DHCP Snooping Questions

Steven Williams

DHCP snooping trust questions:

  1. I think you only need the trust on the trunk on the local switch going northbound to the next hop, correct? It's not like ARP inspection where each side of the trunk needs a trust.

  2. If your next hop is a Port-channel, does the DHCP trust go on the interfaces in the PO or the PO itself? Or maybe all 3?

  3. What is the purpose of option 82 exactly?

10 Replies

Hi Steven,

1. You have to trust ONLY the switch port where the DHCP server is connected (by default all ports are untrusted when you enable DHCP snooping). If your DHCP server is connected to a second switch, you need to trust both the port where the DHCP server is connected and the port between the first and second switch.

2. When you have a Port-channel, the configuration always goes under the port-channel.

3. Please have a look here:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html#wp1108657

If I have this:

[Switch1] --------[Switch2] ------- [DHCP Server]

Switch1 (Gi0/48) connects to Switch2 (Gi0/1) 

Switch2 (Gi0/25) connects to DHCP Server

So I understand that Switch2 Gi0/25 needs "ip dhcp snooping trust"

and Switch1 Gi0/48 needs "ip dhcp snooping trust" because it's upstream to the DHCP server. But I don't think Switch2 Gi0/1 needs the trust command, or does it?

You will need to trust all ports that belong to the chain (Gi0/25, Gi0/1, Gi0/48) because the DHCP packets will go through all these ports. Try to imagine the path that the DHCP packets will take and then enable DHCP snooping on all the ports they will cross in order to reach the server.

Please rate if useful

Makes sense, but if Switch2 wasn't running DHCP snooping at all, then all ports would be trusted, so no trust would be required except on Switch1, correct?

Steven,

You are correct.

You only need to trust the ports towards the DHCP server on the switches that run DHCP snooping.

Option 82 is a feature of DHCP which looks at interfaces etc.

If your DHCP server is not configured to use Option 82, then make sure you configure your switch with:

!
no ip dhcp snooping information option
!

If you don't do this, the end devices will not receive a DHCP address.

Regards

Alex

Regards, Alex. Please rate useful posts.

So does each side of the trunk need ip dhcp snooping trust on it? Or just the upstream port?

Steven,

For you, since you are saying that DHCP snooping is only on switch1:

!
ip dhcp snooping vlan 1-4094
no ip dhcp snooping information option
ip dhcp snooping
!
errdisable recovery cause dhcp-rate-limit
!
!        
interface GigabitEthernet1/0/1
desc *** MY UPLINK PORT ***
ip dhcp snooping trust
!ALL THE REST OF YOUR INTERFACE CONFIG
!
!        
interface GigabitEthernet1/0/2
desc *** MY USERS PORTS ***
ip dhcp snooping limit rate 15
!ALL THE REST OF YOUR INTERFACE CONFIG
!


show ip dhcp snoop bind

switch1#sh ip dhcp snoop bind
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
AA:AA:CC:DD:EE:FF   10.2.18.196      146909      dhcp-snooping  333   GigabitEthernet1/0/7
AA:BB:CC:DD:EE:FF   10.2.18.198      317696      dhcp-snooping  333   GigabitEthernet1/0/45
AA:CC:CC:DD:EE:FF   10.2.18.199      305513      dhcp-snooping  333   GigabitEthernet1/0/10
AA:DD:CC:DD:EE:FF   10.2.18.165      66526       dhcp-snooping  333   GigabitEthernet1/0/18

If your uplink is a port-channel, then apply the ip dhcp snooping trust to the port-channel interface; it will copy it down to the physical members.

Regards

Alex

Regards, Alex. Please rate useful posts.

OK, now same scenario but Switch2 is not running DHCP snooping. Does the port-channel downstream to Switch1 require a trust command?

Also, the DHCP snooping database: it's been about 5 years since I have done DHCP snooping, but does the binding database HAVE to be shipped to a TFTP server, or is that an optional piece? If it needs to be shipped off to TFTP, what is the scenario if it is not?

Steven,

1) As you are NOT running DHCP snooping on switch2, you do NOT configure the trust statements. Just make sure you trust the uplinks towards the DHCP server on switch1.

2) Shipping the database is optional. You save to a TFTP server and restore on switch reloads if you require that feature.

I am not sure what model of switch you are using, but here is a link to the 3750 configuration guide for the DHCP snooping database agent.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_52_se/configuration/guide/3750scg/swdhcp82.html#wp1282651


Hope this helps
Regards
Alex

Regards, Alex. Please rate useful posts.

Playing devil's advocate here, but...

If a rogue DHCP server is connected to switch2 and sw2 ISN'T running DHCP snooping, then that DHCP server isn't effectively blocked? Its downstream switch IS running snooping, but is trusting the uplink.

...not an issue if SW2 has no possibility of having a rogue DHCP server attached to it or something connected to it.
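As an added example (not from this thread or from Cisco), the following script applies the rule Alex gives above (on each switch running DHCP snooping, trust the port facing the DHCP server; no trust statements on switches without snooping) to the topology from the thread, and also lists where a rogue DHCP server's replies would pass unfiltered, which is the devil's-advocate point just raised. The topology, the `DHCP-Server` node name and its `eth0` port are constructed assumptions.

```python
from collections import deque

# Constructed topology from the thread: (switch_a, port_a, switch_b, port_b).
LINKS = [
    ("Switch1", "Gi0/48", "Switch2", "Gi0/1"),
    ("Switch2", "Gi0/25", "DHCP-Server", "eth0"),
]
SERVER = "DHCP-Server"

def build_adjacency(links):
    """Map node -> {neighbour: local port facing that neighbour}."""
    adj = {}
    for a, pa, b, pb in links:
        adj.setdefault(a, {})[b] = pa
        adj.setdefault(b, {})[a] = pb
    return adj

def port_toward_server(links, server=SERVER):
    """BFS outward from the server: for every switch, the port facing it.
    A Port-channel uplink is a link whose port name is the Po interface,
    which is where the trust goes, not on the member ports."""
    adj = build_adjacency(links)
    toward, seen, queue = {}, {server}, deque([server])
    while queue:
        node = queue.popleft()
        for nbr in adj.get(node, {}):
            if nbr not in seen:
                seen.add(nbr)
                toward[nbr] = adj[nbr][node]  # nbr's port pointing back at node
                queue.append(nbr)
    return toward

def trust_config(links, snooping_switches, server=SERVER):
    """Per switch running snooping, the one port needing 'ip dhcp snooping trust'.
    Switches without snooping get no entry: their ports already act as trusted."""
    toward = port_toward_server(links, server)
    return {sw: toward[sw] for sw in snooping_switches if sw in toward}

def unfiltered_rogue_locations(links, snooping_switches, server=SERVER):
    """Switches where a rogue DHCP server's replies would not be dropped: any
    switch without snooping, since its traffic reaches the snooping switches
    through their trusted uplink (the devil's-advocate point above)."""
    adj = build_adjacency(links)
    return sorted(sw for sw in adj if sw != server and sw not in snooping_switches)

if __name__ == "__main__":
    for sw, port in trust_config(LINKS, {"Switch1", "Switch2"}).items():
        print(f"{sw}: interface {port} -> ip dhcp snooping trust")
```

Swapping the first link for `("Switch1", "Po1", "Switch2", "Po1")` shows the port-channel case: the trust lands on `Po1`, matching Alex's note that it is applied to the port-channel interface.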
