ip dhcp snooping limit rate [pps]
Limits the number of DHCP packets per second that DHCP snooping will process on an interface, to blunt DHCP starvation (flooding) attacks. If the interface receives DHCP packets faster than the configured limit, the switch puts it into the err-disabled state.
When to Use This Command
- Configure on access ports connected to untrusted hosts; Cisco recommends a limit of no more than 100 pps on untrusted ports.
- Apply on trunk ports toward downstream access switches to bound the DHCP traffic from that whole switch; size the limit for the aggregate of all hosts behind it, not for a single host.
- Set a lower limit on ports in high-security zones, where a single host should never legitimately burst DHCP traffic.
- Use on ports connecting to IP phones, which may issue DHCP requests for both the voice VLAN and the data VLAN (for the PC behind the phone); keep the limit high enough for both.
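The following is a complete worked configuration, added here as an example and not taken from the original page. It assumes VLAN 10 is the user VLAN, GigabitEthernet0/24 is the uplink toward the legitimate DHCP server, and GigabitEthernet0/1 through 0/20 are untrusted access ports; all of these names and values are assumptions.

```cisco
! Added example, not from the original page. Interface names and VLAN 10 are assumed.
! Enable DHCP snooping globally and on the user VLAN (both are required).
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Trusted uplink toward the DHCP server. Left unlimited on purpose: a trusted
! port aggregates the DHCP traffic of every host behind it, so a per-host
! limit of 100 pps here could err-disable the uplink under normal load.
interface GigabitEthernet0/24
 description Uplink to distribution / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
! Untrusted access ports: server messages are dropped here, and each port is
! limited to the recommended maximum of 100 DHCP packets per second.
interface range GigabitEthernet0/1 - 20
 description User access ports
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 100
!
! Automatically recover ports err-disabled by the DHCP snooping rate limit
! after 5 minutes. The errdisable cause for this feature is dhcp-rate-limit
! (psecure-violation covers port security, not DHCP snooping).
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Verify: the trusted uplink should show "yes" / "unlimited", the access ports
! "no" / "100".
do show ip dhcp snooping
do show errdisable recovery
```

Note that the trust decision and the rate limit are independent settings: trusting the uplink is what lets legitimate OFFER/ACK messages in, and the rate limit on the access ports is what stops a flood of DISCOVER messages from exhausting the server's pool.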
Command Examples
Basic rate limit configuration
Switch(config-if)# ip dhcp snooping limit rate 100
Switch(config-if)#
No output is shown on success. The interface now accepts at most 100 DHCP packets per second; exceeding that rate puts the port into the err-disabled state.
Verifying rate limit configuration
Switch# show ip dhcp snooping interface GigabitEthernet0/1
Interface                  Trusted    Rate limit (pps)
-----------------------    -------    ----------------
GigabitEthernet0/1         no         100
The output shows the interface, whether it is trusted (no, i.e. untrusted), and the configured rate limit in packets per second (100).
Understanding the Output
The 'show ip dhcp snooping interface' command displays per-interface DHCP snooping settings. The 'Trusted' column shows whether the interface is trusted (yes) or untrusted (no); DHCP server messages such as OFFER and ACK are dropped on untrusted ports. The 'Rate limit (pps)' column shows the configured maximum number of DHCP packets per second, and 'unlimited' means no limit is applied. Untrusted ports should carry a limit (Cisco recommends no more than 100 pps) to prevent DHCP starvation. If an interface receives DHCP packets faster than its limit, the switch puts it into the err-disabled state regardless of whether errdisable recovery is configured; recovery only controls whether the port comes back automatically (cause dhcp-rate-limit) or stays down until an administrator intervenes. When auditing a switch, treat 'unlimited' on an untrusted port as a finding.
CCNA Exam Tips
The rate limit applies on whichever interface it is configured on, trusted or untrusted, but it is intended for untrusted ports. A trusted uplink aggregates the DHCP traffic of every host behind it, so a 100 pps limit there can err-disable the uplink; leave trusted ports unlimited or size their limit for the aggregate.
Remember that exceeding the rate limit puts the interface into the errdisable state; recovery requires manual intervention (shutdown followed by no shutdown) or errdisable recovery for the dhcp-rate-limit cause.
The default rate limit is unlimited; you must explicitly configure it for protection.
Rate limiting is configured in packets per second (pps), not bits per second.
Common Mistakes
Applying the same low rate limit to trusted uplinks, which aggregate DHCP traffic for many hosts and can be err-disabled by normal load.
Setting the rate limit too low (e.g., 1 pps), so that legitimate DHCP traffic (DISCOVER, REQUEST, renewals, or a phone and PC requesting together) triggers errdisable.
Forgetting to configure errdisable recovery for the dhcp-rate-limit cause, so that every tripped port needs a manual shutdown / no shutdown to recover.
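The recovery procedure for a port that has already been err-disabled by the rate limit, added here as an example and not part of the original page. It assumes the affected port is GigabitEthernet0/5 (an assumption) and that the flood was legitimate, so the limit is raised rather than left at the value that tripped.

```cisco
! Added example, not from the original page. GigabitEthernet0/5 is assumed.
! 1. Find which ports are err-disabled and why.
show interfaces status err-disabled
!
! 2. Check whether automatic recovery is enabled for the DHCP rate-limit cause
!    and how long the timer is.
show errdisable recovery
!
! 3. If the traffic was legitimate (for example an IP phone plus PC), raise the
!    limit before bringing the port back, otherwise it will trip again.
configure terminal
interface GigabitEthernet0/5
 ip dhcp snooping limit rate 100
!
! 4. Manual recovery: bounce the port. Not needed if errdisable recovery for
!    dhcp-rate-limit is enabled and the interval has expired.
 shutdown
 no shutdown
end
!
! 5. Confirm the port is up and still limited.
show ip dhcp snooping
```

If the port trips again shortly after recovery with the limit at a sensible value, treat it as a possible DHCP starvation attempt from the attached host rather than a tuning problem.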
Related Commands
errdisable recovery cause psecure-violation
Enables automatic recovery of ports that have been error-disabled due to a port security violation (psecure-violation), allowing them to come back up after the configured interval without manual intervention. Ports disabled by the DHCP snooping rate limit are governed by the separate cause dhcp-rate-limit.
ip dhcp snooping
Enables DHCP snooping globally on the switch so that DHCP server messages from untrusted ports are dropped, preventing rogue DHCP server attacks. It must also be enabled per VLAN with ip dhcp snooping vlan, and uplinks toward the legitimate server must be marked with ip dhcp snooping trust.