
implementing dhcp snooping in production network

Hi Friends,

I have a production network environment where I want to implement DHCP snooping and DAI. My setup is as below:

I have 35xx series switches at the edge and 2 x 65xx series switches at the core. All edge switches have 2 uplinks to the 2 core switches. STP is running in the network; core switch 1 is configured as the primary root for all the VLANs and core switch 2 as the secondary root. An EtherChannel is running between the 2 core switches. Below are the STP commands I run on both edge and core switches (uplinkfast is not running on the core switches):

spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree uplinkfast
!
interface FastEthernet0/1
 description *** User-Vlan-01 ***
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security aging time 300
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable

Below are my queries:

1) Do I need to run any other STP-related commands on the edge as well as the core switches in a typical production network?

Now I need to enable DHCP snooping and ARP inspection in my network. One point to mention is that there is an FWSM module in the core switch and the network setup is like FWSM>MSFC>Router. All the VLANs (user VLAN and server VLAN) are Layer 3 interfaces of the FWSM. The outside of the FWSM connects to the MSFC.

My queries are:

2) What are the things I should take care of before I implement DHCP snooping and DAI in a production LAN?

3) Do I need to do anything on the FWSM? If yes, what are the things I should do?

Appreciate your valuable inputs ASAP

Thanks and Regards



Re: implementing dhcp snooping in production network

You don't have to do anything on the FWSM.

Enable DHCP snooping based on the VLAN, define the ports where hosts are connected as untrusted and the uplink ports as trusted. There are other features with DHCP snooping which you may use.

Hope these links will help.


Hitesh Vinzoda
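
The steps in the reply above, written out as Catalyst IOS configuration for the edge switch in the question (an added example, not part of the original thread). VLAN 10 and FastEthernet0/1 come from the posted config; the uplink interface names, the rate limit, the database filename and the static host's address and MAC are assumptions.

```cisco
! --- Step 1: DHCP snooping on the user VLAN ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Persist bindings across reloads so DAI still has data after a reboot
! (filename is an assumed example)
ip dhcp snooping database flash:dhcp-snooping.db
!
! Uplinks toward the two core switches: trusted, because legitimate
! DHCP server replies arrive here (interface names are assumptions)
interface range GigabitEthernet0/1 - 2
 ip dhcp snooping trust
 ip arp inspection trust
!
! Host ports stay untrusted (the default); rate-limit DHCP from clients
! (15 packets per second is an assumed starting value)
interface FastEthernet0/1
 ip dhcp snooping limit rate 15
!
! --- Step 2: check that the binding table is populated ---
! Hosts that obtained a lease before snooping was enabled have no binding
! until they renew. Run these in exec mode and wait for the table to fill:
!   show ip dhcp snooping
!   show ip dhcp snooping binding
!
! --- Step 3: statically addressed hosts need an ARP ACL ---
! (address and MAC below are constructed placeholders)
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.10 mac host 0000.5e00.5301
ip arp inspection filter STATIC-HOSTS vlan 10
!
! --- Step 4: only now enable DAI on the VLAN ---
! DAI validates ARP against the snooping bindings, so enabling it with an
! empty table drops ARP from every host that lacks a binding or ACL entry
ip arp inspection vlan 10
!
! Verify after the change (exec mode):
!   show ip arp inspection vlan 10
!   show ip arp inspection statistics vlan 10
```

Rising drop counters in the DAI statistics right after step 4 usually point to hosts that were missed in steps 2 and 3.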
