dhcp snooping question (for 2900 series switches)

Unanswered Question
Nov 17th, 2007

Is it possible to implement dhcp snooping on the following switch series?

glen.grant Sat, 11/17/2007 - 04:11

Yes, those are all newer type switches and should support dhcp snooping.

aung.naingoo Sat, 11/17/2007 - 05:48

No, it wasn't when I tested on 2940 and 2960. That's why I'm concerned whether it is supported on all models or not.

Below are the IOS images that I used on 2940 and 2960:



glen.grant Sat, 11/17/2007 - 06:38

Not sure what you mean it's not supported. It is right in the config guides for both models. You can go to the main cisco.com page and search on something like "2940 dhcp snooping" and this will bring up the config guides, and the how-to-config is right in there. You can check all your models this way. This is out of a 2940 12.1.22ea7 config guide. If there is a conflict between their documentation and what the switch actually supports, I don't know.


aung.naingoo Sat, 11/17/2007 - 07:17

It looks like dhcp snooping is supported on all of those models. Maybe my understanding of the concept is wrong.

I just want to disable rogue dhcp servers in the campus in case somebody (un)intentionally plugs in a device/workstation with dhcp running on it. All of my infrastructure servers are located in the server farm connected to the core, and I want to implement dhcp snooping on all the access switches.

I tested the configuration in the lab by configuring "ip dhcp snooping" (global command) and allowing "ip dhcp snooping trust" on the trunk port only. After that, I put the rogue dhcp server on the untrusted port. A test workstation trying to get a dhcp ip is still receiving it from the rogue dhcp server. The switch port where the rogue dhcp server is connected isn't configured for "ip dhcp snooping trust", and also it didn't go into "err-disable", nor did I see anything in the "ip dhcp snooping bindings".

Below is the sample config on the access switch in the lab:

ip dhcp snooping

interface GigabitEthernet0/1
 description UPLINK to Distribution
 switchport mode trunk
 ip dhcp snooping trust

interface FastEthernet0/3
 description User Workstation
 switchport mode access

interface FastEthernet0/5
 description Rogue DHCP Server !
 switchport mode access


When the user workstation requests an IP, the rogue DHCP server successfully assigns the IP address without its interface going into the "err-disable" state. Am I understanding the concept wrongly, or am I missing something?

glen.grant Sat, 11/17/2007 - 07:59

I haven't done a lot of work with this myself, but from what I have read your interpretation sounds correct. Did you add this step?

Step 3

ip dhcp snooping vlan vlan-range

Enable DHCP snooping on a VLAN or range of VLANs. The range is 1 to 4094.

You can enter a single VLAN ID identified by VLAN ID number, a series of VLAN IDs separated by commas, a range of VLAN IDs separated by hyphens, or a range of VLAN IDs separated by entering the starting and ending VLAN IDs separated by a space.

andrew.butterworth Mon, 11/19/2007 - 04:46

What Glen described is correct. There are three steps to enabling DHCP Snooping:

1. Enable DHCP Snooping for the VLANs you require it on in global configuration:

ip dhcp snooping vlan [vlan-range]

2. Trust layer-2 uplinks to where your DHCP Servers are located (note physical Layer-3 interfaces inherently trust, so there is no additional configuration needed on these):

interface GigabitEthernet0/1
 description Uplink to Distribution Layer
 switchport mode trunk
 ip dhcp snooping trust

3. Enable DHCP Snooping in global configuration.

ip dhcp snooping

Additionally if you are using a Windows DHCP Server you must disable option 82 insertion as it will not understand option 82:

no ip dhcp snooping information option

You should also rate-limit the DHCP requests on client interfaces to minimise any DoS attacks on your DHCP server:

interface FastEthernet0/1
 ip dhcp snooping limit rate 100
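Added example, not from this thread or from Cisco: a small Python audit that parses an IOS-style running config and reports why snooping would not stop a rogue server, checked against a constructed copy of the lab config posted above (global snooping on, no VLAN enabled, no rate limit on client ports).

```python
# Constructed sample: the lab config from this thread, which enables snooping
# globally but never enables it on a VLAN, so no port is actually protected.
SAMPLE_CONFIG = """\
ip dhcp snooping
!
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/5
 switchport mode access
"""

def parse_config(text):
    """Split IOS-style config text into global commands and per-interface commands."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue                     # skip blanks and IOS separator lines
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None               # back at global configuration level
            global_cmds.append(line.strip())
    return global_cmds, interfaces

def audit_dhcp_snooping(text):
    """Return findings explaining why DHCP snooping would not stop a rogue server."""
    global_cmds, interfaces = parse_config(text)
    findings = []
    if "ip dhcp snooping" not in global_cmds:
        findings.append("global 'ip dhcp snooping' missing: feature is off")
    if not any(c.startswith("ip dhcp snooping vlan") for c in global_cmds):
        findings.append("no 'ip dhcp snooping vlan': not active on any VLAN")
    for name, cmds in interfaces.items():
        access = "switchport mode access" in cmds
        if access and "ip dhcp snooping trust" in cmds:
            findings.append(f"{name}: access port is trusted, rogue offers pass")
        if access and not any(c.startswith("ip dhcp snooping limit rate") for c in cmds):
            findings.append(f"{name}: no DHCP rate limit on client port")
    return findings
```

Run `audit_dhcp_snooping(SAMPLE_CONFIG)` to see the missing VLAN line reported; adding `ip dhcp snooping vlan <range>` and a rate limit on the access ports clears the findings.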
