Configuring DHCP Snooping
This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping on Cisco 7600 series routers.
Note The DHCP snooping feature requires PFC3 and Release 12.2(18)SXE and later releases. The PFC2 does not support DHCP snooping.
This chapter consists of the following major sections:
- Understanding DHCP Snooping
- Default Configuration for DHCP Snooping
- DHCP Snooping Configuration Restrictions and Guidelines
- Configuring DHCP Snooping
Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco 7600 Series Routers Command References at this URL:
http://www.cisco.com/en/US/products/hw/routers/ps368/prod_command_reference_list.html
Understanding DHCP Snooping
These sections describe the DHCP snooping feature:
- Overview of DHCP Snooping
- Trusted and Untrusted Sources
- DHCP Snooping Binding Database
- Packet Validation
- DHCP Snooping Option-82 Data Insertion
- Overview of the DHCP Snooping Database Agent
Overview of DHCP Snooping
DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:
- Validates DHCP messages received from untrusted sources and filters out invalid messages.
- Rate-limits DHCP traffic from trusted and untrusted sources.
- Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
- Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
Other security features, such as dynamic ARP inspection (DAI), also use information stored in the DHCP snooping binding database.
DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.
The DHCP snooping feature is implemented in software on the MSFC. Therefore, all DHCP messages for enabled VLANs are intercepted in the PFC and directed to the MSFC for processing.
Trusted and Untrusted Sources
The DHCP snooping feature determines whether traffic sources are trusted or untrusted. An untrusted source may initiate traffic attacks or other hostile actions. To prevent such attacks, the DHCP snooping feature filters messages and rate-limits traffic from untrusted sources.
In an enterprise network, devices under your administrative control are trusted sources. These devices include the switches, routers and servers in your network. Any device beyond the firewall or outside your network is an untrusted source. Host ports are generally treated as untrusted sources.
In a service provider environment, any device that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources.
In the Catalyst 6500 series switch, you indicate that a source is trusted by configuring the trust state of its connecting interface.
The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted. You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network. You usually do not configure host port interfaces as trusted.
Note For DHCP snooping to function properly, all DHCP servers must be connected to the router through trusted interfaces.
DHCP Snooping Binding Database
The DHCP snooping binding database is also referred to as the DHCP snooping binding table.
The DHCP snooping feature dynamically builds and maintains the database using information extracted from intercepted DHCP messages. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.
The DHCP snooping feature updates the database when the switch receives specific DHCP messages. For example, the feature adds an entry to the database when the switch receives a DHCPACK message from the server. The feature removes the entry in the database when the IP address lease expires or the switch receives a DHCPRELEASE message from the host.
Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host.
Packet Validation
The router validates DHCP packets received on the untrusted interfaces of VLANs with DHCP snooping enabled. The switch forwards the DHCP packet unless any of the following conditions occur (in which case the packet is dropped):
- The router receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet) from a DHCP server outside the network or firewall.
- The router receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.
- The router receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
- The router receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0.
In releases earlier than Release 12.2(18)SXF1, the router drops DHCP packets that include option-82 information that are received on untrusted ports. With Release 12.2(18)SXF1 and later releases, to support trusted edge routers that are connected to untrusted aggregation-router ports, you can enable the DHCP option-82 on untrusted port feature, which enables untrusted aggregation-router ports to accept DHCP packets that include option-82 information. Configure the port on the edge router that connects to the aggregation switch as a trusted port.
Note With the DHCP option-82 on untrusted port feature enabled, use dynamic ARP inspection on the aggregation router to protect untrusted input interfaces.
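The drop conditions above, modelled as an added Python example (not Cisco code and not part of the original chapter). The class, field and interface names, the addresses, and the way a binding is tied to the port that carried the client's DHCPREQUEST are assumptions of this sketch; the packets are constructed sample data.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}

@dataclass
class Pkt:
    msg: str                 # DHCP message type
    port: str                # ingress interface
    vlan: int
    src_mac: str             # Layer 2 source MAC of the frame
    chaddr: str              # client hardware address inside the DHCP payload
    giaddr: str = "0.0.0.0"  # relay agent IP address
    opt82: bool = False      # packet already carries option-82 information
    yiaddr: str = ""         # leased address (server replies only)

@dataclass
class Snooper:
    vlans: set                             # VLANs with DHCP snooping enabled
    trusted: set                           # interfaces configured as trusted
    verify_mac: bool = True                # MAC address verification option
    opt82_allowed_untrusted: bool = False  # option-82 on untrusted port feature
    bindings: dict = field(default_factory=dict)  # (mac, vlan) -> (ip, port)
    pending: dict = field(default_factory=dict)   # (mac, vlan) -> client port

    def process(self, p):
        """Return (verdict, reason) for one intercepted DHCP packet."""
        if p.vlan not in self.vlans:
            return "forward", "snooping not enabled on VLAN"
        key = (p.chaddr, p.vlan)
        if p.port in self.trusted:
            # Trusted ports are not validated. A DHCPACK creates the binding
            # for the untrusted port the request arrived on (model assumption).
            if p.msg == "DHCPACK" and key in self.pending:
                self.bindings[key] = (p.yiaddr, self.pending.pop(key))
            return "forward", "trusted interface"
        if p.msg in SERVER_MSGS:
            return "drop", "server message on untrusted interface"
        if self.verify_mac and p.src_mac != p.chaddr:
            return "drop", "source MAC != client hardware address"
        if p.msg in ("DHCPRELEASE", "DHCPDECLINE") and key in self.bindings:
            if self.bindings[key][1] != p.port:
                return "drop", "interface does not match binding"
        if p.giaddr != "0.0.0.0":
            return "drop", "relay agent IP address is not 0.0.0.0"
        if p.opt82 and not self.opt82_allowed_untrusted:
            return "drop", "option-82 on untrusted interface"
        if p.msg == "DHCPREQUEST":
            self.pending[key] = p.port
        elif p.msg == "DHCPRELEASE":
            self.bindings.pop(key, None)   # host gave the lease back
        return "forward", "valid"

def run_sample():
    """Feed constructed packets through the model; return verdicts and state."""
    s = Snooper(vlans={10}, trusted={"Gi1/1"})
    host, other = "0000.aaaa.0001", "0000.bbbb.0002"
    pkts = [
        Pkt("DHCPREQUEST", "Fa5/12", 10, host, host),
        Pkt("DHCPACK", "Gi1/1", 10, "0000.cccc.0001", host, yiaddr="10.0.10.5"),
        Pkt("DHCPOFFER", "Fa5/13", 10, other, host, yiaddr="10.0.10.66"),
        Pkt("DHCPDISCOVER", "Fa5/13", 10, other, "0000.dddd.0009"),
        Pkt("DHCPRELEASE", "Fa5/13", 10, host, host),
        Pkt("DHCPDISCOVER", "Fa5/13", 10, other, other, giaddr="10.0.10.1"),
        Pkt("DHCPDISCOVER", "Fa5/13", 10, other, other, opt82=True),
    ]
    return [s.process(p) for p in pkts], s

if __name__ == "__main__":
    for verdict, reason in run_sample()[0]:
        print(f"{verdict:8} {reason}")
```
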
DHCP Snooping Option-82 Data Insertion
In residential, metropolitan Ethernet-access environments, DHCP can centrally manage the IP address assignments for a large number of subscribers. When the DHCP snooping option-82 feature is enabled on the router, a subscriber device is identified by the router port through which it connects to the network (in addition to its MAC address). Multiple hosts on the subscriber LAN can be connected to the same port on the access router and are uniquely identified.
Figure 44-1 is an example of a metropolitan Ethernet network in which a centralized DHCP server assigns IP addresses to subscribers connected to the router at the access layer. Because the DHCP clients and their associated DHCP server do not reside on the same IP network or subnet, a DHCP relay agent is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server.
Figure 44-1 DHCP Relay Agent in a Metropolitan Ethernet Network
When you enable the DHCP snooping information option-82 on the router, this sequence of events occurs:
- The host (DHCP client) generates a DHCP request and broadcasts it on the network.
- When the router receives the DHCP request, it adds the option-82 information in the packet. The option-82 information contains the router MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (the circuit ID suboption).
- If the IP address of the relay agent is configured, the router adds the IP address in the DHCP packet.
- The router forwards the DHCP request that includes the option-82 field to the DHCP server.
- The DHCP server receives the packet. If the server is option-82 capable, it can use the remote ID, or the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. The DHCP server then echoes the option-82 field in the DHCP reply.
- The DHCP server unicasts the reply to the router if the request was relayed to the server by the router. When the client and server are on the same subnet, the server broadcasts the reply. The router verifies that it originally inserted the option-82 data by inspecting the remote ID and possibly the circuit ID fields. The router removes the option-82 field and forwards the packet to the router port that connects to the DHCP client that sent the DHCP request.
When the previously described sequence of events occurs, the values in these fields in Figure 44-2 do not change:
– Length of the suboption type
– Length of the circuit ID type
– Length of the suboption type
– Length of the circuit ID type
Figure 44-2 shows the packet formats for the remote ID suboption and the circuit ID suboption. The router uses the packet formats when DHCP snooping is globally enabled and when the ip dhcp snooping information option global configuration command is entered. For the circuit ID suboption, the module field is the slot number of the module.
Figure 44-2 Suboption Packet Formats
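An added example (not from the original chapter or from Cisco software) of the option-82 insertion and reply check described above. Because Figure 44-2 did not survive on this page, the byte layout used here (VLAN in 2 bytes, module and port in 1 byte each, fixed type and length values) is an assumption, as are the function names and the sample MAC, VLAN and port values.

```python
import struct

OPTION_82, CIRCUIT_ID, REMOTE_ID = 82, 1, 2   # RFC 3046 option and suboption codes

def build_option82(router_mac: bytes, vlan: int, module: int, port: int) -> bytes:
    """Option-82 data the router adds to a client request (assumed layout)."""
    # Suboption type 1, length 6, circuit ID type 0, length 4, then vlan-mod-port.
    circuit = struct.pack("!BBBBHBB", CIRCUIT_ID, 6, 0, 4, vlan, module, port)
    # Suboption type 2, length 8, remote ID type 0, length 6, then the router MAC.
    remote = struct.pack("!BBBB", REMOTE_ID, 8, 0, 6) + router_mac
    body = circuit + remote
    return bytes([OPTION_82, len(body)]) + body

def parse_option82(opt: bytes) -> dict:
    """Decode the two suboptions; reject anything that is not well formed."""
    if len(opt) < 2 or opt[0] != OPTION_82 or opt[1] != len(opt) - 2:
        raise ValueError("malformed option 82 header")
    body, i, out = opt[2:], 0, {}
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated suboption header")
        code, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated suboption value")
        if code == CIRCUIT_ID:
            if length != 6 or value[:2] != b"\x00\x04":
                raise ValueError("unexpected circuit ID format")
            out["circuit_id"] = struct.unpack("!HBB", value[2:])
        elif code == REMOTE_ID:
            if length != 8 or value[:2] != b"\x00\x06":
                raise ValueError("unexpected remote ID format")
            out["remote_id"] = value[2:]
        i += 2 + length
    return out

def egress_for_reply(reply_opt: bytes, own_mac: bytes):
    """Return (vlan, module, port) if this router inserted the data, else None.

    The router strips the option and forwards to that port only when the
    echoed remote ID is its own MAC address.
    """
    try:
        fields = parse_option82(reply_opt)
    except ValueError:
        return None
    if fields.get("remote_id") != own_mac or "circuit_id" not in fields:
        return None
    return fields["circuit_id"]

if __name__ == "__main__":
    mac = bytes.fromhex("00112233aabb")            # constructed router MAC
    opt = build_option82(mac, vlan=10, module=5, port=12)
    print(opt.hex(), egress_for_reply(opt, mac))
```
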
Overview of the DHCP Snooping Database Agent
To retain the bindings across reloads, you must use the DHCP snooping database agent. Without this agent, the bindings established by DHCP snooping are lost upon reload, and connectivity is lost as well.
The database agent stores the bindings in a file at a configured location. Upon reload, the router reads the file to build the database for the bindings. The router keeps the file current by writing to the file as the database changes.
The format of the file that contains the bindings is as follows:
Each entry in the file is tagged with a checksum that is used to validate the entries whenever the file is read. The <initial-checksum> entry on the first line helps distinguish entries associated with the latest write from entries that are associated with a previous write.
This is a sample bindings file:
Each entry holds an IP address, VLAN, MAC address, lease time (in hex), and the interface associated with a binding. At the end of each entry is a checksum that is based on all the bytes from the start of the file through all the bytes associated with the entry. Each entry consists of 72 bytes of data, followed by a space, followed by a checksum.
Upon bootup, when the calculated checksum equals the stored checksum, the router reads entries from the file and adds the bindings to the DHCP snooping database. If the calculated checksum does not equal the stored checksum, the entry read from the file is ignored and so are all the entries following the failed entry. The router also ignores all those entries from the file whose lease time has expired. (This is possible because the lease time might indicate an expired time.) An entry from the file is also ignored if the interface referred to in the entry no longer exists on the system, or if it is a router port or a DHCP snooping-trusted interface.
When the router learns of new bindings or when it loses some bindings, the router writes the modified set of entries from the snooping database to the file. The writes are performed with a configurable delay to batch as many changes as possible before the actual write happens. Associated with each transfer is a timeout after which a transfer is aborted if it is not completed. These timers are referred to as the write delay and abort timeout.
Default Configuration for DHCP Snooping
Table 44-1 shows all the default configuration values for each DHCP snooping option.
DHCP Snooping Configuration Restrictions and Guidelines
These sections provide DHCP snooping configuration restrictions and guidelines:
- DHCP Snooping Configuration Restrictions
- DHCP Snooping Configuration Guidelines
- Minimum DHCP Snooping Configuration
DHCP Snooping Configuration Restrictions
When configuring DHCP snooping, note these restrictions:
- The PFC2 does not support DHCP snooping.
- With releases earlier than Release 12.2(18)SXF5, the DHCP snooping database stores a maximum of 512 bindings. If the database attempts to add more than 512 DHCP bindings, all bindings are removed from the database.
- With Release 12.2(18)SXF5 and later releases, the DHCP snooping database stores at least 8,000 bindings.
- With Release 12.2(18)SRA and later releases, the DHCP snooping database stores at least 64,000 bindings.
DHCP Snooping Configuration Guidelines
When configuring DHCP snooping, follow these guidelines:
- DHCP snooping is not active until you enable the feature on at least one VLAN as well as globally on the router. Ensure that service DHCP is enabled (service DHCP is enabled by default).
- Before globally enabling DHCP snooping on the router, make sure that the devices acting as the DHCP server and the DHCP relay agent are configured and enabled.
- For DHCP server configuration information, refer to “Configuring DHCP” in the Cisco IOS IP and IP Routing Configuration Guide at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt1/1cfdhcp.htm
- If a Layer 2 LAN port is connected to a DHCP server, configure the port as trusted by entering the ip dhcp snooping trust interface configuration command.
- If a Layer 2 LAN port is connected to a DHCP client, configure the port as untrusted by entering the no ip dhcp snooping trust interface configuration command.
- You can enable DHCP snooping on private VLANs:
– If DHCP snooping is enabled, any primary VLAN configuration is propagated to its associated secondary VLANs.
– If DHCP snooping is configured on the primary VLAN and you configure DHCP snooping with different settings on an associated secondary VLAN, the configuration on the secondary VLAN does not take effect.
– If DHCP snooping is not configured on the primary VLAN and you configure DHCP snooping on a secondary VLAN, the configuration takes effect only on the secondary VLAN.
– When you manually configure DHCP snooping on a secondary VLAN, this message appears:
– The show ip dhcp snooping command displays all VLANs (both primary and secondary) that have DHCP snooping enabled.
Minimum DHCP Snooping Configuration
The minimum configuration steps for the DHCP snooping feature are as follows:
1. Define and configure the DHCP server.
For DHCP server configuration information, refer to “Configuring DHCP” in the Cisco IOS IP and IP Routing Configuration Guide at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt1/1cfdhcp.htm
2. Enable DHCP snooping on at least one VLAN.
By default, DHCP snooping is inactive on all VLANs. Refer to the “Enabling DHCP Snooping on VLANs” section.
3. Ensure that the DHCP server is connected through a trusted interface.
By default, the trust state of all interfaces is untrusted. Refer to the “Configuring the DHCP Trust State on Layer 2 LAN Interfaces” section.
4. Configure the DHCP snooping database agent.
This step ensures that database entries are restored after a restart or switchover. Refer to the “Configuring the DHCP Snooping Database Agent” section.
5. Enable DHCP snooping globally.
The feature is not active until you complete this step. Refer to the “Enabling DHCP Snooping Globally” section.
If you are configuring the switch for DHCP relay, the following additional steps are required:
1. Define and configure the DHCP relay agent IP address.
If the DHCP server is in a different subnet from the DHCP clients, configure the server IP address in the helper address field of the client side VLAN.
2. Configure DHCP option-82 on untrusted port.
Refer to the “Enabling the DHCP Option-82 on Untrusted Port Feature” section.
Configuring DHCP Snooping
These sections describe how to configure DHCP snooping:
- Enabling DHCP Snooping Globally
- Enabling DHCP Option-82 Data Insertion
- Enabling the DHCP Option-82 on Untrusted Port Feature
- Enabling DHCP Snooping MAC Address Verification
- Enabling DHCP Snooping on VLANs
- Configuring the DHCP Trust State on Layer 2 LAN Interfaces
- Configuring DHCP Snooping Rate Limiting on Layer 2 LAN Interfaces
- Configuring the DHCP Snooping Database Agent
- Configuration Examples for the Database Agent
- Displaying a Binding Table
Enabling DHCP Snooping Globally
Note Configure this command as the last configuration step (or enable the DHCP feature during a scheduled maintenance period) because after you enable DHCP snooping globally, the router drops DHCP requests until you configure the ports.
To enable DHCP snooping globally, perform this task:
This example shows how to enable DHCP snooping globally:
Enabling DHCP Option-82 Data Insertion
To enable DHCP option-82 data insertion, perform this task:
This example shows how to disable DHCP option-82 data insertion:
This example shows how to enable DHCP option-82 data insertion:
Enabling the DHCP Option-82 on Untrusted Port Feature
Note With the DHCP option-82 on untrusted port feature enabled, the router does not drop DHCP packets that include option-82 information that are received on untrusted ports. Do not enter the ip dhcp snooping information option allowed-untrusted command on an aggregation router to which any untrusted devices are connected.
With Release 12.2(18)SXF1 and later releases, to enable untrusted ports to accept DHCP packets that include option-82 information, perform this task:
This example shows how to enable the DHCP option-82 on untrusted port feature:
Enabling DHCP Snooping MAC Address Verification
With DHCP snooping MAC address verification enabled, DHCP snooping verifies that the source MAC address and the client hardware address match in DHCP packets that are received on untrusted ports. The source MAC address is a Layer 2 field associated with the packet, and the client hardware address is a Layer 3 field in the DHCP packet.
To enable DHCP snooping MAC address verification, perform this task:
This example shows how to disable DHCP snooping MAC address verification:
This example shows how to enable DHCP snooping MAC address verification:
Enabling DHCP Snooping on VLANs
By default, the DHCP snooping feature is inactive on all VLANs. You may enable the feature on a single VLAN or a range of VLANs.
When enabled on a VLAN, the DHCP snooping feature creates four entries in the VACL table in the MFC3. These entries cause the PFC3 to intercept all DHCP messages on this VLAN and send them to the MSFC. The DHCP snooping feature is implemented in MSFC software.
To enable DHCP snooping on VLANs, perform this task:
Router(config)# ip dhcp snooping vlan {{ vlan_ID [ vlan_ID ]} | { vlan_range }
You can configure DHCP snooping for a single VLAN or a range of VLANs:
- To configure a single VLAN, enter a single VLAN number.
- To configure a range of VLANs, enter a beginning and an ending VLAN number or a dash-separated pair of VLAN numbers.
- You can enter a comma-separated list of VLAN numbers and dash-separated pairs of VLAN numbers.
This example shows how to enable DHCP snooping on VLANs 10 through 12:
This example shows another way to enable DHCP snooping on VLANs 10 through 12:
This example shows another way to enable DHCP snooping on VLANs 10 through 12:
This example shows how to enable DHCP snooping on VLANs 10 through 12 and VLAN 15:
This example shows how to verify the configuration:
Configuring the DHCP Trust State on Layer 2 LAN Interfaces
To configure DHCP trust state on a Layer 2 LAN interface, perform this task:
Router(config)# interface { type slot/port | port-channel number }
Selects the interface to configure. Here type is ethernet, fastethernet, gigabitethernet, or tengigabitethernet.
Note Select only LAN ports configured with the switchport command or Layer 2 port-channel interfaces.
This example shows how to configure Fast Ethernet port 5/12 as trusted:
This example shows how to configure Fast Ethernet port 5/12 as untrusted:
Configuring DHCP Snooping Rate Limiting on Layer 2 LAN Interfaces
To configure DHCP snooping rate limiting on a Layer 2 LAN interface, perform this task:
Router(config)# interface { type slot/port | port-channel number }
Selects the interface to configure. Here type is ethernet, fastethernet, gigabitethernet, or tengigabitethernet.
Note Select only LAN ports configured with the switchport command or Layer 2 port-channel interfaces.
When configuring DHCP snooping rate limiting on a Layer 2 LAN interface, note the following information:
- We recommend an untrusted rate limit of not more than 100 packets per second (pps).
- If you configure rate limiting for trusted interfaces, you might need to increase the rate limit on trunk ports carrying more than one VLAN on which DHCP snooping is enabled.
- DHCP snooping puts ports where the rate limit is exceeded into the error-disabled state.
This example shows how to configure DHCP packet rate limiting to 100 pps on Fast Ethernet port 5/12:
Configuring the DHCP Snooping Database Agent
To configure the DHCP snooping database agent, perform one or more of the following tasks:
When configuring the DHCP snooping database agent, note the following information:
- With releases earlier than Release 12.2(18)SXF5, the DHCP snooping database stores a maximum of 512 bindings. If the database attempts to add more than 512 DHCP bindings, all bindings are removed from the database.
- With Release 12.2(18)SXF5 and later releases, the DHCP snooping database stores at least 8,000 bindings.
- Store the file on a TFTP server to avoid consuming storage space on the router storage devices.
- When a switchover occurs, if the file is stored in a remote location accessible through TFTP, the newly active supervisor engine can use the binding list.
- Network-based URLs (such as TFTP and FTP) require that you create an empty file at the configured URL before the router can write the set of bindings for the first time.
Configuration Examples for the Database Agent
Example 1: Enabling the Database Agent
The following example shows how to configure the DHCP snooping database agent to store the bindings at a given location and to view the configuration and operating state:
The first three lines of output show the configured URL and related timer-configuration values. The next three lines show the operating state and the amount of time left for expiry of write delay and abort timers.
Among the statistics shown in the output, startup failures indicate the number of attempts to read or create the file that failed on bootup.
Note Create a temporary file on the TFTP server with the touch command in the TFTP server daemon directory. With some UNIX implementations, the file should have full read and write access permissions (777).
DHCP snooping bindings are keyed on the MAC address and VLAN combination. If an entry in the remote file has an entry for a given MAC address and VLAN set for which the router already has a binding, the entry from the remote file is ignored when the file is read. This condition is referred to as the binding collision.
An entry in a file may no longer be valid because the lease indicated by the entry may have expired by the time it is read. The expired leases counter indicates the number of bindings that are ignored because of this condition. The Invalid interfaces counter refers to the number of bindings that have been ignored because, when the read happened, the interface referred to by the entry either did not exist on the system or was a router or DHCP snooping trusted interface. Unsupported VLANs refers to the number of entries that have been ignored because the indicated VLAN is not supported on the system. The Parse failures counter provides the number of entries that have been ignored because the router was unable to interpret the meaning of the entries from the file.
The router maintains two sets of counters for these ignored bindings. One provides the counters for a read that has at least one binding ignored by at least one of these conditions. These counters are shown as the “Last ignored bindings counters.” The total ignored bindings counters provides a sum of the number of bindings that have been ignored because of all the reads since the router bootup. These two sets of counters are cleared by the clear command. The total counter set may indicate the number of bindings that have been ignored since the last clear.
Example 2: Reading Binding Entries from a TFTP File
To manually read the entries from a TFTP file, perform this task:
This is an example of how to manually read entries from the tftp://10.1.1.1/directory/file:
Example 3: Adding Information to the DHCP Snooping Database
To manually add a binding to the DHCP snooping database, perform the following task:
This example shows how to manually add a binding to the DHCP snooping database:
Displaying a Binding Table
The DHCP snooping binding table for each router contains binding entries that correspond to untrusted ports. The table does not contain information about hosts interconnected with a trusted port because each interconnected router will have its own DHCP snooping binding table.
This example shows how to display the DHCP snooping binding information for a router:
Table 44-2 describes the fields in the show ip dhcp snooping binding command output.
Binding type: dynamic binding learned by DHCP snooping or statically-configured binding