DHCP Snooping Questions

Patrick McHenry · ‎10-29-2014

Hey,

I want to configure DHCP snooping on some new 3850s we just deployed.

1: If I enable DHCP snooping, and enable it on the VLANs on the switch, this will make all interfaces untrusted, correct?

2: If I want clients to still get DHCP replies I must configure the uplinks(where the DHCP replies will come from) as trusted before I configure DHCP snooping? Or, are trunks trusted ports by default? I ask this because I have a 3750X in production that has DHCP snooping configured and a trunk on the switch is not configured as trusted, but it still gives DHCP addresses to laptops that hang off of the trunk(the trunk connects to a 3560 in a conference room) ..................just realized that the 3560 does not have DHCP snooping enabled so it will except DHCP replies from the 3750X trunk - make sense?

3: The switch that currently has DHCP snooping enabled is configured as a L3 switch(the uplinks to the core are L3 interfaces).These L3 interfaces are not configured as trusted, but DHCP is still working for clients attached to the switch. Is this because the DHCP snooping-Trusted-Not-Trusted function is only related to L2 interfaces ? Which makes sense since it is applied to VLANs.

Thanks for your help - Pat

Reza Sharifi · ‎10-29-2014

Hi Pat,

According to the config guide, by default the DHCP snooping trust is disabled. So, you would need to enable it on the interfaces you want to trust.

Also, I think switch to switch ports (trunks) by default are trusted and so you don't need to add the trust command. DHCP snooping usually applies to edge ports you don't want to trust.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/54sg/command/reference/cmdref/int_sess.html#wp1975695

HTH