DHCP Snooping not working

Feb 19th, 2008


I have a PC and DHCP server each plugged into a 3550 switch. They are on vlan 13, server on fa0/14, PC on fa0/1.

I enable DHCP snooping on vlan 13 in global config mode. When I plug in the PC to get an address, it gets the address. I thought the switch was supposed to block DHCP packets on untrusted ports? Am I mistaken?

Next I enabled the server port as "trusted". I use a different NIC on the PC to plug in... I got an IP address but it did not show up in the binding database...

Am I missing something on how this is supposed to work?



jafrazie Tue, 02/19/2008 - 20:57

DHCP-Snooping disallows DHCP "Server" traffic. It allows DHCP "Client" traffic (like DHCP-Request, DHCP-Discover, DHCP-Release, etc.).

A trusted port disables snooping on a port which is a member of a VLAN enabled for Snooping.

Hope this helps,

dodgerfan78 Wed, 02/20/2008 - 07:11

Right, but DHCP snooping is on and the server port is "untrusted". Shouldn't this block the DHCPOFFER?

And if the port is trusted, shouldn't it show up in the binding database?

jafrazie Wed, 02/20/2008 - 07:29

DHCP-Client messages (Discover, Request, etc.) could originate from any port. DHCP-client messages are only sent to trusted ports.

Typically on an access switch in a LAN, only the 2 uplinks on the switch will be trusted ports.

I don't think a client plugged into a trusted port will have an entry in the binding table.

I'm wondering how/if your offer is getting through. Is your server echoing option-82? What code rev and what switch are we talking here?

dodgerfan78 Wed, 02/20/2008 - 10:40

Thanks for the replies,

The switch is running 12.2(25) I believe. I'll get the exact version when I get home this afternoon. The client port is always untrusted in my lab, I just toggle the server port between trusted and untrusted.

I'm not sure about option 82 - I'll do a capture and post the results. Not sure where that comes into play so I will have to do some more research.


dodgerfan78 Wed, 02/20/2008 - 16:29

I did some more research and it looks like I made a mistake when enabling DHCP snooping. I have to enable two commands:

ip dhcp snooping

ip dhcp snooping vlan #

I may have just used the vlan # command yesterday.

I started over today (I didn't save my config so I don't know exactly how I screwed up yesterday) and now it works great.

Thanks again,
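
The misconfiguration resolved above (the per-VLAN command without the global one) can be caught by a config audit. The following is an added example, not part of the original thread and not Cisco code: a small Python check over constructed running-config fragments. It assumes IOS-style syntax as quoted in the thread and considers access ports only; the function names are hypothetical.

```python
import re

# Constructed running-config fragments (not taken from the thread's switch).
BROKEN = """\
ip dhcp snooping vlan 13
!
interface FastEthernet0/1
 switchport access vlan 13
!
interface FastEthernet0/14
 switchport access vlan 13
"""
FIXED = "ip dhcp snooping\n" + BROKEN + " ip dhcp snooping trust\n"

def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10-12,13' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_dhcp_snooping(config, vlan):
    """Return findings for one VLAN (access ports only); [] means complete."""
    global_on, snooped, ports, iface = False, set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            iface = None  # an unindented line ends the interface block
        if line == "ip dhcp snooping" and iface is None:
            global_on = True
        elif m := re.fullmatch(r"ip dhcp snooping vlan ([\d,-]+)", line):
            snooped |= parse_vlan_list(m.group(1))
        elif m := re.fullmatch(r"interface (\S+)", line):
            iface = m.group(1)
            ports[iface] = {"vlan": None, "trust": False}
        elif iface and (m := re.fullmatch(r"switchport access vlan (\d+)", line)):
            ports[iface]["vlan"] = int(m.group(1))
        elif iface and line == "ip dhcp snooping trust":
            ports[iface]["trust"] = True
    findings = []
    if not global_on:
        findings.append("missing global 'ip dhcp snooping'; the VLAN command alone is inactive")
    if vlan not in snooped:
        findings.append(f"VLAN {vlan} is not in 'ip dhcp snooping vlan'")
    trusted = [n for n, p in ports.items() if p["vlan"] == vlan and p["trust"]]
    if global_on and vlan in snooped and not trusted:
        findings.append(f"no trusted port in VLAN {vlan}; server replies are dropped")
    return findings
```

Calling `audit_dhcp_snooping(BROKEN, 13)` reports the missing global command, while `audit_dhcp_snooping(FIXED, 13)` returns an empty list.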


