Hà Nội: NTT03, Line 1, Thống Nhất Complex, 82 Nguyễn Tuân, Thanh Xuân, Hà Nội. ● HCM: Số 31B, Đường 1, Phường An Phú, Quận 2 (Thủ Đức), TP HCM. ===> Đơn Vị Hàng Đầu Trong Lĩnh Vực Cung Cấp Thiết Bị Security - Network - Wifi - CCTV - Conference - Máy chủ Server - Lưu trữ Storge.
Danh mục sản phẩm

Configure DHCP Snooping Basic Functions

The DHCP Snooping basic functions include enabling the DHCP Snooping function, configuring the port trust status and limiting the rate of the DHCP packets.

Configuration Condition

None

Configure DHCP Snooping Function

After enabling the DHCP Snooping function, monitor the DHCP packets received by all the ports of the device:

  1. For the received request packet, generate the corresponding bound entry according to the information in the packet
  2. For the response packet received from the trust packet, update the status and lease time of the bound entry
  3. For the response packet received from the un-trust port, directly drop it

Table 7-2 Configure the DHCP Snooping function

Step

Command

Description

Enter global configuration mode

configure terminal

-

Enable the DHCP Snooping function

dhcp-snooping

Mandatory

By default, DHCP Snooping function is disabled.

Configure Port Trust Status

To prevent the DHCP client from getting the address from the invalid DHCP server, we can configure the port directly or in-directly connected to the valid server as the trust port.

After the port is configured as the trust port, permit the normal forwarding of the DHCP response packet. Otherwise, drop the DHCP response packet.

Table 7-3 Configure the port trust status

Step

Command

Description

Enter global configuration mode

configure terminal

-

Enter the L2 Ethernet interface configuration mode

interface interface-name

Either

After entering the L2 Ethernet interface configuration mode, the subsequent configuration just takes effect on the current port. After entering the aggregation group configuration mode, the subsequent configuration just takes effect on the aggregation group.

Enter the aggregation group configuration mode

interface link-aggregation link-aggregation-id

Configure the port trust status

dhcp-snooping trust

Mandatory

By default, all ports are un-trust port.

note


  • The port connected to the DHCP server needs to be configured as the trust port. Otherwise, the DHCP client cannot get the address.
  • After the port is configured as the trust port, do not limit the rate of the DHCP packets passing the port.
  • After changing the port status from the trust port to the un-trust port, the upper threshold of the port rate is the default 40.

Configure DHCP Snooping Rate Limitation

Configuring the DHCP Snooping rate limitation function can limit the number of the DHCP packets processed every second, avoiding that other protocol packets cannot be processed in time because the system processes the DHCP packets for a long time.

When the number of the DHCP packets received within one second exceeds the rate limitation, the subsequent DHCP packets are dropped. If the DHCP packets received by the port for successive 20s exceed the rate limitation, disable the port to isolate the packet impact source.

Table 7-4 Configure the DHCP Snooping rate limitation function

Step

Command

Description

Enter global configuration mode

configure terminal

-

Enter the L2 Ethernet interface configuration mode

interface interface-name

Either

After entering the L2 Ethernet interface configuration mode, the subsequent configuration just takes effect on the current port. After entering the aggregation group configuration mode, the subsequent configuration just takes effect on the aggregation group.

Enter the aggregation group configuration mode

interface link-aggregation link-aggregation-id

Configure the DHCP Snooping rate limitation function

dhcp-snooping rate-limit limit-value

Mandatory

By default, the upper rate threshold of the DHCP packets is 40pps.

note


  • After configuring the rate threshold of the DHCP packets in the aggregation group configuration mode, the DHCP packet rate threshold of each member port of the aggregation group is the value.
  • The DHCP packet rate limitation function just takes effect for the un-trust port and does not take effect for the trust port.
  • After the port is disabled automatically, we can configure Error-Disable to enable the port automatically. By default, the auto disabling function of the port is enabled; if the DHCP packets received by the port for successive 20s exceed the rate limitation, but cannot disable the port automatically, we need to view the configuration of Error-Disable. For the Error-Disable function, refer to the Error-Disable chapter of the configuration manual.