Saturday, June 8, 2024

Cisco 132 - DHCP Snooping

Turns on a feature that inspects DHCP messages arriving on untrusted ports and discards the ones that shouldn't be there.

Inspection applies to "untrusted" ports (those downstream from the real DHCP server -- typically facing end user devices).  Once snooping is enabled, every port is untrusted unless it is explicitly configured as trusted.

SW2(config)#ip dhcp snooping
^ Globally turn on DHCP Snooping

SW2(config)#ip dhcp snooping vlan 1
^ And turn it on for each VLAN - in this case, VLAN 1.

SW1(config)#no ip dhcp snooping information option
SW2(config)#no ip dhcp snooping information option
^ Turns off the default behavior in which each switch adds "Option 82" (the relay agent information option) to DHCP messages it receives from clients.

R1 <--> SW2 <--> SW1 <--> PC1

By default, Cisco switches drop DHCP messages carrying Option 82 that arrive on an untrusted port.  In a design like the one above, SW1 would (by default) add Option 82 to PC1's DHCP messages even though it is not the relay agent.  When SW2 receives such a message from SW1 on a downstream (untrusted) port, it applies the same default and drops it, so the client's request never reaches the server.

By running the command above, we tell the switch not to add Option 82.



SW2(config)#int g0/0
SW2(config-if)#ip dhcp snooping trust
^ Configures this port as a "trusted" port.  DHCP messages arriving on trusted ports are not inspected.  Do this on each port that points "toward" the real DHCP server.

SW1#show ip dhcp snooping binding
^ Displays the DHCP Snooping binding table, which holds what the switch learned from the DHCP exchanges it inspected:
MacAddress - MAC of the client
IpAddress - IP given to the client
Lease - DHCP lease time, in seconds
VLAN - VLAN the client is in
Interface - Switch port the client is connected to
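To make the filtering rules above concrete, here is a small model of the decisions an untrusted port makes and of how the binding table gets populated.  This is an added example written for these notes, not Cisco code and not from the course; the port names, VLAN, client MAC and 192.0.2.x addresses are constructed, and the model is a simplification (it tracks the client's port from its DISCOVER/REQUEST so the server's ACK, arriving on the trusted uplink, can be bound to that port).

```python
from dataclasses import dataclass

# Message types only a DHCP server originates; one of these arriving on an
# untrusted port means a rogue server (or a missing 'trust' on the uplink).
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpMessage:
    kind: str               # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, DECLINE
    client_mac: str         # client hardware address the message concerns
    in_port: str            # switch port the frame arrived on
    vlan: int
    yiaddr: str = ""        # address handed out (OFFER/ACK)
    lease: int = 0          # lease time in seconds (ACK)
    option82: bool = False  # relay agent information option present


@dataclass
class Binding:
    mac: str
    ip: str
    lease: int
    vlan: int
    interface: str


class DhcpSnooping:
    """One switch's snooping state: snooped VLANs, trusted ports, binding table."""

    def __init__(self, vlans, trusted_ports, information_option=False):
        self.vlans = set(vlans)                        # 'ip dhcp snooping vlan N'
        self.trusted = set(trusted_ports)              # ports with 'ip dhcp snooping trust'
        self.information_option = information_option  # 'ip dhcp snooping information option'
        self.bindings = {}  # (mac, vlan) -> Binding, i.e. 'show ip dhcp snooping binding'
        self._pending = {}  # (mac, vlan) -> untrusted port the client's request came in on

    def process(self, msg):
        """Decide 'forward' or 'drop' for one message and update state; returns (verdict, reason)."""
        if msg.vlan not in self.vlans:
            return "forward", "snooping not enabled on this VLAN"
        key = (msg.client_mac, msg.vlan)
        if msg.in_port in self.trusted:
            # Trusted ports are not inspected, but server ACKs still populate the binding table.
            if msg.kind == "ACK" and key in self._pending:
                self.bindings[key] = Binding(msg.client_mac, msg.yiaddr, msg.lease,
                                             msg.vlan, self._pending.pop(key))
            return "forward", "trusted port"
        # Untrusted port: inspect.
        if msg.kind in SERVER_MESSAGES:
            return "drop", "server message on untrusted port"
        if msg.option82:
            return "drop", "Option 82 received on untrusted port"
        if msg.kind in ("RELEASE", "DECLINE"):
            binding = self.bindings.get(key)
            if binding is None or binding.interface != msg.in_port:
                return "drop", "RELEASE/DECLINE does not match binding table"
            del self.bindings[key]
            return "forward", "binding removed"
        # DISCOVER/REQUEST from a client: note the port so the later ACK can be bound to it.
        self._pending[key] = msg.in_port
        if self.information_option:
            msg.option82 = True  # the upstream switch would then drop this message
        return "forward", "client message on untrusted port"


def run_scenario():
    """Constructed exchange on SW2: server behind trusted g0/0, PC1 on g0/1, rogue server on g0/2."""
    sw = DhcpSnooping(vlans=[1], trusted_ports=["g0/0"])
    pc = "0000.1111.2222"  # constructed client MAC
    messages = [
        DhcpMessage("DISCOVER", pc, "g0/1", 1),
        DhcpMessage("OFFER", pc, "g0/0", 1, yiaddr="192.0.2.10"),
        DhcpMessage("REQUEST", pc, "g0/1", 1),
        DhcpMessage("ACK", pc, "g0/0", 1, yiaddr="192.0.2.10", lease=86400),
        DhcpMessage("OFFER", pc, "g0/2", 1, yiaddr="192.0.2.99"),  # rogue server reply
        DhcpMessage("DISCOVER", pc, "g0/1", 1, option82=True),      # Option 82 added downstream
        DhcpMessage("RELEASE", pc, "g0/3", 1),                      # MAC/port mismatch
    ]
    verdicts = [sw.process(m)[0] for m in messages]
    return verdicts, sw.bindings


if __name__ == "__main__":
    verdicts, table = run_scenario()
    print(verdicts)
    for b in table.values():
        print(b)
```

Running it forwards the four legitimate messages, drops the rogue OFFER, the Option 82 DISCOVER and the mismatched RELEASE, and leaves one binding for PC1 on g0/1.  Building a second switch with `information_option=True` shows the behaviour the notes turn off: its forwarded client messages come out with Option 82 set, which the upstream switch would then drop.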

Rate-Limiting:

SW1(config)#int range g0/1 - 3
SW1(config-if-range)#ip dhcp snooping limit rate 1
^ Limits the rate of DHCP messages the port will accept to 1 per second.  This is far too low for a real network.  If the rate is exceeded, the port is put into the err-disabled state.

Re-enable the interface manually with shut / no shut, or configure it to recover automatically:

SW1(config)#errdisable recovery cause dhcp-rate-limit
^ Turns on automatic recovery of interfaces that were err-disabled for exceeding the DHCP rate limit; recovery happens after the (default) 300 seconds.

SW1#show errdisable recovery
^ Confirms automatic recovery is turned on by listing which err-disable reasons have recovery enabled.
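The rate-limit and err-disable behaviour above, modelled on a timeline so the interaction between the per-second limit, the err-disabled state and the 300-second recovery timer is visible.  This is an added example for these notes, not Cisco code; the port names and packet timestamps are constructed, and the one-second window is an assumption about how the limit is counted.

```python
class DhcpRateLimitedPort:
    """Models 'ip dhcp snooping limit rate N' on one port, plus optional
    'errdisable recovery cause dhcp-rate-limit' with its timer (default 300 s)."""

    def __init__(self, name, limit_pps, recovery_interval=None):
        self.name = name
        self.limit_pps = limit_pps                  # DHCP packets allowed per second
        self.recovery_interval = recovery_interval  # None: only a manual shut / no shut recovers
        self.errdisabled_at = None                  # time the port was err-disabled, or None
        self._window_start = None                   # start of the current one-second window
        self._count = 0                             # DHCP packets seen in the window

    def dhcp_packet(self, now):
        """Account for one DHCP packet arriving at time `now` (seconds).
        Returns 'accept', 'errdisable' (this packet tripped the limit) or
        'dropped' (the port is still err-disabled)."""
        if self.errdisabled_at is not None:
            recovered = (self.recovery_interval is not None
                         and now - self.errdisabled_at >= self.recovery_interval)
            if not recovered:
                return "dropped"
            self._recover()  # automatic errdisable recovery fired
        if self._window_start is None or now - self._window_start >= 1.0:
            self._window_start = now
            self._count = 0
        self._count += 1
        if self._count > self.limit_pps:
            self.errdisabled_at = now
            return "errdisable"
        return "accept"

    def no_shut(self):
        """Manual recovery: 'shutdown' followed by 'no shutdown' on the interface."""
        self._recover()

    def _recover(self):
        self.errdisabled_at = None
        self._window_start = None
        self._count = 0

    @property
    def errdisabled(self):
        return self.errdisabled_at is not None


def run_rate_limit_scenario():
    """Constructed timeline with the notes' limit of 1 pps: two packets inside one
    second trip the limit, then the port stays down until the recovery timer (or no shut)."""
    auto = DhcpRateLimitedPort("g0/1", limit_pps=1, recovery_interval=300)
    manual = DhcpRateLimitedPort("g0/2", limit_pps=1)
    timeline = [0.0, 0.4, 30.0, 299.0, 301.0]
    auto_results = [auto.dhcp_packet(t) for t in timeline]
    manual_results = [manual.dhcp_packet(t) for t in timeline]
    manual_was_down = manual.errdisabled
    manual.no_shut()
    return auto_results, manual_results, manual_was_down, manual.errdisabled


if __name__ == "__main__":
    for label, result in zip(("auto", "manual", "manual down before", "manual down after"),
                             run_rate_limit_scenario()):
        print(label, result)
```

With automatic recovery the port comes back at t=301 (300 seconds after it was err-disabled at t=0.4) and accepts the next packet; without it the port stays down until someone does shut / no shut.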






[These are my notes from Jeremy's excellent CCNA course which can be viewed here.]