We are facing a problem with DHCP snooping at one of the sites. The problem is that even if we exclude one VLAN from DHCP snooping, the hosts in that particular VLAN are getting IP addresses from the DHCP server. Following are the configurations we have done for the same:
We have enabled ip dhcp snooping for user VLANs.
Enabled ip dhcp snooping trust on all uplink ports and the port to which the DHCP server is connected.
And the result is that even if VLAN 10 is not a part of DHCP snooping, if we connect our laptop to an access port of VLAN 10 we are getting an IP address from the DHCP server, i.e. DHCP snooping is not working in this scenario.
DHCP snooping is a security measure that provides protection from some DHCP attacks (rogue DHCP servers for man in the middle, DHCP DoS to fill the scope and so on).
If you configure DHCP snooping to skip a VLAN, that doesn't imply that users in that VLAN cannot get an IP address from the DHCP server.
In fact, if in interface vlan 10 on your router you have an ip helper-address pointing to the DHCP server's IP address, the PCs will get their IP address if the scope is defined.
In addition, in VLAN 10 you can face a DHCP attack.
If you don't want to provide DHCP support in VLAN 10, remove the ip helper-address command in interface vlan 10.
See the following link about DHCP snooping
Hope to help
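The situation described in this thread can be checked from a saved configuration. The script below is an added example, not part of the original posts: it lists the VLANs whose SVI relays DHCP with `ip helper-address` but which are not covered by DHCP snooping. The sample configuration, the interface names and the address 192.0.2.10 are constructed, and the parser assumes Cisco IOS style syntax.

```python
import re

# Constructed sample running-config (not taken from the thread).
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 20-22,30
!
interface GigabitEthernet1/0/48
 ip dhcp snooping trust
!
interface Vlan10
 ip helper-address 192.0.2.10
!
interface Vlan20
 ip helper-address 192.0.2.10
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '20-22,30' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """Return (snooped, relayed, unprotected) VLAN sets for one config."""
    globally_on = False
    snooped, relayed, current = set(), set(), None
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None  # a non-indented line ends any interface block
        text = line.strip()
        if text == "ip dhcp snooping":
            globally_on = True
        elif m := re.fullmatch(r"ip dhcp snooping vlan ([\d,\-]+)", text):
            snooped |= expand_vlans(m.group(1))
        elif m := re.fullmatch(r"interface Vlan(\d+)", text, re.I):
            current = int(m.group(1))
        elif current is not None and text.startswith("ip helper-address "):
            relayed.add(current)
    if not globally_on:
        snooped = set()  # per-VLAN lines do nothing without the global command
    # VLANs that hand out leases via relay but have no snooping protection
    return snooped, relayed, relayed - snooped

if __name__ == "__main__":
    print("relayed but not snooped:", sorted(audit(SAMPLE_CONFIG)[2]))
```

A VLAN whose DHCP server sits in the same broadcast domain needs no helper address, so it will not show up in the relayed set and has to be reviewed separately.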