
show ip dhcp snooping

Displays the DHCP snooping binding database and statistics, used to verify DHCP snooping operation and identify rogue DHCP servers or unauthorized clients.

Syntax (Privileged EXEC)
show ip dhcp snooping

When to Use This Command

  • Verify that DHCP snooping is enabled and active on VLANs after configuration.
  • Check the DHCP snooping binding table to see which clients have obtained IP addresses via trusted DHCP servers.
  • Troubleshoot DHCP-related connectivity issues by confirming that DHCP snooping is not blocking legitimate traffic.
  • Monitor for potential rogue DHCP servers by reviewing the DHCP snooping statistics for dropped packets.

Command Examples

Basic DHCP Snooping Status and Binding Table

show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20,30
DHCP snooping is operational on following VLANs:
10,20,30
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled

Interface                 Trusted    Rate limit (pps)
-----------------------   -------    ------------------
GigabitEthernet0/1        yes        unlimited
GigabitEthernet0/2        no         100
GigabitEthernet0/3        no         100

DHCP snooping binding count: 5
DHCP snooping database agent: not configured

MAC Address         IP Address        Lease(sec)  Type           VLAN  Interface
------------------  ----------------  ----------  -------------  ----  --------------------
00:1a:2b:3c:4d:5e   192.168.10.10     86400       dhcp-snooping   10    GigabitEthernet0/2
00:1a:2b:3c:4d:5f   192.168.10.11     86400       dhcp-snooping   10    GigabitEthernet0/2
00:1a:2b:3c:4d:60   192.168.20.20     43200       dhcp-snooping   20    GigabitEthernet0/3
00:1a:2b:3c:4d:61   192.168.20.21     43200       dhcp-snooping   20    GigabitEthernet0/3
00:1a:2b:3c:4d:62   192.168.30.30     86400       dhcp-snooping   30    GigabitEthernet0/3

  • Global status line: shows whether DHCP snooping is enabled or disabled on the switch.
  • Configured and operational VLAN lists: the VLANs on which snooping is configured, followed by those on which it is actually operational.
  • Option 82 line: shows whether insertion of DHCP option 82 is enabled.
  • Interface table: the 'Trusted' column indicates whether the interface is trusted (yes/no); 'Rate limit' shows the packets-per-second limit (unlimited or a number).
  • Binding count: the total number of DHCP snooping bindings.
  • Database agent: 'not configured', or the path of the configured database.
  • Binding table: MAC address, IP address, lease time in seconds, type (dhcp-snooping), VLAN, and the interface the client is connected to.

DHCP Snooping Statistics

show ip dhcp snooping statistics
Packets Processed by DHCP Snooping
====================================
Packet Type                   Count
-----------                   -----
Total DHCP packets received   1500
DHCP packets dropped          10
DHCP packets forwarded        1490

Packet Drop Statistics
=====================
Reason                          Count
------                          -----
Invalid server                 5
Invalid client                 3
Rate limit exceeded            2

DHCP Snooping Database Agent Statistics
========================================
Agent not configured

  • First section: total DHCP packets received, dropped, and forwarded. A high drop count may indicate a problem.
  • Second section: drop reasons. 'Invalid server' indicates packets from untrusted sources claiming to be DHCP servers; 'Invalid client' indicates clients with an invalid MAC/IP; 'Rate limit exceeded' shows packets dropped because of rate limiting.
  • Third section: database agent statistics (not configured here).

Understanding the Output

The 'show ip dhcp snooping' command output is divided into several sections.

The first section shows the global status (enabled/disabled) and the VLANs on which DHCP snooping is configured and operational. If a VLAN is configured but not operational, it may be because the VLAN does not exist or is not active.

The second section lists interfaces with their trusted status and rate limit. Trusted interfaces (typically uplinks to DHCP servers) should be set to 'yes'; all other interfaces should be 'no' to prevent rogue DHCP server attacks. The rate limit column shows the configured packets-per-second limit; 'unlimited' means no rate limiting.

The third section shows the binding table, which contains the MAC address, IP address, lease time, type (always 'dhcp-snooping' for dynamically learned entries), VLAN, and interface. A healthy network should have bindings for all legitimate DHCP clients. Missing bindings may indicate that DHCP snooping is blocking legitimate traffic or that the client did not complete the DHCP process.

The statistics output shows the number of dropped packets and the reasons, which is crucial for troubleshooting. A high number of 'Invalid server' drops suggests a rogue DHCP server is present on an untrusted interface.

CCNA Exam Tips

1. Remember that DHCP snooping must be enabled globally and per VLAN; 'show ip dhcp snooping' shows both configured and operational VLANs.

2. Know that trusted interfaces are typically uplinks to DHCP servers; all other interfaces should be untrusted.

3. The binding table is built from DHCP ACK messages; if a client does not get an IP, check whether the interface is untrusted and the server is on a trusted interface.

4. Be aware that DHCP snooping drops packets from DHCP servers on untrusted interfaces; this is a common exam scenario for security.

Common Mistakes

Forgetting to enable DHCP snooping globally with 'ip dhcp snooping' before configuring per VLAN.

Setting all interfaces as trusted, which defeats the purpose of DHCP snooping.

Not configuring a rate limit on untrusted interfaces, leaving the switch vulnerable to DHCP starvation attacks.
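The checks described under "Understanding the Output" and the mistakes listed above can be automated against the text of 'show ip dhcp snooping' and 'show ip dhcp snooping statistics'. The following Python script is an added example, not part of the original page or of any Cisco tool: it parses both outputs and reports VLANs that are configured but not operational, untrusted interfaces with no rate limit, a fully trusted interface table, a binding-count mismatch, and 'Invalid server' drops. The two sample outputs are constructed for the example, modelled on the page's output but with a non-operational VLAN 40 and an unlimited untrusted port GigabitEthernet0/4 added so that the audit has findings to report.

```python
import re
from typing import Any, Dict, List

# Constructed sample, modelled on the page's example output with two problems
# added on purpose: VLAN 40 is configured but not operational, and Gi0/4 is
# untrusted with no rate limit.
SNOOPING_OUTPUT = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20,30,40
DHCP snooping is operational on following VLANs:
10,20,30
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled

Interface                 Trusted    Rate limit (pps)
-----------------------   -------    ------------------
GigabitEthernet0/1        yes        unlimited
GigabitEthernet0/2        no         100
GigabitEthernet0/3        no         100
GigabitEthernet0/4        no         unlimited

DHCP snooping binding count: 3
DHCP snooping database agent: not configured

MAC Address         IP Address        Lease(sec)  Type           VLAN  Interface
------------------  ----------------  ----------  -------------  ----  --------------------
00:1a:2b:3c:4d:5e   192.168.10.10     86400       dhcp-snooping   10    GigabitEthernet0/2
00:1a:2b:3c:4d:60   192.168.20.20     43200       dhcp-snooping   20    GigabitEthernet0/3
00:1a:2b:3c:4d:62   192.168.30.30     86400       dhcp-snooping   30    GigabitEthernet0/3
"""

# Constructed sample of 'show ip dhcp snooping statistics', as on the page.
STATS_OUTPUT = """\
Packets Processed by DHCP Snooping
====================================
Packet Type                   Count
-----------                   -----
Total DHCP packets received   1500
DHCP packets dropped          10
DHCP packets forwarded        1490

Packet Drop Statistics
=====================
Reason                          Count
------                          -----
Invalid server                 5
Invalid client                 3
Rate limit exceeded            2
"""

# One interface row: name, yes/no, then "unlimited" or a pps number.
IFACE_RE = re.compile(r"^(\S+)\s+(yes|no)\s+(unlimited|\d+)\s*$", re.M)
# One binding row: MAC, IPv4, lease seconds, type, VLAN, interface.
BINDING_RE = re.compile(
    r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$",
    re.M | re.I)


def _vlan_list(text: str, label: str) -> List[int]:
    """VLAN ids on the line that follows '<label> on following VLANs:'."""
    m = re.search(rf"{label} on following VLANs:\n([\d,\s]*)", text)
    if not m or not m.group(1).strip():
        return []
    return [int(v) for v in m.group(1).strip().split(",")]


def parse_snooping(text: str) -> Dict[str, Any]:
    """Parse 'show ip dhcp snooping' into status, VLANs, interfaces and bindings."""
    status = re.search(r"Switch DHCP snooping is (enabled|disabled)", text)
    count = re.search(r"binding count:\s*(\d+)", text)
    return {
        "enabled": bool(status) and status.group(1) == "enabled",
        "configured_vlans": _vlan_list(text, "configured"),
        "operational_vlans": _vlan_list(text, "operational"),
        "interfaces": [
            {"name": n, "trusted": t == "yes",
             "rate_limit": None if r == "unlimited" else int(r)}
            for n, t, r in IFACE_RE.findall(text)],
        "binding_count": int(count.group(1)) if count else 0,
        "bindings": [
            {"mac": mac.lower(), "ip": ip, "lease": int(lease), "type": typ,
             "vlan": int(vlan), "interface": iface}
            for mac, ip, lease, typ, vlan, iface in BINDING_RE.findall(text)],
    }


def parse_drop_reasons(text: str) -> Dict[str, int]:
    """Return {reason: count} from the 'Packet Drop Statistics' section."""
    parts = text.split("Packet Drop Statistics", 1)
    if len(parts) < 2:
        return {}
    return {m.group(1).strip(): int(m.group(2))
            for m in re.finditer(r"^([A-Za-z][A-Za-z ]+?)\s{2,}(\d+)\s*$", parts[1], re.M)}


def audit(snoop: Dict[str, Any], drops: Dict[str, int]) -> List[str]:
    """Apply the checks from the page's guidance and return human-readable findings."""
    findings = []
    if not snoop["enabled"]:
        findings.append("DHCP snooping is globally disabled")
    for vlan in sorted(set(snoop["configured_vlans"]) - set(snoop["operational_vlans"])):
        findings.append(f"VLAN {vlan} is configured but not operational (VLAN missing or inactive?)")
    ifaces = snoop["interfaces"]
    if ifaces and all(i["trusted"] for i in ifaces):
        findings.append("all interfaces are trusted, which defeats the purpose of DHCP snooping")
    for i in ifaces:
        if not i["trusted"] and i["rate_limit"] is None:
            findings.append(f"{i['name']} is untrusted with no rate limit (DHCP starvation exposure)")
    if snoop["binding_count"] != len(snoop["bindings"]):
        findings.append("binding count does not match the number of binding table rows")
    if drops.get("Invalid server", 0) > 0:
        findings.append(f"{drops['Invalid server']} 'Invalid server' drops: possible rogue DHCP "
                        "server on an untrusted interface")
    return findings


if __name__ == "__main__":
    for line in audit(parse_snooping(SNOOPING_OUTPUT), parse_drop_reasons(STATS_OUTPUT)):
        print("FINDING:", line)
```

Run against live output captured from a switch (for example, text collected over SSH), the same functions produce an empty findings list for a switch whose trusted ports, rate limits and VLANs match the guidance on this page; the regexes are tied to the column layout shown in the examples, so verify them against the exact IOS release in use.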
