Topology
.
Figure 10-17: DHCP Snooping topology
Configuration Guidelines
When configuring DHCP snooping, follow these guidelines:
• DHCP snooping is not active until you enable the feature on at least one VLAN, and enable DHCP snooping globally on the switch.
• Before globally enabling DHCP snooping on the switch, make sure that the device acting as the DHCP server is configured and enabled.
• If a Layer 2 LAN port is connected to a DHCP server, configure the port as trusted by entering the ip dhcp snooping trust interface configuration command.
• If a Layer 2 LAN port is connected to a DHCP client, configure the port as un-trusted by entering the no ip dhcp snooping trust interface configuration command.
Procedures
The following subsections provide examples of how to enable and configure DHCP Snooping.
Enable the Ingress DHCP-snoop TCAM group
#configure terminal | Enter Configure mode. |
(config)#hardware-profile filter dhcp-snoop enable | Enable the ingress DHCP-snoop TCAM group |
(config)#commit | Commit Candidate config to running-config |
Disable the Ingress DHCP-snoop TCAM group
#configure terminal | Enter Configure mode. |
(config)# hardware-profile filter dhcp-snoop disable | Disable the ingress DHCP-snoop TCAM group |
(config)#commit | Commit Candidate config to running-config |
Enable the Ingress DHCP-snoop-IPv6 TCAM group
#configure terminal | Enter Configure mode. |
(config)#hardware-profile filter dhcp-snoop-ipv6 enable | Enable the ingress DHCP-snoop-IPv6 TCAM group |
(config)#commit | Commit Candidate config to running-config |
Disable the Ingress DHCP-snoop-IPv6 TCAM group
#configure terminal | Enter Configure mode. |
(config)# hardware-profile filter dhcp-snoop-ipv6 disable | Disable the ingress DHCP-snoop-IPv6 TCAM group |
(config)#commit | Commit Candidate config to running-config |
Enable DHCP Snooping Globally
#configure terminal | Enter Configure mode. |
(config)#bridge 1 protocol mstp | Create MSTP or IEEE VLAN-bridge. |
(config)#ip dhcp snooping bridge 1 | Enable DHCP Snooping on the bridge |
(config)#commit | Commit Candidate config to running-config |
Enable DHCP Snooping on a VLAN
#configure terminal | Enter Configure mode. |
(config)#vlan 2 bridge 1 | Configure a VLAN for the bridge. |
(config)#ip dhcp snooping vlan 2 bridge 1 | Enable DHCP Snooping on the VLAN 2 |
(config)#commit | Commit Candidate config to running-config |
Validation
OcNOS#show hardware-profile filters
Note: Shared count is the calculated number from available resources.
Dedicated count provides allocated resource to the group.
If group shares the dedicated resource with other groups, then dedicated
count of group will reduce with every resource usage by other groups.
+--------------------+---------+---------------+----------------------------+
| | Free | Used | Total Entries |
| Unit - TCAMS | Entries |---------------|----------------------------|
| | | % | Entries | Total | Dedicated | shared |
+--------------------+---------+-----+---------+-------+-----------+--------+
0 DHCP-SNOOP 9717 0 5 9722 1018 8704
0 DHCP-SNOOP-IPV6 9717 0 6 9723 1019 8704
Configuring the Ports Connected to DHCP Server and DHCP Client
#configure terminal | Enter Configure mode. |
(config)#interface xe1 | Specify the interface xe1 to be configured, and Enter interface mode |
(config-if)#switchport | Configure the interface as a switch port. |
(config-if)#bridge-group 1 | Associate the interface xe1 with bridge-group 1. |
(config-if)#switchport mode access | Configure the port as an access port |
(config-if)#switchport access vlan 2 | Bind the interface VLAN 2 to the port |
(config-if)#exit | Exit interface mode. |
(config)#interface xe2 | Specify interface xe2 to be configured connected to server. |
(config-if)#switchport | Configure the interface as a switch port |
(config-if)#bridge-group 1 | Associate interface xe2 with bridge-group 1. |
(config-if)#switchport mode access | Configure the port as an access port. |
(config-if)#switchport access vlan 2 | Bind the interface VLAN 2 to the port |
(config-if)#exit | Exit the config mode. |
(config)#commit | Commit Candidate config to running-config |
(config)#exit | Exit the config mode. |
Configuring Trusted and Un-trusted Ports
Usually the port connected to server is configured as trusted port and the ports connected to client is configured as un-trusted port.
In this example, xe2 is connected to the DHCP client and xe1 is connected to the DHCP server.
• Configure xe2 connected to DHCP client as un-trusted port.
• Configure xe1 connected to the DHCP server as trusted port.
#configure terminal | Enter Configure mode. |
(config)#interface xe1 | Specify the interface to be configured |
(config-if)#ip dhcp snooping trust | Enable the port as trusted. |
(config)#commit | Commit Candidate config to running-config |
(config)#interface xe2 | Specify the interface to be configured |
(config-if)#no ip dhcp snooping trust | Disable the port as trusted. |
(config-if)#exit | Exit interface mode |
(config)#commit | Commit Candidate config to running-config |
Last modified date: 08/28/2023