{"id":6369,"date":"2026-05-04T12:10:34","date_gmt":"2026-05-04T12:10:34","guid":{"rendered":"http:\/\/docs.connexite.co.uk\/index.php\/docs\/connexite-documentation\/synapse-cli-documentation\/cli-configuring-dhcp-snooping\/"},"modified":"2026-05-04T12:19:09","modified_gmt":"2026-05-04T12:19:09","slug":"cli-configuring-dhcp-snooping","status":"publish","type":"docs","link":"https:\/\/docs.connexite.co.uk\/index.php\/docs\/network\/synapse-cli-documentation\/cli-configuring-dhcp-snooping\/","title":{"rendered":"Configuring DHCP Snooping"},"content":{"rendered":"<h2 class=\"connexite-doc-h2\">Overview of DHCP Snooping<\/h2>\n<p>DHCP snooping (Dynamic Host Configuration Protocol) is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. When DHCP snooping is enabled on a VLAN, the system examines DHCP messages sent from untrusted hosts associated with the VLAN and extracts their IP addresses and lease information. This information is used to build and maintain the DHCP snooping database. DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.<\/p>\n<h2 class=\"connexite-doc-h2\">Trusted Sources<\/h2>\n<p>The DHCP snooping feature determines whether traffic sources are trusted or untrusted. DHCP snooping acts as a guardian of network security by keeping track of valid IP addresses assigned to downstream network devices by a trusted DHCP server. 
The default trust state of all interfaces is untrusted.<\/p>\n<h2 class=\"connexite-doc-h2\">DHCP Snooping Limit Rate<\/h2>\n<p>Configure the number of DHCP packets per second that an interface can receive, to reduce or eliminate the impact of a DHCP packet attack from this interface.<\/p>\n<h2 class=\"connexite-doc-h2\">MAC Address Verification<\/h2>\n<p>With DHCP snooping MAC address verification enabled, DHCP snooping verifies that the source MAC address and the client hardware address match in DHCP packets that are received on untrusted ports. The source MAC address is a Layer 2 field associated with the packet, and the client hardware address is a Layer 3 field in the DHCP packet.<\/p>\n<h2 class=\"connexite-doc-h2\">Option-82 Insertion<\/h2>\n<p>The DHCP Option82 option, also called the DHCP relay agent information option, is one of many DHCP options. The Option82 option is a DHCP option proposed to enhance the security of the DHCP server and improve the IP address allocation strategy. The addition and stripping of options are implemented by the relay component.<\/p>\n<h2 class=\"connexite-doc-h2\">DHCP Database<\/h2>\n<p>The DHCP snooping feature dynamically builds and maintains the database using information extracted from intercepted DHCP messages. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces. 
When the ip verify source function is enabled on the interface, database entries act as valid users on the interface.<\/p>\n<h2 class=\"connexite-doc-h2\">Configuring<\/h2>\n<ul class=\"connexite-doc-list\">\n<li>Enable DHCP Snooping Globally<\/li>\n<\/ul>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config)#ip dhcp snooping<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config)#no ip dhcp snooping<\/code><\/pre>\n<p class=\"connexite-doc-command-desc\">Enables DHCP snooping globally.<\/p>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config)#ip dhcp snooping vlan VID<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config)#no ip dhcp snooping vlan VID<\/code><\/pre>\n<p class=\"connexite-doc-command-desc\">Enables DHCP snooping on a VLAN or VLAN range. For example: ip dhcp snooping vlan 3-10. By default, DHCP Snooping is enabled on all VLANs.<\/p>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#ip dhcp snooping trust<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#no ip dhcp snooping trust<\/code><\/pre>\n<p class=\"connexite-doc-command-desc\">Configures the interface as trusted. By default, all interfaces are untrusted.<\/p>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config)#ip dhcp snooping verify mac-address<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config)#no ip dhcp snooping verify mac-address<\/code><\/pre>\n<p class=\"connexite-doc-command-desc\">Enables DHCP snooping MAC address verification. Disabled by default.<\/p>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#ip dhcp snooping rate-limit PPS<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#no ip dhcp snooping rate-limit<\/code><\/pre>\n<p class=\"connexite-doc-command-desc\">Configures DHCP packet rate limiting. PPS ranges from 0 to 128. 
If PPS is set to 0, this interface will drop all incoming DHCP packets.<\/p>\n<h2 class=\"connexite-doc-h2\">Note<\/h2>\n<p>\u2726 Due to hardware limitations, DHCP rate limiting is done in software when the limit value is not 0, and in hardware when the limit value is 0. Software rate limiting consumes CPU resources.<\/p>\n<ul class=\"connexite-doc-list\">\n<li>Enabling Option-82 Data Insertion<\/li>\n<\/ul>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config)#ip dhcp snooping information option-82<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config)#no ip dhcp snooping information option-82<\/code><\/pre>\n<p class=\"connexite-doc-command-desc\">Enables DHCP option-82 data insertion.<\/p>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#ip dhcp snooping information option-82 circuit-id WORD<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#no ip dhcp snooping information option-82 circuit-id<\/code><\/pre>\n<p class=\"connexite-doc-command-desc\">Configures custom circuit-id content. The default is VLAN + port information. WORD: String information, valid length 3-63 characters.<\/p>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#ip dhcp snooping information option-82 remote-id WORD<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#no ip dhcp snooping information option-82 remote-id<\/code><\/pre>\n<p class=\"connexite-doc-command-desc\">Configures custom remote-id content. The default is the device MAC address. 
WORD: String information, valid length 1-63 characters.<\/p>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config)#ip dhcp snooping database write-delay SECONDS<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#no ip dhcp snooping database write-delay<\/code><\/pre>\n<h2 class=\"connexite-doc-h2\">Configuring DHCP Snooping data to be written to flash at regular intervals<\/h2>\n<p>SECONDS ranges from 600 to 86400, in seconds.<\/p>\n<ul class=\"connexite-doc-list\">\n<li>Trigger DHCP Snooping Database Write-flash<\/li>\n<\/ul>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config)#ip dhcp snooping database write-flash<\/code><\/pre>\n<p class=\"connexite-doc-command-desc\">Triggers a write of the DHCP snooping database to flash.<\/p>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config)#ip dhcp snooping database renew<\/code><\/pre>\n<p class=\"connexite-doc-command-desc\">Triggers a renewal of the DHCP snooping database from flash.<\/p>\n<pre class=\"connexite-doc-command\"><code>SWITCH#clear ip dhcp snooping database (vlan VLANID | interface IFNAME | mac-address XXXX.XXXX.XXXX | ip-address A.B.C.D | flash)<\/code><\/pre>\n<p class=\"connexite-doc-command-desc\">Clears DHCP snooping database entries by port, VLAN, MAC address, or IP address. Clearing the database in flash is also supported.<\/p>\n<h2 class=\"connexite-doc-h2\">Examples<\/h2>\n<p>Example 1: This is a typical application of DHCP snooping. Interface gigabitEthernet0\/8 is connected to the DHCP server, and USER-A obtains its IP address dynamically. There are other DHCP servers in the LAN, which will affect the IP address assignment of USER-A. The topology is shown in Figure 1-1 below. 
Figure 1-1 Typical application of DHCP Snooping Diagram<\/p>\n<ul class=\"connexite-doc-list\">\n<li>Enable DHCP Snooping Globally.<\/li>\n<\/ul>\n<pre class=\"connexite-doc-command\"><code>SWITCH#configure terminal<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config)#ip dhcp snooping<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config)#interface gigabitEthernet0\/8<\/code><\/pre>\n<pre class=\"connexite-doc-command\"><code>SWITCH(config-if)#ip dhcp snooping trust<\/code><\/pre>\n<h2 class=\"connexite-doc-h2\">Display Information<\/h2>\n<ul class=\"connexite-doc-list\">\n<li>Display DHCP Snooping Information<\/li>\n<\/ul>\n<pre class=\"connexite-doc-command\"><code>SWITCH#show ip dhcp snooping<\/code><\/pre>\n<p class=\"connexite-doc-command-desc\">Ip dhcp snooping : Enabled<br \/>\nNo ip dhcp snooping vlan : 2-5<br \/>\nVerify mac-address : Disabled<br \/>\nInformation option-82 : No<br \/>\ndatabase write-delay : 0 seconds<br \/>\nInterface Trusted Rate limit (pps)<br \/>\n&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br \/>\ngigabitEthernet0\/16 yes unlimited<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Networking \u203a Switching \u203a Edge \u203a 
Synapse<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":6349,"menu_order":20,"comment_status":"open","ping_status":"closed","template":"","doc_tag":[115,119,116],"class_list":["post-6369","docs","type-docs","status-publish","hentry","doc_tag-connexite","doc_tag-network","doc_tag-synapse-cli-documentation","no-post-thumbnail"],"acf":[],"_links":{"self":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6369","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=6369"}],"version-history":[{"count":1,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6369\/revisions"}],"predecessor-version":[{"id":6417,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6369\/revisions\/6417"}],"up":[{"embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6349"}],"wp:attachment":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=6369"}],"wp:term":[{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/doc_tag?post=6369"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}