Cisco Support Community
Community Member

LAN was down ie Users are not getting ip from DHCP server after enabling DHCP snooping

Hi All ,

Enclosed file has network connectivity diagram.

1. L3 vlan's ie 2,3,4,5 and 6 are configured on ACC-CR1 and ACC-CR2. 

2.Trunk is configured between Core switches ( CR1 and CR2) and access switches .VTP mode is transparent on all switches.L2 vlans are configured on all access switches.

3.DHCP is server is located at different location and is reachable over MPLS.

Without enabling dhcp snooping , users connected to access switches (Sw1,sw2,sw3 and Sw4 ) are getting ip address from DHCP server without any problem and everything is working fine.

But users connected to Sw3 and Sw4 are getting ip address from rouge DHCP server which is not pingable from any one of the switch.

So we have configured DHCP snooping for all vlan's on CR1 , CR2 , SW3 and SW4 and "trusted uplink ports" which are connected to WAN routers from CR1 and CR2  and also "trusted uplink ports " of Sw3 and Sw4 which are connected to CR1 and CR2.


As soon we have enabled DHCP snooping and trusted respective uplink ports , users are not getting ip address from remote DHCP server and even users connected to Sw1 and SW2 are facing same issue.

Note : DHCP snooping is not configured on SW1 and SW2.


Why users are not getting ip address from remote DHCP server as soon as we enabled dhcp snooping on Core switches and two access switches ie sw3 and sw4 ? what could have caused DHCP packets to be dropped ? Any idea would be appreciated .







Thanks , M S K
Everyone's tags (1)

Hi, is also the trunk between



is also the trunk between your CR1 and CR2 switches configured as trusted on both ends?

Which switch is the STP root in your LAN?

Which CRx switch is receiving the  DHCP offers from your WAN?

Have you seen any messages in you CRx switches logs regarding dropping DHCP packets?

If not, have you tried to enable DHCP debug on them?


Best regards,


Community Member

Hi Milan , thanks for prompt

Hi Milan ,


thanks for prompt response..


CR1 is the root bridge and CR2 is secondary root and HSRP is configured between CR1 and CR2 and Vlans are active on CR1.


Yes Trunk link between CR1 and CR2 are trusted ..I have not seen any DHCP messages on neither of the core switch...Debug commands were not enabled because switches are in production and did not get chance to enable Debug commands pertaining to DHCP.



Thanks , M S K

Hi,as you say: " HSRP is


as you say: " HSRP is configured between CR1 and CR2 and Vlans are active on CR1" does it mean there are L3 intrefaces configured in each VLAN on your CR switches and ip hepler-address pointing to the remote DHCP server is configured on each of them?


I know it's difficult in a productive environment but IMHO you need to find out where are the DHCP offers dropped.

Either by enabling DHCP debugging or by capturing packets via Wireshark, e.g.


Best regards,



Community Member

Hi Milan , Yes we have L3

Hi Milan ,


Yes we have L3 interfaces on core switches and ip helper address is configured under each and every L3 configured on the core Switches as DHCP server is placed remotely.





Thanks , M S K
CreatePlease to create content