
ip dhcp snooping trust

Configures an interface as a trusted port for DHCP snooping, allowing DHCP server responses to be forwarded through it.

Syntax·Interface Config
ip dhcp snooping trust

When to Use This Command

  • On a switch port connected to a legitimate DHCP server to ensure its replies are trusted and not dropped.
  • On an uplink port connecting to another switch that is the DHCP server or has a trusted path to the server.
  • On a port connected to a DHCP relay agent that forwards server responses.
  • On a port connected to a router that provides DHCP services for the subnet.

Command Examples

Trusting an interface connected to a DHCP server

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)#

The command is entered in interface configuration mode. No output is displayed upon success. The interface is now trusted for DHCP snooping.

Verifying trusted interface status

Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20,30
DHCP snooping operational on following VLANs:
10,20,30
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 00:11:22:33:44:55 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                    Trusted    Allow option    Rate limit (pps)
-----------------------      -------    ------------    ----------------
GigabitEthernet0/1           yes        yes             unlimited
GigabitEthernet0/2           no         no              15

The 'show ip dhcp snooping' output displays the trust status for each interface. The 'Trusted' column shows 'yes' for trusted ports and 'no' for untrusted. The 'Allow option' column indicates whether option 82 is allowed, and 'Rate limit' shows the configured rate limit in packets per second.

Understanding the Output

The 'show ip dhcp snooping' command provides a summary of DHCP snooping configuration. The 'Trusted' column indicates whether the interface is trusted (yes) or untrusted (no). Trusted ports are allowed to receive DHCP server responses; untrusted ports will drop such packets. The 'Allow option' column shows if DHCP option 82 insertion is permitted on that interface. The 'Rate limit' column displays the rate limit for DHCP packets on untrusted ports (in packets per second). In a real network, ensure that only ports connected to legitimate DHCP servers or relay agents are trusted. All other ports should remain untrusted to prevent rogue DHCP server attacks.
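As an added example that is not part of this reference, the check below parses the interface table from 'show ip dhcp snooping' and reports trusted ports that are not on an approved list, approved ports left untrusted, and untrusted ports with no rate limit. The sample output and the approved-port list are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample output in the format shown in the reference above.
SAMPLE_OUTPUT = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10,20,30
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                    Trusted    Allow option    Rate limit (pps)
-----------------------      -------    ------------    ----------------
GigabitEthernet0/1           yes        yes             unlimited
GigabitEthernet0/2           no         no              15
GigabitEthernet0/3           yes        yes             unlimited
GigabitEthernet0/4           no         no              unlimited
"""

# Hypothetical allow-list: only the uplink/server port should be trusted.
APPROVED_TRUSTED: Set[str] = {"GigabitEthernet0/1"}

# One table row: interface, yes/no, yes/no, rate (number or 'unlimited').
ROW_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<trusted>yes|no)\s+(?P<allow>yes|no)\s+(?P<rate>\S+)$"
)


def parse_snooping_table(output: str) -> Dict[str, dict]:
    """Return {interface: {"trusted": bool, "allow_option": bool, "rate": str}}."""
    rows: Dict[str, dict] = {}
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # header, separator and summary lines do not match the pattern
            rows[m["intf"]] = {
                "trusted": m["trusted"] == "yes",
                "allow_option": m["allow"] == "yes",
                "rate": m["rate"],
            }
    return rows


def audit(rows: Dict[str, dict], approved: Set[str]) -> Dict[str, List[str]]:
    """Compare the parsed table against the approved trusted-port list."""
    unexpected = sorted(i for i, r in rows.items() if r["trusted"] and i not in approved)
    missing = sorted(i for i in approved if not rows.get(i, {}).get("trusted", False))
    unlimited = sorted(i for i, r in rows.items() if not r["trusted"] and r["rate"] == "unlimited")
    return {"unexpected_trusted": unexpected,
            "approved_but_untrusted": missing,
            "untrusted_unlimited": unlimited}


if __name__ == "__main__":
    print(audit(parse_snooping_table(SAMPLE_OUTPUT), APPROVED_TRUSTED))
```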

CCNA Exam Tips

1. DHCP snooping must be globally enabled before trust is configured on an interface.

2. On the CCNA exam, you may be asked to identify which ports should be trusted: typically uplinks to other switches or router ports acting as DHCP servers.

3. Trusted ports bypass DHCP snooping validation; only configure trust on ports that are known to receive legitimate DHCP server responses.

4. The 'ip dhcp snooping trust' command is applied per interface; it does not affect the global DHCP snooping state.

Common Mistakes

  • Configuring trust on all ports, which defeats the purpose of DHCP snooping and allows rogue DHCP server attacks.
  • Forgetting to enable DHCP snooping globally with 'ip dhcp snooping' before configuring trust on an interface.
  • Applying the trust command on a port that is actually connected to a client, causing the switch to accept DHCP server replies from that port.

Related Commands
