OL-11615-01
packet. MAC address verification is available on Catalyst 6500 Series switches and is enabled by default in both Cisco IOS and Catalyst OS. In Catalyst OS this feature is called the MAC-Address Matching option. This feature is not supported on Catalyst 4500.
Catalyst 6500 Series switches have the capacity to insert Option-82 information as DHCP packets are received. Catalyst 4500 Series switches do not insert Option-82 information, but they can be configured to accept DHCP requests with Option-82 information inserted by downstream switches.
Other functional differences between Catalyst 6500 and Catalyst 4500 Series switches are described in the following sections.
Catalyst 6500 DHCP Snooping (Catalyst OS)
DHCP snooping is disabled by default, and in switches running Catalyst OS software it is configured per VLAN. The configuration of DHCP snooping on a VLAN requires the use of a new or an existing VLAN ACL (VACL), to which a special DHCP-snooping access control entry (ACE) is appended. This special DHCP-snooping ACE tells the switch to turn on DHCP snooping for the VLAN to which the VACL is mapped. By default, all ports on the affected VLAN are treated as untrusted. You need to statically configure the ports connecting to DHCP servers or relay agents as trusted.
It is important to note that the VACL used for DHCP snooping is a regular VACL, which affects all traffic entering the associated VLAN. For this reason, you must analyze where to position the DHCP-snooping ACE in the VACL. For example, if you want to deny the DHCP packets that come from a certain host and perform DHCP snooping for the other DHCP packets, then you must place a deny ACE before the DHCP-snooping ACE.
In addition, DHCP snooping on Catalyst 6500 implements a hardware-based rate limiting function that controls the number of DHCP packets to be processed by the supervisor engine. This rate limiting function is set by default to 1000 pps, which is shared with ARP inspection and 802.1X-DHCP, and which can be changed by configuration. DHCP rate limiting is supported on PFC2 and later versions. Refer to The ACL Feature (ARP Inspection, DHCP Snooping, 802.1x), page 82 for more information.
Note In Catalyst 6500 Series switches, DHCP snooping is supported on all supervisors.
To enable DHCP snooping on a Catalyst 6500 Series switch running Catalyst OS, perform the following steps:
Step 1 Add the DHCP-snooping ACE to the VACL using the set security acl ip permit dhcp-snooping command:
Console> (enable) set security acl ip acl_name permit dhcp-snooping
Step 2 Configure the VACL to allow DHCP snooping from all hosts. Use the set security acl ip command:
Console> (enable) set security acl ip acl_name permit ip any any
Step 3 Save the VACL by executing the commit security acl command:
Console> (enable) commit security acl acl_name
Step 4 Apply the VACL to a VLAN using the set security acl map command:
Console> (enable) set security acl map acl_name vlan_id
Step 5 Set ports connecting to DHCP servers and relay agents as trusted using the set port dhcp-snooping trust enable command:
Console> (enable) set port dhcp-snooping mod/ports {trust | source-guard} {enable | disable}
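As an added worked example (constructed for this page, not taken from the Cisco document), the five steps above are combined with the ACE-ordering point from the VACL discussion: a VACL named DHCP_VACL first drops DHCP client requests from one host, then turns on DHCP snooping for the rest of the VLAN, and only the port facing the DHCP server is trusted. The VACL name, the host address 10.1.1.50, VLAN 10 and port 3/1 are assumptions; lines beginning with # are annotations, not commands.

```text
# Constructed example: VACL name, host address, VLAN and port are assumed values.
# Deny ACE first: DHCP requests (UDP to server port 67) from the blocked host
# are dropped before the DHCP-snooping ACE is evaluated.
Console> (enable) set security acl ip DHCP_VACL deny udp host 10.1.1.50 any eq 67
# DHCP-snooping ACE (Step 1): all remaining DHCP packets on the VLAN are snooped.
Console> (enable) set security acl ip DHCP_VACL permit dhcp-snooping
# Step 2: the rest of the IP traffic entering the VLAN is permitted.
Console> (enable) set security acl ip DHCP_VACL permit ip any any
# Step 3: commit the edited VACL to hardware; it is not active until committed.
Console> (enable) commit security acl DHCP_VACL
# Step 4: map the VACL to VLAN 10; every port in VLAN 10 is now untrusted by default.
Console> (enable) set security acl map DHCP_VACL 10
# Step 5: trust only the port connected to the DHCP server (or relay agent).
Console> (enable) set port dhcp-snooping 3/1 trust enable
# Verification: confirm the ACE order and the trust state of the server port.
Console> (enable) show security acl info DHCP_VACL
Console> (enable) show port dhcp-snooping 3/1
```

Because the VACL applies to all traffic entering VLAN 10, check the ACE order with show security acl info before mapping it; a permit ip any any placed ahead of the dhcp-snooping ACE would let DHCP packets through without being snooped.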