DHCP Snooping

Unanswered Question
May 22nd, 2007

guys pleas advise...

i have four 3750 stackable switches connected with two routed up-links interface running eigrp in conjunction with two 6513 core switches.

Now my trusted DHCP servers connected to the Core, and i want to configure ip dhcp snooping at the 3750 switches, is it possible to make the routes interface (no switchport ) as trusted interface ?

because from my understanding that dhcp snooping based on layer2 (MAC address level) but in my case i dont have VTP domain or spanning-tree !!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
royalblues Tue, 05/22/2007 - 12:10

If your trusted DHCP servers are connected to the 65XX and the vlans are at the 3750, you must have configured DHCP relay on the SVI's.

You should trust the port connecting to DHCP server on the 6513

On the 3750 switch enable DHCP snooping and do not configure any trusted ports.

HTH, rate if it does


hassan_oudeh Tue, 05/22/2007 - 12:24

thanks for your reply,

this is my 3750 config (vlan 40,41,48 and 49 are all layer 3 interface config at the switch)

ip dhcp snooping vlan 40-41,48-49

ip dhcp snooping

interface GigabitEthernet1/0/1

description GigabitEthernet Link to HO1-CORE-6513-A

no switchport

ip address


this is the Core config:

interface GigabitEthernet13/1

no switchport

ip address

assume the DHCP server connected to gig 12/1


currently the above config is running and PCs is geeting IP address from DHCP server, but dhcp snooping is enabled on 3750 and as i know all interfaces become as untrusted ? how it is working ??!!

can you please show me what commands i have to configure to config relay ??


hassan_oudeh Mon, 05/28/2007 - 14:55

hi narayan,

i did what you told me and it seems everything is fine.

one more question regarding for dynamic arp inspection, what is the needed configuration in my case;

remember between 6513 and 3750 eigrp running on a routing L3 interface.

vdadlaney Mon, 07/23/2007 - 19:47

Hi Hassan,

Were you able to configure this. I am in a similar situation and I have this working however I am not convinved that it is working correctly hence just want to confirm.

Basically my setup is:

Lan Access switches with various vlan's all have dhcp snooping configured. All uplinks are L3 hence I don't have any way to configure the uplinks as trusted since that option isn't available.

The DHCP server isn't local to the switch hence I haven't configured any trusted interfaces.

Without DHCP snooping enabled a rouge DHCP server was setup locally and it was confirmed that the clients were getting an ip from the rogue DHCP server.

However once DHCP snooping was enabled the clients were getting DHCP from the correct server. A helper address is configured on the L3 SVI interfaces local to the access switch?

My understanding of how this is working is that if any ports local to the switch are connected to a machine that also tries to be a DHCP server the clients won't respond to it because its untrusted by default hence that takes care of any rogue dhcp server locally. However I cannot understand how its deciding that the DHCP server upstream (The correct one) is the one it should get its ip address from. I mean say if someone decides to setup a DHCP server in the core or even on the same subnet as the DHCP server that is the real one than how would the clients decide that they should reject that response. Is there something with DHCP snooping that it will only accept a response from the ip configured in the ip helper address?

There is another feature I am looking into which is Dynamip Arp Inspection. Again I have that working but am not quite sure if its working correctly. The way this was tested was that the arp entry in the L3 switch was cleared for a client hostname Client 1 and another client, let's call it Client 2, on the same switch was configured statically with the same ip as Client 1. Once the arp entry was cleared from the L3 Access switch without Dynamip Arp Inspection Client 2 was immediately able to communicate with the rest of the network with the ip of Client 1 however with Arp Inspection enabled even if the arp entry was cleared Client 2 was unable to communicate with the Network. Does that make sense? Are there any downsides to this like will it cause any problems if the Arp entry aged out after 4 hours which is the default. Thanks

hassan_oudeh Mon, 07/23/2007 - 23:40

hi vdadlaney

seems like you have the same situation that i have.

see after a lot of testing for the dhcp snooping i have figured out that all L3 interfaces become trusted/relay by default when you enable dhcp snooping. so in your case you have to enable the snooping on the access swiches without giving any trusted interfaces (all default un-trsuted) and for the core side enable dhcp snooping and give the dhcp server a trusted port.

now regarding for the arp inspection feature, once you enabled the arp inspection on your switch it will keep checking the binding database from your dhcp snooping database because it works in conjunction with it, so even if client1 is out of the arp table it's still there in the dhcp snooping binding database and this is apllied for all your PCs that getting IPs dynamically from the dhcp server, and for those with statically IP address you need to configure ARP ACL.

Hope this was helpful.



vdadlaney Tue, 07/24/2007 - 05:38

Hi Hasan,

Thank you for replying. That does seem to make sense however in this environment there is just one thing. The DHCP server is not local to this campus and I don't have DHCP snooping enabled throughout so the switch that the DHCP server connects to doesn't have DHCP snooping enabled. Would that be a problem? I am trying to understand how the switch figures out that it will trust the DHCP server that is configured with the helper command as opposed to a reply from any other server located in the campus. I guess if there is no other helper address than it won't make a difference but still I was wondering if there was something more to it.

With regards to arp inspection are there any caveats that you might have noticed. For eg: Just in case the DHCP entry ages out from the Database and at the same time if the arp entry ages out how would that affect the client. Would another client be able to spoof that ip in the case that this particular scenario occurs. Also how does this relate with the arp aging timeout. Thx for your help



t.fiala Tue, 09/25/2007 - 04:53

Hi Vikram,

I've met another caveat you mentioned. The switch with DHCP snooping enabled configured as DHCP helper does not forward DHCP Requests if its source address is not equal (not an arror but feature). It means that a node cannot ask for IP Address prolongation. Strictly speking it can, but without any respose. It can become a new address only after its old address fully aged out. Consequently its current sessions are dropped. Do you have a similar experience?




This Discussion