The previous article explained what DHCP Snooping is, so we now have a general understanding of it. Next, we will look at the specific operations and steps for configuring DHCP Snooping. The DHCP Snooping function and the DHCP Option 82 function of 1x are mutually exclusive.
DHCP Snooping and DHCP Option82
DHCP Snooping only monitors the user's DHCP process. If you want to control user access based on the IP address allocated by DHCP, you must use the ARP detection function. The ARP detection module must inspect all ARP packets, so it affects the overall performance of the device.
DHCP Snooping configuration: enable and disable DHCP Snooping
By default, the DHCP Snooping function of the device is disabled.
When the DHCP Snooping function is enabled, the device monitors DHCP packets.
Command description
- Switch# configure terminal: enters Configuration Mode
- Switch(config)# [no] ip dhcp snooping: enables or disables DHCP Snooping
Below is the configuration to enable the DHCP snooping function of the device:
- switch# configure terminal
- switch(config)# ip dhcp snooping
- switch(config)# end
- switch#
DHCP Snooping configuration: DHCP source MAC check function
After this command is configured, the device compares the source MAC address with the MAC address in the Client field of DHCP Request packets sent from the UNTRUST port, and discards invalid packets in which the two MAC values differ.
This check is not performed by default.
Command description
- Switch# configure terminal: enters Configuration Mode
- Switch(config)# [no] ip dhcp snooping verify mac-address: enables or disables the source MAC check function
Below is the configuration to enable the DHCP source MAC check function:
- switch# configure terminal
- switch(config)# ip dhcp snooping verify mac-address
- switch(config)# end
- switch#
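The comparison made by the source MAC check, sketched in Python as an added example (not code from the article or from the switch vendor). It reads the Client field as the BOOTP chaddr field and assumes untagged Ethernet II frames carrying unfragmented IPv4; the function names, the second MAC address and the choice to drop requests too short to hold the Client field are assumptions of this sketch.

```python
import struct

def mac(text):
    """Parse the dotted notation used in the article, e.g. 00d0.f801.0101."""
    return bytes.fromhex(text.replace(".", ""))

def build_request(src_mac, chaddr):
    """Construct a minimal DHCP client frame (sample data, not a capture)."""
    bootp = (bytes([1, 1, 6, 0]) + bytes(24)         # op=BOOTREQUEST, htype, hlen, hops, xid..giaddr
             + chaddr.ljust(16, b"\0") + bytes(192)  # chaddr, sname, file
             + b"\x63\x82\x53\x63")                  # DHCP magic cookie
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp),
                     0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
    eth = b"\xff" * 6 + src_mac + b"\x08\x00"
    return eth + ip + udp + bootp

def verify_mac_address(frame, trusted):
    """Return 'forward' or 'drop' for one received frame."""
    if trusted:
        return "forward"                     # the check applies to UNTRUST ports only
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return "forward"                     # not IPv4/UDP, so not DHCP
    udp_at = 14 + (frame[14] & 0x0F) * 4     # honour the IPv4 header length
    if len(frame) < udp_at + 8:
        return "forward"                     # no complete UDP header to inspect
    if struct.unpack("!H", frame[udp_at + 2:udp_at + 4])[0] != 67:
        return "forward"                     # not addressed to the DHCP server port
    bootp = frame[udp_at + 8:]
    if len(bootp) < 34:
        return "drop"                        # assumption: too short to verify chaddr
    if bootp[0] != 1:
        return "forward"                     # not a client request, outside this check
    # Ethernet source MAC (bytes 6..11) must equal the first 6 bytes of chaddr.
    return "forward" if bootp[28:34] == frame[6:12] else "drop"

if __name__ == "__main__":
    client = mac("00d0.f801.0101")           # MAC taken from the article's binding example
    other = mac("00d0.f801.0202")            # constructed second address
    print(verify_mac_address(build_request(client, client), trusted=False))
    print(verify_mac_address(build_request(other, client), trusted=False))
```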
DHCP Snooping configuration: static DHCP snooping user
In some application scenarios, users on certain ports need to use IP addresses statically. This is done by configuring their user information as static entries in the DHCP Snooping binding database.
Command description
- Switch# configure terminal: enters Configuration Mode
- Switch(config)# [no] ip dhcp snooping binding mac-address vlan vlan_id ip ip-address interface interface-id: adds a static DHCP user to the DHCP Snooping binding database
Add a static user to port 9 of the device:
- switch# configure terminal
- switch(config)# ip dhcp snooping binding 00d0.f801.0101 vlan 1 ip 192.168.4.243 interface gigabitEthernet 0/9
- switch(config)# end
- switch#
DHCP Snooping configuration: periodically write DHCP Snooping database information to flash
To prevent DHCP user information loss caused by power failure and restart, DHCP Snooping provides a configurable command to write DHCP Snooping database information to flash. By default, it is set to 0, that is, writing flash from time to time.
Command description
- Switch# configure terminal: enters Configuration Mode
- Switch(config)# [no] ip dhcp snooping database write-delay [time]: sets the time for DHCP to delay flash writing. time: 600 s to 86400 s. The default value is 0.
The following configuration sets the DHCP Snooping delay for flash writing to 3600 s:
- switch# configure terminal
- switch(config)# ip dhcp snooping database write-delay 3600
- switch(config)# end
- switch#
Manually write DHCP snooping database information to flash
To prevent DHCP user information loss caused by device power failure and restart, in addition to configuring timed flash writing, you can also manually write the current DHCP Snooping binding database information to flash as needed.
Command description