dhcp snooping on l3 access switch

bluesea2010
Level 5

Hi 

If a rogue DHCP server is active on the same VLAN as clients, the client may obtain its IP configuration from that unauthorized server. How to solve this?

interface Vlan10
ip address 10.0.10.1 255.255.255.0
ip helper-address 192.168.100.10

Thanks

Accepted Solution

Jens Albrecht
Level 4

Hi @bluesea2010,

you already presented the solution in the headline of your post: DHCP snooping.

Once you enable this feature for Vlan 10 by default all ports are untrusted and the switch will simply drop any DHCP offer packets from rogue DHCP servers.

The fact that by default all ports are untrusted also means that you have to configure the port that is pointing to your legitimate DHCP server as a trusted port. Typically this is a trunk link to the switch where your server is connected. In case you have redundant uplinks and/or redundant DHCP servers, then all those links need to be configured as trusted ports.

If you forget to configure the port(s) for your DHCP server(s) as trusted then no one will be able to get an IP address, so double-check this before enabling DHCP snooping.

In case you need help to configure this feature, then please tell us the platform and software you are running on your switch.

HTH!

4 Replies

My switch is a layer 3 access switch; the SVIs are on the same switch, so "trusted" won't work on L3 interfaces. The DHCP server is reached through a routed interface. So the question here again:

If a rogue DHCP server is active on the same VLAN as clients, the client may obtain its IP configuration from that unauthorized server.

Thanks

Jens Albrecht
Level 4

DHCP snooping is a Layer 2 feature that only works on switchports.

Routed ports are simply not inspected, so there is no need to configure them as trusted ports and hence it is not possible to do so.

As a result all your access ports remain untrusted and DHCP snooping protects against rogue DHCP servers in the configured Vlan.
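The decisions described in the two replies above (server messages dropped on untrusted access ports, forwarded on the trusted uplink, and routed ports not inspected at all) as an added Python model; this is example code written for this page, not Cisco's implementation and not anything posted in the thread. Port names, MAC addresses, the 10.0.10.0/24 lease and the packets themselves are constructed test input. The two extra untrusted-port checks (dropping client packets that carry option 82, and dropping packets whose DHCP chaddr differs from the frame's source MAC) model what the IOS documentation describes as default snooping behaviour and are an assumption of this example, as is the simplified binding table that is filled in when an ACK for a known client arrives on a trusted port.

```python
"""Model of the DHCP snooping decisions a switch makes per ingress port (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

BOOTREQUEST, BOOTREPLY = 1, 2          # DHCP 'op' field values
OPT_MESSAGE_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"


@dataclass
class Port:
    name: str
    vlan: Optional[int] = None   # None models a routed ('no switchport') interface
    trusted: bool = False        # every switchport is untrusted until configured otherwise


def parse_dhcp(payload: bytes) -> dict:
    """Extract op, chaddr, yiaddr and options 53/82 from a raw DHCP payload (UDP body)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    info = {
        "op": payload[0],
        "yiaddr": ".".join(str(b) for b in payload[16:20]),
        "chaddr": bytes(payload[28:34]),
        "msg_type": None,
        "has_opt82": False,
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == OPT_MESSAGE_TYPE:
            info["msg_type"] = value[0]
        elif code == OPT_RELAY_AGENT:
            info["has_opt82"] = True
        i += 2 + length
    return info


@dataclass
class SnoopingSwitch:
    snooped_vlans: Set[int]
    pending: Dict[bytes, Tuple[str, int]] = field(default_factory=dict)        # client MAC -> (port, vlan)
    bindings: Dict[bytes, Tuple[str, str, int]] = field(default_factory=dict)  # client MAC -> (ip, port, vlan)

    def process(self, port: Port, src_mac: bytes, payload: bytes) -> str:
        """Return the forwarding decision for one DHCP packet arriving on 'port'."""
        if port.vlan is None:
            return "forward (routed port, not inspected)"
        if port.vlan not in self.snooped_vlans:
            return "forward (snooping not enabled on VLAN)"
        pkt = parse_dhcp(payload)
        kind = MSG_NAMES.get(pkt["msg_type"], "UNKNOWN")
        if port.trusted:
            # Server replies are only accepted here; an ACK for a client seen on an
            # untrusted port creates a binding (simplified model of the binding table).
            if pkt["op"] == BOOTREPLY and pkt["msg_type"] == 5 and pkt["chaddr"] in self.pending:
                cport, cvlan = self.pending[pkt["chaddr"]]
                self.bindings[pkt["chaddr"]] = (pkt["yiaddr"], cport, cvlan)
            return f"forward {kind} (trusted port)"
        # Untrusted port: this is what stops a rogue server on the client VLAN.
        if pkt["op"] == BOOTREPLY:
            return f"drop {kind} (server message on untrusted port)"
        if pkt["has_opt82"]:
            return f"drop {kind} (option 82 on untrusted port)"
        if pkt["chaddr"] != src_mac:
            return f"drop {kind} (chaddr does not match source MAC)"
        self.pending[pkt["chaddr"]] = (port.name, port.vlan)
        return f"forward {kind} (client message on untrusted port)"


def build_dhcp(op: int, msg_type: int, chaddr: bytes, yiaddr: str = "0.0.0.0", opt82: bool = False) -> bytes:
    """Construct a minimal DHCP payload for the model (constructed test input, not a capture)."""
    pkt = bytearray(240)
    pkt[0], pkt[1], pkt[2] = op, 1, 6          # op, htype=Ethernet, hlen=6
    pkt[16:20] = bytes(int(o) for o in yiaddr.split("."))
    pkt[28:34] = chaddr
    pkt[236:240] = MAGIC_COOKIE
    pkt += bytes([OPT_MESSAGE_TYPE, 1, msg_type])
    if opt82:
        pkt += bytes([OPT_RELAY_AGENT, 2, 1, 0])  # empty circuit-id sub-option
    pkt += bytes([OPT_END])
    return bytes(pkt)


if __name__ == "__main__":
    sw = SnoopingSwitch(snooped_vlans={10, 100})
    access = Port("Gi1/0/5", vlan=10)                  # client port, untrusted by default
    uplink = Port("Gi1/0/24", vlan=10, trusted=True)   # link towards the legitimate server
    routed = Port("Gi1/0/1")                           # routed port, outside snooping
    client, rogue = bytes.fromhex("aabbccddeeff"), bytes.fromhex("001122334455")
    print(sw.process(access, client, build_dhcp(BOOTREQUEST, 1, client)))
    print(sw.process(access, rogue, build_dhcp(BOOTREPLY, 2, client, "10.0.10.99")))
    print(sw.process(uplink, rogue, build_dhcp(BOOTREPLY, 5, client, "10.0.10.50")))
    print(sw.process(routed, rogue, build_dhcp(BOOTREPLY, 2, client, "10.0.10.99")))
    print(sw.bindings)
```

Running the script shows the client DISCOVER forwarded from the access port, the rogue OFFER dropped on that same untrusted port, the real server's ACK accepted on the trusted uplink (and recorded as a binding), and the packet on the routed port passed through without inspection, which is why the routed interface needs no trust configuration.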

The below commands are enough to configure DHCP snooping on L3 access switches:

ip dhcp snooping vlan 10,100
no ip dhcp snooping information option
ip dhcp snooping

And what about ARP snooping on the same L3 switch?