Chapter 33
Configuring DHCP Snooping and IP Source Guard
Task                                 Command
Step 3   Save the VACL.              commit security acl acl_name
Step 4   Add an ACL to a VLAN.       set security acl map acl_name 10
This example shows how to configure DHCP snooping on a VLAN:
Console> (enable) set security acl ip dhcpsnoop permit dhcp-snooping
Successfully configured DHCP Snooping for ACL dhcpsnoop. Use 'commit' command to save changes.
Console> (enable) set security acl ip dhcpsnoop permit ip any any
dhcpsnoop editbuffer modified. Use 'commit' command to apply changes.
Console> (enable) commit security acl dhcpsnoop
ACL commit in progress.
ACL 'dhcpsnoop' successfully committed.
Console> (enable) set security acl map dhcpsnoop 10
Mapping in progress.
ACL dhcpsnoop successfully mapped to VLAN 10.
Console> (enable)
Note    If you create a VACL just for enabling DHCP snooping, the VACL has an implicit deny at the end and no other packets are allowed unless there is an explicit permit for those packets.
Note    802.1X-DHCP and DHCP snooping are mutually exclusive. Do not configure a VLAN with both features.
Enabling DHCP Snooping on a Private VLAN
You must enable DHCP snooping separately on the primary and secondary (isolated or community) private VLANs (PVLANs). The DHCP-snooping binding table contains binding information about the primary VLAN only, not the secondary VLANs. If you enable DHCP snooping on the primary PVLAN but not on the secondary VLAN, the DHCP-snooping binding table entries are not added, even though the packet is seen on the primary PVLAN.
Enabling the DHCP-Snooping Host-Tracking Information Option
If you enable the host-tracking information option, the DHCP relay agent information option (option 82) is added to the client packets that are being forwarded. The relay agent option contains the agent circuit ID and the agent remote ID information. The circuit ID suboption contains the port and the VLAN number of the client. The remote ID suboption contains the MAC address of the switch. Before inserting the host-tracking information, the switch verifies that the DHCP messages do not have an existing relay information option or a nonzero giaddr field. Before removing the host-tracking information, the switch verifies that the DHCP reply messages are from a trusted port and that the MAC address of the remote ID and the local switch match. If the packet comes from a trusted port and the addresses do not match, the packet is forwarded.
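The insert and remove checks described above, modelled in Python as an added example (not code from the Cisco guide or from CatOS). The circuit ID byte layout, the function names, the sample DHCPDISCOVER options field and the switch MAC are all constructed for this example.

```python
OPT_RELAY_AGENT = 82   # DHCP relay agent information option (option 82)
SUB_CIRCUIT_ID = 1     # suboption 1: agent circuit ID (port + VLAN here)
SUB_REMOTE_ID = 2      # suboption 2: agent remote ID (switch MAC here)
OPT_END = 255

def parse_options(raw):
    """Parse a DHCP options field (after the magic cookie) into {code: value}."""
    opts, i = {}, 0
    while i < len(raw) and raw[i] != OPT_END:
        if raw[i] == 0:            # pad byte
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def build_option82(port, vlan, switch_mac):
    # Assumed circuit-ID layout for this example: VLAN (2 bytes) + port (2 bytes)
    circuit = vlan.to_bytes(2, "big") + port.to_bytes(2, "big")
    return (bytes([SUB_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUB_REMOTE_ID, len(switch_mac)]) + switch_mac)

def remote_id(opt82):
    """Return the remote ID suboption value from an option 82 blob, or None."""
    i = 0
    while i + 1 < len(opt82):
        code, length = opt82[i], opt82[i + 1]
        if code == SUB_REMOTE_ID:
            return opt82[i + 2:i + 2 + length]
        i += 2 + length
    return None

def insert_tracking(giaddr, opts, port, vlan, switch_mac):
    """Client -> server: add option 82 only if none is present and giaddr is 0."""
    if OPT_RELAY_AGENT in opts or giaddr != 0:
        return opts, "forwarded unchanged"
    new = {**opts, OPT_RELAY_AGENT: build_option82(port, vlan, switch_mac)}
    return new, "option 82 inserted"

def strip_tracking(opts, from_trusted_port, switch_mac):
    """Server -> client: remove option 82 only on a trusted port with matching remote ID."""
    if (from_trusted_port and OPT_RELAY_AGENT in opts
            and remote_id(opts[OPT_RELAY_AGENT]) == switch_mac):
        return {c: v for c, v in opts.items() if c != OPT_RELAY_AGENT}, "option 82 removed"
    return opts, "forwarded unchanged"

# Constructed sample input: a DHCPDISCOVER options field (message type 1, pads, END).
DISCOVER_OPTS = bytes([53, 1, 1, 0, 0, OPT_END])
SWITCH_MAC = bytes.fromhex("0011223344aa")   # constructed switch MAC for the example
```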
OL-8978-04
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
Configuring DHCP Snooping on a VLAN
33-5