Configuring DHCP Snooping

DHCP snooping is disabled on the switch by default.

To enable DHCP snooping on the switch, use the command:
enable ip-security dhcp-snooping [dynamic | {vlan} vlan_name] ports [all | ports] violation-action [drop-packet {[block-mac | block-port] [duration duration_in_seconds | permanently] | none]}] {snmp-trap}
Note
Snooping IP fragmented DHCP packets is not supported.

The violation action setting determines what action(s) the switch takes when a rogue DHCP server packet is seen on an untrusted port or the IP address of the originating server is not among those of the configured trusted DHCP servers.

The DHCP server packets are DHCP OFFER, ACK and NAK. The following list describes the violation actions:

block-mac

The switch automatically generates an ACL to block the MAC address on that port. The switch does not blackhole that MAC address in the FDB. The switch can either temporarily or permanently block the MAC address.

block-port

The switch blocks all traffic on that port by disabling the port either temporarily or permanently.

none

The switch takes no action to drop the rogue DHCP packet or block the port, and so on. In this case, DHCP snooping continues to build and manage the DHCP bindings database and DHCP forwarding will continue in hardware as before. This option can be used when the intent is only to monitor the IP addresses being assigned by the DHCP server.

Note
You must enable DHCP snooping on both the DHCP server port as well as on the client port. The latter ensures that DHCP client packets (DHCP Request, DHCP Release etc.) are processed appropriately.

Note
DHCP snooping does not work when the client and server are in different VRs and server reachability is established by inter-VR leaked routes on client VR.

Note
Enabling DHCP snooping and source IP lockdown on the same port applies ACL rules with the same match conditions, but different actions. The rule with deny action takes precedence, so packets are dropped if the these ACL rules are installed on different slices. Many factors influence which slice rules are installed on. To see which slice these rules are installed on, use the command show access-list usage acl-slice port port or show access-list usage acl-rule port port .

Any violation that occurs causes the switch to generate an EMS log message. You can configure to suppress the log messages by configuring EMS log filters. For more information about EMS, see Using the Event Management System/Logging.
To disable DHCP snooping on the switch, use the command:
disable ip-security dhcp-snooping [dynamic | {vlan} vlan_name] ports [all | ports]