DHCP Snooping and Dynamic ARP Inspection

Hello All,

I am trying to set up DHCP snooping in an L3 environment.


6500 L3 Access Switches connected to 6500 L3 Distribution switches connected to 6500 L3 Core switches. All uplinks are L3 links. There are no trunks or L2 links.

The Access switches have SVI interfaces configured corresponding to the VLANs. These SVI interfaces have helper addresses configured.

The DHCP server is located in the campus. It's not local to these switches.

DHCP Snooping

This feature has been enabled globally on the Access switch and also on a per-VLAN basis on the Access switch. From what I have read, all the interfaces in that VLAN are now untrusted? Is that correct? If that is true, then that takes care of any local workstation/laptop coming up as a DHCP server, since the clients will not respond to any DHCP messages from these rogue devices. However, I am not sure if anything else needs to be done. I am confused: even though I have DHCP snooping enabled and haven't defined any ports as trusted, how is it that the clients are getting the address from the correct DHCP server located in the campus environment? Is there anything in this feature that automatically makes it trust any information from the server configured in the ip helper statement?

Dynamic ARP Inspection

Again, it's a similar issue where I am not certain if it's working correctly. ARP inspection is configured, and the way it was tested was by clearing the ARP entry in the 6500 Access switch. With ARP inspection enabled and after clearing the ARP entry, another workstation was unable to take over the IP address or communicate with the same IP address that was assigned to the previous client. Is that how this feature is supposed to work? I just enabled ip arp inspection and configured the L3 uplink interfaces as trusted. Would that suffice?

Thanks for your help