17.1 ip
Set IP parameters.
17.1.1 ip dhcp-snooping verify-mac
If enabled verifies the source MAC address in the ethernet packet against the client hardware address in the received DHCP Message. If disabled does not perform this additional security check.
Mode: Global Config Mode
Privilege Level: Operator
Format: ip dhcp-snooping verify-mac
no ip dhcp-snooping verify-mac Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no ip dhcp-snooping verify-mac 17.1.2 ip dhcp-snooping mode
Enable or disable DHCP Snooping.
Mode: Global Config Mode
Privilege Level: Operator
Format: ip dhcp-snooping mode
no ip dhcp-snooping mode Disable the option
Mode: Global Config Mode
Privilege Level: Operator
Format: no ip dhcp-snooping mode 17.1.3 ip dhcp-snooping database storage
This command specifies a location for the persistent DHCP Snooping bindings database. This can be a local file or a remote file on a given host.
Mode: Global Config Mode
Privilege Level: Operator
Format: ip dhcp-snooping database storage <P-1>
17.1.4 ip dhcp-snooping database write-delay
This command configures the interval in seconds at which the DHCP Snooping binding database will be saved (persistent).
Mode: Global Config Mode
Privilege Level: Operator
Format: ip dhcp-snooping database write-delay <P-1>
17.1.5 ip dhcp-snooping binding add
This command creates a new static DHCP Snooping binding (and optionally an associated dynamic IP Source Guard binding) between a MAC address and an IP address, for a specific VLAN at a particular interface.
Mode: Global Config Mode
Privilege Level: Operator
Format: ip dhcp-snooping binding add <P-1> <P-2> <P-3> <P-4> [<P-5>]
Parameter Value Meaning
P-1 local Save persistent DHCP Snooping bindings database to a local file.
tftp-loc Save persistent DHCP Snooping bindings database to a remote file: <tftp-loc>
:= tftp://<ip-addr>/<filename>.
Parameter Value Meaning
P-1 15..86400 Interval in seconds at which the persistent DHCP Snooping binding database will be saved. The interval value ranges from 15 to 86400 seconds.
Parameter Value Meaning P-1 aa:bb:cc:dd:ee:ff MAC address.
17.1.6 ip dhcp-snooping binding delete all
This command deletes all static DHCP Snooping bindings (and optionally all associated dynamic IP Source Guard bindings) at all interfaces.
Mode: Global Config Mode
Privilege Level: Operator
Format: ip dhcp-snooping binding delete all 17.1.7 ip dhcp-snooping binding delete interface
This command deletes all static DHCP Snooping bindings (and optionally all associated dynamic IP Source Guard bindings), associated with a particular interface.
Mode: Global Config Mode
Privilege Level: Operator
Format: ip dhcp-snooping binding delete interface <P-1>
17.1.8 ip dhcp-snooping binding delete mac
This command deletes one DHCP Snooping binding (and optionally the associated dynamic IP Source Guard binding), associated with a MAC address.
Mode: Global Config Mode
Privilege Level: Operator
Format: ip dhcp-snooping binding delete mac <P-1>
17.1.9 ip dhcp-snooping binding mode
This command activates or deactivates a configured static DHCP Snooping binding, associated with a MAC address.
Mode: Global Config Mode
Privilege Level: Operator
Format: ip dhcp-snooping binding mode <P-1> <P-2>
17.2 clear
Clear several items.
17.2.1 clear ip dhcp-snooping bindings
This command clears all dynamic DHCP Snooping (and IP Source Guard) bindings on all interfaces or on a specific interface.
Mode: Privileged Exec Mode
Privilege Level: Operator
Format: clear ip dhcp-snooping bindings [<P-1>]
17.2.2 clear ip dhcp-snooping statistics This command clears the DHCP Snooping statistics.
Mode: Privileged Exec Mode
Privilege Level: Operator
Format: clear ip dhcp-snooping statistics
P-2 A.B.C.D IP address.
P-3 slot no./port no.
P-4 1..4042 Enter the VLAN ID.
P-5 active Activate the option.
inactive Inactivate the option.
Parameter Value Meaning P-1 slot no./port no.
Parameter Value Meaning P-1 aa:bb:cc:dd:ee:ff MAC address.
Parameter Value Meaning P-1 aa:bb:cc:dd:ee:ff MAC address.
P-2 active Activate the option.
inactive Inactivate the option.
Parameter Value Meaning P-1 slot no./port no.
Parameter Value Meaning
17.3 ip
IP commands.
17.3.1 ip dhcp-snooping mode
Enables or disables DHCP Snooping on a VLAN.
Mode: VLAN Database Mode
Privilege Level: Operator
Format: ip dhcp-snooping mode <P-1>
no ip dhcp-snooping mode Disable the option
Mode: VLAN Database Mode
Privilege Level: Operator
Format: no ip dhcp-snooping mode <P-1>
17.4 ip
IP interface commands.
17.4.1 ip dhcp-snooping trust
This command configures an interface as trusted (typically connected to a DHCP server) or un-trusted. DHCP Snooping forwards valid DHCP client messages on trusted interfaces. On un-trusted interfaces the application compares the receive interface with the clients interface in the binding database.
Mode: Interface Range Mode
Privilege Level: Operator
Format: ip dhcp-snooping trust
no ip dhcp-snooping trust Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no ip dhcp-snooping trust 17.4.2 ip dhcp-snooping log
This command configures an interface to log invalid DHCP messages, or not to log.
Mode: Interface Range Mode
Privilege Level: Operator
Format: ip dhcp-snooping log
no ip dhcp-snooping log Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no ip dhcp-snooping log 17.4.3 ip dhcp-snooping auto-disable
Enables or disables the auto-disable feature for an interface, applicable when the DHCP packet rate exceeds the limit.
Mode: Interface Range Mode
Privilege Level: Operator
Format: ip dhcp-snooping auto-disable
no ip dhcp-snooping auto-disable Disable the option
Mode: Interface Range Mode
Privilege Level: Operator
Format: no ip dhcp-snooping auto-disable
Parameter Value Meaning
P-1 1..4042 Enter the VLAN ID.
17.4.4 ip dhcp-snooping limit
This command configures an interface for a maximum DHCP packet rate in a burst interval, or disables it. If the rate of DHCP packets exceed this limit in consecutive intervals then all further packets are dropped. If that happens and additionally the auto-disable feature is enabled, then the port is disabled automatically.
Mode: Interface Range Mode
Privilege Level: Operator
Format: ip dhcp-snooping limit <P-1> [<P-2>]
17.5 show
Display device options and settings.
17.5.1 show ip dhcp-snooping global
This command displays the global DHCP Snooping configuration.
Mode: Command is in all modes available.
Privilege Level: Guest
Format: show ip dhcp-snooping global 17.5.2 show ip dhcp-snooping statistics
This command displays statistics for DHCP Snooping security violations on untrusted ports.
Mode: Command is in all modes available.
Privilege Level: Guest
Format: show ip dhcp-snooping statistics 17.5.3 show ip dhcp-snooping interfaces
This command shows the DHCP Snooping status of all interfaces.
Mode: Command is in all modes available.
Privilege Level: Guest
Format: show ip dhcp-snooping interfaces 17.5.4 show ip dhcp-snooping vlan
This command displays the VLAN based DHCP Snooping status.
Mode: Command is in all modes available.
Privilege Level: Guest
Format: show ip dhcp-snooping vlan 17.5.5 show ip dhcp-snooping bindings
This command displays the DHCP Snooping binding entries from the static and/or dynamic bindings table.
Mode: Command is in all modes available.
Privilege Level: Guest
Format: show ip dhcp-snooping bindings [<P-1>] [interface <P-2>] [vlan <P-3>]
[interface]: Restrict the output based on a specific interface.
[vlan]: Restrict the output based on VLAN.
Parameter Value Meaning
P-1 -1..150 Specifies the rate limit value (in packets per seconds, pps) for DHCP snooping purposes. The value -1 switches rate limiting off.
P-2 1..15 Specifies the burst interval value for DHCP snooping purposes. Because this parameter is optional it leaves unchanged if omitted.
Parameter Value Meaning
P-1 static Restrict the output based on static bindings.
dynamic Restrict the output based on dynamic bindings.
P-2 slot no./port no.
P-3 1..4042 Enter the VLAN ID.