OL-11615-01
Additionally, in Cisco IOS, DHCP snooping implements a software-based rate-limiting function that
controls the number of DHCP packets a port can receive. This rate-limiting function is disabled by
default but can be enabled by configuration. DHCP snooping puts a port on which the rate limit is exceeded
into the error-disabled (err-disabled) state, where it stays until an administrator bounces it with shutdown
and no shutdown, or until err-disable recovery for the dhcp-rate-limit cause brings it back. Cisco recommends
not configuring the rate limit to more than 100 packets per second on an untrusted port. The recommended
rate limit for each untrusted client is 15 packets per second.
Note Normally, the rate limit applies to untrusted ports. If you want to set up rate limiting for trusted ports,
keep in mind that trusted ports aggregate all DHCP traffic in the switch, so the limit on them must be set
to a considerably higher value or legitimate DHCP traffic will err-disable the uplink. Fine-tune this threshold
to the network configuration. The CPU should not receive DHCP packets at a sustained rate of more than
1,000 packets per second.
The configuration of DHCP snooping in Cisco IOS for the Catalyst 6500 and 4500 Series switches is
identical, with the exception of DHCP Option-82 and MAC address verification.
Catalyst 6500 Series switches have the capacity to insert Option-82 information as DHCP packets are
received. This is especially useful when the switch is deployed at the access-level network, such as a
wiring closet. Catalyst 4500 Series switches are typically used as aggregation switches. With that in
mind, Catalyst 4500 Series switches do not insert Option-82 information, but they can be configured to
accept DHCP requests with Option-82 information inserted by downstream switches.
MAC address verification is available on the Catalyst 6500 but not on the Catalyst 4500. When
enabled, DHCP snooping verifies that the source MAC address of a DHCP packet received on an
untrusted port matches the client hardware address (chaddr) carried in the DHCP payload, and drops the
packet if it does not.
Note We recommend enabling DHCP snooping during a maintenance window. Once DHCP snooping is
enabled on a VLAN, every port on that VLAN is untrusted until configured otherwise, so DHCP server replies
arriving on the not-yet-trusted server or uplink ports are dropped and clients cannot obtain leases until
the trusted ports are configured.
To enable DHCP snooping on a Catalyst 6500 or 4500 Series switch running Cisco IOS, perform the
following steps:
Step 1 Enable DHCP snooping globally using the ip dhcp snooping command:
Router(config)# ip dhcp snooping
Step 2 Enable DHCP snooping on the necessary VLANs using the ip dhcp snooping vlan command:
Router(config)# ip dhcp snooping vlan {{vlan_ID [vlan_ID]} | {vlan_range}}
Step 3 Set the interfaces connecting to DHCP servers and relay agents as trusted using the ip dhcp snooping
trust interface command:
Router(config)# interface {type slot/port | port-channel number}
Router(config-if)# ip dhcp snooping trust
Step 4 Optionally, configure DHCP snooping rate limiting on a Layer 2 LAN interface using the ip dhcp
snooping limit rate interface command (rate is in packets per second; use the thresholds given above):
Router(config)# interface {type slot/port | port-channel number}
Router(config-if)# ip dhcp snooping limit rate rate
Step 5 Optionally, on the Catalyst 6500, enable DHCP snooping MAC address verification using the ip dhcp
snooping verify mac-address command:
Router(config)# ip dhcp snooping verify mac-address
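As an added example that is not part of this guide, the following configuration carries Steps 1 through 5 through on a single Catalyst 6500 access switch and shows where the rate-limit thresholds above apply. Interface names, VLAN numbers, the 500 pps uplink value and the recovery interval are assumptions chosen for illustration; the two Option-82 commands in the trailing comment are not named in the guide and are given as the editor's assumption of the IOS syntax.

```ios
! Added example, not from the original Cisco guide. Interface names, VLANs
! and the uplink/recovery values are assumptions for illustration.

! Step 1: enable DHCP snooping globally. Do this inside a maintenance window:
! until the trusted port below is configured, server replies on the snooped
! VLANs are dropped and clients cannot obtain leases.
ip dhcp snooping

! Step 2: enable it only on the client VLANs that need protection.
ip dhcp snooping vlan 10,20

! Step 3: trust the uplink that carries traffic to the DHCP server or relay
! agent. Every other port stays untrusted and drops DHCP server messages
! (OFFER, ACK, NAK) arriving on it, which is what blocks a rogue server.
interface gigabitethernet 1/1
 description Uplink to distribution (DHCP relay lives upstream)
 ip dhcp snooping trust
 ! Step 4 on a trusted port: the uplink aggregates DHCP traffic for the whole
 ! switch, so the limit must sit well above the per-client figure and below
 ! the 1,000 pps the CPU should not exceed. Applying the per-client value of
 ! 15 pps here would err-disable the uplink under normal load.
 ip dhcp snooping limit rate 500

! Step 4 on untrusted client ports: 15 pps per client, never above 100 pps.
interface range gigabitethernet 2/1 - 48
 description Wiring-closet access ports
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15

! A port that exceeds its limit is err-disabled and stays down until it is
! bounced with shutdown / no shutdown, or automatic recovery is enabled:
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300

! Step 5 (Catalyst 6500 only): drop DHCP packets on untrusted ports whose
! Ethernet source MAC does not match the chaddr field in the DHCP payload.
ip dhcp snooping verify mac-address

! Option-82 (assumed IOS syntax, not named in the guide): a Catalyst 6500 in
! the access layer inserts the option; a Catalyst 4500 aggregating such
! switches does not insert it but can accept it from downstream on untrusted
! ports:
!   ip dhcp snooping information option                  (6500, insert)
!   ip dhcp snooping information option allow-untrusted  (4500, accept)

! Verification after the change:
!   show ip dhcp snooping                 global/VLAN state, trusted ports, limits
!   show ip dhcp snooping binding         client bindings learned from DHCP
!   show interfaces status err-disabled   ports knocked out by the rate limit
```

The order matters: apply the trust and rate-limit statements to the uplink before, or in the same configuration session as, the global and VLAN enable, otherwise the switch drops server replies on the untrusted uplink for the interval in between.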