11.15. DHCP Snooping Commands
11.15.1. clear dhcp snooping
Command Purpose
Use the clear dhcp snooping Global Config command on the switch to remove learned (dynamic) or manually configured entries from the DHCP snooping binding database, optionally filtered by IP address, MAC address, VLAN or interface, or to reset the DHCP snooping statistics counters.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
clear dhcp snooping ( bindings ( learning | manual ) ( ipv4 IP_ADDR | mac MAC_ADDR | vlan VLAN_ID | interface IFNAME | ) | statistics )
Parameter | Parameter Description | Parameter Value
---|---|---
bindings | Clear entries from the DHCP snooping binding database | -
learning | Clear only dynamically learned entries | -
manual | Clear only manually configured (static) entries | -
IP_ADDR | Clear the binding entry by IP address | IPv4 Address
MAC_ADDR | Clear the binding entry by MAC address | MAC Address
VLAN_ID | Clear the binding entry by VLAN | 1-4094
IFNAME | Clear the binding entry by interface | Support physical and AGG interfaces
statistics | Clear the DHCP snooping statistics counters | -
Command Mode
Global Config
Default
No default is defined.
Usage
Clearing bindings removes the entries that IP source guard and dynamic ARP inspection rely on; a learned entry comes back only when the client next exchanges DHCP messages through the switch. Clearing statistics resets the counters shown by show dhcp snooping statistics to zero.
Examples
This example shows how to clear the DHCP snooping statistics counters:
Switch# configure terminal
Switch(config)# clear dhcp snooping statistics
11.15.2. dhcp snooping
Command Purpose
Use the dhcp snooping Global Config command on the switch to globally enable DHCP snooping. Use the no form of this command to return to the default setting.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
dhcp snooping
no dhcp snooping
Command Mode
Global Config
Default
DHCP snooping is disabled.
Usage
For any DHCP snooping configuration to take effect, you must globally enable DHCP snooping. DHCP snooping is not active until you enable snooping on a VLAN by using the dhcp snooping vlan vlan-id global configuration command.
Examples
This example shows how to enable DHCP snooping:
Switch# configure terminal
Switch(config)# dhcp snooping
You can verify your settings by entering the show dhcp snooping config privileged EXEC command.
Related Commands
dhcp snooping vlan
show dhcp snooping config
11.15.3. dhcp snooping binding
Command Purpose
Use the dhcp snooping binding Global Config command on the switch to configure the DHCP snooping binding database and to add binding entries to the database.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
dhcp snooping binding mac MAC_ADDR vlan VLAN_ID ipv4 IP_ADDR interface IFNAME expiry SECONDS
no dhcp snooping bindings ( ipv4 IP_ADDR | mac MAC_ADDR | vlan VLAN_ID | interface IFNAME | )
Parameter | Parameter Description | Parameter Value
---|---|---
MAC_ADDR | Specify a MAC address | MAC Address
VLAN_ID | Specify a VLAN number | 1-4094
IP_ADDR | Specify an IP address | IPv4 Address
IFNAME | Specify an interface on which to add or delete a binding entry | Support physical and AGG interfaces
expiry SECONDS | Specify the interval (in seconds) after which the binding entry is no longer valid | 0 - 86400
Command Mode
Global Config
Default
No default database is defined.
Usage
Use this command when you are testing or debugging the switch.
In the DHCP snooping binding database, each entry, also referred to as a binding, has an IP address, an associated MAC address, the lease time, the interface to which the binding applies, and the VLAN to which the interface belongs.
Use the show dhcp snooping binding privileged EXEC command to display the configured bindings.
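The following is an added model of the binding database, written for this page and not taken from the switch software. It keeps one entry per (VLAN, MAC) pair (an assumption about how the table is keyed), distinguishes manual from learned entries the way the clear and show commands do, ages entries out by their expiry, and exposes the lookup that IP source guard or dynamic ARP inspection would perform against the table. All MAC addresses, IP addresses and interface names in it are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    vlan: int
    ip: str
    iface: str
    expires_at: float   # absolute time after which the entry is no longer valid
    source: str         # "manual" (dhcp snooping binding) or "learning" (seen in DHCP traffic)


class BindingDB:
    """One entry per (VLAN, MAC); this keying is an assumption made for the example."""

    def __init__(self):
        self._entries = {}

    def add_manual(self, mac, vlan, ip, iface, expiry, now):
        # Same fields as: dhcp snooping binding mac MAC vlan VLAN ipv4 IP interface IF expiry SECONDS
        self._entries[(vlan, mac)] = Binding(mac, vlan, ip, iface, now + expiry, "manual")

    def learn(self, mac, vlan, ip, iface, lease, now):
        # What the switch records when it sees the server's DHCPACK for a client on an untrusted port
        self._entries[(vlan, mac)] = Binding(mac, vlan, ip, iface, now + lease, "learning")

    def expire(self, now):
        """Drop every entry whose expiry has passed."""
        self._entries = {k: b for k, b in self._entries.items() if b.expires_at > now}

    def clear(self, source, ipv4=None, mac=None, vlan=None, interface=None):
        """Same shape as: clear dhcp snooping bindings (learning | manual) [ipv4|mac|vlan|interface]."""
        def hit(b):
            return (b.source == source
                    and (ipv4 is None or b.ip == ipv4)
                    and (mac is None or b.mac == mac)
                    and (vlan is None or b.vlan == vlan)
                    and (interface is None or b.iface == interface))
        self._entries = {k: b for k, b in self._entries.items() if not hit(b)}

    def permits(self, mac, vlan, ip, iface, now):
        """The check IP source guard / DAI make for a frame: the sender's (VLAN, MAC)
        must currently be bound to exactly this IP address on exactly this port."""
        self.expire(now)
        b = self._entries.get((vlan, mac))
        return b is not None and b.ip == ip and b.iface == iface

    def entries(self):
        return sorted(self._entries.values(), key=lambda b: (b.vlan, b.mac))


# Constructed sample: one static entry (as in the example below) and one learned entry
def sample_db():
    db = BindingDB()
    db.add_manual("0058.3f0c.01ef", 1, "10.10.1.1", "eth-0-1", expiry=1000, now=0)
    db.learn("0001.0001.0002", 1, "10.10.1.2", "eth-0-2", lease=3600, now=0)
    return db
```

A host that keeps its MAC but changes its IP address, moves to another port, or keeps sending after its lease has expired fails the permits check, which is exactly the traffic IP source guard and DAI exist to stop; that is also why clearing or losing bindings (for example across a reload without a saved database) can cut off legitimate hosts until they renew.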
Examples
This example shows how to generate a DHCP binding configuration with an expiration time of 1000 seconds on a port in VLAN 1:
Switch# configure terminal
Switch(config)# dhcp snooping binding mac 0058.3f0c.01ef vlan 1 ipv4 10.10.1.1 interface eth-0-1 expiry 1000
Related Commands
dhcp snooping
show dhcp snooping binding
11.15.4. dhcp snooping database
Command Purpose
Use the dhcp snooping database Global Config command on the switch to set how often the DHCP snooping binding database is written to persistent storage, so that learned bindings are still available after a reload.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
dhcp snooping database auto-save interval SECONDS
Parameter | Parameter Description | Parameter Value
---|---|---
interval SECONDS | Interval (in seconds) between automatic saves of the binding database | 15 - 1200 seconds
Command Mode
Global Config
Default
Default interval is 600 seconds.
Usage
The DHCP snooping database is saved to flash:/dhcpsnooping. Bindings learned after the most recent save are lost on a reload and are recreated only when those clients next renew, so a shorter interval loses fewer bindings at the cost of more frequent flash writes.
Examples
This example shows how to set the auto-save interval to 120 seconds:
Switch# configure terminal
Switch(config)# dhcp snooping database auto-save interval 120
Related Commands
dhcp snooping
dhcp snooping binding
11.15.5. dhcp snooping information option
Command Purpose
Use the dhcp snooping information option Global Config command on the switch to enable DHCP option-82 data insertion. Use the no form of this command to disable DHCP option-82 data insertion.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
dhcp snooping information option
no dhcp snooping information option
Command Mode
Global Config
Default
DHCP option-82 data is not inserted.
Usage
You must globally enable DHCP snooping by using the dhcp snooping global configuration command for any DHCP snooping configuration to take effect.
When the option-82 feature is enabled and a switch receives a DHCP request from a host, it adds the option-82 information to the packet. The option-82 information contains the switch MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (the circuit ID suboption). The switch forwards the DHCP request that includes the option-82 field to the DHCP server.
When the DHCP server receives the packet, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or a circuit ID. The DHCP server then echoes the option-82 field in the DHCP reply.
The DHCP server unicasts the reply to the switch if the request has been relayed to the server by the switch. When the client and server are on the same subnet, the server broadcasts the reply. The switch inspects the remote ID and possibly the circuit ID fields to verify that it originally inserted the option-82 data. The switch removes the option-82 field and forwards the packet to the switch port that connects to the DHCP host that sent the DHCP request. Because the server applies policy on the basis of these suboptions, the switch must be the only party that sets them: a request that arrives on an untrusted port already carrying option 82 is dropped by default (see dhcp snooping information option allow-untrusted), and the reply-path check ensures that only option-82 data the switch itself inserted is acted on.
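The exchange above, as an added example that is not part of the original reference or the switch software: option 82 is encoded as two length-prefixed suboptions (circuit ID 1, remote ID 2, per RFC 3046), appended to a client request on the way to the server, and verified against the switch's own remote ID and stripped from the echoed reply on the way back. The switch MAC, client MAC, VLAN/module/port values and the vlan-mod-port byte layout (2-byte VLAN, 1-byte module, 1-byte port) are assumptions made for the example; the string and hostname formats of the later format commands only change the bytes passed as circuit_id and remote_id.

```python
import struct

# BOOTP/DHCP constants (RFC 2131, RFC 2132, RFC 3046)
BOOTP_HDR_LEN = 236
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPTIONS_START = BOOTP_HDR_LEN + len(MAGIC_COOKIE)
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


def parse_options(buf):
    """Walk the option field (after the magic cookie) into a list of (code, value)."""
    out, i = [], 0
    while i < len(buf) and buf[i] != OPT_END:
        if buf[i] == OPT_PAD:
            i += 1
            continue
        code, length = buf[i], buf[i + 1]
        out.append((code, buf[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def build_options(opts):
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])


def encode_option82(circuit_id, remote_id):
    """Option 82 value: two length-prefixed suboptions (RFC 3046 section 2.1)."""
    return (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)


def decode_option82(value):
    subs, i = {}, 0
    while i < len(value):
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def default_circuit_id(vlan, module, port):
    """Assumed byte layout of the vlan-mod-port circuit ID: 2-byte VLAN, 1-byte module, 1-byte port."""
    return struct.pack("!HBB", vlan, module, port)


def make_dhcp(op, chaddr, msg_type, extra_opts=()):
    """Constructed sample packet: fixed 236-byte BOOTP header, magic cookie, then options."""
    hdr = struct.pack("!4BIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x3903F326, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE + build_options([(OPT_MSG_TYPE, bytes([msg_type]))] + list(extra_opts))


def relay_to_server(request, circuit_id, remote_id, allow_untrusted=False):
    """Client -> server on an untrusted port. A request that already carries option 82
    is dropped (None) unless allow-untrusted is set; otherwise the switch appends its own."""
    hdr, opts = request[:OPTIONS_START], parse_options(request[OPTIONS_START:])
    if any(c == OPT_RELAY_AGENT_INFO for c, _ in opts):
        return request if allow_untrusted else None
    opts.append((OPT_RELAY_AGENT_INFO, encode_option82(circuit_id, remote_id)))
    return hdr + build_options(opts)


def relay_to_client(reply, my_remote_id):
    """Server -> client. Verify the echoed remote ID is ours, strip option 82, and return
    (cleaned reply, circuit_id) so the caller can pick the egress port; None if the check fails."""
    hdr, opts = reply[:OPTIONS_START], parse_options(reply[OPTIONS_START:])
    kept, circuit = [], None
    for code, value in opts:
        if code != OPT_RELAY_AGENT_INFO:
            kept.append((code, value))
            continue
        subs = decode_option82(value)
        if subs.get(SUBOPT_REMOTE_ID) != my_remote_id:
            return None
        circuit = subs.get(SUBOPT_CIRCUIT_ID)
    return hdr + build_options(kept), circuit


# Constructed sample exchange: client on VLAN 10, module 0, port 1
SWITCH_MAC = bytes.fromhex("001122334455")   # assumed switch MAC, used as the default remote ID
CLIENT_MAC = bytes.fromhex("00583f0c01ef")
DISCOVER = make_dhcp(1, CLIENT_MAC, 1)
RELAYED = relay_to_server(DISCOVER, default_circuit_id(10, 0, 1), SWITCH_MAC)
ECHOED_82 = dict(parse_options(RELAYED[OPTIONS_START:]))[OPT_RELAY_AGENT_INFO]
OFFER = make_dhcp(2, CLIENT_MAC, 2, [(OPT_RELAY_AGENT_INFO, ECHOED_82)])   # the server echoes option 82
CLEANED, CIRCUIT = relay_to_client(OFFER, SWITCH_MAC)
```

The remote-ID comparison in relay_to_client and the drop in relay_to_server are the two places a host could otherwise influence policy: without them a client could attach its own option 82 naming a different circuit and have the server treat it as a different port.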
Examples
This example shows how to enable DHCP option-82 data insertion:
Switch# configure terminal
Switch(config)# dhcp snooping information option
You can verify your settings by entering the show dhcp snooping config privileged EXEC command:
Switch# show dhcp snooping config
dhcp snooping service: enabled
dhcp snooping switch: enabled
Verification of hwaddr field: enabled
Insertion of relay agent information (option 82): enabled
Relay agent information (option 82) on untrusted port: not allowed
dhcp snooping vlan 1
Related Commands
show dhcp snooping config
show dhcp snooping binding
11.15.6. dhcp snooping information option allow-untrusted
Command Purpose
Use the dhcp snooping information option allow-untrusted global configuration command on an aggregation switch to configure it to accept DHCP packets with option-82 information that are received on untrusted ports that might be connected to an edge switch. Use the no form of this command to return to the default setting.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
dhcp snooping information option allow-untrusted
no dhcp snooping information option allow-untrusted
Command Mode
Global Config
Default
The switch drops DHCP packets with option-82 information that are received on untrusted ports that might be connected to an edge switch.
Usage
You might want an edge switch to which a host is connected to insert DHCP option-82 information at the edge of your network. You might also want to enable DHCP security features, such as DHCP snooping, IP source guard, or dynamic Address Resolution Protocol (ARP) inspection, on an aggregation switch. However, if DHCP snooping is enabled on the aggregation switch, the switch drops packets with option-82 information that are received on an untrusted port and does not learn DHCP snooping bindings for connected devices on a trusted interface.
If the edge switch to which a host is connected inserts option-82 information and you want to use DHCP snooping on an aggregation switch, enter the dhcp snooping information option allow-untrusted command on the aggregation switch. The aggregation switch can learn the bindings for a host even though the aggregation switch receives DHCP snooping packets on an untrusted port. You can also enable DHCP security features on the aggregation switch. The port on the edge switch to which the aggregation switch is connected must be configured as a trusted port.
Examples
This example shows how to configure an aggregation switch to accept, without checking, the option-82 information in packets received on untrusted ports from an edge switch:
Switch# configure terminal
Switch(config)# dhcp snooping information option allow-untrusted
Related Commands
show dhcp snooping config
11.15.7. dhcp snooping information option allow-untrusted (interface)
Command Purpose
Use the dhcp snooping information option allow-untrusted interface configuration command on an aggregation switch to configure it to accept DHCP packets with option-82 information that are received on untrusted ports that might be connected to an edge switch. Use the no form of this command to return to the default setting.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
dhcp snooping information option allow-untrusted
no dhcp snooping information option allow-untrusted
Command Mode
Interface Configuration
Default
Allow-untrusted is not configured on the interface; DHCP packets with option 82 are processed according to the Global Config.
Usage
You might want an edge switch to which a host is connected to insert DHCP option-82 information at the edge of your network. You might also want to enable DHCP security features, such as DHCP snooping, IP source guard, or dynamic Address Resolution Protocol (ARP) inspection, on an aggregation switch. However, if DHCP snooping is enabled on the aggregation switch, the switch drops packets with option-82 information that are received on an untrusted port and does not learn DHCP snooping bindings for connected devices on a trusted interface.
If the edge switch to which a host is connected inserts option-82 information and you want to use DHCP snooping on an aggregation switch, enter the dhcp snooping information option allow-untrusted command on the aggregation switch. The aggregation switch can learn the bindings for a host even though the aggregation switch receives DHCP snooping packets on an untrusted port. You can also enable DHCP security features on the aggregation switch. The port on the edge switch to which the aggregation switch is connected must be configured as a trusted port. Configured on an interface, the setting applies only to that port and overrides the global setting there; prefer the interface form over the global command so that the option-82 check is relaxed only on the link that actually faces the edge switch, not on every client-facing port.
Examples
This example shows how to configure an interface to not check the option-82 information in untrusted packets from an edge switch and to accept the packets:
Switch# configure terminal
Switch(config)# interface eth-0-1
Switch(config-if)# dhcp snooping information option allow-untrusted
Related Commands
show dhcp snooping config
11.15.8. dhcp snooping trust
Command Purpose
Use the dhcp snooping trust interface configuration command on the switch to configure a port as trusted for DHCP snooping purposes. Use the no form of this command to return to the default setting.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
dhcp snooping trust
no dhcp snooping trust
Command Mode
Interface Configuration
Default
DHCP snooping trust is disabled.
Usage
Configure as trusted ports those that are connected to a DHCP server or to other switches or routers. Configure as untrusted ports those that are connected to DHCP clients. A trusted port is exempt from the snooping checks, including the drop of server-side messages (OFFER, ACK, NAK) arriving from a client, so never trust a port that a user device can plug into: a rogue DHCP server on such a port could hand out addresses and a malicious default gateway or DNS server.
Examples
This example shows how to enable DHCP snooping trust on a port:
Switch# configure terminal
Switch(config)# interface eth-0-1
Switch(config-if)# dhcp snooping trust
Related Commands
show dhcp snooping config
11.15.9. dhcp snooping verify
Command Purpose
Use the dhcp snooping verify Global Config command on the switch to configure the switch to verify on an untrusted port that the source MAC address in a DHCP packet matches the client hardware address. Use the no form of this command to configure the switch to not verify the MAC addresses.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
dhcp snooping verify mac-address
no dhcp snooping verify mac-address
Command Mode
Global Config
Default
The switch verifies that the source MAC address of a DHCP packet received on an untrusted port matches the client hardware address in the packet.
Usage
In a service-provider network, when a switch receives a packet from a DHCP client on an untrusted port, it automatically verifies that the source MAC address and the DHCP client hardware address match. If the addresses match, the switch forwards the packet. If the addresses do not match, the switch drops the packet. The check ties the hardware address the server will lease to (chaddr) to the MAC address the frame was actually sent from, so a single host cannot exhaust the address pool by cycling through forged client hardware addresses. Disable it only where legitimate traffic on an untrusted port carries a chaddr that differs from the frame source, for example a downstream relay agent.
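The untrusted-port checks described above, as an added example written for this page rather than taken from the switch software: it looks only at the fixed BOOTP header, refuses server-side messages (BOOTREPLY) arriving from a client port, and, when MAC verification is on, drops requests whose chaddr does not match the frame's source MAC. The MAC addresses and frames are constructed samples, and the outcome counter names are the example's own, not the fields of show dhcp snooping statistics.

```python
from collections import Counter

BOOTREQUEST, BOOTREPLY = 1, 2
HTYPE_ETHERNET, ETH_ALEN = 1, 6
BOOTP_HDR_LEN = 236


def make_bootp(op, chaddr):
    """Constructed minimal BOOTP fixed header (RFC 2131): op, htype, hlen, hops,
    24 zero bytes for xid/secs/flags/ciaddr/yiaddr/siaddr/giaddr, chaddr at
    offset 28 padded to 16 bytes, then sname and file zeroed."""
    return (bytes([op, HTYPE_ETHERNET, ETH_ALEN, 0]) + b"\0" * 24
            + chaddr.ljust(16, b"\0") + b"\0" * 192)


def untrusted_port_filter(frames, verify_mac=True):
    """Apply the untrusted-port rules to (source_mac, dhcp_payload) frames.
    Returns the frames that would be forwarded and a Counter of outcomes."""
    stats = Counter()
    forwarded = []
    for src_mac, payload in frames:
        if (len(payload) < BOOTP_HDR_LEN or payload[1] != HTYPE_ETHERNET
                or payload[2] != ETH_ALEN):
            stats["invalid"] += 1              # truncated, or not an Ethernet hardware address
            continue
        op, chaddr = payload[0], payload[28:28 + ETH_ALEN]
        if op == BOOTREPLY:
            stats["reply_on_untrusted"] += 1   # OFFER/ACK/NAK from a client port: rogue server
            continue
        if verify_mac and chaddr != src_mac:
            stats["mac_verify_failed"] += 1    # chaddr does not match the frame's source MAC
            continue
        stats["forwarded"] += 1
        forwarded.append((src_mac, payload))
    return forwarded, stats


# Constructed sample traffic arriving on one untrusted port
HOST = bytes.fromhex("00583f0c01ef")
OTHER = bytes.fromhex("0a0b0c0d0e0f")
SAMPLE_FRAMES = [
    (HOST, make_bootp(BOOTREQUEST, HOST)),          # normal DISCOVER/REQUEST
    (HOST, make_bootp(BOOTREQUEST, OTHER)),         # forged chaddr, as in address starvation
    (OTHER, make_bootp(BOOTREPLY, HOST)),           # OFFER from a rogue server on a client port
    (HOST, make_bootp(BOOTREQUEST, HOST)[:100]),    # truncated packet
]
```

Running the filter over SAMPLE_FRAMES with verify_mac=False shows what no dhcp snooping verify mac-address gives up: the forged-chaddr request is forwarded to the server like any other.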
Examples
This example shows how to disable the MAC address verification:
Switch# configure terminal
Switch(config)# no dhcp snooping verify mac-address
Related Commands
show dhcp snooping config
11.15.10. dhcp snooping vlan
Command Purpose
Use the dhcp snooping vlan Global Config command on the switch to enable DHCP snooping on a VLAN. Use the no form of this command to return to the default setting.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
dhcp snooping vlan VLAN-RANGE
no dhcp snooping vlan VLAN-RANGE
Parameter | Parameter Description | Parameter Value
---|---|---
VLAN-RANGE | Specify a VLAN ID or a range of VLANs on which to enable DHCP snooping | 1-4094
Command Mode
Global Config
Default
DHCP snooping is disabled on all VLANs.
Usage
You can enter a single VLAN ID, a comma-separated list of VLAN IDs, a hyphenated range of VLAN IDs, or a range given as the starting and ending VLAN IDs separated by a space.
You must first globally enable DHCP snooping before enabling DHCP snooping on a VLAN.
Examples
This example shows how to enable DHCP snooping on VLAN 10:
Switch# configure terminal
Switch(config)# dhcp snooping vlan 10
Related Commands
show dhcp snooping config
11.15.11. dhcp snooping vlan information option format-type circuit-id string
Command Purpose
Use the dhcp snooping vlan information option format-type circuit-id string interface configuration command on the switch stack or on a standalone switch to set the option-82 circuit-ID suboption used for the given VLAN on this interface. Use the no form of this command to return to the default circuit-ID suboption.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
dhcp snooping vlan VLAN_ID information option format-type circuit-id string STRING
no dhcp snooping vlan VLAN_ID information option format-type circuit-id string
Parameter | Parameter Description | Parameter Value
---|---|---
VLAN_ID | Specify a VLAN ID | 1-4094
STRING | ASCII string for the circuit ID | ASCII string with up to 63 characters
Command Mode
Interface Configuration
Default
None (the circuit-ID suboption uses the default vlan-mod-port format)
Usage
You must globally enable DHCP snooping (dhcp snooping) for any DHCP snooping configuration to take effect. The string replaces the vlan-mod-port value as the circuit-ID suboption for requests received on this interface in the given VLAN.
Examples
This example shows how to configure the option-82 circuit-ID suboption:
Switch# configure terminal
Switch(config)# interface eth-0-1
Switch(config-if)# dhcp snooping vlan 2 information option format-type circuit-id string vlan2
Related Commands
None
11.15.12. dhcp snooping information option format remote-id
Command Purpose
Use the dhcp snooping information option format remote-id global configuration command on the switch stack or on a standalone switch to configure the option-82 remote-ID suboption. Use the no form of this command to configure the default remote-ID suboption.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
dhcp snooping information option format remote-id ( string NAME | hostname )
no dhcp snooping information option format remote-id
Parameter | Parameter Description | Parameter Value
---|---|---
NAME | Specify a remote ID | ASCII string with up to 63 characters (no spaces)
hostname | Specify the switch hostname as the remote ID | -
Command Mode
Global Config
Default
None (the remote-ID suboption uses the switch MAC address)
Usage
You must globally enable DHCP snooping (dhcp snooping) for any DHCP snooping configuration to take effect.
Examples
This example shows how to configure the option-82 remote-ID suboption:
Switch# configure terminal
Switch(config)# dhcp snooping information option format remote-id hostname
Related Commands
None
11.15.13. dhcp snooping information option format remote-id (interface)
Command Purpose
Use the dhcp snooping information option format remote-id interface configuration command on the switch stack or on a standalone switch to configure the option-82 remote-ID suboption. Use the no form of this command to configure the default remote-ID suboption.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
dhcp snooping information option format remote-id ( string NAME | hostname )
no dhcp snooping information option format remote-id
Parameter | Parameter Description | Parameter Value
---|---|---
NAME | Specify a remote ID | ASCII string with up to 63 characters (no spaces)
hostname | Specify the switch hostname as the remote ID | -
Command Mode
Interface Configuration
Default
None (the global remote-ID setting applies)
Usage
You must globally enable DHCP snooping (dhcp snooping) for any DHCP snooping configuration to take effect. The interface configuration takes precedence over the Global Config.
Examples
This example shows how to configure the option-82 remote-ID on an interface:
Switch# configure terminal
Switch(config)# interface eth-0-17
Switch(config-if)# dhcp snooping information option format remote-id hostname
Related Commands
None
11.15.14. debug dhcp snooping
Command Purpose
Use the debug dhcp snooping privileged EXEC command to enable debugging output for the DHCP snooping module.
Use the no form of this command to turn the selected debugging off again.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
debug dhcp snooping ( events | error | dump | packet | all )
no debug dhcp snooping ( events | error | dump | packet | all )
Parameter | Parameter Description | Parameter Value
---|---|---
events | Snooping events | -
error | Erroneous DHCP messages | -
packet | DHCP message fields | -
dump | Dump messages in hex format | -
all | Turn all debugging on | -
Command Mode
Privileged EXEC
Default
None
Usage
Use command “terminal monitor” to make debug messages print on the VTY immediately.
Use command “show logging buffer” to check the debug messages in the logging buffer.
Examples
This example shows how to enable all DHCP snooping debugging (on a busy switch, the packet and dump levels can generate a large volume of output; turn them off with the no form when finished):
Switch# debug dhcp snooping all
Related Commands
terminal monitor
show logging buffer
11.15.15. show dhcp snooping binding
Command Purpose
Use the show dhcp snooping binding privileged EXEC command to display the DHCP snooping binding database and configuration information for all interfaces on a switch.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
show dhcp snooping binding ( (all | manual | learning ) ( ipv4 IP_ADDR | mac MAC_ADDR | vlan VLAN_ID | interface IFNAME | ) summary | database )
Parameter | Parameter Description | Parameter Value
---|---|---
all | Display all entries | -
manual | Display static entries | -
learning | Display dynamic entries | -
MAC_ADDR | Specify a MAC address | MAC Address
VLAN_ID | Specify a VLAN number | 1-4094
IP_ADDR | Specify an IP address | IPv4 Address
IFNAME | Display only the binding entries on the specified interface | Support physical and aggregation interfaces
summary | Display summary information of DHCP snooping bindings | -
database | Display the stored (saved) DHCP snooping bindings | -
Command Mode
Privileged EXEC
Default
None
Usage
If DHCP snooping is enabled and an interface changes to the down state, the switch does not delete the statically configured bindings.
Examples
The following is sample output from the show dhcp snooping binding command:
Switch# show dhcp snooping binding all
DHCP snooping binding table:
VLAN MAC Address Interface Lease(s) IP Address
============================================================
1 0001.0001.0001 eth-0-2 static 1.1.1.1
Related Commands
dhcp snooping binding
11.15.16. show dhcp snooping config
Command Purpose
Use the show dhcp snooping config privileged EXEC command to display the DHCP snooping configuration.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
show dhcp snooping config
Command Mode
Privileged EXEC
Default
None
Usage
This command is used to display the configuration of DHCP snooping.
Examples
The following is sample output from the show dhcp snooping config command:
Switch# show dhcp snooping config
dhcp snooping service: enabled
dhcp snooping switch: enabled
Verification of hwaddr field: enabled
Insertion of relay agent information (option 82): enabled
Relay agent information (option 82) on untrusted port: not allowed
dhcp snooping vlan 1
Related Commands
dhcp snooping binding
11.15.17. show dhcp snooping statistics
Command Purpose
Use the show dhcp snooping statistics privileged EXEC command to display DHCP snooping statistics.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
show dhcp snooping statistics
Command Mode
Privileged EXEC
Default
None
Usage
This command is used to display the statistics of DHCP snooping. Rising invalid or MAC-address-verify-failed counts point at malformed or spoofed client traffic on untrusted ports; reset the counters with clear dhcp snooping statistics at the start of a measurement window so that the numbers can be attributed to it.
Examples
The following is sample output from the show dhcp snooping statistics command:
Switch# show dhcp snooping statistics
DHCP snooping statistics:
============================================================
DHCP packets 11257
BOOTP packets 0
Packets forwarded 10381
Packets invalid 844
Packets MAC address verify failed 354
Packets dropped 516
Related Commands
clear dhcp snooping statistics
11.15.18. show dhcp snooping trusted-sources
Command Purpose
Use the show dhcp snooping trusted-sources privileged EXEC command to display the interfaces configured as trusted for DHCP snooping.
Prerequisites
Platform | Software | License | Comments
---|---|---|---
AQ-N3000 | 7.0 | Base |
AQ-N5000 | 7.0 | Base |
AQ-N6000 | 7.0 | Base |
Command Syntax
show dhcp snooping trusted-sources
Command Mode
Privileged EXEC
Default
None
Usage
This command is used to display the trusted interfaces of DHCP snooping.
Examples
The following is sample output from the show dhcp snooping trusted-sources command:
Switch# show dhcp snooping trusted-sources
List of DHCP snooping trusted interface(s):
============================================================
eth-0-2
Related Commands
dhcp snooping trust