Introduction :
The switch snoops DHCP messages and builds a database, known as the DHCP snooping database.
Each entry in the DHCP snooping database is called a binding entry; it binds the valid IP address assigned to a client to that client's MAC address.
A binding is valid until the lease expires or the client explicitly releases the address by sending a DHCP release message.
For clients that are configured with a static IP address, static DHCP snooping bindings can be configured.
The DHCP snooping database is periodically saved to the switch flash memory. The database is automatically updated from flash when the switch reboots.
DHCP snooping bindings are used to support security features such as Dynamic ARP Inspection (DAI) and IP Source Guard (IPSG).
Configuration Steps :
Create a DHCP snooping VLAN profile and enable DHCP snooping.
(SW-3) (config) #vlan-profile dhcp-snooping-profile DHCP_SNOOPING
(SW-3) (dhcp-snooping-profile "DHCP_SNOOPING") #enable
Apply the DHCP snooping profile to the VLAN.
(SW-3) (config) #vlan 5
(SW-3) (VLAN "5") #dhcp-snooping-profile DHCP_SNOOPING
Create a static DHCP snooping binding.
(SW-3) (VLAN "5") #dhcp-snooping-database 00:00:00:00:00:01 gigabitethernet 3/0/20 1.1.1.1
The database can be saved manually with the command “write dhcp-snooping-database”.
(SW-3) #show dhcp-snooping-database
Total DHCP Snoop Entries : 2
Learnt Entries : 1, Static Entries : 1
DHCP Snoop Table
----------------
MAC                IP             BINDING-STATE  LEASE-TIME                 VLAN-ID  INTERFACE
---                --             -------------  ----------                 -------  ---------
00:00:00:00:00:01  1.1.1.1        Static entry   No lease time              5        gigabitethernet3/0/20
00:00:00:5f:2c:7d  172.5.255.254  Dynamic entry  2013-11-01 00:38:02 (PST)  5        gigabitethernet3/0/20
(SW-3) #clear dhcp-snooping-database ?
all Clear the dynamic entries in DHCP Snooping database
vlan Snooping learnt on this VLAN
(SW-3) #show dhcp-snooping-database
Total DHCP Snoop Entries : 2
Learnt Entries : 2, Static Entries : 0
DHCP Snoop Table
----------------
MAC          IP         BINDING-STATE  LEASE-TIME                 VLAN-ID  INTERFACE
---          --         -------------  ----------                 -------  ---------
A:B:C:D:E:F  1.1.1.1    Dynamic entry  2013-11-01 00:38:02 (PST)  5        g3/0/20
U:V:W:X:Y:Z  172.5.2.2  Dynamic entry  2013-11-01 00:38:02 (PST)  5        g3/0/20
(SW-3) #clear dhcp-snooping-database all
(SW-3) #show dhcp-snooping-database
Total DHCP Snoop Entries : 0
Learnt Entries : 0, Static Entries : 0
Troubleshooting :
Debugging using traceoptions.
DHCP Snooping traceoptions.
(SW-3) (config) #traceoptions
(SW-3) (traceoptions) #dhcp-snoop flags ?
all Enable tracing on all DHCP SNOOP modules
cfg Enable DHCP SNOOP error tracing
debug Enable DHCP SNOOP general debug tracing
errors Enable DHCP SNOOP error tracing
receive Enable DHCP SNOOP dhcp packets receive (RX) tracing
timer Enable DHCP SNOOP timer) tracing
<cr>
(SW-3) (config) #vlan-profile dhcp-snooping-profile DHCP_SNOOPING
(SW-3) (dhcp-snooping-profile "DHCP_SNOOPING") #no enable
(SW-3) (dhcp-snooping-profile "DHCP_SNOOPING") #enable
(SW-3) (dhcp-snooping-profile "DHCP_SNOOPING") #end
[DHCP_SNOOP-CFG] instname "DHCP_SNOOPING" groupname "dhcp_snooping_prof" num_refs 1
[DHCP_SNOOP-CFG] Apply dhcp-snoop-profile (DHCP_SNOOPING) to vlan 5
[DHCP_SNOOP-CFG] dhcp_snoop_init_config called
[DHCP_SNOOP-CFG] dhcp_snoop_req_config_sync called
[DHCP_SNOOP-CFG] vlan_update_dhcp_snoop_configs called
[DHCP_SNOOP-CFG] DHCP snoop : 0 for vlan 5 , where 1 :enable 0 :disbale
[DHCP_SNOOP-CFG] instname "DHCP_SNOOPING" groupname "dhcp_snooping_prof" num_refs 1
[DHCP_SNOOP-CFG] Apply dhcp-snoop-profile (DHCP_SNOOPING) to vlan 5
[DHCP_SNOOP-CFG] dhcp_snoop_init_config called
[DHCP_SNOOP-CFG] dhcp_snoop_req_config_sync called
[DHCP_SNOOP-CFG] vlan_update_dhcp_snoop_configs called
[DHCP_SNOOP-CFG] DHCP snoop : 1 for vlan 5 , where 1 :enable 0 :disbale
DHCP snooping packet receive (RX) and debug trace output.
[DHCP_SNOOP-RECV] DHCP DISCOVER packet received with client mac address 00:00:00:5f:2c:7d on vlan 5
[DHCP_SNOOP-RECV] DHCP OFFER packet received with client mac address 00:00:00:5f:2c:7d on vlan 5
[DHCP_SNOOP-RECV] DHCP REQUEST packet received with client mac address 00:00:00:5f:2c:7d on vlan 5
[DHCP_SNOOP] Context added for DHCP Request packet with mac : 00:00:00:5f:2c:7d and vlan 5 and interface : gigabitethernet3/0/20
[DHCP_SNOOP-RECV] DHCP ACK packet received with client mac address 00:00:00:5f:2c:7d on vlan 5 Client IP ac05fffe
[DHCP_SNOOP] Context table found , interface info fetched by context table during dynamic snoop entry addition for the mac address 00:00:00:5f:2c:7d and vlan 5
[DHCP_SNOOP] DHCP Snoop dynamic entry added , vlan_id :5mac address 00:00:00:5f:2c:7dip address ac05fffeinterface gigabitethernet3/0/20binding type 2
[DHCP_SNOOP] Context deleted for DHCP packet with mac : 00:00:00:5f:2c:7d and vlan 5 and interface : gigabitethernet3/0/20
[DHCP_SNOOP-RECV] DHCP RELEASE packet received with client mac address 00:00:00:5f:2c:7d on vlan 5 Client IP 0
[DHCP_SNOOP] DHCP Snoop dynamic entry deleted , vlan_id :5mac address 00:00:00:5f:2c:7dip address ac05fffebinding type 2
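The trace above prints the client IP as bare hex (ac05fffe is the 172.5.255.254 shown in the binding table) and runs the fields of the entry added/deleted lines together. The following Python sketch is an added example, not part of the original article or the switch software: it replays such a trace to rebuild the binding table, assuming the line format is exactly as shown above and that a short hex value has lost its leading zeros.

```python
import ipaddress
import re

# Trace lines copied from the DHCP_SNOOP output on this page.
TRACE = """\
[DHCP_SNOOP-RECV] DHCP REQUEST packet received with client mac address 00:00:00:5f:2c:7d on vlan 5
[DHCP_SNOOP-RECV] DHCP ACK packet received with client mac address 00:00:00:5f:2c:7d on vlan 5 Client IP ac05fffe
[DHCP_SNOOP] DHCP Snoop dynamic entry added , vlan_id :5mac address 00:00:00:5f:2c:7dip address ac05fffeinterface gigabitethernet3/0/20binding type 2
[DHCP_SNOOP-RECV] DHCP RELEASE packet received with client mac address 00:00:00:5f:2c:7d on vlan 5 Client IP 0
[DHCP_SNOOP] DHCP Snoop dynamic entry deleted , vlan_id :5mac address 00:00:00:5f:2c:7dip address ac05fffebinding type 2
""".splitlines()

MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
RECV = re.compile(r"DHCP (\w+) packet received with client mac address " + MAC +
                  r" on vlan (\d+)(?: Client IP ([0-9a-f]+))?")
# Fields in the entry lines run together, so anchor on the literal labels.
ENTRY = re.compile(r"dynamic entry (added|deleted) , vlan_id :(\d+)\s*mac address " + MAC +
                   r"\s*ip address ([0-9a-f]{1,8})\s*(?:interface (\S+?))?\s*binding type (\d+)")

def hex_to_ip(value):
    """Decode the trace's bare-hex IPv4 form: ac05fffe -> 172.5.255.254."""
    return str(ipaddress.IPv4Address(int(value, 16)))

def replay(lines):
    """Apply added/deleted events in order; return (live bindings, history)."""
    bindings, history = {}, []
    for line in lines:
        m = ENTRY.search(line)
        if m:
            action, vlan, mac, ip, port, _btype = m.groups()
            key = (int(vlan), mac)          # a binding is keyed by VLAN and MAC
            if action == "added":
                bindings[key] = (hex_to_ip(ip), port)
            else:
                bindings.pop(key, None)     # deleted lines carry no interface
            history.append((action, mac, hex_to_ip(ip)))
            continue
        m = RECV.search(line)
        if m:
            msg, mac, _vlan, ip = m.groups()
            history.append((msg, mac, hex_to_ip(ip) if ip else None))
    return bindings, history

if __name__ == "__main__":
    print(replay(TRACE[:3])[0])   # binding table after the ACK
    print(replay(TRACE)[0])       # binding table after the RELEASE
```

The replayed table can be compared with the output of "show dhcp-snooping-database" when checking why a binding that DAI or IPSG depends on is missing.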