How to Configure IP DHCP Snooping and Trusted Ports on a Cisco ISE NAD Configuration

Matthew Martin
Level 5

Hello All,

So we have recently configured our main/core switch (*4510R+E) to begin authenticating devices using Cisco ISE, which is now configured and seems to be working as expected. Now, I'm trying to configure a 3560 switch that we have located in our IT work area. The 3560 is connected directly to the 4510 via a trunk port.

I have gotten the 3560 completely configured to authenticate endpoints through our ISE server, which it does. The problem I'm running into is when I enable DHCP Snooping on the 3560 (*snooping is NOT configured on the 4510 as of yet) no connected endpoints can get a DHCP address. If I disable dhcp snooping then DHCP begins working again.

The guide I used for configuring the Network Access Devices (*i.e. Routers and Switches) was the Cisco Identity Services Engine Administrator Guide, Release 2.0. Chapter 33 of this guide is where you'll find the commands required to enable ISE on the switches. Now, in this chapter they say you can optionally enable dhcp snooping. But, the only commands they give you are:

ip dhcp snooping             !--> enables dhcp snooping
ip dhcp snooping vlan x-y !--> Enable Snooping on specific Vlans Only

Now, enabling just these 2 commands prevents devices on the 3560 from getting a DHCP address, because if I remove those commands they can immediately get a DHCP address without issue. So searching around a bit online I found the Cisco TrustSec HowTo: Global Switch Configuration Guide. In this guide they also describe how to enable DHCP snooping, except they include another command, which is "ip dhcp snooping trust", and according to this guide it states the following:

"Before configuring DHCP snooping, be sure to note the location of your trusted DHCP servers. When you configure DHCP snooping, the switch will deny DHCP server replies from any port not configured as “trusted.” Enter interface configuration mode for the uplink interface and configure it as a trusted port."

Since the DHCP server for the VLAN/subnet being "snooped" is located on a Linux box connected to the 4510 core switch, wouldn't the uplink interface be the trunk port on the 3560 connecting it to the 4510?

If I add the "ip dhcp snooping trust" command to the Trunk port on the 3560, no devices connected to this switch can get a DHCP Address. However, if I add the trust command to the Switchports where the PC/devices are connected to on the 3560, they can then get a DHCP address no problem.

So my question is why isn't this working with the trust command configured on the Trunk port only, and why does it only work if the trust command is added to each individual switchport where a PC/Device/Phone is connected. According to the guide, it doesn't sound like this is how it's supposed to work. See screenshot below:

If anyone has any thoughts or suggestions please feel free to reply.

Thanks in Advance,
Matt

Accepted Solution

andrewswanson
Level 7

Hi

Add the following command to your 3560:

no ip dhcp snooping information option

See the following post for details:

http://blog.ine.com/2009/07/22/understanding-dhcp-option-82/

hth
Andy


Hey Andy, thanks for the reply!

Perfect, that seemed to fix it, Thank you!

From your link, it sounds like when DHCP Snooping is enabled on a Cisco Catalyst device it automatically inserts a giaddr of 0.0.0.0, and by default Cisco IOS devices reject packets that have a ZERO address for giaddr...

So, does that mean whenever you enable DHCP Snooping on a Catalyst Router/Switch, you should also disable the adding of option 82 to the DHCP packets sent to the DHCP Server?

Does that sound correct?

EDIT: Also, am I supposed to keep the "ip dhcp snooping trust" command on the uplink trunk port that goes to the 4510? This is the interface/port that connects the 3560 to the 4510 (*the 4510 is where the DHCP server is connected).

Thanks again for your reply, very much appreciated!

Thanks,
Matt

Hi Matt

Yes, disable the dhcp information option if you are not using it. When dhcp snooping is enabled, the default trust setting for interfaces is untrusted so you should apply ip dhcp snooping trust on interfaces leading to where your dhcp server is located. Following link explains it better:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html#wp1114389

hth

Andy
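Putting the two answers above together (disable the option-82 insertion, trust only the uplink that leads to the DHCP server), here is a minimal 3560 DHCP-snooping configuration as an added example. It is not configuration from the original thread or from the Cisco guides; the interface names, VLAN numbers, the rate limit and the assumption that the 4510 relays DHCP for the snooped VLAN are all mine.

```cisco
! Added example (not from the thread): minimal DHCP snooping on the 3560.
! Interface names, VLAN IDs, rate limit and the 4510 relay setup are assumed.

! --- 3560 (access switch acting as ISE NAD) ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
! A snooping switch that is not itself a relay inserts option 82 with
! giaddr 0.0.0.0. A Cisco IOS relay upstream drops DHCP packets carrying
! option 82 with a zero giaddr unless told to trust them. When nothing in
! the network consumes option 82, the simplest fix is to stop inserting it:
no ip dhcp snooping information option
!
! Uplink to the 4510: DHCP OFFER/ACK from the server arrive here, so this is
! the one port that must be trusted.
interface GigabitEthernet0/1
 description Trunk to 4510 core
 switchport mode trunk
 ip dhcp snooping trust
!
! Endpoint ports stay untrusted (the default after "ip dhcp snooping").
! Marking them trusted would let any endpoint answer DHCP requests, which
! is exactly what snooping is meant to prevent.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
!
! --- Alternative, on the 4510, if it relays DHCP for VLAN 10 via
! --- ip helper-address and you want to keep option 82 instead:
! ip dhcp relay information trust-all
!
! Verification on the 3560:
! show ip dhcp snooping           -> status, trusted ports, option-82 state
! show ip dhcp snooping binding   -> MAC/IP/VLAN/port leases learned by snooping
```

The first "show" command answers Matt's EDIT question directly: the trunk to the 4510 should appear as a trusted port and nothing else should. If the bindings table stays empty after clients renew, the snooping process is not seeing the exchange and the trust or option-82 settings are the first things to recheck.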