding will continue in hardware as before.
Any violation that occurs causes the switch to generate an Event Management System (EMS) log message. You can suppress these log messages by configuring EMS log filters.
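The violation actions described above can be compared side by side in a small model. The following Python sketch is an added illustration, not ExtremeXOS code: it assumes a packet is "rogue" when a DHCP server message arrives on a snooped port that is not in a hypothetical trusted set, and every class, method and field name is invented for the example.

```python
# Added illustration: toy model of DHCP-snooping violation actions.
# Assumption: "rogue" = DHCP server message (OFFER/ACK/NAK) received on a
# snooped port that is not marked trusted. Times are plain seconds.
import math

SERVER_MSGS = {"OFFER", "ACK", "NAK"}

class SnoopingVlan:
    def __init__(self, snooped_ports, trusted_ports, action="none",
                 duration=None):  # duration=None models "permanently"
        self.snooped, self.trusted = set(snooped_ports), set(trusted_ports)
        self.action, self.duration = action, duration
        self.bindings = {}        # client MAC -> leased IP (from trusted ACKs)
        self.blocked_macs = {}    # (port, source MAC) -> block expiry time
        self.disabled_ports = {}  # port -> disable expiry time
        self.violations = []      # stands in for the EMS log entries

    @staticmethod
    def _active(table, key, now):
        return table.get(key, -1) > now

    def receive(self, now, port, src_mac, msg, client_mac=None, ip=None):
        """Return True if the packet is forwarded, False if it is dropped."""
        if self._active(self.disabled_ports, port, now):
            return False                    # block-port: port is disabled
        if self._active(self.blocked_macs, (port, src_mac), now):
            return False                    # block-mac: ACL for MAC on port
        if (msg in SERVER_MSGS and port in self.snooped
                and port not in self.trusted):
            self.violations.append((now, port, src_mac, msg))
            if self.action == "none":
                return True                 # logged only, packet not dropped
            expiry = math.inf if self.duration is None else now + self.duration
            if self.action == "block-mac":
                self.blocked_macs[(port, src_mac)] = expiry
            elif self.action == "block-port":
                self.disabled_ports[port] = expiry
            return False                    # drop-packet (alone or with block)
        if msg == "ACK" and port in self.trusted:
            self.bindings[client_mac] = ip  # snooping keeps building bindings
        return True
```

With `action="block-mac"` only the offending source MAC is cut off on that port, while `action="block-port"` stops every host behind the port until the duration expires.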
Displaying DHCP Snooping Information
To display the DHCP snooping configuration settings, use the following command:
show ip-security dhcp-snooping {vlan} vlan_name
To display the DHCP bindings database, use the following command:
show ip-security dhcp-snooping entries {vlan} vlan_name
To display any violations that occur, use the following command:
show ip-security dhcp-snooping violations {vlan} vlan_name
Example
The following example enables DHCP snooping on the switch and has the switch block DHCP packets from port 1:1:
enable ip-security dhcp-snooping vlan snoop ports 1:1 violation-action drop-packet block-port
History
This command was first available in ExtremeXOS 11.6.
Platform Availability
This command is available on Summit X440-G2, X450-G2, X460-G2, X620, X670-G2, X770 series switches.