Cisco WLC – Supported Access Points and IOS Versions for AIR-CT2504

It appears the answer is that it is unnecessary configuration. If DHCP snooping is not running on that VLAN, then this configuration has no effect.

I still couldn't find documentation that clearly states this, so I decided to test this myself.

Started off with DHCP snooping enabled for all VLANs and a rate limit of one (1) DHCP packet per second (assuming that the client will send the DISCOVER and REQUEST in one second if the DHCP server responds quickly enough):

router#show ip dhcp snoop
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1-4094
Insertion of option 82 is disabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/8              no          1         
router#show run int fa 0/8
Building configuration...

Current configuration : 230 bytes
!
interface FastEthernet0/8
 switchport access vlan 841
 switchport mode access
 ip dhcp snooping limit rate 1
 shutdown
end

Time for the control test, which should err-disable the port, which is exactly what occurs in about a second after the port transitions to up/up:

router#term mon
router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#int fa 0/8
router(config-if)#no shut
router(config-if)#
Feb 13 22:57:04.589 CST: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to down
Feb 13 22:57:07.701 CST: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to up
Feb 13 22:57:08.553 CST: %PM-4-ERR_DISABLE: dhcp-rate-limit error detected on Fa0/8, putting Fa0/8 in err-disable state
Feb 13 22:57:08.561 CST: %DHCP_SNOOPING-4-DHCP_SNOOPING_RATE_LIMIT_EXCEEDED: The interface Fa0/8 is receiving more than the threshold set
Feb 13 22:57:10.561 CST: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to down
router(config-if)#shut

Since the control worked as expected, I now remove VLAN 841 from the DHCP snooping configuration and enable the port again. One minute later, I shut the port (to show the timestamp):

router(config-if)#no ip dhcp snooping vlan 841
router(config)#do sh ip dhcp snoop
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1-840,842-4094
Insertion of option 82 is disabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/8              no          1         
router(config)#int fa   0/8
router(config-if)#no shut
router(config-if)#
Feb 13 22:58:49.150 CST: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to down
Feb 13 22:58:52.290 CST: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to up
Feb 13 22:58:53.290 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8, changed state to up
router(config-if)#shut
Feb 13 22:59:55.119 CST: %LINK-5-CHANGED: Interface FastEthernet0/8, changed state to administratively down
Feb 13 22:59:56.119 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8, changed state to down

Repeated multiple times with the same results using the following:

1. Three different client devices
2. 2950 running 12.1(22)EA14
3. 3750 running 12.2(55)SE8

Would still love for someone to find documentation for this though.

Untagged (native) VLANs don't really offer you any benefit over tagged VLANs, and they present a certain level of security risk. There is no real reason to use untagged VLANs when tagged VLANs are available.

Some people prefer to use a network-wide VLAN for management, one for printers, etc. This scenario presents both security and operational risks. Cisco has been recommending one access switch per VLAN (an access swtich can have multiple VLANs, but those VLANs don't extend to any other access switch), and, if you can, use layer-3 connections to the access switches instead of trunks.

There is a book published by Cisco Press, "LAN Switch Security: What Hackers Know About Your Switches" by Eric Vyncke and Christopher Paggen that explains a lot of these sorts of things.