Configuring DHCP Snooping

Owned by Tracy Yang
Nov 28, 2023
3 min read

DHCP snooping creates a binding table, which includes the client IP address, MAC address, VLAN ID, physical port and the lease time. DHCP snooping is disabled by default. The steps below explain how to enable DHCP snooping and configure the trust port (by default all the ports are untrusted ports), DHCP snooping binding file and the delay timer for writing the DHCP snooping entries from memory to the binding file, and how to configure DHCP snooping Option 82 policy.

Procedure

Step 1        Configure DHCP snooping on a VLAN.

   set protocols dhcp snooping vlan <vlan-id> disable <true | false>

NOTE:

DHCP snooping should be enabled in the VLAN, it takes effect only on DHCP messages received from interfaces in this VLAN. Packets that are not received from this VLAN won’t be processed by DHCP snooping module and will be processed and forwarded as ordinary packets.

Step 2        Configure the interface connected to the DHCP server as DHCP snooping trusted interface.

   set protocols dhcp snooping trust-port <interface-name>

NOTE:

  • The port can be either physical port or aggregated port.
  • By default, all the ports are untrusted ports.
  • When DHCP snooping is enabled in a VLAN without configuring the trust interface, the DHCP packets received from the DHCP server in this VLAN will be dropped.

Step 3        (Optional) Configure the DHCP snooping binding file and the delay timer for writing the DHCP snooping entries from memory to the binding file.

   set protocols dhcp snooping binding file <file-path> 
   set protocols dhcp snooping binding write-delay <write-delay-timer>

Step 4        (Optional) Configure the DHCP snooping Option 82 policy and the sub-options.

   set protocols dhcp snooping vlan <vlan-id> option82-policy <drop | keep | insert | replace>

   set protocols dhcp snooping option82 circuit-id <port-index | port-name | port-description>

   set protocols dhcp snooping option82 remote-id <system-mac | hostname>

Step 5        (Optional) Enable Option 82 trust-all function for DHCP snooping.

   set protocols dhcp snooping option82 trust-all <true | false>

Configuration example

Networking Requirements

  • On PICA8 Switch, the interfaces ge-1/1/1 and ge-1/1/2 are in VLAN 2.
  • Enable DHCP snooping on VLAN 2.
  • Configure the interface connected to the DHCP server (ge-1/1/2) as the DHCP snooping trust interface. 

Figure 1 DHCP Snooping Networks


Procedure

Step 1        Configure VLAN.

admin@XorPlus# set vlans vlan-id 2
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 2
admin@XorPlus# set interface gigabit-ethernet ge-1/1/2 family ethernet-switching native-vlan-id 2

Step 2        Configure DHCP snooping on VLAN 2.

admin@XorPlus#set protocols dhcp snooping vlan 2 disable false

Step 3        Configure the interface connected to the DHCP server as DHCP snooping trusted interface.

admin@XorPlus# set protocols dhcp snooping trust-port ge-1/1/2

Step 4        (Optional) Configure /tmp/run/dhcp_bind as the DHCP snooping binding file and the value of delay timer for writing the DHCP snooping entries from memory to the binding file is 30s.

admin@XorPlus# set protocols dhcp snooping binding file /tmp/run/dhcp_bind
admin@XorPlus# set protocols dhcp snooping binding write-delay 30

Step 5        Commit the configuration.

admin@XorPlus# commit

Step 6        Verify the configuration.

  • After the configuration is complete, run the run show dhcp snooping command to view the DHCP snooping binding table.   
admin@Xorplus# run show dhcp snooping binding 
Total count:     1
MAC Address         IP Address     Port            VLAN ID   Lease(sec)                    
-------------------------------------------------------------------------------------------------------                                
14:18:77:18:2c:b9   100.1.1.1      ge-1/1/1        2         599/600
  • DHCP client can obtain the IP address normally.


Copyright © 2024 Pica8 Inc. All Rights Reserved.