Hello Andy,
So I treat ports connected to hosts as untrusted and trunks or ports connected to DHCP servers as trusted?
Correct.
Will this cause an issue with hubs as (I know) in som esites we have a hub or 2 plugged into a switch due to a loack of floor ports?
There will be no issues as long as the hub connects only to untrusted or only to trusted devices (you can not mix trusted and untrusted hosts on a single port on a DHCP Snooping switch - the port is either trusted or untrusted and that defines the trust level for everyone connected to that port).
In some sites the WAN router is the DHCP server so I can treat that as a trusted port?
Yes, that is correct. On the WAN router, you will have to configure the following command:
ip dhcp relay information trust-all
The reason is that the DHCP Snooping switch adds a specific DHCP option to all relayed DHCP messages from clients (the so-called Option-82) but does not fill in the address of the relay agent (because there is no relay agent at all). Cisco's implementation of DHCP server does not like seeing this option in DHCP messages that do not carry relay agent IP address (it is a kind of validation check). The command I've just mentioned deactivates this check.
Regarding the Option-82, there is much misunderstanding about it. It is often suggested to deactivate its insertion. I am strongly against such recommendations unless there is a provable case that the DHCP Snooping deployment won't be working with Option-82. I suggest checking out this discussion:
https://supportforums.cisco.com/thread/2060498
In some sites we use the switch as the DHCP server so I guess I don't need to do anything with that?
If the DHCP server runs on the same switch that also performs DHCP Snooping then there is no additional configuration necessary besides turning the DHCP Snooping on, of course.
Best regards,
Peter
