Are we overthinking DHCP Snooping?

  • 8 May 2020
  • 4 replies

Userlevel 2

We have read but still have some questions.


We have a core switch on which there is 1 DHCP server connected in a “Internal_Appliances” VLAN.  Also on that VLAN is a “Desktops” VLAN that has a couple of desktops connected (unfortunately) as well as an uplink to the Edge stack where the rest of the desktops are connected.  What we are trying to accomplish is to drop packets and send a trap if there ever was another DHCP server anywhere on the network.  Do we just need to create a trusted server (specifying our DHCP server IP) on both the Internal_Appliances and Desktop VLAN on both the core and edge and enable dhcp snooping on all ports?  If using a trusted IP do you still also need to use trusted ports in our scenario?

4 replies

Userlevel 6
Badge +1


I activate dhcp-snooping only on edge switches, but on all, and never on distribution/aggregation/core switches.

You can mark all client ports as untrusted and the uplinks to core/aggregation switches as trusted


Userlevel 2

Unfortunately there are some PCs connected to the core switch at the one location and we want to make sure that those users don’t stand up a DHCP server on their system.


With that in mind, it seems like we need to trust the uplink port TO the edge switch since there will be DHCP requests coming into the core on that port?  Do we need to configure both trusted ports and a trusted IP for the DHCP server or is only one or the other necessary?

No, you should not on your core switch trust the port leading to your edge switch.

Trusting a port is saying “I’m OK for this port to answer DHCP requests”.

Userlevel 2

Ok, so then just disable snooping on core for the port that uplinks to the edge switch to avoid any issues there.  It also sounds like we don’t want to trust the uplink port on the edge switch side either since and should disable snooping on that end to prevent issues?