Chapter 9 | General Security Measures
DHCPv4 Snooping
Default Setting
16
Command Mode
Interface Configuration (Ethernet, Port Channel)
Example
This example sets the maximum number of DHCP clients supported on port 1 to 2.
Console(config)#interface ethernet 1/1
Console(config-if)#ip dhcp snooping max-number 2
Console(config-if)#
ip dhcp snooping trust
This command configures the specified interface as trusted. Use the no form
to restore the default setting.
Syntax
[no] ip dhcp snooping trust
Default Setting
All interfaces are untrusted
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
◆ A trusted interface is an interface that is configured to receive only
messages from within the network. An untrusted interface is an interface
that is configured to receive messages from outside the network or firewall.
◆ Set all ports connected to DHCP servers within the local network or
firewall to trusted, and all other ports outside the local network or firewall to
untrusted.
◆ When DHCP snooping is enabled globally using the
command, and enabled on a VLAN with
DHCP packet filtering will be performed on any untrusted ports within the
VLAN according to the default status, or as specifically configured for an
interface with the no ip dhcp snooping trust command.
◆ When an untrusted port is changed to a trusted port, all the dynamic
DHCP snooping bindings associated with this port are removed.
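The trust rule above (only ports facing DHCP servers are trusted, everything else stays untrusted) can be checked against a saved configuration. The following is an added example, not taken from this manual: the sample configuration is constructed, its stanza layout with "!" separators is an assumption, and parse_snooping and audit_trust are hypothetical helper names.

```python
import re

DEFAULT_MAX_CLIENTS = 16  # "ip dhcp snooping max-number" default given on this page
# Constructed sample; the running-config layout ("!" separators) is an assumption.
SAMPLE_CONFIG = """\
interface ethernet 1/1
 ip dhcp snooping max-number 2
!
interface ethernet 1/2
 ip dhcp snooping trust
!
interface ethernet 1/3
 ip dhcp snooping trust
 no ip dhcp snooping trust
!
interface ethernet 1/24
 ip dhcp snooping trust
"""

def parse_snooping(config):
    """Return {interface: {"trusted", "max_clients"}}; default is untrusted, 16 clients."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"interface\s+(.+)", line)
        if m:
            current = " ".join(m.group(1).split())
            ports[current] = {"trusted": False, "max_clients": DEFAULT_MAX_CLIENTS}
        elif current is None:
            continue
        elif line == "ip dhcp snooping trust":
            ports[current]["trusted"] = True
        elif line == "no ip dhcp snooping trust":
            ports[current]["trusted"] = False
        elif (m := re.fullmatch(r"ip dhcp snooping max-number (\d+)", line)):
            ports[current]["max_clients"] = int(m.group(1))
    return ports

def audit_trust(config, server_ports):
    """Compare trusted ports with the ports known to face DHCP servers."""
    ports = parse_snooping(config)
    trusted = {name for name, p in ports.items() if p["trusted"]}
    return {
        "unexpected_trust": sorted(trusted - set(server_ports)),
        "missing_trust": sorted(set(server_ports) - trusted),
    }

if __name__ == "__main__":
    print(audit_trust(SAMPLE_CONFIG, {"ethernet 1/24"}))
```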