Security·Global Config

ip dhcp snooping vlan [id]

Enables DHCP snooping on a specific VLAN to filter untrusted DHCP messages and prevent rogue DHCP server attacks.

Syntax·Global Config
ip dhcp snooping vlan [id]

When to Use This Command

  • Protect a user access VLAN from unauthorized DHCP servers by enabling snooping on that VLAN.
  • Enable DHCP snooping on a voice VLAN to ensure only authorized DHCP servers assign IP addresses to IP phones.
  • Use in a multi-VLAN environment to selectively apply DHCP snooping only on VLANs with untrusted hosts.
  • Combine with DHCP snooping option 82 to add circuit ID information for DHCP requests in a specific VLAN.

Command Examples

Enable DHCP snooping on VLAN 10

ip dhcp snooping vlan 10
Switch(config)# ip dhcp snooping vlan 10
Switch(config)#

The command is entered in global configuration mode. No output is displayed if successful. The switch now monitors DHCP traffic on VLAN 10 and filters messages based on the DHCP snooping database.

Enable DHCP snooping on multiple VLANs

ip dhcp snooping vlan 10,20,30
Switch(config)# ip dhcp snooping vlan 10,20,30
Switch(config)#

DHCP snooping is enabled on VLANs 10, 20, and 30 simultaneously. The switch will apply DHCP snooping rules to all three VLANs.

Understanding the Output

This command does not produce any output upon successful execution. To verify DHCP snooping is enabled on a VLAN, use 'show ip dhcp snooping'. The output will list each VLAN with its snooping status (Enabled/Disabled). For example: 'VLAN 10 : DHCP Snooping is Enabled'. If a VLAN is not listed, snooping is not enabled on it. A common issue is forgetting to globally enable DHCP snooping with 'ip dhcp snooping' before enabling it on a VLAN; otherwise, the VLAN command will be accepted but snooping will not function.

CCNA Exam Tips

1. Remember that 'ip dhcp snooping vlan' must be preceded by the global command 'ip dhcp snooping' to activate snooping.

2. The exam may test that DHCP snooping is configured per VLAN; you cannot enable it globally without specifying VLANs.

3. Know that DHCP snooping is typically enabled on access VLANs, not on trunk ports or VLANs containing trusted DHCP servers.

4. Be aware that DHCP snooping creates a binding database; you must also configure trusted ports for the DHCP server interface.

Common Mistakes

Forgetting to enable DHCP snooping globally with 'ip dhcp snooping' before enabling it on a VLAN.

Enabling DHCP snooping on a VLAN that contains the DHCP server without configuring the server port as trusted.

Using a hyphen instead of a comma when specifying multiple VLANs (e.g., 'vlan 10-20' is invalid; use 'vlan 10,20').

Not verifying that DHCP snooping is enabled on the correct VLANs using 'show ip dhcp snooping'.
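The mistakes listed above can be checked offline against a saved configuration. The following Python audit is an added example, not part of the original page or any Cisco tool: the function name, finding labels and both sample configurations are constructed for illustration, and it assumes the interface-level command 'ip dhcp snooping trust' is how trusted ports are marked.

```python
import re

# Constructed sample running-config fragments (not taken from a real device).
BAD_CONFIG = """\
ip dhcp snooping vlan 10,20
!
interface GigabitEthernet0/1
 description uplink to DHCP server
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport access vlan 30
"""
# Same device with the global command, VLAN 30 and a trusted uplink added.
GOOD_CONFIG = "ip dhcp snooping\n" + BAD_CONFIG.replace(
    "10,20", "10,20,30").replace(
    " switchport mode trunk", " switchport mode trunk\n ip dhcp snooping trust")

def audit_dhcp_snooping(config):
    """Return a list of findings for the misconfigurations this page warns about."""
    global_on, vlans, trusted, access, iface = False, set(), [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # top-level line: track interface context
            m = re.fullmatch(r"interface (\S+)", line)
            iface = m.group(1) if m else None
        if line == "ip dhcp snooping":
            global_on = True
        elif m := re.fullmatch(r"ip dhcp snooping vlan ([\d,]+)", line):
            # Only the comma-separated form shown on this page is parsed.
            vlans.update(int(v) for v in m.group(1).split(",") if v)
        elif iface and line == "ip dhcp snooping trust":
            trusted.append(iface)
        elif iface and (m := re.fullmatch(r"switchport access vlan (\d+)", line)):
            access[iface] = int(m.group(1))
    findings = []
    if vlans and not global_on:
        findings.append("GLOBAL_OFF: VLANs listed but 'ip dhcp snooping' is missing")
    if vlans and not trusted:
        findings.append("NO_TRUSTED_PORT: no interface has 'ip dhcp snooping trust'")
    for port, vlan in sorted(access.items()):
        if vlan not in vlans:
            findings.append(f"UNSNOOPED_ACCESS: {port} is in VLAN {vlan} without snooping")
    return findings

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, audit_dhcp_snooping(cfg) or "no findings")
```

An UNSNOOPED_ACCESS finding is a prompt to review rather than an error, since snooping may be applied selectively to VLANs with untrusted hosts.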
