12-11-2010 07:47 PM - edited 03-06-2019 02:29 PM
Hi all,
I have a question regarding the use of the ip dhcp snooping trust command.
Here is the network:
3550 Layer 3 switch with config as shown
ip dhcp snooping vlan 10,20,30
ip dhcp snooping
DHCP snooping is configured on 3550 switch.
Interface fa0/8 from this switch goes to layer 2 switch 2950
3550SMIA#sh run int fa0/8
Building configuration...
Current configuration : 213 bytes
!
interface FastEthernet0/8
description Dynamic Desirable Trunk connection to Switch 2950T
switchport mode dynamic desirable
speed 100
duplex full
spanning-tree bpduguard disable
ip dhcp snooping trust
As shown above, I configured the trunk interface fa0/8 with ip dhcp snooping trust on the layer 3 switch.
Also, the 3550 switch is acting as the DHCP server.
Now the layer 2 switch config:
DHCP snooping is enabled as shown below
ip dhcp snooping vlan 10
ip dhcp snooping
Port fa0/8 on the layer 2 2950 goes to the 3550 switch.
My question is:
Should I use the command ip dhcp snooping trust on port fa0/8 on the layer 2 switch or not?
Can someone explain to me whether my DHCP snooping config is correct or not?
Thanks,
mahesh
12-11-2010 11:54 PM
Hi,
The ip dhcp snooping trust command must be configured on links going to your DHCP server.
So if your 3550 is your DHCP server, I would get rid of DHCP snooping on it and I would leave trust on the 2950 port pointing towards the 3550, but I would do snooping for all VLAN scopes configured on the 3550.
Regards.
Alain.
12-12-2010 01:55 AM
Thanks for the reply.
So on the 3550 switch I can remove the ip dhcp config trust from the fa0/8 interface?
mahesh
12-12-2010 05:52 AM
Thanks for the reply.
So on the 3550 switch I can remove the ip dhcp config trust from the fa0/8 interface?
Or do you want me to remove the ip dhcp config globally?
mahesh
12-12-2010 09:11 AM
You only need to configure DHCP snooping on switches pointing towards your DHCP server.
The purpose of this feature is to stop DHCP server messages on ports pointing towards clients, and by default the ports are untrusted.
You must then trust the uplink ports to your DHCP server.
So yes, if this 3550 is the only DHCP server, then there is no need for DHCP snooping on it.
Regards.
Alain.
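The trust model discussed in this thread (ports untrusted by default, trust only on links toward the DHCP server) can be checked against a saved running-config. This is an added example, not part of any post in the thread: the function names are hypothetical, the sample config is constructed, and it assumes the usual IOS layout where interface sub-commands are indented.

```python
import re

# Constructed running-config excerpt (not from the thread): Fa0/8 is the
# uplink toward the DHCP server, Fa0/3 is a client port trusted by mistake.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10
ip dhcp snooping
!
interface FastEthernet0/3
 switchport mode access
 ip dhcp snooping trust
!
interface FastEthernet0/8
 switchport mode trunk
 ip dhcp snooping trust
!
"""

def parse_snooping(config):
    """Return global snooping state, snooped VLANs and trusted interfaces."""
    state = {"enabled": False, "vlans": set(), "trusted": []}
    current = None  # interface whose sub-commands are being read
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = line.split(None, 1)[1]
        elif not raw.startswith(" "):
            current = None  # back at global configuration level
            if line == "ip dhcp snooping":
                state["enabled"] = True
            m = re.fullmatch(r"ip dhcp snooping vlan (\S+)", line)
            if m:
                state["vlans"].update(expand_vlans(m.group(1)))
        elif current and line == "ip dhcp snooping trust":
            state["trusted"].append(current)
    return state

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20-22' into integers."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def unexpected_trust(config, uplinks):
    """Trusted ports outside the uplink set (hypothetical helper)."""
    return [p for p in parse_snooping(config)["trusted"] if p not in uplinks]
```

Calling `unexpected_trust(SAMPLE_CONFIG, {"FastEthernet0/8"})` lists the client-facing port that would accept DHCP server replies.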
12-13-2010 09:57 PM
Hi cadetalain,
It did not work as you said.
Here is the info:
The layer 2 switch has an uplink port to the layer 3 3550 switch.
The layer 2 switch trunk port is configured with ip dhcp snooping trust.
The layer 3 switch 3550 trunk port to the layer 2 switch does not have the ip dhcp snooping trust command.
I plugged my PC into the layer 2 switch and it did not get an IP address from the layer 3 switch, which is acting as the DHCP server.
I got IP 169.254.
Fix:
When I configured the command
ip dhcp snooping trust on the layer 3 switch's trunk port going to the layer 2 switch, my PC got the IP address.
Thanks,
mahesh