To configure the DHCP Snooping feature, first enable DHCP Snooping on a particular VLAN by using the ip dhcp
snooping vlan [vlan-id] command in global configuration mode. (Repeat this command for multiple VLANs.)
Next, enable DHCP Snooping globally by using the ip dhcp snooping command in global configuration
mode. Both commands must be configured for DHCP Snooping to take effect.
In Example 4-8, the DHCP server is connected to the FastEthernet0/1 interface and is configured as a trusted
port with a rate limit of 100 packets per second. The rate limit command ensures that a DHCP flood will not
overwhelm the DHCP server. DHCP Snooping is enabled on VLAN 5 and globally activated.
Example 4-8. DHCP Snooping Configuration Example
Switch(config)# interface Fastethernet0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# ip dhcp snooping limit rate 100
Switch(config-if)# exit
Switch(config)# ip dhcp snooping vlan 5
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping information option
Use the show ip dhcp snooping command to display DHCP snooping settings. Use the show ip dhcp
snooping binding command to display binding entries corresponding to untrusted ports.
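Because DHCP Snooping needs both the per-VLAN and the global command, a saved configuration can be checked for a missing half. The following Python sketch is an added example, not part of the original text or of any Cisco tool. It assumes the running-config has been exported as text with interface sub-commands indented, and the function names, sample configuration and finding wording are hypothetical.

```python
import re
# Constructed sample running-config (not from the page): the global
# "ip dhcp snooping" command is missing and one trusted port has no rate limit.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 5,10-11
!
interface FastEthernet0/1
 ip dhcp snooping trust
 ip dhcp snooping limit rate 100
!
interface FastEthernet0/2
 ip dhcp snooping trust
"""

def parse_vlans(spec):
    """Expand a VLAN list such as '5,10-11' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_dhcp_snooping(config, required_vlans):
    """Return a list of findings for a running-config given as text."""
    global_on, vlans, ports, current = False, set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1].isspace():                 # indented: interface sub-command
            if current and line == "ip dhcp snooping trust":
                ports[current]["trust"] = True
            elif current and (m := re.fullmatch(r"ip dhcp snooping limit rate (\d+)", line)):
                ports[current]["rate"] = int(m.group(1))
            continue
        m = re.fullmatch(r"interface (\S+)", line)
        current = m.group(1) if m else None   # any other top-level line ends the scope
        if current:
            ports[current] = {"trust": False, "rate": None}
        elif line == "ip dhcp snooping":
            global_on = True
        elif m := re.fullmatch(r"ip dhcp snooping vlan ([\d,-]+)", line):
            vlans |= parse_vlans(m.group(1))
    findings = [] if global_on else ["global 'ip dhcp snooping' is missing"]
    findings += [f"VLAN {v} lacks 'ip dhcp snooping vlan'" for v in sorted(set(required_vlans) - vlans)]
    trusted = {p: c["rate"] for p, c in ports.items() if c["trust"]}
    if not trusted:
        findings.append("no interface is configured with 'ip dhcp snooping trust'")
    findings += [f"trusted port {p} has no rate limit" for p, r in trusted.items() if r is None]
    return findings
```

Calling audit_dhcp_snooping(SAMPLE_CONFIG, [5, 12]) reports the missing global command, the uncovered VLAN 12 and the trusted port without a rate limit. A configuration equivalent to Example 4-8 checked against VLAN 5 returns no findings.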
IP Source Guard
IP Source Guard is a security feature that restricts IP traffic on untrusted Layer 2 ports by filtering traffic based
on the DHCP snooping binding database or manually configured IP source bindings.