Configure DHCP Snooping Basic Functions
The DHCP Snooping basic functions include enabling the DHCP Snooping function, configuring the port trust status and limiting the rate of the DHCP packets.
Configuration Condition
None
Configure DHCP Snooping Function
After the DHCP Snooping function is enabled, the device monitors the DHCP packets received on all of its ports:
- For a received request packet, it generates the corresponding bound entry from the information in the packet.
- For a response packet received on a trust port, it updates the status and lease time of the bound entry.
- For a response packet received on an un-trust port, it drops the packet directly.
Table 7-2 Configure the DHCP Snooping function
Step | Command | Description
Enter global configuration mode | configure terminal | -
Enable the DHCP Snooping function | dhcp-snooping | Mandatory. By default, the DHCP Snooping function is disabled.
Configure Port Trust Status
To prevent the DHCP client from obtaining an address from an invalid DHCP server, configure the port that is directly or indirectly connected to the valid server as the trust port.
After a port is configured as the trust port, DHCP response packets received on it are forwarded normally. DHCP response packets received on any other port are dropped.
Table 7-3 Configure the port trust status
Step | Command | Description
Enter global configuration mode | configure terminal | -
Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port; after entering the aggregation group configuration mode, it takes effect only on the aggregation group.
Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | Either (see above).
Configure the port trust status | dhcp-snooping trust | Mandatory. By default, all ports are un-trust ports.
- The port connected to the DHCP server must be configured as the trust port. Otherwise, the DHCP client cannot obtain an address.
- After a port is configured as the trust port, the rate of the DHCP packets passing through that port is not limited.
- After a port is changed from a trust port back to an un-trust port, its rate upper threshold is the default value of 40.
Configure DHCP Snooping Rate Limitation
The DHCP Snooping rate limitation function limits the number of DHCP packets processed per second, so that other protocol packets are not left unprocessed because the system spends too long handling DHCP packets.
When the number of DHCP packets received within one second exceeds the rate limit, the subsequent DHCP packets in that second are dropped. If the DHCP packets received on a port exceed the rate limit for 20 consecutive seconds, the port is disabled to isolate the source of the packet flood.
Table 7-4 Configure the DHCP Snooping rate limitation function
Step | Command | Description
Enter global configuration mode | configure terminal | -
Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port; after entering the aggregation group configuration mode, it takes effect only on the aggregation group.
Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | Either (see above).
Configure the DHCP Snooping rate limitation function | dhcp-snooping rate-limit limit-value | Mandatory. By default, the upper rate threshold of the DHCP packets is 40 pps.
- After the DHCP packet rate threshold is configured in the aggregation group configuration mode, the DHCP packet rate threshold of each member port of the aggregation group is set to that value.
- The DHCP packet rate limitation function takes effect only on un-trust ports; it does not take effect on trust ports.
- After a port is disabled automatically, Error-Disable can be configured to re-enable the port automatically. By default, the automatic port disabling function is enabled; if the DHCP packets received on a port exceed the rate limit for 20 consecutive seconds but the port is not disabled automatically, check the Error-Disable configuration. For the Error-Disable function, refer to the Error-Disable chapter of the configuration manual.
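As an added illustration that is not part of this manual or the vendor's software, the following Python model reproduces the behaviour described in this section and in "Configure DHCP Snooping Function" above: bound entries generated from request packets, response packets dropped on un-trust ports and updating the entry on trust ports, a per-second rate limit that applies only to un-trust ports, and automatic port disabling after 20 consecutive seconds over the limit. Port names, MAC and IP values are constructed for the example.

```python
from dataclasses import dataclass

DEFAULT_RATE_LIMIT = 40   # pps; the default upper threshold for un-trust ports
ERRDISABLE_SECONDS = 20   # consecutive over-limit seconds before a port is disabled

@dataclass
class Port:
    trust: bool = False
    rate_limit: int = DEFAULT_RATE_LIMIT
    disabled: bool = False
    over_limit_streak: int = 0

class DhcpSnooping:
    def __init__(self) -> None:
        self.ports: dict[str, Port] = {}
        self.bindings: dict[str, dict] = {}   # client MAC -> bound entry
    def add_port(self, name: str, trust: bool = False) -> None:
        self.ports[name] = Port(trust=trust)
    def set_trust(self, name: str, trust: bool) -> None:
        p = self.ports[name]
        p.trust = trust
        if not trust:   # trust -> un-trust returns the threshold to the default 40
            p.rate_limit = DEFAULT_RATE_LIMIT
    def _handle(self, name: str, pkt: dict) -> bool:
        """Apply the binding rules to one packet: True = forwarded, False = dropped."""
        if pkt["type"] == "request":   # request on any port: generate the bound entry
            self.bindings[pkt["mac"]] = {"port": name, "ip": None, "lease": 0, "state": "requesting"}
            return True
        if not self.ports[name].trust:  # response on an un-trust port: drop it
            return False
        entry = self.bindings.get(pkt["mac"])
        if entry is not None:           # response on a trust port: update status and lease
            entry.update(ip=pkt["ip"], lease=pkt["lease"], state="bound")
        return True
    def tick(self, name: str, pkts: list[dict]) -> tuple[int, int]:
        """Process one second of DHCP packets on a port; returns (forwarded, dropped)."""
        p = self.ports[name]
        if p.disabled:
            return 0, len(pkts)
        limit = len(pkts) if p.trust else p.rate_limit   # rate limit applies to un-trust only
        within, excess = pkts[:limit], pkts[limit:]
        if excess:
            p.over_limit_streak += 1
            p.disabled = p.over_limit_streak >= ERRDISABLE_SECONDS  # auto-disable after 20 s
        else:
            p.over_limit_streak = 0
        forwarded = sum(self._handle(name, pkt) for pkt in within)
        return forwarded, len(pkts) - forwarded
```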