Enabling DHCP snooping

DHCP snooping is enabled globally by entering this command:

switch(config)# dhcp-snooping

Use the no form of the command to disable DHCP snooping.


[no] dhcp-snooping [authorized-server|database|option|trust|verify|vlan]
authorized server

Enter the IP address of a trusted DHCP server. If no authorized servers are configured, all DHCP server addresses are considered valid. Maximum: 20 authorized servers.


To configure a location for the lease database, enter a URL in the format tftp://ip-addr/ascii-string. The maximum number of characters for the URL is 63.


Add relay information option (Option 82) to DHCP client packets that are being forwarded out trusted ports. The default is yes, add relay information.


Configure trusted ports. Only server packets received on trusted ports are forwarded. Default: untrusted.


Enables DHCP packet validation. The DHCP client hardware address field and the source MAC address must be the same for packets received on untrusted ports or the packet is dropped. Default: Yes.


Enable DHCP snooping on a vlan. DHCP snooping must be enabled already. Default: No.

To display the DHCP snooping configuration, enter this command:

switch(config)# show dhcp-snooping

Output for the show dhcp-snooping command

switch(config)# show dhcp-snooping
 DHCP Snooping Information
  DHCP Snooping              : Yes
  Enabled Vlans              :
  Verify MAC                 : Yes
  Option 82 untrusted policy : drop
  Option 82 Insertion        : Yes
  Option 82 remote-id        : mac
  Store lease database : Not configured
  Port Trust
  ----- -----
  5     No
  6     No

To display statistics about the DHCP snooping process, enter this command:

switch(config)#show dhcp-snooping stats

An example of the output is shown below.

Output for the show DHCP snooping statistics command

switch(config)# show dhcp-snooping stats

Packet type  Action   Reason                        Count
-----------  -------  ----------------------------  -----
server       forward  from trusted port             8
client       forward  to trusted port               8
server       drop     received on untrusted port    2
server       drop     unauthorized server           0
client       drop     destination on untrusted port 0
client       drop     untrusted option 82 field     0
client       drop     bad DHCP release request      0
client       drop     failed verify MAC check       0