ip dhcp snooping trust
will be performed on any untrusted ports within the VLAN as specified by the
dhcp snooping trust
When the DHCP snooping is globally disabled, DHCP snooping can still be
configured for specific VLANs, but the changes will not take effect until DHCP
snooping is globally re-enabled.
When DHCP snooping is globally enabled, and DHCP snooping is then disabled
on a specific VLAN, all dynamic bindings learned for this VLAN are removed
from the binding table.
This example enables DHCP snooping for VLAN 1.
Console(config)#ip dhcp snooping vlan 1
ip dhcp snooping (242)
ip dhcp snooping trust (247)
This command configures the specified interface as trusted. Use the no form to
restore the default setting.
[no] ip dhcp snooping trust
All interfaces are untrusted
Interface Configuration (Ethernet, Port Channel)
A trusted interface is an interface that is configured to receive only messages
from within the network. An untrusted interface is an interface that is
configured to receive messages from outside the network or fire wall.
Set all ports connected to DHCP servers within the local network or fire wall to
trusted, and all other ports outside the local network or fire wall to untrusted.
When DHCP snooping is enabled globally using the
command, and enabled on a VLAN with
DHCP packet filtering will be performed on any untrusted ports within the
VLAN according to the default status, or as specifically configured for an
interface with the no ip dhcp snooping trust command.
ip dhcp snooping vlan
– 247 –
| General Security Measures
ip dhcp snooping