10-31-2013 08:57 AM - edited 03-07-2019 04:21 PM
Hi Guys,
I am planning to implement DHCP snooping in my enterprise network, so I would like to take your advice before I start.
Here is my network setup:
user pc----Access switch - dist switch- core-switch - Serverfarm core switch - server farm - windows dhcp sever
Some users get their DHCP IP address from the Windows DHCP server (e.g. VLAN 100).
Some users get their DHCP IP address from the DHCP server configured on the distribution switch, say VLAN 200.
DHCP snooping should be implemented end to end.
Questions:
1. Does the ip dhcp snooping command need to be applied on all switches (access switch, dist switch, core switch, server farm core switch, server farm switch)?
2. Which ports should be configured as DHCP trust ports?
3. FYI, DHCP relay is used on the distribution switch, say for VLAN 100.
Thanks
10-31-2013 09:18 AM
You would configure snooping on all of your access switches. Trust the switch uplinks and the port that the DHCP servers connect to.
HTH,
John
10-31-2013 09:26 AM
Thanks John.
1. You mean configure the ip dhcp snooping command only on the access switches, but not on the dist/core/server core/server farm switches?
2. And only trust the port connecting from the server farm switch to the server farm core?
In that case my whole config will be:
Access switch:
  ip dhcp snooping
  ip dhcp snooping vlan 100,200
Server farm switch:
  Trust the port the DHCP server connects to
  Trust the uplink port
Did I miss something?
10-31-2013 10:06 AM
Personally, I would enable it everywhere, but you're generally only worried about the access switches, because a user can bring a wireless router from home to give themselves extra switchports or wireless where they may not have it, and they'll keep the DHCP server enabled. Once they connect it to the network, it can start handing out addresses. Of course, there are other malicious things users can do with DHCP, but the previous example is more common, at least in my environment.
The only ports that you should trust are all of the interswitch links (uplink ports) and the port that your DHCP server connects to.
HTH,
John
10-31-2013 10:22 AM
You are right, it's required only on the access switch.
Now my next query is: for the interface command ip dhcp snooping trust to be effective, do I need to apply the global ip dhcp snooping command on the switch, for example the dist switch?
I would require more clarity on the interswitch links (uplink ports):
Does that mean all the trunks from the user side to the DHCP server side?
For example, trust both ports on the distribution switch, one towards the user side and the other towards the DHCP server side?
Thanks again
10-31-2013 10:44 AM
Suppose you have the following:
PC --- (f0/1) Access SWA (f0/2) ----- (f0/2) Access SWB (f0/3) ----- (f0/3) Distribution (f0/4) ---- (f0/4) Core (f0/5) ----- Server
PC connects to fa0/1
Access SWA fa0/2 connects to SWB on fa0/2
Access SWB fa0/3 connects to Distribution on fa0/3
Distribution fa0/4 connects to Core on fa0/4
Server connects to Core on fa0/5
Run "ip dhcp snooping" on all of the switches.
On SWA, trust fa0/2
SWB trust fa0/2 and fa0/3
Distribution trust fa0/3 and fa0/4
Core trust fa0/4 and fa0/5
To trust, go under the interface:
  int fa0/5
  ip dhcp snooping trust
You need to have ip dhcp snooping configured globally to enable snooping.
HTH,
John
10-31-2013 12:49 PM
Thanks again. I will try to implement it accordingly. Anything specific if I have DHCP relay on the dist switch?
10-31-2013 01:01 PM
DHCP relays shouldn't be affected as long as you have the appropriate ports trusted. Just remember that a port needs to be trusted if it leads to a DHCP server.
HTH,
John
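The topology John laid out (PC - SWA - SWB - Distribution - Core - Server) written out as a complete configuration, together with the relay case the original poster asked about. This is an added example, not configuration posted in the thread: interface names follow John's diagram and VLAN numbers follow the original question, while the DHCP server address 10.10.10.5, the SVI address on the distribution switch, the server VLAN 10 and the rate limit are assumptions for illustration.

```cisco
! ===== Access SWA: PC on fa0/1, uplink to SWB on fa0/2 =====
ip dhcp snooping
ip dhcp snooping vlan 100,200
!
interface FastEthernet0/1
 description user PC (untrusted by default: any DHCP OFFER/ACK arriving here is dropped)
 switchport access vlan 100
 ! optional: cap DHCP packets per second from a client port; a port that exceeds
 ! the limit is err-disabled, so keep it generous (assumed value)
 ip dhcp snooping limit rate 10
!
interface FastEthernet0/2
 description uplink to SWB, the only direction offers may legitimately come from
 switchport mode trunk
 ip dhcp snooping trust
!
! ===== Access SWB: SWA on fa0/2, uplink to Distribution on fa0/3 =====
ip dhcp snooping
ip dhcp snooping vlan 100,200
!
interface FastEthernet0/2
 ! downlink to SWA, trusted as an interswitch link (John's approach); strictly it only
 ! needs trust if a DHCP server could answer from that side (Elton's point)
 description downlink to SWA
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/3
 description uplink to Distribution, toward the DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
! ===== Distribution: SWB on fa0/3, Core on fa0/4, DHCP relay for VLAN 100 =====
ip dhcp snooping
ip dhcp snooping vlan 100,200
!
! Caveat for the relay case: with snooping enabled, the access switches insert option 82
! into client DISCOVER/REQUEST packets while giaddr is still 0.0.0.0. An IOS relay drops
! such packets by default, so either tell the relay to trust them (below) or disable
! insertion on the access switches with "no ip dhcp snooping information option".
ip dhcp relay information trust-all
!
interface FastEthernet0/3
 description downlink to SWB
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/4
 description uplink to Core, toward the DHCP server
 switchport mode trunk
 ip dhcp snooping trust
!
interface Vlan100
 ip address 10.100.0.1 255.255.255.0
 ! assumed address of the Windows DHCP server behind the core
 ip helper-address 10.10.10.5
!
! ===== Core: Distribution on fa0/4, DHCP server on fa0/5 =====
ip dhcp snooping
ip dhcp snooping vlan 100,200
!
interface FastEthernet0/4
 description downlink to Distribution
 switchport mode trunk
 ip dhcp snooping trust
!
interface FastEthernet0/5
 description Windows DHCP server (must be trusted, or its OFFER/ACK packets are dropped here)
 switchport access vlan 10
 ip dhcp snooping trust
!
! ===== Verification, run on every switch after enabling =====
! show ip dhcp snooping             (snooping VLANs, option-82 state, trusted interfaces)
! show ip dhcp snooping binding     (MAC/IP/lease/VLAN/port learned on untrusted ports)
! show ip dhcp snooping statistics  (counters for packets dropped by snooping)
```

Note that once VLAN 100 is relayed at the distribution switch, the DHCP traffic between it and the server is routed unicast in the server's VLAN, which in this example is not in the snooping VLAN list; trusting the core's ports still matches John's recommendation and does no harm. If VLAN 200 is served by a DHCP pool on the distribution switch itself, its offers originate on that switch and reach SWB through the already trusted fa0/3 uplink.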
11-01-2013 12:53 PM
Alright. Anyway, I am going to try this implementation next week.
I have another query: do I need to apply ip dhcp snooping vlan 100,200 on all switches? On the access switches for sure, but how about on the
dist, core and server access switches?
Thanks in advance
11-01-2013 02:59 PM
If you're going to enable it, I would enable it across all of your switches as I stated in my previous posts. You should enable it on the same vlans across all switches since you'll need to pass that information across all of your switches.
HTH,
John
11-01-2013 08:14 PM
DHCP snooping only needs to be trusted on ports that will receive a DHCP offer inbound on the interface.
11-03-2013 10:38 AM
There are many discussions I could find on this topic. Thanks a lot John for sharing your knowledge.
Elton, does that mean I need to care only about the uplink port of the access switch, and nothing needs to be done with the core and dist switch ports?
I could also find many details in some of the previous discussions.
They may help others as well.
11-03-2013 04:45 PM
I would say it depends on where your DHCP server sits on your network. We are doing DHCP snooping on all of the downstream paths from the core where the DHCP server sits.