Cisco Support Community

ip dhcp snooping issue

Hi all,

I am having trouble getting the dhcp snooping to work on a stacked 3750 when a rogue DHCP server is plugged in to the network. I have configured dhcp snooping on one of our user switches with the following commands.

ip dhcp snooping
ip dhcp snooping vlan 11
no ip dhcp snooping information option
int range fa1/0/1 - 48
 ip dhcp snooping limit rate 100

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
11   JKT_Net_DHCP_1

interface FastEthernet1/0/43
 description  DHCP Subnet 1
 switchport access vlan 11
 switchport mode access
 switchport port-security maximum 3
 switchport port-security aging time 1440
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 no logging event link-status
 no snmp trap link-status
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 100


The configuration works in the fact that users are still getting their IP address info from the DHCP server and I can see all the DHCP snooping bindings on the switch. But I'm having issues where, when a rogue DHCP device is plugged in to one of the user ports, i.e. fa1/0/43 on the user subnet, and I do an ipconfig /release /renew on a machine on the same VLAN, I am still getting a DHCPOFFER from the rogue device and the machine ends up with the wrong IP address.

Currently the real DHCP server sits off a network behind the firewall, with a layer 3 link (running OSPF) between the user switch and the distribution switch. I have enabled the DHCP snooping on the link from the distribution switch to the real DHCP server (shown below).

DHCP snooping trusted interface


interface GigabitEthernet1/0/9
 description JKTADC01 - LAC 1
 switchport access vlan 21
 switchport mode access
 no snmp trap link-status
 ip dhcp snooping trust


I have also attached a network diagram of the network setup.

I would like to stop the rogue server from being able to give out ip addresses.

Can someone shed some light on this topic please?

Kind regards,
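
Added example, not part of the original post: a small Python audit that reads IOS configuration text like the access-switch lines above and reports, per interface, whether DHCP snooping as configured would drop DHCP server replies (DHCPOFFER and similar) arriving on that port. The function names are hypothetical, the sample input is constructed from the post plus one hypothetical port (Fa1/0/44 in VLAN 12), and only access ports are handled; it reports configured intent, not the operational state that `show ip dhcp snooping` displays.

```python
import re

# Constructed input: access-switch lines quoted in the post, plus one
# hypothetical port (Fa1/0/44, VLAN 12) to show a VLAN that is not snooped.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 11
interface FastEthernet1/0/43
 switchport access vlan 11
interface FastEthernet1/0/44
 switchport access vlan 12
"""

def expand_vlans(spec):
    """Turn an IOS VLAN list such as '11,20-22' into a set of ints."""
    out = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse(config):
    """Collect global snooping state and per-interface VLAN and trust."""
    state = {"enabled": False, "vlans": set(), "ports": {}}
    port = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface (\S+)", line):
            # Access VLAN defaults to 1; ports are untrusted by default.
            port = state["ports"].setdefault(m[1], {"vlan": 1, "trust": False})
        elif line == "ip dhcp snooping":
            state["enabled"] = True
        elif m := re.fullmatch(r"ip dhcp snooping vlan ([\d,\- ]+)", line):
            state["vlans"] |= expand_vlans(m[1])
        elif port is not None and (m := re.fullmatch(r"switchport access vlan (\d+)", line)):
            port["vlan"] = int(m[1])
        elif port is not None and line == "ip dhcp snooping trust":
            port["trust"] = True
    return state

def audit(config):
    """Return {port: 'trusted' | 'filtered' | 'unfiltered'} for server replies."""
    s = parse(config)
    report = {}
    for name, p in s["ports"].items():
        # Filtering needs both the global command and the port's VLAN in the list.
        covered = s["enabled"] and p["vlan"] in s["vlans"]
        report[name] = "trusted" if p["trust"] else "filtered" if covered else "unfiltered"
    return report
```
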

