DHCP snooping design

May 6th, 2010


I would like to implement the DHCP snooping function between a Cat4510 (call it switch A), which has one DHCP server connected to it (vlan_dhcp_server), and an access switch (switch E, with the DHCP client on vlan_dhcp_client) that is connected to switch A through several other switches (switches B, C and D).

The DHCP client and the DHCP server are not on the same VLAN (there is a router in between).

On switch A:

the interface to the DHCP server is in trusted mode
the interface to the router is in trusted mode
DHCP snooping is activated on VLAN vlan_dhcp_client even though no client is directly connected

On switch E:
no DHCP snooping definition

On switches B, C and D:
no DHCP definition

On the router (a Cat4500 switch also acting as the router):
the interface to switch A is in trusted mode, but DHCP snooping isn't running/activated

1) Do I also have to implement DHCP snooping on all the switches between switch A and switch E (B, C and D)?
   (with the interface toward switch A trusted and snooping activated on vlan_dhcp_client)
2) On the router:
Do I also have to enable DHCP snooping globally on the router, even though no client from any VLAN is directly connected to it (it is a Cat4500 box)?
    ip dhcp snooping
Still on the switch/router box, do I have to implement DHCP snooping on vlan_dhcp_client even though no client is directly connected to this box?
     ip dhcp snooping vlan <vlan_dhcp_client>


Hitesh Vinzoda Fri, 05/14/2010 - 06:18

The DHCP snooping feature can't be considered a domain-wide implementation like VTP. As you might be aware, the DHCP snooping binding database is stored locally on the switch, so I'm sure that you need not enable DHCP snooping all the way along the path.

What you can do is enable DHCP snooping for the VLAN on the switch where the client is connected, make that port untrusted and the uplink from the upstream switch trusted, and then check the DHCP snooping binding database on that local switch. That makes sense to me.

What I believe is that such features cannot be deployed across a campus in one go, given the size, so it is practical to say that you can deploy it on one switch while the server resides on another network, separated by several devices, switches or routers.


Hitesh Vinzoda

Note : Please rate helpful posts
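The layout Hitesh describes (snooping only on the switch where the client sits, client port untrusted, uplink trusted, binding table checked locally), written out as an added IOS configuration example. This is not configuration from either poster; the VLAN number 20, the interface names, the rate limit and the switch model assumptions are mine.

```cisco
! Added example, not the configuration from the original posts.
! Assumptions: vlan_dhcp_client is VLAN 20, GigabitEthernet1/0/1 faces the
! DHCP client, and GigabitEthernet1/0/48 is the uplink toward switch D (and
! on through C and B to switch A, the router and the DHCP server).
! Snooping is enabled only on the switch whose binding table you want;
! switches B, C and D simply forward the DHCP frames and need no snooping
! configuration for switch E's table to be built.

! ----- switch E: the only place snooping runs for VLAN 20 -----
ip dhcp snooping
ip dhcp snooping vlan 20
!
interface GigabitEthernet1/0/1
 description DHCP client port (untrusted is the default, so no trust line)
 switchport mode access
 switchport access vlan 20
 ! per-port cap on client DHCP packets per second; the port err-disables
 ! if exceeded, so keep it small only on access ports, never on uplinks
 ip dhcp snooping limit rate 10
!
interface GigabitEthernet1/0/48
 description uplink toward switch D / DHCP server side
 switchport mode trunk
 ip dhcp snooping trust
!
! ----- verification on switch E -----
! Lists the snooped VLANs and, per interface, Trusted yes/no and rate limit:
!   show ip dhcp snooping
! Shows the lease (MAC, IP, lease time, VLAN, port) once the client's
! DISCOVER/OFFER/REQUEST/ACK exchange completes through the uplink:
!   show ip dhcp snooping binding
! If the binding never appears, the usual cause is an untrusted uplink:
! server-originated messages (OFFER, ACK, NAK) are dropped on untrusted ports.
```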

jabouaf Wed, 05/19/2010 - 06:49


Thank you for the answer. Yes, I think the same. Then I went on testing: DHCP snooping is running OK on switch A, with no DHCP function on switches B, C, D and E. The last problem I met on switch A is in fact related to option 82.
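The option 82 problem jabouaf mentions is a common one when the snooping switch sits between the client and a relay: by default a snooping switch inserts option 82 into the client's DHCP packets while leaving giaddr at 0.0.0.0, and an IOS relay agent drops DHCP packets that carry option 82 with a zero giaddr unless told to trust them. The page does not say which fix the poster used, so the following is an added example of the two standard IOS handling options (not from the thread); the VLAN number, addresses and interface names are assumptions.

```cisco
! Added example, not from the original thread. Assumptions: vlan_dhcp_client
! is VLAN 20 with SVI Vlan20 on the Cat4500 router/relay, the DHCP server is
! 10.10.0.5, and switch A is the snooping switch in the client's path.

! ----- Option 1: keep option 82 and make the relay accept it -----
! on the Cat4500 acting as the router / DHCP relay
interface Vlan20
 description vlan_dhcp_client SVI, relays client DHCP to the server
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.10.0.5
 ! accept option 82 on packets arriving with giaddr 0.0.0.0 from this VLAN
 ip dhcp relay information trusted
!
! or, for every relay interface on the box at once:
! ip dhcp relay information trust-all

! ----- Option 2: stop switch A inserting option 82 at all -----
! on switch A (the snooping switch); the client packets then reach the
! relay without option 82 and no relay-side change is needed
no ip dhcp snooping information option

! Related default worth knowing on switch A: client packets that already carry
! option 82 (inserted by a downstream device) are dropped when received on an
! untrusted port. Only enable this if a downstream switch legitimately adds it:
! ip dhcp snooping information option allow-untrusted

! Checks:
!   show ip dhcp snooping            (on switch A: shows whether option 82
!                                     insertion is enabled and port trust)
!   debug ip dhcp server packet       (on the relay: shows how each relayed
!                                     packet is handled, including drops)
```

Option 1 keeps the circuit-id/remote-id information in the packet, which matters only if the DHCP server actually uses it; if nothing consumes option 82, option 2 is the simpler change and leaves the relay configuration untouched.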


