enable ip-security dhcp-snooping

enable ip-security dhcp-snooping [dynamic | {vlan} vlan_name] ports [all | ports] violation-action [drop-packet {[block-mac | block-port] [duration duration_in_seconds | permanently] | none]}] {snmp-trap}

Description

Enables DHCP snooping for the specified VLAN and ports.

Syntax Description

vlan_name Specifies the name of the DHCP-snooping VLAN. Create and configure the VLAN before enabling DHCP snooping.
dynamic Configuration options for dynamically created VLANs.
all Specifies all ports to receive DHCP packets.
ports Specifies one or more ports to receive DHCP packets.
drop-packet Indicates that the switch drop the rogue DHCP packet received on the specified port.
block-mac Indicates that the switch blocks rogue DHCP packets from the specified MAC address on the specified port. The MAC address is added to the DHCP bindings database.
block-port Indicates that the switch blocks rogue DHCP packets on the specified port. The port is added to the DHCP bindings database.
duration_in_seconds Specifies that the switch temporarily disable the specified port upon receiving a rogue DHCP packet.

The range is seconds.

permanently Specifies that the switch to permanently disable the specified port upon receiving a rogue DHCP packet.
none Specifies that the switch takes no action when receiving a rogue DHCP packet; the switch does not drop the packet.
snmp-trap Specifies the switch to send an SNMP trap when an event occurs.

Default

By default, DHCP snooping is disabled.

Usage Guidelines

Use this command to enable DHCP snooping on the switch.

Note

Note

Snooping IP fragmented DHCP packets is not supported.
The violation action setting determines what action(s) the switch takes when a rouge DHCP server packet is seen on an untrusted port or the IP address of the originating server is not among those of the configured trusted DHCP servers. The DHCP server packets are DHCP OFFER, ACK and NAK. The following list describes the violation actions:
  • block-mac—The switch automatically generates an ACL to block the MAC address on that port. The switch does not blackhole that MAC address in the FDB. The switch can either temporarily or permanently block the MAC address.
  • block-port—The switch blocks all incoming rogue DHCP packets on that port. The switch disables the port either temporarily or permanently to block the traffic on that port.
  • none—The switch takes no action to drop the rogue DHCP packet or block the port, and so on. In this case, DHCP snooping continues to build and manage the DHCP bindings database and DHCP forwarding will continue in hardware as before.

Any violation that occurs causes the switch to generate an EMS log message. You can configure to suppress the log messages by configuring EMS log filters.

Displaying DHCP Snooping Information

To display the DHCP snooping configuration settings, use the following command:

show ip-security dhcp-snooping {vlan} vlan_name

To display the DHCP bindings database, use the following command:

show ip-security dhcp-snooping entries {vlan} vlan_name

To display any violations that occur, use the following command:

show ip-security dhcp-snooping violations {vlan} vlan_name

Example

The following example enables DHCP snooping on the switch and has the switch block DHCP packets from port 1:1:

enable ip-security dhcp-snooping vlan snoop ports 1:1 violation-action drop-packet block-port

History

This command was first available in ExtremeXOS 11.6.

Dynamic VLAN option added in ExtremeXOS 30.2.

Platform Availability

This command is available on ExtremeSwitching X435, X440-G2, X450-G2, X460-G2, X465, X590, X620, X670-G2, X690, X695, X870, 5320, 5420, and 5520 series switches.