Basic DHCP Snooping Lab


One very easy thing that I wanted to review was DHCP snooping. There isn’t much to it, but it’s a good thing to review. Take a look at the lab topology. SW3 is the DHCP server and also has the SVI for VLAN 2, the VLAN we are working with. A router hangs off of SW2 on a VLAN 2 access port; it simulates a client PC connected to that switch. Two steps of working with DHCP snooping will be covered: configuring the switch the endpoint is on and configuring the switch the DHCP server is on.

Switch 2 – Endpoint Switch

This switch wasn’t too bad. We are going to enable DHCP snooping globally and then for the specific vlan in question. Those commands look like this:

ip dhcp snooping
ip dhcp snooping vlan 2

Then, we need to make sure that DHCP replies arriving on the uplink trunk port are allowed, since that’s the connection to our DHCP server. That is done by using the following command in interface configuration mode:

Switch2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch2(config)#int e0/1
Switch2(config-if)#ip dhcp snooping trust

That will take care of SW2.

Switch 3 – SVI and DHCP Server

If you run a debug at this point on SW3 (debug ip dhcp server packet), you will get the following error message:

DHCPD: inconsistent relay information.
DHCPD: relay information option exists, but giaddr is zero.

There is a valid explanation for this. When DHCP snooping is used, it adds option 82 into DHCP messages for the receiving clients. There is a field in the message that holds an address called the GIADDR. When DHCP snooping is used, that field has the value stripped, so you receive the error above about it being zero. There is an easy fix for this, though. Simply enter the command:

Switch(config)#ip dhcp relay information trust-all

Shortly after that, you will see the switch hand out an IP address for our test client if you still have the debug running:

DHCPD: DHCPDISCOVER received from client 0063.6973.636f.2d61.6162.622e.6363.3030.2e35.3030.302d.4574.302f.30 on interface Vlan2.
DHCPD: using received relay info.
DHCPD: Sending DHCPOFFER to client 0063.6973.636f.2d61.6162.622e.6363.3030.2e35.3030.302d.4574.302f.30 (

And that’s all there is to it! You should now have a functioning DHCP Server with snooping enabled on the access switch.


  1. […] DHCP snooping is a security feature that you will surely run into while studying for your Cisco exams or while working in an enterprise environment perhaps. It first off helps ensure that you do not have a rogue DHCP server on your network. In the past, I wrote another post on a basic DHCP snooping lab to walk through basic configuration, but I’ll use this post to actually go into more of the “why” and “how” instead of just jumping to configuration. That other post can be found here: Basic DHCP Snooping Lab […]

