About DHCP Snooping

Let me see if any of you can clear up a question....

Take into account the scenario below. Let's suppose that the DHCP snooping feature is enabled on both the L3 and L2 switches. I am using two SVIs, one for the hosts and another for the DHCP server. On both sides of the trunk I configure the ports as trusted, but what about the port of the layer 3 switch which is connected to the DHCP server? Should I configure the physical port connected to the DHCP server as trusted (since on an SVI it wouldn't be possible)? Or should I do nothing?



  • Hi


    You don't need to do anything on the interface facing the DHCP server. DHCP snooping is a layer 2 security function, and from your topology I gather that you're using ip helper-address on the multilayer switch, which essentially wraps the layer 2 DHCP packets in a layer 3 IP packet.


    Think of it like this: how far does a DHCPDISCOVER (broadcast) message reach?

    Yes, the layer 3 boundary of the VLAN in which the message was sent.


    Essentially, DHCP snooping is only meant to be used towards your clients; you selectively enable it on VLANs with the ip dhcp snooping vlan <vlan list> command.

  • In this scenario, where you are using the DHCP proxy function on your L3 switch, your DHCP snooping config will only be done on the L2 switch.

    The L2 switch uplink to the L3 switch needs to be configured with the trust option, though.


  • As the guys have suggested, DHCP snooping is an L2 security feature and is usually used on L2 uplink trunks towards trusted DHCP servers.

    In some vendors' switches, it's needed on both sides of the trunk, etc.

    Read about the DHCP snooping here:




  • You need to make all layer 2 ports trusted on the path from the DHCP server towards the switch where the clients are connected; basically, all ports that receive DHCP reply messages from the server need to be trusted if the switch has DHCP snooping enabled.
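A worked configuration for the scenario discussed in this thread, added here as an example and not posted by any of the participants. It assumes Cisco IOS syntax (the ip dhcp snooping vlan command quoted above is Cisco's), VLAN 10 for clients, VLAN 20 for the DHCP server, a server at 10.20.0.5, and placeholder interface names:

```text
! ---- L3 (multilayer) switch: no DHCP snooping configured here ----
! The client SVI relays the broadcast DHCPDISCOVER to the server as a
! unicast IP packet, so the server-facing port never carries raw L2
! DHCP traffic and needs no trust setting.
interface Vlan10
 description Client SVI (assumed VLAN 10)
 ip address 10.10.0.1 255.255.255.0
 ip helper-address 10.20.0.5
!
interface Vlan20
 description DHCP server SVI (assumed VLAN 20)
 ip address 10.20.0.1 255.255.255.0
!
! ---- L2 access switch: this is where snooping lives ----
ip dhcp snooping
! Enable snooping only on the client VLAN
ip dhcp snooping vlan 10
! Do not insert option 82: a relay that does not trust it drops
! such packets by default
no ip dhcp snooping information option
!
! Uplink towards the L3 switch: DHCPOFFER/DHCPACK arrive on this port,
! so it must be trusted or the replies are discarded
interface GigabitEthernet1/0/24
 description Uplink to L3 switch (assumed port)
 switchport mode trunk
 ip dhcp snooping trust
!
! Client ports stay untrusted (the default), so a rogue server's
! replies are dropped; rate-limit DISCOVER floods (assumed value)
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
! Verification: the uplink should list as trusted, and leases learned
! on untrusted ports should appear in the binding table
show ip dhcp snooping
show ip dhcp snooping binding
```

If the L3 switch also had snooping enabled on VLAN 10 (as in the original question), the trunk port on that side would need ip dhcp snooping trust as well, since the relayed replies re-enter VLAN 10 through it.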

