DHCP snooping

Nov 27th, 2007
I'm planning to enable DHCP snooping. Recently, I did some reading on the subject. There is one thing I'm not sure about.

My network consists of several remote sites, all linked through an MPLS network.

I have a primary and a secondary DHCP server, which are located in the IT center. The first thing I need to trust is both ports that have the DHCP servers connected.

My question is: do I need to trust all my uplink ports (trunk ports) that are located in my remote sites to let the DHCPOFFER come through?


stephen.stack Fri, 11/30/2007 - 08:47

Hi Tony,

When configuring DHCP snooping on switches on your network, you must configure all trunk ports as DHCP trusted ports. This will allow the DHCPOFFER and ACK packets to pass.

HTH, Please rate posts if it does.



nasheer.ahmad Sun, 12/02/2007 - 20:02
DHCP snooping really requires you to configure this feature.

In my view, DHCP snooping will be used so as not to trust other DHCP servers in the network.

But if the companies have a Windows 2003 environment, the DHCP server will not work until they give permissions.

Suggest me please.

s.arunkumar Sun, 12/02/2007 - 20:14
An attacker could act from the DHCP server subnet and could reply to DHCP server requests. The reply may also contain itself as the gateway; hence all traffic would be forwarded to him.

The legitimate DHCP servers are put on trusted ports and all hosts on untrusted ports. A trusted port is the interface where only the replies are expected, so any reply coming from untrusted ports is discarded. Replies from ports are matched with the DHCP binding table, which has all the info about the IP, MAC, etc., and hence keeps track.
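The two answers above put into a switch configuration, as an added example that is not part of this thread: the IT-center switch trusts the two server-facing ports and its trunk, and a remote-site switch trusts only its trunk uplink toward the MPLS network, so OFFER/ACK from the central servers are forwarded while a reply from any access port is dropped. Interface names, VLAN numbers and the rate limit are assumptions.

```cisco
! --- IT-center switch (DHCP servers attached here) ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Option 82 insertion is on by default; leave it off unless the
! servers and any relay are set up to accept it.
no ip dhcp snooping information option
!
interface GigabitEthernet0/1
 description Primary DHCP server (assumed port)
 switchport access vlan 10
 ip dhcp snooping trust
!
interface GigabitEthernet0/2
 description Secondary DHCP server (assumed port)
 switchport access vlan 10
 ip dhcp snooping trust
!
interface GigabitEthernet0/24
 description Trunk toward MPLS / remote sites
 switchport mode trunk
 ip dhcp snooping trust
!
! --- Remote-site switch ---
ip dhcp snooping
ip dhcp snooping vlan 20
no ip dhcp snooping information option
!
interface GigabitEthernet0/24
 description Uplink trunk toward MPLS (path to the DHCP servers)
 switchport mode trunk
 ip dhcp snooping trust
!
interface range GigabitEthernet0/1 - 23
 description User access ports, untrusted by default
 switchport access vlan 20
 ! cap client DHCP packets so a flooding host cannot exhaust the switch
 ip dhcp snooping limit rate 15
!
! Verify trusted ports and the binding table built from ACKs:
!   show ip dhcp snooping
!   show ip dhcp snooping binding
```

If the remote-site trunk is left untrusted, the switch drops the OFFER and ACK arriving on it and clients at that site never complete a lease, which is the behaviour behind the original question.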

tonyp8581 Mon, 12/03/2007 - 08:05
Thanks for all your help, I got this working properly.

