Note: Snooping IP fragmented DHCP packets is not supported.
The violation action setting determines what action(s) the switch takes when a rogue DHCP server packet is seen on an untrusted port or the IP address of the originating server is not among those of the configured trusted DHCP servers.
The DHCP server packets are DHCP OFFER, ACK and NAK. The following list describes the violation actions:
Note: You must enable DHCP snooping on both the DHCP server port and the client port. The latter ensures that DHCP client packets (DHCP Request, DHCP Release, etc.) are processed appropriately.
Note: DHCP snooping does not work when the client and server are in different VRs and server reachability is established by inter-VR leaked routes on the client VR.
Note: Enabling DHCP snooping and source IP lockdown on the same port applies ACL rules with the same match conditions, but different actions. The rule with the deny action takes precedence, so packets are dropped if these ACL rules are installed on different slices. Many factors influence which slice rules are installed on. To see which slice these rules are installed on, use the command show access-list usage acl-slice port <port> or show access-list usage acl-rule port <port>.
Any violation that occurs causes the switch to generate an EMS log message. You can suppress these log messages by configuring EMS log filters. For more information about EMS, see Using the Event Management System/Logging.
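The violation rule described above can be modeled offline, for example to test detection logic against captured traffic. This is an added example, not switch code or vendor code. The function names, port labels and addresses are constructed, and it assumes a complete, unfragmented UDP payload and that the server-address check applies only when a trusted-server list is configured.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values sent by servers

def dhcp_message_type(payload):
    """Return the DHCP message type (option 53) of a BOOTP payload, or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option: single byte, no length field
            i += 1
            continue
        if code == 255 or i + 1 >= len(payload):   # end option, or truncated
            return None
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:  # option runs past the end of the payload
            return None
        if code == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None

def check_packet(port, src_ip, payload, trusted_ports, trusted_servers):
    """Return a violation reason string, or None if the packet is acceptable."""
    name = SERVER_TYPES.get(dhcp_message_type(payload))
    if name is None:
        return None              # client packet or not DHCP: no server violation
    if port not in trusted_ports:
        return f"DHCP {name} on untrusted port {port}"
    # Assumption: the server-address check applies only when a list is configured.
    if trusted_servers and src_ip not in trusted_servers:
        return f"DHCP {name} from untrusted server {src_ip}"
    return None

def build_payload(msg_type):
    """Constructed sample: minimal BOOTP message carrying only option 53."""
    op = 2 if msg_type in SERVER_TYPES else 1
    header = bytes([op, 1, 6, 0]) + bytes(232)   # 236-byte fixed BOOTP header
    return header + MAGIC_COOKIE + bytes([0, 53, 1, msg_type, 255])

if __name__ == "__main__":
    trusted_ports, trusted_servers = {"1:1"}, {"10.0.0.1"}   # constructed values
    for port, ip, mtype in [("1:1", "10.0.0.1", 2), ("1:5", "10.0.0.9", 2),
                            ("1:1", "10.0.0.9", 5), ("1:5", "0.0.0.0", 1)]:
        print(port, ip, check_packet(port, ip, build_payload(mtype),
                                     trusted_ports, trusted_servers))
```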