dhcp snooping

I am trying to set up dhcp snooping and was just wondering if the commands below are what I should be using for COS and IOS. Also, how would I do a test to see if the switch disables the port if it detects a DHCP server? I was thinking I could use ICS on a Windows computer but I don't know if that would work.



set security acl ip dhcpsnoop permit dhcp-snooping

set security acl ip dhcpsnoop permit ip any any

commit security acl dhcpsnoop

set security acl map dhcpsnoop 1

set dhcp-snooping information host-tracking enable

set port dhcp-snooping 1/1 trust enable

Step 1

Configure the port as port based.

set port security-acl (port) port-based

Step 2

Enable IP source guard.

set port dhcp-snooping (port) source-guard enable

Step 3

Enable DHCP snooping.

set security acl ip dhcpsnoop permit dhcp-snooping

Step 4

Allow the port to forward other traffic.

set security acl ip dhcpsnoop permit ip any any

Step 5

Save the ACL configuration.

commit security acl dhcpsnoop

Step 6

Enable the ACL on the VLAN.

set security acl map dhcpsnoop 1

Step 7

Enable DHCP-snooping trust on a port.

set port dhcp-snooping (port) trust enable



conf t

ip dhcp snooping

ip dhcp snooping vlan 1

ip dhcp snooping information option

interface (mod/port)

ip dhcp snooping trust

ip verify source vlan dhcp-snooping port-security


Re: dhcp snooping

Config looks OK for IOS.

Try this command for output:

sh ip dhcp snooping binding

Re: dhcp snooping

Are ACLs not needed for snooping to work?

Re: dhcp snooping

Hi Matthew,

You can test if dhcp snooping works by connecting another switch or router configured as DHCP server to any untrusted port and making the hosts send dhcp discover messages.

Of course, you'd better test the dhcp snooping trusted ports as well to see these ports do not block rightful dhcp packets.


Re: dhcp snooping

So hook a switch to the switch with dhcp snooping and then hook a computer to that switch?

Re: dhcp snooping

Hi Matthew,

On the port that is configured as "trusted" in dhcp snooping, the switch will allow dhcp packets from a dhcp server.

On all other ports, dhcp packets will be rejected and the port will be put in errdisable state if dhcp replies are detected.

So it doesn't matter where your dhcp server is located: it may be another switch hooked to the switch directly or it may be several hops away.

But you need to enable the port as "trusted" where the dhcp reply packets from the trusted dhcp server are expected to come in.
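
An added example, not part of the original thread: a Python sketch of the trust decision described in the reply above. It reads the DHCP message type (option 53) from a packet and rejects server-originated messages that arrive on a port not marked trusted, while client messages still pass. The port names and the `build` helper are constructed for illustration, and the sketch models only permit/reject, not any change of port state.

```python
MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header
BOOTREPLY = 2                 # BOOTP op code used by servers and relays
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}   # option 53 values only a server sends


def dhcp_message_type(payload: bytes):
    """Return the option 53 value of a BOOTP/DHCP payload, or None if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:           # end option
            break
        if code == 0:             # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None           # option header truncated
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None           # option body truncated
        if code == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None


def snoop_verdict(payload: bytes, ingress_port: str, trusted_ports: set) -> str:
    """Permit anything on a trusted port; on other ports reject server traffic."""
    if ingress_port in trusted_ports:
        return "permit"
    mtype = dhcp_message_type(payload)
    if mtype is None or mtype in SERVER_TYPES or payload[0] == BOOTREPLY:
        return "reject"
    return "permit"


def build(op: int, mtype: int) -> bytes:
    """Constructed sample packet: minimal BOOTP header plus option 53."""
    return bytes([op, 1, 6, 0]) + bytes(232) + MAGIC + bytes([53, 1, mtype, 255])


if __name__ == "__main__":
    trusted = {"Gi1/0/1"}         # constructed port names
    for port in ("Gi1/0/1", "Gi1/0/5"):
        print(port, "OFFER ->", snoop_verdict(build(2, 2), port, trusted))
```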