
IP DHCP Snooping in Packet Tracer


Hi Everyone,

I am studying for the CCNP Switch 300-115 test and I was playing with the IP DHCP Snooping configuration using Cisco Packet Tracer. Attached you can find a picture with the setup of the lab; the problem is only on the ALS1 switch (bottom left corner).

PC1 is configured as a DHCP client and connected to ALS1 on FastEthernet 0/15 (VLAN 100), and the links to the other switches are from FastEthernet 0/7 to FastEthernet 0/12 (trunk links forwarding all available VLANs). The DHCP Discovery packet is expected to be broadcast out to the remaining switches (except for whatever links were disabled by STP, obviously).

So the theory (or at least how I understood it) is: when you enable "ip dhcp snooping", all ports are by default set to "untrusted", meaning that they will not accept any DHCP RESPONSE, which is why we need to manually go to all trunk ports where the responses are expected to come from and set them as "trusted", but it is NOT required to set the access ports (where the clients are connected) as trusted.

Well... in my lab, if a DHCP Request is coming from an untrusted port, the request is not forwarded out to other switches (refer to the highlighted packet in the picture, and ignore the yellow packets on DLS1 and ALS2 as these refer to a different test I was running). As soon as I configured FastEthernet 0/15 (the one connected to PC1) as trusted, everything works out the way I want and PC1 gets DHCP assignments. This contradicts the theory (find the configuration file for ALS1 attached).

I would like to know if this is a bug in Packet Tracer or if my understanding of the theory is flawed.

Best Regards
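
The setup the question describes as the theory, written out as an IOS configuration for ALS1's port layout. This is an added example, not the poster's attached configuration; the rate-limit value is an illustrative assumption, and the example says nothing about how Packet Tracer itself behaves.

```cisco
! Constructed example for ALS1 as described in the post above.
! Enable DHCP snooping globally, then for the client VLAN.
ip dhcp snooping
ip dhcp snooping vlan 100
!
! Trunks toward the other switches: DHCP server replies arrive on
! these ports, so they are the ones marked as trusted.
interface range FastEthernet0/7 - 12
 switchport mode trunk
 ip dhcp snooping trust
!
! Client access port for PC1: left untrusted, which is the default
! once snooping is enabled. Server-type DHCP messages received here
! are dropped.
interface FastEthernet0/15
 switchport mode access
 switchport access vlan 100
 no ip dhcp snooping trust
 ! Optional: cap DHCP packets per second on the untrusted port
 ! (value chosen for illustration only).
 ip dhcp snooping limit rate 10
!
! Checks to run from privileged EXEC after a release/renew on PC1:
!   show ip dhcp snooping           (enabled VLANs, trusted ports)
!   show ip dhcp snooping binding   (learned MAC / IP / port entries)
```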


3 Replies


Hi !

I think it's a bug from PT.

For the same purpose I recently tried to set up DHCP snooping in action, in Packet Tracer too!

And I think I had the same problem.

So what I've done to make things work is just to take at least one interface that is part of the VLAN in which you activated DHCP snooping (a port in access mode!) and just set this port to trusted mode!

And according to me, you have understood the process well.

I found this by switching to "simulation mode" in PT and then generating a DHCP renew with the client, and if you click the letter, you will be able to read something like:

DHCP SNOOPING: there is no port in access mode in the vlan.

(So take any port in the VLAN, even if it is unplugged, set it to trusted mode and to access mode in the VLAN, and your client will work while still plugged into an untrusted port.)


Thank you so much!

PC1 still gets an IP whatever you do to enable dhcp snooping.

I have set the ports to access mode and enabled DHCP snooping at the global level and the VLAN level, and still after release/renew PC1 is still able to obtain an IP. Is it a bug? But if you configure DHCP snooping at the port level it works.