Pretty severe penalty for excessive DHCP-ing
Cisco IOS lets you rate-limit DHCP traffic on any switchport through DHCP snooping. Presumably the point is that someone flooding a network with spurious DISCOVER packets could give a DHCP server headaches.
I figured the extra packets would just be dropped, but was in for somewhat of a shock when the port was placed into a permanent err-disabled state. That means a sysadmin has to reset the port manually, unless other provisions are made.
So what's a reasonable number of packets per minute? Maybe 3? I set it to 2 to see what the result would be. Pretty drastic!
interface range fa0/2 - 5
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security maximum 1
 switchport port-security violation restrict
 ip dhcp snooping limit rate 5
 no ip address
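The snippet above only works once DHCP snooping is enabled globally and on the VLAN, and it only stops hurting once the err-disabled state is made temporary. Here is that surrounding configuration as an added example, not the author's own config: the VLAN number (10), the uplink interface facing the real DHCP server (gi0/1) and the 300-second recovery interval are assumptions. One caveat worth knowing: `ip dhcp snooping limit rate` counts packets per second, not per minute, so a limit of 2 is very tight for a host that boots and fires off DISCOVER and REQUEST (plus retransmits) in quick succession.

```cisco
! --- Global: turn snooping on and bind it to the access VLAN (VLAN 10 assumed) ---
ip dhcp snooping
ip dhcp snooping vlan 10
!
! --- Make err-disable temporary instead of permanent for this cause only.
!     The port comes back after 300 s (assumed interval); if the flood is still
!     running it is simply disabled again, so nobody has to log in at 3 a.m. ---
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! --- Uplink toward the real DHCP server: trusted, so OFFER/ACK are allowed in
!     and no per-port rate limit is applied here (gi0/1 assumed) ---
interface gi0/1
 description Uplink to DHCP server / core
 switchport mode trunk
 ip dhcp snooping trust
!
! --- Client ports: untrusted (the default), so server-side DHCP messages from a
!     host are dropped, and a rate limit in packets per second is enforced ---
interface range fa0/2 - 5
 switchport mode access
 switchport access vlan 10
 switchport port-security mac-address sticky
 switchport port-security maximum 1
 switchport port-security violation restrict
 ip dhcp snooping limit rate 5
!
! --- Verification ---
! show ip dhcp snooping                 : trusted ports, per-port rate limits
! show errdisable recovery              : which causes auto-recover, timer state
! show interfaces status err-disabled   : ports currently shut by a violation
! show ip dhcp snooping binding         : MAC/IP/lease/VLAN table snooping built
```

Keep the recovery interval long enough that a genuinely misbehaving host cannot just re-flood every few seconds, and log the err-disable events (they appear as %PM-4-ERR_DISABLE messages in the syslog) so the SOC sees repeated trips on the same port rather than discovering them from a helpdesk ticket.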