Catalyst Supervisor Engine 32 PISA IOS Software Configuration Guide, 12.2ZY

Configuring DHCP Snooping

This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping on Catalyst 6500 series switches.

This chapter consists of the following major sections:

•Overview of DHCP Snooping

•Default Configuration for DHCP Snooping

•Configuring DHCP Snooping

Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst Supervisor Engine 32 PISA Cisco IOS Command Reference, Release 12.2ZY, at this URL:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2ZY/command/reference/cmdref.html

Overview of DHCP Snooping

DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database (also referred to as a DHCP snooping binding table).

DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You can use DHCP snooping to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch.

Note For DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted interfaces, as untrusted DHCP messages will be forwarded only to trusted interfaces.

An untrusted message is a message that is received from outside the network or firewall. When you use DHCP snooping in a service-provider environment, an untrusted message is sent from a device that is not in the service-provider network, such as a customer's switch. Messages from unknown devices are untrusted because they can be sources of traffic attacks.

The DHCP snooping binding database contains the MAC address, the IP address, the lease time, the binding type, the VLAN number, and the interface information that corresponds to the local untrusted interfaces of a switch. The database does not contain information regarding hosts interconnected with a trusted interface.

In a service-provider network, a trusted interface is connected to a port on a device in the same network. An untrusted interface is connected to an untrusted interface in the network or to an interface on a device that is not in the network.

When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which DHCP snooping is enabled, the switch compares the source MAC address and the DHCP client hardware address. If addresses match (the default), the switch forwards the packet. If the addresses do not match, the switch drops the packet.

The switch drops DHCP packets when any of these situations occur:

•The switch receives a packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, from outside the network or firewall.

•The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match.

•The switch receives a DHCPRELEASE or DHCPDECLINE message that contains a MAC address in the DHCP snooping binding table, but the interface information in the binding table does not match the interface on which the message was received.

•The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0.

To support trusted edge switches that are connected to untrusted aggregation-switch ports, you can enable the DHCP option 82 on untrusted port feature, which enables untrusted aggregation-switch ports to accept DHCP packets that include option-82 information. Configure the port on the edge switch that connects to the aggregation switch as a trusted port.

Note With the DHCP option 82 on untrusted port feature enabled, use dynamic ARP inspection on the aggregation switch to protect untrusted input interfaces.

DHCP Snooping Option-82 Data Insertion

In residential, metropolitan Ethernet-access environments, DHCP can centrally manage the IP address assignments for a large number of subscribers. When the DHCP snooping option-82 feature is enabled on the switch, a subscriber device is identified by the switch port through which it connects to the network (in addition to its MAC address). Multiple hosts on the subscriber LAN can be connected to the same port on the access switch and are uniquely identified.

Figure 34-1 is an example of a metropolitan Ethernet network in which a centralized DHCP server assigns IP addresses to subscribers connected to the switch at the access layer. Because the DHCP clients and their associated DHCP server do not reside on the same IP network or subnet, a DHCP relay agent is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server.

Figure 34-1 DHCP Relay Agent in a Metropolitan Ethernet Network

When you enable the DHCP snooping information option 82 on the switch, this sequence of events occurs:

•The host (DHCP client) generates a DHCP request and broadcasts it on the network.

•When the switch receives the DHCP request, it adds the option-82 information in the packet. The option-82 information contains the switch MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (the circuit ID suboption).

•If the IP address of the relay agent is configured, the switch adds the IP address in the DHCP packet.

•The switch forwards the DHCP request that includes the option-82 field to the DHCP server.

•The DHCP server receives the packet. If the server is option-82 capable, it can use the remote ID, or the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. The DHCP server then echoes the option-82 field in the DHCP reply.

•The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch. When the client and server are on the same subnet, the server broadcasts the reply. The switch verifies that it originally inserted the option-82 data by inspecting the remote ID and possibly the circuit ID fields. The switch removes the option-82 field and forwards the packet to the switch port that connects to the DHCP client that sent the DHCP request.

When the previously described sequence of events occurs, the values in these fields in Figure 34-2 do not change:

•Circuit ID suboption fields

–Suboption type

–Length of the suboption type

–Circuit ID type

–Length of the circuit ID type

•Remote ID suboption fields

–Suboption type

–Length of the suboption type

–Remote ID type

–Length of the circuit ID type

Figure 34-2 shows the packet formats for the remote ID suboption and the circuit ID suboption. The switch uses the packet formats when DHCP snooping is globally enabled and when the ip dhcp snooping information option global configuration command is entered. For the circuit ID suboption, the module field is the slot number of the module.

Figure 34-2 Suboption Packet Formats

Overview of the DHCP Snooping Database Agent

To retain the bindings across reloads, you must use the DHCP snooping database agent. Without this agent, the bindings established by DHCP snooping are lost upon reload, and connectivity is lost as well.

The database agent stores the bindings in a file at a configured location. Upon reload, the switch reads the file to build the database for the bindings. The switch keeps the file current by writing to the file as the database changes.

The format of the file that contains the bindings is as follows:

<initial-checksum>

TYPE DHCP-SNOOPING

VERSION 1

BEGIN

<entry-1> <checksum-1>

<entry-2> <checksum-1-2>

...

...

<entry-n> <checksum-1-2-..-n>

END

Each entry in the file is tagged with a checksum that is used to validate the entries whenever the file is read. The <initial-checksum> entry on the first line helps distinguish entries associated with the latest write from entries that are associated with a previous write.

This is a sample bindings file:

3ebe1518

TYPE DHCP-SNOOPING

VERSION 1

BEGIN

1.1.1.1 512 0001.0001.0005 3EBE2881 Gi1/1                                e5e1e733

1.1.1.1 512 0001.0001.0002 3EBE2881 Gi1/1                                4b3486ec

1.1.1.1 1536 0001.0001.0004 3EBE2881 Gi1/1                               f0e02872

1.1.1.1 1024 0001.0001.0003 3EBE2881 Gi1/1                               ac41adf9

1.1.1.1 1 0001.0001.0001 3EBE2881 Gi1/1                                  34b3273e

END

Each entry holds an IP address, VLAN, MAC address, lease time (in hex), and the interface associated with a binding. At the end of each entry is a checksum that is based on all the bytes from the start of the file through all the bytes associated with the entry. Each entry consists of 72 bytes of data, followed by a space, followed by a checksum.

Upon bootup, when the calculated checksum equals the stored checksum, the switch reads entries from the file and adds the bindings to the DHCP snooping database. If the calculated checksum does not equal the stored checksum, the entry read from the file is ignored and so are all the entries following the failed entry. The switch also ignores all those entries from the file whose lease time has expired. (This is possible because the lease time might indicate an expired time.) An entry from the file is also ignored if the interface referred to in the entry no longer exists on the system, or if it is a router port or a DHCP snooping-trusted interface.

When the switch learns of new bindings or when it loses some bindings, the switch writes the modified set of entries from the snooping database to the file. The writes are performed with a configurable delay to batch as many changes as possible before the actual write happens. Associated with each transfer is a timeout after which a transfer is aborted if it is not completed. These timers are referred to as the write delay and abort timeout.

Default Configuration for DHCP Snooping

Table 34-1 shows all the default configuration values for each DHCP snooping option.

DHCP Snooping Configuration Guidelines and Restrictions

When configuring DHCP snooping, follow these guidelines and restrictions:

•Before globally enabling DHCP snooping on the switch, make sure that the devices acting as the DHCP server and the DHCP relay agent are configured and enabled.

•For DHCP server configuration information, refer to "Configuring DHCP" in the Cisco IOS IP and IP Routing Configuration Guide at:

http://www.cisco.com/en/US/docs/ios/12_2/ip/configuration/guide/1cfdhcp.html

•A maximum of 512 bindings are allowed in the DHCP snooping database. If you configure more than 512 DHCP bindings, all bindings will be removed.

•When DHCP snooping is enabled, these Cisco IOS DHCP commands are not available on the switch:

–ip dhcp relay information check global configuration command

–ip dhcp relay information policy global configuration command

–ip dhcp relay information trust-all global configuration command

–ip dhcp relay information option global configuration command

–ip dhcp relay information trusted interface configuration command

If you enter these commands, the switch returns an error message, and the configuration is not applied.

•To use any DHCP snooping features, you must globally enable DHCP snooping on the switch.

•DHCP snooping is not active until DHCP snooping is enabled on a VLAN.

•If a Layer 2 LAN port is connected to a DHCP server, configure the port as trusted by entering the ip dhcp snooping trust interface configuration command.

•If a Layer 2 LAN port is connected to a DHCP client, configure the port as untrusted by entering the no ip dhcp snooping trust interface configuration command.

•You can enable DHCP snooping on private VLANs:

–If DHCP snooping is enabled, any primary VLAN configuration is propagated to its associated secondary VLANs.

–If DHCP snooping is configured on the primary VLAN and you configure DHCP snooping with different settings on an associated secondary VLAN, the configuration on the secondary VLAN does not take effect.

–If DHCP snooping is not configured on the primary VLAN and you configure DHCP snooping on a secondary VLAN, the configuration takes affect only on the secondary VLAN.

–When you manually configure DHCP snooping on a secondary VLAN, this message appears:

DHCP Snooping configuration may not take effect on secondary vlan XXX 

–The show ip dhcp snooping command displays all VLANs (both primary and secondary) that have DHCP snooping enabled.

Configuring DHCP Snooping

These sections describe how to configure DHCP snooping:

•Enabling DHCP Snooping Globally

•Enabling DHCP Option-82 Data Insertion

•Enabling the DHCP Option 82 on Untrusted Port Feature

•Enabling DHCP Snooping MAC Address Verification

•Enabling DHCP Snooping on VLANs

•Configuring the DHCP Trust State on Layer 2 LAN Interfaces

•Configuring DHCP Snooping Rate Limiting on Layer 2 LAN Interfaces

•Configuring the DHCP Snooping Database Agent

•Configuration Examples for the Database Agent

•Displaying a Binding Table

Enabling DHCP Snooping Globally

Note Enable this feature during a maintenance window, because after you enable DHCP snooping globally, the switch drops DHCP requests until you configure the ports.

To enable DHCP snooping globally, perform this task:

This example shows how to enable DHCP snooping globally:

Router# configure terminal 

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)# ip dhcp snooping 

Router(config)# do show ip dhcp snooping | include Switch 

Switch DHCP snooping is enabled

Router(config)#

Note When DHCP snooping is disabled and DAI is enabled, the switch shuts down all the hosts because all ARP entries in the ARP table will be checked against a nonexistent DHCP database. When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny ARP packets.

Enabling DHCP Option-82 Data Insertion

To enable DHCP option-82 data insertion, perform this task:

This example shows how to disable DHCP option-82 data insertion:

Router# configure terminal 

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)# no ip dhcp snooping information option 

Router(config)# do show ip dhcp snooping | include 82 

Insertion of option 82 is disabled

Router#(config)

This example shows how to enable DHCP option-82 data insertion:

Router# configure terminal 

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)# ip dhcp snooping information option 

Router(config)# do show ip dhcp snooping | include 82 

Insertion of option 82 is enabled

Router#(config)

Enabling the DHCP Option 82 on Untrusted Port Feature

Note With the DHCP option 82 on untrusted port feature enabled, the switch does not drop DHCP packets that include option-82 information that are received on untrusted ports. Do not enter the ip dhcp snooping information option allowed-untrusted command on an aggregation switch to which any untrusted devices are connected.

To enable untrusted ports to accept DHCP packets that include option-82 information, perform this task:

This example shows how to enable the DHCP option 82 on untrusted port feature:

Router# configure terminal 

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)# ip dhcp snooping information option allow-untrusted 

Router#(config)

Enabling DHCP Snooping MAC Address Verification

With DHCP snooping MAC address verification enabled, DHCP snooping verifies that the source MAC address in DHCP packets that are received on untrusted ports match the client hardware address in the packet.

To enable DHCP snooping MAC address verification, perform this task:

This example shows how to disable DHCP snooping MAC address verification:

Router(config)# no ip dhcp snooping verify mac-address 

Router(config)# do show ip dhcp snooping | include hwaddr 

Verification of hwaddr field is disabled

Router(config)#

This example shows how to enable DHCP snooping MAC address verification:

Router(config)# ip dhcp snooping verify mac-address 

Router(config)# do show ip dhcp snooping | include hwaddr 

Verification of hwaddr field is enabled

Router(config)#

Enabling DHCP Snooping on VLANs

To enable DHCP snooping on VLANs, perform this task:

You can configure DHCP snooping for a single VLAN or a range of VLANs:

•To configure a single VLAN, enter a single VLAN number.

•To configure a range of VLANs, enter a beginning and an ending VLAN number or a dash-separated pair of VLAN numbers.

•You can enter a comma-separated list of VLAN numbers and dash-separated pairs of VLAN numbers.

This example shows how to enable DHCP snooping on VLANs 10 through 12:

Router# configure terminal 

Router(config)# ip dhcp snooping vlan 10 12 

Router(config)# 

This example shows another way to enable DHCP snooping on VLANs 10 through 12:

Router# configure terminal 

Router(config)# ip dhcp snooping vlan 10-12 

This example shows another way to enable DHCP snooping on VLANs 10 through 12:

Router# configure terminal 

Router(config)# ip dhcp snooping vlan 10,11,12 

This example shows how to enable DHCP snooping on VLANs 10 through 12 and VLAN 15:

Router# configure terminal 

Router(config)# ip dhcp snooping vlan 10-12,15 

This example shows how to verify the configuration:

Router(config)# do show ip dhcp snooping 

Switch DHCP snooping is enabled

DHCP snooping is configured on following VLANs:

10-12,15

DHCP snooping is operational on following VLANs:

none

DHCP snooping is configured on the following Interfaces:

Insertion of option 82 is enabled

Verification of hwaddr field is enabled

Interface                    Trusted     Rate limit (pps)

------------------------     -------     ----------------

Router# 

Configuring the DHCP Trust State on Layer 2 LAN Interfaces

To configure DHCP trust state on a Layer 2 LAN interface, perform this task:

This example shows how to configure Fast Ethernet port 5/12 as trusted:

Router# configure terminal 

Router(config)# interface FastEthernet 5/12 

Router(config-if)# ip dhcp snooping trust 

Router(config-if)# do show ip dhcp snooping | begin pps 

Interface                    Trusted     Rate limit (pps)

------------------------     -------     ----------------

FastEthernet5/12             yes         unlimited

Router# 

This example shows how to configure Fast Ethernet port 5/12 as untrusted:

Router# configure terminal 

Router(config)# interface FastEthernet 5/12 

Router(config-if)# no ip dhcp snooping trust 

Router(config-if)# do show ip dhcp snooping | begin pps 

Interface                    Trusted     Rate limit (pps)

------------------------     -------     ----------------

FastEthernet5/12             no          unlimited

Router# 

Configuring DHCP Snooping Rate Limiting on Layer 2 LAN Interfaces

To configure DHCP snooping rate limiting on a Layer 2 LAN interface, perform this task:

When configuring DHCP snooping rate limiting on a Layer 2 LAN interface, note the following information:

•We recommend an untrusted rate limit of not more than 100 packets per second (pps).

•If you configure rate limiting for trusted interfaces, you might need to increase the rate limit on trunk ports carrying more than one VLAN on which DHCP snooping is enabled.

•DHCP snooping puts ports where the rate limit is exceeded into the error-disabled state.

This example shows how to configure DHCP packet rate limiting to 100 pps on Fast Ethernet port 5/12:

Router# configure terminal 

Router(config)# interface FastEthernet 5/12 

Router(config-if)# ip dhcp snooping limit rate 100 

Router(config-if)# do show ip dhcp snooping | begin pps 

Interface                    Trusted     Rate limit (pps)

------------------------     -------     ----------------

FastEthernet5/12             no          100 

Router# 

Configuring the DHCP Snooping Database Agent

To configure the DHCP snooping database agent, perform one or more of the following tasks:

Router(config)# ip dhcp snooping database { url | 
write-delay seconds | timeout seconds } 

Router# show ip dhcp snooping database [detail] 

Router# clear ip dhcp snooping database statistics 

Router# renew ip dhcp snooping database [validation 
none] [url] 

Router# ip dhcp snooping binding mac_address vlan 
vlan_ID ip_address interface ifname expiry 
lease_in_seconds 

When configuring the DHCP snooping database agent, note the following information:

•Store the file on a TFTP server to avoid consuming storage space on the switch storage devices.

•When a switchover occurs, if the file is stored in a remote location accessible through TFTP, the newly active supervisor engine can use the binding list.

•Network-based URLs (such as TFTP and FTP) require that you create an empty file at the configured URL before the switch can write the set of bindings for the first time.

Configuration Examples for the Database Agent

These sections provide examples for the database agent:

•Example 1: Enabling the Database Agent

•Example 2: Reading Binding Entries from a TFTP File

•Example 3: Adding Information to the DHCP Snooping Database

Example 1: Enabling the Database Agent

The following example shows how to configure the DHCP snooping database agent to store the bindings at a given location and to view the configuration and operating state:

Router# configure terminal 

Router(config)# ip dhcp snooping database tftp://10.1.1.1/directory/file 

Router(config)# end 

Router# show ip dhcp snooping database detail 

Agent URL : tftp://10.1.1.1/directory/file

Write delay Timer : 300 seconds

Abort Timer : 300 seconds

Agent Running : No

Delay Timer Expiry : 7 (00:00:07)

Abort Timer Expiry : Not Running

Last Succeded Time : None

Last Failed Time : 17:14:25 UTC Sat Jul 7 2001

Last Failed Reason : Unable to access URL.

Total Attempts       :       21   Startup Failures :        0

Successful Transfers :        0   Failed Transfers :       21

Successful Reads     :        0   Failed Reads     :        0

Successful Writes    :        0   Failed Writes    :       21

Media Failures       :        0

First successful access: Read

Last ignored bindings counters :

Binding Collisions    :        0   Expired leases    :        0

Invalid interfaces    :        0   Unsupported vlans :        0

Parse failures        :        0

Last Ignored Time : None

Total ignored bindings counters:

Binding Collisions    :        0   Expired leases    :        0

Invalid interfaces    :        0   Unsupported vlans :        0

Parse failures        :        0

Router#

The first three lines of output show the configured URL and related timer-configuration values. The next three lines show the operating state and the amount of time left for expiry of write delay and abort timers.

Among the statistics shown in the output, startup failures indicate the number of attempts to read or create the file failed upon bootup.

Note Create a temporary file on the TFTP server with the touch command in the TFTP server daemon directory. With some UNIX implementations, the file should have full read and write access permissions (777).

DHCP snooping bindings are keyed on the MAC address and VLAN combination. If an entry in the remote file has an entry for a given MAC address and VLAN set for which the switch already has a binding, the entry from the remote file is ignored when the file is read. This condition is referred to as the binding collision.

An entry in a file may no longer be valid because the lease indicated by the entry may have expired by the time it is read. The expired leases counter indicates the number of bindings that are ignored because of this condition. The Invalid interfaces counter refers to the number of bindings that have been ignored when the interface referred by the entry either does not exist on the system or is a router or DHCP snooping trusted interface (if it exists) when the read happened. Unsupported VLANs refers to the number of entries that have been ignored because the indicated VLAN is not supported on the system. The Parse failures counter provides the number of entries that have been ignored when the switch is unable to interpret the meaning of the entries from the file.

The switch maintains two sets of counters for these ignored bindings. One provides the counters for a read that has at least one binding ignored by at least one of these conditions. These counters are shown as the "Last ignored bindings counters." The total ignored bindings counters provides a sum of the number of bindings that have been ignored because of all the reads since the switch bootup. These two set of counters are cleared by the clear command. Therefore, the total counter set may indicate the number of bindings that have been ignored since the last clear.

Example 2: Reading Binding Entries from a TFTP File

To manually read the entries from a TFTP file, perform this task:

Router# show ip dhcp snooping database 

Router# renew ip dhcp snoop data url 

Router# show ip dhcp snoop data 

Router# show ip dhcp snoop bind 

This is an example of how to manually read entries from the tftp://10.1.1.1/directory/file:

Router# show ip dhcp snooping database 

Agent URL : 

Write delay Timer : 300 seconds

Abort Timer : 300 seconds

Agent Running : No

Delay Timer Expiry : Not Running

Abort Timer Expiry : Not Running

Last Succeded Time : None

Last Failed Time : None

Last Failed Reason : No failure recorded.

Total Attempts       :        0   Startup Failures :        0

Successful Transfers :        0   Failed Transfers :        0

Successful Reads     :        0   Failed Reads     :        0

Successful Writes    :        0   Failed Writes    :        0

Media Failures       :        0

Router# renew ip dhcp snoop data tftp://10.1.1.1/directory/file 

Loading directory/file from 10.1.1.1 (via GigabitEthernet1/1): !

[OK - 457 bytes]

Database downloaded successfully.

Router#

00:01:29: %DHCP_SNOOPING-6-AGENT_OPERATION_SUCCEEDED: DHCP snooping database Read 
succeeded.

Router# show ip dhcp snoop data 

Agent URL : 

Write delay Timer : 300 seconds

Abort Timer : 300 seconds

Agent Running : No

Delay Timer Expiry : Not Running

Abort Timer Expiry : Not Running

Last Succeded Time : 15:24:34 UTC Sun Jul 8 2001

Last Failed Time : None

Last Failed Reason : No failure recorded.

Total Attempts       :        1   Startup Failures :        0

Successful Transfers :        1   Failed Transfers :        0

Successful Reads     :        1   Failed Reads     :        0

Successful Writes    :        0   Failed Writes    :        0

Media Failures       :        0

Router#

Router# show ip dhcp snoop bind 

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface

------------------  ---------------  ----------  -------------  ----  --------------------

00:01:00:01:00:05   1.1.1.1          49810       dhcp-snooping  512   GigabitEthernet1/1

00:01:00:01:00:02   1.1.1.1          49810       dhcp-snooping  512   GigabitEthernet1/1

00:01:00:01:00:04   1.1.1.1          49810       dhcp-snooping  1536  GigabitEthernet1/1

00:01:00:01:00:03   1.1.1.1          49810       dhcp-snooping  1024  GigabitEthernet1/1

00:01:00:01:00:01   1.1.1.1          49810       dhcp-snooping  1     GigabitEthernet1/1

Router# clear ip dhcp snoop bind 

Router# show ip dhcp snoop bind   

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface

------------------  ---------------  ----------  -------------  ----  --------------------

Router#

Example 3: Adding Information to the DHCP Snooping Database

To manually add a binding to the DHCP snooping database, perform the following task:

Router# show ip dhcp snooping binding 

Router# ip dhcp snooping binding binding_id vlan 
vlan_id interface interface expiry lease_time 

Router# show ip dhcp snooping binding 

This example shows how to manually add a binding to the DHCP snooping database:

Router# show ip dhcp snooping binding 

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface

------------------  ---------------  ----------  -------------  ----  --------------------

Router#

Router# ip dhcp snooping binding 1.1.1 vlan 1 1.1.1.1 interface gi1/1 expiry 1000 

Router# show ip dhcp snooping binding 

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface

------------------  ---------------  ----------  -------------  ----  --------------------

00:01:00:01:00:01   1.1.1.1          992         dhcp-snooping  1     GigabitEthernet1/1

Router#

Displaying a Binding Table

The DHCP snooping binding table for each switch contains binding entries that correspond to untrusted ports. The table does not contain information about hosts interconnected with a trusted port because each interconnected switch will have its own DHCP snooping binding table.

This example shows how to display the DHCP snooping binding information for a switch:

Router# show ip dhcp snooping binding 

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface

------------------  ---------------  ----------  -------------  ----  --------------------

00:02:B3:3F:3B:99   55.5.5.2         6943        dhcp-snooping  10    FastEthernet6/10

Table 34-2 describes the fields in the show ip dhcp snooping binding command output.