Typical Configuration Example for DHCP Relay and DHCP Snooping
Networking Requirements
As shown in Figure 5, Switch 1 is a Layer 2 device and Switch 2 is the gateway. Switch 2 acts as a DHCP relay agent that forwards DHCP packets between the DHCP client and the DHCP server, allowing the DHCP client to get configuration parameters such as an IP address from the DHCP server.
To provide better service to DHCP clients, the network administrator can configure the DHCP snooping feature on Switch 1 to implement DHCP attack prevention.
Figure 1 User Topology of DHCP Snooping and DHCP Relay
Configure DHCP snooping and DHCP relay by completing the following tasks on Switch 1 and Switch 2:
- Switch 1 is a Layer 2 device; the interfaces ge-1/1/1 and ge-1/1/2 belong to VLAN 100.
- On Switch 1, enable DHCP snooping in VLAN 100 and configure the interface ge-1/1/2 as the DHCP snooping trust interface.
- On Switch 2, the ge-1/1/1 interface belongs to VLAN 100, and the IP address of the associated L3 VLAN interface is 10.10.1.1/24. The ge-1/1/2 interface belongs to VLAN 200, and the IP address of the associated L3 VLAN interface is 10.20.1.1/24.
- Enable DHCP relay on Switch 2 on the L3 VLAN interface VLAN100.
- The DHCP server and the DHCP relay agent are in the same subnet. The IP address of the DHCP server is 10.20.1.100.
Procedure
Switch 1
Step 1 Configure the VLANs.
admin@Switch1# set vlans vlan-id 100
admin@Switch1# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 100
admin@Switch1# set interface gigabit-ethernet ge-1/1/2 family ethernet-switching native-vlan-id 100
Step 2 Enable DHCP snooping on VLAN 100.
admin@Switch1# set protocols dhcp snooping vlan 100 disable false
NOTE: DHCP snooping applies only to clients directly connected to the local L2 domain, not to clients connected through a router.
Step 3 Configure the interface ge-1/1/2 as the DHCP snooping trust interface.
admin@Switch1# set protocols dhcp snooping trust-port ge-1/1/2
Step 4 Commit the configuration.
admin@Switch1# commit
Switch 2
Step 1 Configure the VLANs.
admin@Switch2# set vlans vlan-id 100
admin@Switch2# set vlans vlan-id 200
admin@Switch2# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 100
admin@Switch2# set interface gigabit-ethernet ge-1/1/2 family ethernet-switching native-vlan-id 200
admin@Switch2# set vlans vlan-id 100 l3-interface VLAN100
admin@Switch2# set vlans vlan-id 200 l3-interface VLAN200
admin@Switch2# set l3-interface vlan-interface VLAN100 address 10.10.1.1 prefix-length 24
admin@Switch2# set l3-interface vlan-interface VLAN200 address 10.20.1.1 prefix-length 24
Step 2 Enable the IP routing function when using DHCP relay.
admin@Switch2# set ip routing enable true
Step 3 Enable DHCP relay on the L3 VLAN interface VLAN100.
admin@Switch2# set protocols dhcp relay interface VLAN100 disable false
Step 4 Configure the IP address for the DHCP server.
admin@Switch2# set protocols dhcp relay interface VLAN100 dhcp-server-address 10.20.1.100
Step 5 Commit the configuration.
admin@Switch2# commit
Verify the Configuration
- After the configuration is complete, run the run show dhcp snooping binding command on Switch 1 to view the DHCP snooping binding table.
admin@Switch1# run show dhcp snooping binding
Total count: 1
MAC Address          IP Address      Port        VLAN ID    Lease(sec)
------------------------------------------------------------------------------------------------------
E3:44:56:a2:00:2c    10.10.1.12      ge-1/1/1    100        60/600
The format of lease time for the IP address is Remaining Lease Time/Total Lease Time.
- The DHCP client can obtain an IP address normally.
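The following Python check is an added example, not part of the original page or of Pica8's tooling: it parses binding-table output in the format shown above and flags entries that do not fit this topology (client subnet 10.10.1.0/24, VLAN 100, trust interface ge-1/1/2). The second and third sample rows are constructed, and treating a binding learned on the trust interface as a finding is an assumption of this check.

```python
import ipaddress
import re

# Constructed sample: the binding row shown on this page plus two
# made-up rows that violate the documented topology.
SAMPLE = """\
Total count: 3
MAC Address          IP Address      Port        VLAN ID    Lease(sec)
----------------------------------------------------------------------
E3:44:56:a2:00:2c    10.10.1.12      ge-1/1/1    100        60/600
00:11:22:33:44:55    192.168.0.7     ge-1/1/1    100        580/600
00:11:22:33:44:66    10.10.1.30      ge-1/1/2    100        300/600
"""

ROW = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<ip>\d+(?:\.\d+){3})\s+"
    r"(?P<port>\S+)\s+(?P<vlan>\d+)\s+(?P<remaining>\d+)/(?P<total>\d+)\s*$"
)

def parse_bindings(text):
    """Return one dict per binding row; header, rule and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            rows.append({"mac": d["mac"].lower(), "ip": ipaddress.ip_address(d["ip"]),
                         "port": d["port"], "vlan": int(d["vlan"]),
                         "remaining": int(d["remaining"]), "total": int(d["total"])})
    return rows

def audit(rows, subnet="10.10.1.0/24", vlan=100, trusted=("ge-1/1/2",)):
    """Return (mac, reason) findings for rows that do not fit the page's topology."""
    net = ipaddress.ip_network(subnet)
    findings = []
    for r in rows:
        if r["ip"] not in net:
            findings.append((r["mac"], f"{r['ip']} is outside {net}"))
        if r["vlan"] != vlan:
            findings.append((r["mac"], f"unexpected VLAN {r['vlan']}"))
        if r["port"] in trusted:  # assumption: clients sit on untrusted ports only
            findings.append((r["mac"], f"binding on trusted port {r['port']}"))
        if r["remaining"] > r["total"]:  # lease field is Remaining/Total
            findings.append((r["mac"], "remaining lease exceeds total lease"))
    return findings

if __name__ == "__main__":
    for mac, reason in audit(parse_bindings(SAMPLE)):
        print(mac, reason)
```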
Copyright © 2025 Pica8 Inc. All Rights Reserved.