Cisco Support Community
Community Member

DHCP Snooping on 6500

Hi everybody, I am doing some tests with the DHCP snooping feature; to explain more, I have added a topology of part of my network. I found some problems on switch 1 because the IOS release doesn't support the DHCP snooping feature. It only supports the command ip dhcp relay information trusted.

So is it possible to configure my network using the configuration that you can see in the attachment? Do you think it is a good option?

I hope you can help more with that.

Thanks and best regards



Re: DHCP Snooping on 6500

That should work. In this configuration guide they have an internal MSFC, but the concept is the same; the trunk port to the relay agent should be DHCP snooping trust enabled:

Community Member

Re: DHCP Snooping on 6500

Yes, I was studying this configuration guide. So there is no problem because the DHCP server is not configured as a trusted port?

Thanks, my friend, for your response.

Best regards

Re: DHCP Snooping on 6500

Actually, the ports connecting the two switches are DHCP snooping trust enabled, so yes. The DHCP server is on the switch running IOS, yes? Then all is well, it should work.

Community Member

Re: DHCP Snooping on 6500

Hi, I have another question. If you look at the picture, what happens with devices connected directly to the 6513 (server farm)? All the switches connected to the 6513 and the servers are on VLAN 1. There isn't a problem with the users' PCs because they are on a different VLAN, but on switch 6513 the current IOS release doesn't support the DHCP snooping feature. So what can you recommend to protect VLAN 1 in case of a rogue DHCP server?


Re: DHCP Snooping on 6500

DHCP Snooping is supported in Native IOS from 12.2(18)SXE and later.

Release Notes:

Community Member

Re: DHCP Snooping on 6500

Yes, I know that I need a new release on switch 6513, but for now the client will not buy new hardware. I was reading a Cisco security presentation that explains DHCP snooping and says "If there are switches in the network that will not support DHCP snooping, you can configure VLAN ACLs to block UDP port, it will not prevent the CHADDR DHCP starvation attack". VLAN ACLs are on CatOS. Do you have any idea how to make an extended access list on the switch 6513 that doesn't support the feature?


Community Member

Re: DHCP Snooping on 6500

Hi again, now I have tested DHCP snooping on a 3560 switch (IOS c3560-ipbase-mz.122-25.SEB4) in the same topology mentioned above. I enabled this configuration on the switch:

ip dhcp snooping vlan 227
ip dhcp snooping database flash://pruebas
ip dhcp snooping

and on the Giga interfaces:

interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no cdp enable
 channel-group 9 mode on
 ip dhcp snooping trust

and on VLAN 227 on switch 6513 I enabled the following lines:

interface Vlan227
 ip address
 ip helper-address
 ip dhcp relay information trusted

But when I type the command sh ip dhcp snooping binding, I don't see any value; it's empty. So is it possible that this configuration on IOS is wrong? I followed the instructions from this web page

Can you give me some idea?


Community Member

Re: DHCP Snooping on 6500

OK, I was able to resolve the problem on switch 3560; it was missing the command ip dhcp trust on interface port-channel. Only one question: is it necessary to enable the DHCP Snooping Binding Database Agent?

Thanks for your support


Re: DHCP Snooping on 6500

Without the database agent the switch will lose all binding info upon reload and connectivity will be broken for the DHCP clients.

Please rate all helpful posts.
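
As an added example (not code from the thread or from Cisco), this Python script audits a saved IOS configuration for the two points the thread ends on: a trusted member port whose port-channel interface lacks the trust command, and a missing binding database agent. The sample configuration is constructed, and the interface name Port-channel9 is an assumption derived from "channel-group 9".

```python
# Constructed sample modelled on the 3560 config posted in the thread. The
# name Port-channel9 is assumed from "channel-group 9"; it has no trust line.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 227
ip dhcp snooping
!
interface Port-channel9
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport mode trunk
 channel-group 9 mode on
 ip dhcp snooping trust
"""
TRUST = "ip dhcp snooping trust"

def parse(config):
    """Split a config into global commands and per-interface command lists."""
    global_cmds, interfaces, current = [], {}, None
    for line in config.splitlines():
        cmd = line.strip()
        if cmd in ("", "!"):
            continue
        if line.startswith("interface "):
            current = cmd.split(None, 1)[1]
            interfaces[current] = []
        elif line[0].isspace() and current is not None:
            interfaces[current].append(cmd)
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, interfaces

def audit(config):
    """Return findings for the DHCP snooping points discussed in the thread."""
    global_cmds, interfaces = parse(config)
    findings = []
    if "ip dhcp snooping" not in global_cmds:
        findings.append("DHCP snooping is not enabled globally")
    if not any(c.startswith("ip dhcp snooping vlan ") for c in global_cmds):
        findings.append("DHCP snooping is not enabled on any VLAN")
    if not any(c.startswith("ip dhcp snooping database ") for c in global_cmds):
        findings.append("no binding database agent: bindings are lost on reload")
    for name, cmds in interfaces.items():
        group = next((c.split()[1] for c in cmds if c.startswith("channel-group ")), None)
        bundle = f"Port-channel{group}"
        if group and TRUST in cmds and TRUST not in interfaces.get(bundle, []):
            findings.append(f"{bundle} lacks '{TRUST}' (member {name} has it)")
    return findings
```

Calling audit(SAMPLE_CONFIG) returns two findings; adding the trust command under the port-channel interface and an "ip dhcp snooping database" line clears both.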

