Configuring DHCP
This section provides information about configuring DHCP.
Prerequisites for Configuring DHCP
The following prerequisites apply to DHCP Snooping and Option 82:
- You must globally enable DHCP snooping on the switch.
- Before globally enabling DHCP snooping on the switch, make sure that the devices acting as the DHCP server and the DHCP relay agent are configured and enabled.
- If you want the switch to respond to DHCP requests, it must be configured as a DHCP server.
- Before configuring the DHCP snooping information option on your switch, be sure to configure the device that is acting as the DHCP server. You must specify the IP addresses that the DHCP server can assign or exclude, or you must configure DHCP options for these devices.
- For DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted interfaces, as untrusted DHCP messages will be forwarded only to trusted interfaces. In a service-provider network, a trusted interface is connected to a port on a device in the same network.
- You must configure the switch to use the Cisco IOS DHCP server binding database to use it for DHCP snooping.
- To use the DHCP snooping option of accepting packets on untrusted inputs, the switch must be an aggregation switch that receives packets with option-82 information from an edge switch.
DHCP Snooping Binding Database Configuration Prerequisites
- You must configure a destination on the DHCP snooping binding database to use the switch for DHCP snooping.
- Because both NVRAM and the flash memory have limited storage capacity, it is recommended that you store the binding file on a TFTP server.
- For network-based URLs (such as TFTP and FTP), you must create an empty file at the configured URL before the switch can write bindings to the binding file at that URL. Consult the documentation for your TFTP server to determine whether you must first create an empty file on the server; some TFTP servers cannot be configured this way.
- To ensure that the lease time in the database is accurate, it is recommended that you enable and configure Network Time Protocol (NTP).
- If NTP is configured, the switch writes binding changes to the binding file only when the switch system clock is synchronized with NTP.
Restrictions for Configuring DHCP
It is recommended that you do not use transmit (Tx) Switched Port Analyzer (SPAN) or egress SPAN that supports DHCP Snooping, DHCP Relay Agent. If SPAN at Tx is required, avoid using VLAN ports that are in the forwarding path for DHCP packets.
Information About DHCP
DHCP Server
The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them. If the DHCP server cannot give the DHCP client the requested configuration parameters from its database, it forwards the request to one or more secondary DHCP servers defined by the network administrator. The switch can act as a DHCP server. If the DHCP server provides the client with the requested configuration, it will not forward the message to the other server.
DHCP Relay Agent
A DHCP relay agent is a Layer 3 device that forwards DHCP packets between clients and servers. Relay agents forward requests and replies between clients and servers when they are not on the same physical subnet. Relay agent forwarding is different from the normal Layer 2 forwarding, in which IP datagrams are switched transparently between networks. Relay agents receive DHCP messages and generate new DHCP messages to send on output interfaces.
DHCP Snooping
DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, also referred to as a DHCP snooping binding table.
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You use DHCP snooping to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch.
Note: For DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted interfaces, as untrusted DHCP messages will be forwarded only to trusted interfaces.
An untrusted DHCP message is a message that is received through an untrusted interface. By default, the switch considers all interfaces untrusted. Therefore, the switch must be configured to trust some interfaces to use DHCP Snooping. When you use DHCP snooping in a service-provider environment, an untrusted message is sent from a device that is not in the service-provider network, such as a customer's switch. Messages from unknown devices are untrusted because they can be sources of traffic attacks.
The DHCP snooping binding database contains the MAC address, the IP address, the lease time, the binding type, the VLAN number, and the interface information that corresponds to the local untrusted interfaces of a switch. It does not contain information regarding hosts interconnected with a trusted interface.
In a service-provider network, an example of an interface you might configure as trusted is one connected to a port on a device in the same network. An example of an untrusted interface is one that is connected to an untrusted interface in the network or to an interface on a device that is not in the network.
When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which DHCP snooping is enabled, the switch compares the source MAC address and the DHCP client hardware address. If the addresses match (the default), the switch forwards the packet. If the addresses do not match, the switch drops the packet.
When the Switch Drops a DHCP Packet:
- A packet from a DHCP server (such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet) is received from outside the network or firewall.
- A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match.
- The switch receives a DHCPRELEASE or DHCPDECLINE broadcast message that has a MAC address in the DHCP snooping binding database, but the interface information in the binding database does not match the interface on which the message was received.
- A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address that is not 0.0.0.0, or the relay agent forwards a packet that includes option-82 information to an untrusted port.
- The maximum snooping queue size of 1000 is exceeded when DHCP snooping is enabled.
If the switch is an aggregation switch supporting DHCP snooping and is connected to an edge switch that is inserting DHCP option-82 information, the switch drops packets with option-82 information when packets are received on an untrusted interface. If DHCP snooping is enabled and packets are received on a trusted port, the aggregation switch does not learn the DHCP snooping bindings for connected devices and cannot build a complete DHCP snooping binding database.
Option-82 Data Insertion
When an aggregation switch can be connected to an edge switch through an untrusted interface and you enter the ip dhcp snooping information option allow-untrusted global configuration command, the aggregation switch accepts packets with option-82 information from the edge switch. The aggregation switch learns the bindings for hosts connected through an untrusted switch interface. The DHCP security features, such as dynamic ARP inspection or IP source guard, can still be enabled on the aggregation switch while the switch receives packets with option-82 information on untrusted input interfaces to which hosts are connected. The port on the edge switch that connects to the aggregation switch must be configured as a trusted interface.
In Residential, Metropolitan Ethernet-Access Environments
In residential, metropolitan Ethernet-access environments, DHCP can centrally manage the IP address assignments for a large number of subscribers. When the DHCP option-82 feature is enabled on the switch, a subscriber device is identified by the switch port through which it connects to the network (in addition to its MAC address). Multiple hosts on the subscriber LAN can be connected to the same port on the access switch and are uniquely identified.
Note: The DHCP option-82 feature is supported only when DHCP snooping is globally enabled on the VLANs to which subscriber devices using option-82 are assigned.
The following illustration shows a metropolitan Ethernet network in which a centralized DHCP server assigns IP addresses to subscribers connected to the switch at the access layer. Because the DHCP clients and their associated DHCP server do not reside on the same IP network or subnet, a DHCP relay agent (the Catalyst switch) is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server.
[Figure: Catalyst switch (DHCP relay agent) at the access layer, VLAN 10, between the subscribers Host A and Host B (DHCP clients) and the DHCP server.]
Sequence of Events When Enabling DHCP Snooping Information Option 82
- The host (DHCP client) generates a DHCP request and broadcasts it on the network.
- When the switch receives the DHCP request, it adds the option-82 information in the packet. By default, the remote-ID suboption is the switch MAC address, and the circuit-ID suboption is the port identifier, vlan-mod-port, from which the packet is received. You can configure the remote ID and circuit ID.
- If the IP address of the relay agent is configured, the switch adds this IP address in the DHCP packet.
- The switch forwards the DHCP request that includes the option-82 field to the DHCP server.
- The DHCP server receives the packet. If the server is option-82-capable, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. Then the DHCP server echoes the option-82 field in the DHCP reply.
- The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch. The switch verifies that it originally inserted the option-82 data by inspecting the remote ID and possibly the circuit ID fields. The switch removes the option-82 field and forwards the packet to the switch port that connects to the DHCP client that sent the DHCP request.
Suboption Fields
In the default suboption configuration, when the described sequence of events occurs, the values in these fields do not change (see the illustration, Suboption Packet Formats):
- Circuit-ID suboption fields:
  - Suboption type
  - Length of the suboption type
  - Circuit-ID type
  - Length of the circuit-ID type
- Remote-ID suboption fields:
  - Suboption type
  - Length of the suboption type
  - Remote-ID type
  - Length of the remote-ID type
In the port field of the circuit ID suboption, the port numbers start at 3. For example, on a switch with 24 10/100/1000 ports and four small form-factor pluggable (SFP) module slots, port 3 is the Gigabit Ethernet 1/0/1 port, port 4 is the Gigabit Ethernet 1/0/2 port, and so forth. Port 27 is the SFP module slot Gigabit Ethernet 1/0/25, and so forth.
The illustration, Suboption Packet Formats, shows the packet formats for the remote-ID suboption and the circuit-ID suboption when the default suboption configuration is used. For the circuit-ID suboption, the module number corresponds to the switch number in the stack. The switch uses the packet formats when you globally enable DHCP snooping and enter the ip dhcp snooping information option global configuration command.
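Circuit ID Suboption Frame Format
Field | Value | Size |
---|---|---|
Suboption type | 1 | 1 byte |
Length | 6 | 1 byte |
Circuit ID type | 0 | 1 byte |
Length | 4 | 1 byte |
VLAN | | 2 bytes |
Module | | 1 byte |
Port | | 1 byte |
Remote ID Suboption Frame Format
Field | Value | Size |
---|---|---|
Suboption type | 2 | 1 byte |
Length | 8 | 1 byte |
Remote ID type | 0 | 1 byte |
Length | 6 | 1 byte |
MAC address | | 6 bytes |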
The illustration, User-Configured Suboption Packet Formats, shows the packet formats for user-configured remote-ID and circuit-ID suboptions. The switch uses these packet formats when DHCP snooping is globally enabled and when the ip dhcp snooping information option format remote-id global configuration command and the ip dhcp snooping vlan information option format-type circuit-id string interface configuration command are entered.
The values for these fields in the packets change from the default values when you configure the remote-ID and circuit-ID suboptions:
- Circuit-ID suboption fields:
  - The circuit-ID type is 1.
  - The length values are variable, depending on the length of the string that you configure.
- Remote-ID suboption fields:
  - The remote-ID type is 1.
  - The length values are variable, depending on the length of the string that you configure.
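
The suboption layouts described above can be decoded mechanically, for example when auditing the option-82 values a DHCP server logs or echoes. The following decoder is an added example, not Cisco code. It assumes that a user-configured string sits behind the same inner type/length header as the default format, and that interface names follow this page's GigabitEthernet example (port field minus 2); the sample bytes are constructed.

```python
"""Decode DHCP option-82 suboptions in the layouts this page describes (added example)."""
import struct
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

CIRCUIT_ID, REMOTE_ID = 1, 2      # suboption types from the frame formats
FMT_DEFAULT, FMT_STRING = 0, 1    # circuit-ID / remote-ID type: 0 default, 1 user-configured

# Constructed sample: VLAN 10, module (stack member) 1, port field 3,
# remote ID = switch MAC 0001.0001.0005. Not taken from a real capture.
SAMPLE_DEFAULT = bytes.fromhex("01060004000a0103" "02080006000100010005")


@dataclass
class Option82:
    vlan: Optional[int] = None
    module: Optional[int] = None
    port: Optional[int] = None
    circuit_string: Optional[str] = None
    remote_mac: Optional[str] = None
    remote_string: Optional[str] = None

    def interface(self) -> Optional[str]:
        """Map the port field to an interface name.

        Assumption: naming follows the page's example, where port fields
        start at 3 (3 -> Gigabit Ethernet 1/0/1) and module is the stack member.
        """
        if self.module is None or self.port is None or self.port < 3:
            return None
        return f"GigabitEthernet{self.module}/0/{self.port - 2}"


def suboptions(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) for each suboption TLV, rejecting truncated input."""
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated suboption header")
        sub_type, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"suboption {sub_type}: length {length} exceeds payload")
        yield sub_type, value
        i += 2 + length


def split_inner(name: str, value: bytes) -> Tuple[int, bytes]:
    """Split the inner type/length header and check the two lengths agree."""
    if len(value) < 2 or value[1] != len(value) - 2:
        raise ValueError(f"{name}: inner length disagrees with suboption length")
    return value[0], value[2:]


def parse_option82(payload: bytes) -> Option82:
    """Parse the option-82 payload (the bytes after the option code and length)."""
    out = Option82()
    for sub_type, value in suboptions(payload):
        if sub_type not in (CIRCUIT_ID, REMOTE_ID):
            continue  # suboptions this page does not describe are skipped
        name = "circuit-ID" if sub_type == CIRCUIT_ID else "remote-ID"
        fmt, data = split_inner(name, value)
        if fmt == FMT_STRING:
            # Assumption: a configured string follows the same inner header.
            text = data.decode("ascii", errors="replace")
            if sub_type == CIRCUIT_ID:
                out.circuit_string = text
            else:
                out.remote_string = text
        elif fmt == FMT_DEFAULT and sub_type == CIRCUIT_ID:
            if len(data) != 4:
                raise ValueError("default circuit-ID must be VLAN(2) module(1) port(1)")
            out.vlan, out.module, out.port = struct.unpack("!HBB", data)
        elif fmt == FMT_DEFAULT:
            if len(data) != 6:
                raise ValueError("default remote-ID must be a 6-byte MAC address")
            h = data.hex()
            out.remote_mac = f"{h[0:4]}.{h[4:8]}.{h[8:12]}"
        else:
            raise ValueError(f"{name}: unknown format type {fmt}")
    return out


def inserted_by(opt: Option82, switch_mac: str) -> bool:
    """True if the default remote ID names this switch (the reply-path check)."""
    def norm(mac: str) -> str:
        return "".join(c for c in mac.lower() if c in "0123456789abcdef")
    return opt.remote_mac is not None and norm(opt.remote_mac) == norm(switch_mac)


if __name__ == "__main__":
    decoded = parse_option82(SAMPLE_DEFAULT)
    print(decoded, decoded.interface())
```
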
Cisco IOS DHCP Server Database
During the DHCP-based autoconfiguration process, the designated DHCP server uses the Cisco IOS DHCP server database. It contains IP addresses, address bindings, and configuration parameters, such as the boot file. An address binding is a mapping between an IP address and a MAC address of a host in the Cisco IOS DHCP server database. You can manually assign the client IP address, or the DHCP server can allocate an IP address from a DHCP address pool.
DHCP Snooping Binding Database
When DHCP snooping is enabled, the switch uses the DHCP snooping binding database to store information about untrusted interfaces. The database can have up to 64,000 bindings.
Each database entry (binding) includes an IP address, an associated MAC address, the lease time (in hexadecimal format), the interface to which the binding applies, and the VLAN to which the interface belongs. The database agent stores the bindings in a file at a configured location. At the end of each entry is a checksum that accounts for all the bytes from the start of the file through all the bytes associated with the entry. Each entry is 77 bytes, followed by a space, the checksum value, and the EOL symbol.
To retain the bindings when the switch reloads, you must use the DHCP snooping database agent. If the agent is disabled, dynamic ARP inspection or IP source guard is enabled, and the DHCP snooping binding database has dynamic bindings, the switch loses its connectivity. If the agent is disabled and only DHCP snooping is enabled, the switch does not lose its connectivity, but DHCP snooping might not prevent DHCP spoofing attacks.
When reloading, the switch reads the binding file to build the DHCP snooping binding database. The switch updates the file when the database changes.
When a switch learns of new bindings or when it loses bindings, the switch immediately updates the entries in the database. The switch also updates the entries in the binding file. The frequency at which the file is updated is based on a configurable delay, and the updates are batched. If the file is not updated in a specified time (set by the write-delay and abort-timeout values), the update stops.
This is the format of the file with bindings:
```
<initial-checksum>
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
<entry-1> <checksum-1>
<entry-2> <checksum-1-2>
<entry-n> <checksum-1-2-..-n>
END
```
Each entry in the file is tagged with a checksum value that the switch uses to verify the entries when it reads the file. The initial-checksum entry on the first line distinguishes entries associated with the latest file update from entries associated with a previous file update.
This is an example of a binding file:
```
3ebe1518
TYPE DHCP-SNOOPING
VERSION 1
BEGIN
10.1.1.1 512 001.0001.0005 3EBE2881 Gil/1 e5e1e733
10.1.1.1 512 001.0001.0002 3EBE2881 Gil/1 4b3486ec
10.1.1.1 1536 001.0001.0004 3EBE2881 Gil/1 f0e02872
10.1.1.1 1024 001.0001.0003 3EBE2881 Gil/1 ac41adf9
10.1.1.1 1 001.0001.0001 3EBE2881 Gil/1 34b3273e
END
```
When the switch starts and the calculated checksum value equals the stored checksum value, the switch reads entries from the binding file and adds the bindings to its DHCP snooping binding database. The switch ignores an entry when one of these situations occurs:
- The switch reads the entry and the calculated checksum value does not equal the stored checksum value. The entry and the ones following it are ignored.
- An entry has an expired lease time (the switch might not remove a binding entry when the lease time expires).
- The interface in the entry no longer exists on the system.
- The interface is a routed interface or a DHCP snooping-trusted interface.
Default DHCP Snooping Configuration
Feature | Default Setting |
---|---|
DHCP server | Enabled in Cisco IOS software, requires configuration¹ |
DHCP relay agent | Enabled² |
DHCP packet forwarding address | None configured |
Checking the relay agent information | Enabled (invalid messages are dropped) |
DHCP relay agent forwarding policy | Replace the existing relay agent information |
DHCP snooping enabled globally | Disabled |
DHCP snooping information option | Enabled |
DHCP snooping option to accept packets on untrusted input interfaces | Disabled³ |
DHCP snooping limit rate | None configured |
DHCP snooping trust | Untrusted |
DHCP snooping VLAN | Disabled |
DHCP snooping MAC address verification | Enabled |
Cisco IOS DHCP server binding database | Enabled in Cisco IOS software, requires configuration. Note: The switch gets network addresses and configuration parameters only from a device configured as a DHCP server. |
DHCP snooping binding database agent | Enabled in Cisco IOS software, requires configuration. This feature is operational only when a destination is configured. |
¹ The switch responds to DHCP requests only if it is configured as a DHCP server.
² The switch relays DHCP packets only if the IP address of the DHCP server is configured on the SVI of the DHCP client.
³ Use this feature when the switch is an aggregation switch that receives packets with option-82 information from an edge switch.
DHCP Snooping Configuration Guidelines
- If a switch port is connected to a DHCP server, configure the port as trusted by entering the ip dhcp snooping trust interface configuration command.
- If a switch port is connected to a DHCP client, configure the port as untrusted by entering the no ip dhcp snooping trust interface configuration command.
- You can display DHCP snooping statistics by entering the show ip dhcp snooping statistics user EXEC command, and you can clear the snooping statistics counters by entering the clear ip dhcp snooping statistics privileged EXEC command.
DHCP Server Port-Based Address Allocation
DHCP server port-based address allocation is a feature that enables DHCP to maintain the same IP address on an Ethernet switch port regardless of the attached device client identifier or client hardware address.
How to Configure DHCP
Configuring the DHCP Server
The switch can act as a DHCP server. If the DHCP server is used for DHCP clients on management ports, both the DHCP pool and the corresponding interface must be configured using the Management VRF.
Configuring the DHCP Relay Agent
Follow these steps to enable the DHCP relay agent on the switch:
Step | Command or Action | Purpose |
---|---|---|
1 | enable Example: Device> enable | Enables privileged EXEC mode. Enter your password if prompted. |
2 | configure terminal Example: Device# configure terminal | Enters global configuration mode. |
3 | service dhcp Example: Device(config)# service dhcp | Enables the DHCP server and relay agent on your switch. By default, this feature is enabled. |
4 | end Example: Device(config)# end | Exits global configuration mode and returns to privileged EXEC mode. |
What to do next
- Checking (validating) the relay agent information
- Configuring the relay agent forwarding policy
Specifying the Packet Forwarding Address
If the DHCP server and the DHCP clients are on different networks or subnets, you must configure the switch with the ip helper-address address interface configuration command. The general rule is to configure the command on the Layer 3 interface closest to the client. The address used in the ip helper-address command can be a specific DHCP server IP address, or it can be the network address if other DHCP servers are on the destination network segment. Using the network address enables any DHCP server to respond to requests. Perform these steps to specify the packet forwarding address:
Step | Command or Action | Purpose |
---|---|---|
1 | enable Example: Device> enable | Enables privileged EXEC mode. Enter your password if prompted. |
2 | configure terminal Example: Device# configure terminal | Enters global configuration mode. |
3 | interface vlan vlan-id Example: Device(config)# interface vlan 1 | Creates a switch virtual interface by entering a VLAN ID, and enters interface configuration mode. |
4 | ip address ip-address subnet-mask Example: Device(config-if)# ip address 192.108.1.27 255.255.255.0 | Configures the interface with an IP address and an IP subnet. |
5 | ip helper-address address Example: Device(config-if)# ip helper-address 172.16.1.2 | Specifies the DHCP packet forwarding address. |
6 | exit Example: Device(config-if)# exit | Exits interface configuration mode and returns to global configuration mode. |
7 | Use one of the following: • interface range port-range • interface interface-id Example: Device(config)# interface gigabitethernet 1/0/2 | Configures multiple physical ports that are connected to the DHCP clients, and enters interface range configuration mode; or configures a single physical port that is connected to the DHCP client, and enters interface configuration mode. |
8 | switchport mode access Example: Device(config-if)# switchport mode access | Defines the VLAN membership mode for the port. |
9 | switchport access vlan vlan-id Example: Device(config-if)# switchport access vlan 1 | Assigns the ports to the same VLAN as configured in Step 2. |
10 | end Example: Device(config-if)# end | Exits interface configuration mode and returns to privileged EXEC mode. |
Configuring DHCP for IPv6 Address Assignment
Default DHCPv6 Address Assignment Configuration
By default, no DHCPv6 features are configured on the switch.
DHCPv6 Address Assignment Configuration Guidelines
The following prerequisites apply when configuring DHCPv6 address assignment:
- In the following procedures, the specified interface must be one of these Layer 3 interfaces:
  - If the IPv6 address is not explicitly configured, enable IPv6 routing by using the ipv6 enable command.
  - DHCPv6 routing must be enabled on a Layer 3 interface.
  - SVI: A VLAN interface created by using the interface vlan vlan_id command.
  - EtherChannel port channel in Layer 3 mode: a port-channel logical interface created by using the interface port-channel port-channel-number command.
- The device can act as a DHCPv6 client, server, or relay agent. The DHCPv6 client, server, and relay function are mutually exclusive on an interface.
- Beginning from Cisco IOS XE Gibraltar 16.11.1, a DHCPv6 address will contain interface identifiers that are not part of the reserved interface identifiers range specified in RFC5453.
Enabling DHCPv6 Server Function (CLI)
Use the no form of the DHCP pool configuration mode commands to change the DHCPv6 pool characteristics. To disable the DHCPv6 server function on an interface, use the no ipv6 dhcp server interface configuration command.
To enable the DHCPv6 server function on an interface, perform this procedure:
Step | Command or Action | Purpose |
---|---|---|
1 | enable Example: Device> enable | Enables privileged EXEC mode. Enter your password if prompted. |
2 | configure terminal Example: Device# configure terminal | Enters global configuration mode. |
3 | ipv6 dhcp pool poolname Example: Device(config)# ipv6 dhcp pool 7 | Enters DHCP pool configuration mode, and defines the name for the IPv6 DHCP pool. The pool name can be a symbolic string (such as Engineering) or an integer (such as 0). |
4 | address prefix IPv6-prefix {lifetime} {t1 t1 \| infinite} Example: Device(config-dhcpv6)# address prefix 2001:1000::0/64 lifetime 3600 | (Optional) Specifies an address prefix for address assignment. This address must be in hexadecimal, using 16-bit values between colons. lifetime t1 t1: Specifies a time interval (in seconds) that an IPv6 address prefix remains in the valid state. The range is 5 to 4294967295 seconds. Specify infinite for no time interval. |
5 | link-address IPv6-prefix Example: Device(config-dhcpv6)# link-address 2001:1002::0/64 | (Optional) Specifies a link-address IPv6 prefix. When an address on the incoming interface or a link-address in the packet matches the specified IPv6 prefix, the server uses the configuration information pool. This address must be in hexadecimal, using 16-bit values between colons. |
6 | vendor-specific vendor-id Example: Device(config-dhcpv6)# vendor-specific 9 | (Optional) Enters vendor-specific configuration mode and specifies a vendor-specific identification number. This number is the vendor IANA Private Enterprise Number. The range is 1 to 4294967295. |
7 | suboption number {address IPv6-address \| ascii ASCII-string \| hex hex-string} Example: Device(config-dhcpv6-vs)# suboption 1 address 1000:235D:: | (Optional) Enters a vendor-specific suboption number. The range is 1 to 65535. Enter an IPv6 address, ASCII text, or a hex string as defined by the suboption parameters. |
8 | exit Example: Device(config-dhcpv6-vs)# exit | Returns to DHCP pool configuration mode. |
9 | exit Example: Device(config-dhcpv6)# exit | Returns to global configuration mode. |
10 | interface interface-id Example: Device(config)# interface gigabitethernet 1/0/1 | Enters interface configuration mode, and specifies the interface to configure. |
11 | ipv6 dhcp server [poolname \| automatic] [rapid-commit] [preference value] [allow-hint] Example: Device(config-if)# ipv6 dhcp server automatic | Enables DHCPv6 server function on an interface. |
12 | end Example: Device(config-if)# end | Returns to privileged EXEC mode. |
Enabling DHCPv6 Client Function
To enable the DHCPv6 client on an interface, perform this procedure:
Step | Command or Action | Purpose |
---|---|---|
1 | enable Example: Device> enable | Enables privileged EXEC mode. Enter your password if prompted. |
2 | configure terminal Example: Device# configure terminal | Enters global configuration mode. |
3 | interface interface-id Example: Device(config)# interface gigabitethernet 1/0/1 | Enters interface configuration mode, and specifies the interface to configure. |
4 | ipv6 address dhcp [rapid-commit] Example: Device(config-if)# ipv6 address dhcp rapid-commit | Enables the interface to acquire an IPv6 address from the DHCPv6 server. rapid-commit: (Optional) Allows the two-message exchange method for address assignment. |
5 | ipv6 dhcp client request [vendor-specific] Example: Device(config-if)# ipv6 dhcp client request vendor-specific | (Optional) Enables the interface to request the vendor-specific option. |
6 | end Example: Device(config)# end | Returns to privileged EXEC mode. |
7 | show ipv6 dhcp interface Example: Device# show ipv6 dhcp interface | Verifies that the DHCPv6 client is enabled on an interface. |
Enabling the Cisco IOS DHCP Server Database
For procedures to enable and configure the Cisco IOS DHCP server database, see the “DHCP Configuration Task List” section in the “Configuring DHCP” chapter of the Cisco IOS IP Configuration Guide.
Enabling the DHCP Snooping Binding Database Agent
Beginning in privileged EXEC mode, follow these steps to enable and configure the DHCP snooping binding database agent on the switch:
Step | Command or Action | Purpose |
---|---|---|
1 | enable Example: Device> enable | Enables privileged EXEC mode. Enter your password if prompted. |
2 | configure terminal Example: Device# configure terminal | Enters global configuration mode. |
3 | ip dhcp snooping database {flash[number]:/filename \| ftp://user:password@host/filename \| http://[[username:password]@]{hostname \| host-ip}[/directory]/image-name.tar \| rcp://user@host/filename \| scp://user@host/filename \| tftp://host/filename} Example: Device(config)# ip dhcp snooping database tftp://10.90.90.90/snooping-rp2 | Specifies the URL for the database agent or the binding file by using one of these forms: |
4 | ip dhcp snooping database timeout seconds Example: Device(config)# ip dhcp snooping database timeout 300 | Specifies (in seconds) how long to wait for the database transfer process to finish before stopping the process. The default is 300 seconds. The range is 0 to 86400. Use 0 to define an infinite duration, which means to continue trying the transfer indefinitely. |
5 | ip dhcp snooping database write-delay seconds Example: Device(config)# ip dhcp snooping database write-delay 15 | Specifies the duration for which the transfer should be delayed after the binding database changes. The range is from 15 to 86400 seconds. The default is 300 seconds (5 minutes). |
6 | exit Example: Device(config)# exit | Exits global configuration mode and returns to privileged EXEC mode. |
7 | ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id expiry seconds Example: Device# ip dhcp snooping binding 0001.1234.1234 vlan 1 172.20.50.5 gigabitethernet 1/1/0 expiry 1000 | (Optional) Adds binding entries to the DHCP snooping binding database. The vlan-id range is from 1 to 4904. The seconds range is from 1 to 4294967295. Enter this command for each entry that you add. Use this command when you are testing or debugging the switch. |
8 | show ip dhcp snooping database [detail] Example: Device# show ip dhcp snooping database detail | Displays the status and statistics of the DHCP snooping binding database agent. |
Monitoring DHCP Snooping Information
Command | Purpose |
---|---|
show ip dhcp snooping | Displays the DHCP snooping configuration for a switch. |
show ip dhcp snooping binding | Displays only the dynamically configured bindings in the DHCP snooping binding database, also referred to as a binding table. |
show ip dhcp snooping database | Displays the DHCP snooping binding database status and statistics. |
show ip dhcp snooping statistics | Displays the DHCP snooping statistics in summary or detail form. |
show ip source binding | Displays the dynamically and statically configured bindings. |
Note: If DHCP snooping is enabled and an interface changes to the down state, the switch does not delete the statically configured bindings.
Enabling DHCP Server Port-Based Address Allocation
Follow these steps to globally enable port-based address allocation and to automatically generate a subscriber identifier on an interface.
Step | Command or Action | Purpose |
---|---|---|
1 | enable Example: Device> enable | Enables privileged EXEC mode. Enter your password if prompted. |
2 | configure terminal Example: Device# configure terminal | Enters global configuration mode. |
3 | ip dhcp use subscriber-id client-id Example: Device(config)# ip dhcp use subscriber-id client-id | Configures the DHCP server to globally use the subscriber identifier as the client identifier on all incoming DHCP messages. |
4 | ip dhcp subscriber-id interface-name Example: Device(config)# ip dhcp subscriber-id interface-name | Automatically generates a subscriber identifier based on the short name of the interface. A subscriber identifier configured on a specific interface takes precedence over this command. |
5 | interface interface-type interface-number Example: Device(config)# interface gigabitethernet 1/0/1 | Specifies the interface to be configured, and enters interface configuration mode. |
6 | ip dhcp server use subscriber-id client-id Example: Device(config-if)# ip dhcp server use subscriber-id client-id | Configures the DHCP server to use the subscriber identifier as the client identifier on all incoming DHCP messages on the interface. |
7 | end Example: Device(config-if)# end | Exits interface configuration mode and returns to privileged EXEC mode. |
What to do next
After enabling DHCP port-based address allocation on the switch, use the ip dhcp pool global configuration command to preassign IP addresses and to associate them with clients.
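The procedure above, followed by the pool preassignment it leads to, shown as one configuration session. This is an added example, not part of the original guide: the pool name, the network, the preassigned address, and the client-id string "Gi1/0/1" (assumed here to be the short name generated for gigabitethernet 1/0/1) are constructed values.

```cisco
! Added example with constructed values; adjust names and addresses to your network.
Device> enable
Device# configure terminal
! Globally treat the subscriber identifier as the client identifier
! on all incoming DHCP messages.
Device(config)# ip dhcp use subscriber-id client-id
! Generate the subscriber identifier from the interface short name.
Device(config)# ip dhcp subscriber-id interface-name
! Apply the same behaviour on the interface itself.
Device(config)# interface gigabitethernet 1/0/1
Device(config-if)# ip dhcp server use subscriber-id client-id
Device(config-if)# exit
! Preassign an address to the port: the client-id string must match the
! subscriber identifier generated for that interface (assumed "Gi1/0/1").
Device(config)# ip dhcp pool dhcppool
Device(dhcp-config)# network 10.1.1.0 255.255.255.0
Device(dhcp-config)# address 10.1.1.7 client-id "Gi1/0/1" ascii
Device(dhcp-config)# end
! Confirm the pool and the resulting binding.
Device# show ip dhcp pool
Device# show ip dhcp binding
```

Because the server keys the lease on the subscriber identifier rather than on what the host sends as its client identifier, the address stays with the port when the attached device is replaced.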
Monitoring DHCP Server Port-Based Address Allocation
Command | Purpose |
---|---|
show interface interface id | Displays the status and configuration of a specific interface. |
show ip dhcp pool | Displays the DHCP address pools. |
show ip dhcp binding | Displays address bindings on the Cisco IOS DHCP server. |
Feature History for DHCP
This table provides release and related information for the features explained in this module. These features are available in all the releases subsequent to the one they were introduced in, unless noted otherwise.
Release | Feature | Feature Information |
---|---|---|
Cisco IOS XE Everest 16.5.1a | DHCP | DHCP provides configuration parameters to Internet hosts. DHCP consists of two components: a protocol for delivering host-specific configuration parameters from a DHCP Server to a host and a mechanism for allocating network addresses to hosts. DHCP is built on a client/server model, where designated DHCP Server hosts allocate network addresses and deliver configuration parameters to dynamically configured hosts. |
Cisco IOS XE Fuji 16.8.1a | DHCP | Support for this feature was introduced only on the C9500-12Q, C9500-16X, C9500-24Q, C9500-40X models of the Cisco Catalyst 9500 Series Switches. |
Cisco IOS XE Fuji 16.8.1a | DHCP Client Option 12 | The DHCP Client Option 12 feature specifies the hostname of the client. While acquiring an IP address for an interface from the Dynamic Host Configuration Protocol (DHCP) server, if the client device receives the DHCP Hostname option inside the response, the hostname from that option is set. DHCP is used by DHCP clients to obtain configuration information for operation in an IP network. |
Use the Cisco Feature Navigator to find information about platform and software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.