DHCP snooping rate limiting best practice

When applying DHCP snooping, it is possible to rate limit the number of DHCP messages received on an interface. This is configured as follows:

    SW1(config)#interface fa0/1
    SW1(config-if)#ip dhcp snooping limit rate 10

The above configuration limits the number of DHCP messages interface FastEthernet 0/1 can receive to ten per second. Any packets beyond that rate are dropped.

Typically, this is applied to untrusted ports, which are ports that connect to network segments where DHCP hosts reside. A typical DHCP host will not send an excessive number of DHCP messages, and any host that does so can be considered suspicious.

When configuring DHCP snooping rate limiting, keep the following in mind:

  • It is recommended that untrusted interfaces use a rate limit of not more than 100 packets per second.
  • If you configure rate limiting on trusted interfaces, you might need to increase the rate limit on trunk ports carrying more than one VLAN on which DHCP snooping is enabled.
  • DHCP snooping puts ports where the rate limit is exceeded into the error-disabled state.
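The following script is an added example, not from the original page or the linked sites: it checks a saved running-config against the three points above (untrusted ports limited to at most 100 pps, rate-limited trusted trunks flagged for review, and errdisable recovery enabled so a port that trips the limit does not stay down). The config excerpt is constructed; `errdisable recovery cause dhcp-rate-limit` is the IOS command that re-enables such ports automatically.

```python
import re
# Constructed running-config excerpt for the example (not taken from a real device).
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
errdisable recovery cause dhcp-rate-limit
interface FastEthernet0/1
 ip dhcp snooping limit rate 10
!
interface FastEthernet0/2
 ip dhcp snooping limit rate 500
!
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
 ip dhcp snooping limit rate 20
"""

UNTRUSTED_MAX_PPS = 100  # recommended ceiling for untrusted ports


def parse_interfaces(config):
    """Map interface name -> {'trust': bool, 'trunk': bool, 'rate': int | None}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces[line.split()[1]] = {"trust": False, "trunk": False, "rate": None}
        elif current is None or not line.startswith(" "):
            current = None  # '!' or a global command ends the interface stanza
        elif line.strip() == "ip dhcp snooping trust":
            current["trust"] = True
        elif line.strip() == "switchport mode trunk":
            current["trunk"] = True
        elif m := re.match(r"\s+ip dhcp snooping limit rate (\d+)", line):
            current["rate"] = int(m.group(1))
    return interfaces


def audit(config):
    """Return (interface, finding) tuples for the three points listed above."""
    findings = []
    for name, i in parse_interfaces(config).items():
        if i["trust"] and i["trunk"] and i["rate"] is not None:
            findings.append((name, f"trusted trunk limited to {i['rate']} pps; size it for every snooped VLAN"))
        elif not i["trust"] and i["rate"] is None:
            findings.append((name, "untrusted port has no DHCP rate limit"))
        elif not i["trust"] and i["rate"] > UNTRUSTED_MAX_PPS:
            findings.append((name, f"untrusted limit {i['rate']} pps exceeds {UNTRUSTED_MAX_PPS} pps"))
    if "errdisable recovery cause dhcp-rate-limit" not in config:
        findings.append(("global", "no errdisable recovery; a port that exceeds its limit stays down until cleared"))
    return findings
```

Run it against the output of `show running-config` saved to a file; only ports with a finding are reported.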

Links:

https://networklessons.com/switching/dhcp-snooping/

https://forum.networklessons.com/t/dhcp-snooping/1156/68?u=lagapides

https://www.cisco.com/en/US/docs/general/Test/dwerblo/broken_guide/snoodhcp.html#wp1097369