Enables DHCP snooping for the specified VLAN and ports.
vlan_name | Specifies the name of the DHCP-snooping VLAN. Create and configure the VLAN before enabling DHCP snooping. |
all | Specifies all ports to receive DHCP packets. |
ports | Specifies one or more ports to receive DHCP packets. |
drop-packet | Indicates that the switch drop the rogue DHCP packet received on the specified port. |
block-mac | Indicates that the switch blocks rogue DHCP packets from the specified MAC address on the specified port. The MAC address is added to the DHCP bindings database. |
block-port | Indicates that the switch blocks rogue DHCP packets on the specified port. The port is added to the DHCP bindings database. |
duration_in_seconds | Specifies that the switch
temporarily disable the specified port upon receiving a rogue DHCP
packet. The range is seconds. |
permanently | Specifies that the switch to permanently disable the specified port upon receiving a rogue DHCP packet. |
none | Specifies that the switch takes no action when receiving a rogue DHCP packet; the switch does not drop the packet. |
snmp-trap | Specifies the switch to send an SNMP (Simple Network Management Protocol) trap when an event occurs. |
By default, DHCP snooping is disabled.
Use this command to enable DHCP snooping on the switch.
Note
Snooping IP fragmented DHCP packets is not supported.Any violation that occurs causes the switch to generate an EMS log message. You can configure to suppress the log messages by configuring EMS log filters.
To display the DHCP snooping configuration settings, use the following command:
show ip-security dhcp-snooping {vlan} vlan_nameTo display the DHCP bindings database, use the following command:
show ip-security dhcp-snooping entries {vlan} vlan_nameTo display any violations that occur, use the following command:
show ip-security dhcp-snooping violations {vlan} vlan_nameThe following example enables DHCP snooping on the switch and has the switch block DHCP packets from port 1:1:
enable ip-security dhcp-snooping vlan snoop ports 1:1 violation-action drop-packet block-port
This command was first available in ExtremeXOS 11.6.
This command is available on the Summit X450-G2, X460-G2, X670-G2, X770, and ExtremeSwitching X440-G2, X590, X620, X690, X870 series switches.