diff --git a/roles/access/tasks/main.yml b/roles/access/tasks/main.yml
index a48f03e..785a8a2 100644
--- a/roles/access/tasks/main.yml
+++ b/roles/access/tasks/main.yml
@@ -19,7 +19,7 @@
 ansible_terminal_stderr_re: [] # some errors are not actually errors
 register: result
 # These lines are not displayed by 'sho ru' and always reported as different, so ignore them.
- changed_when: result.commands | reject('match', '^(no shutdown|no switchport access vlan|no voice vlan.*|switchport mode access|switchport mode hybrid|interface .*|no enable service web-server https?)$')
+ changed_when: result.commands | reject('match', '^(no shutdown|no switchport access vlan|no voice vlan.*|switchport mode access|switchport mode hybrid|interface .*|no enable service web-server https?|no ip dhcp snooping|no ip dhcp snooping trust)$')
 notify: write config
 
 - name: Run model-specific tasks
diff --git a/roles/access/templates/config-d-link.j2 b/roles/access/templates/config-d-link.j2
index ab2a982..9942cf6 100644
--- a/roles/access/templates/config-d-link.j2
+++ b/roles/access/templates/config-d-link.j2
@@ -51,6 +51,12 @@ interface {{ iface.name }}
 {% set mgmt.gw = iface.custom_fields.gateway.address %}
 {% endif %}
 {% endif %}
+
+{% if iface.name in ifaces_dhcp | default([]) %}
+ ip dhcp snooping trust
+{% else %}
+ no ip dhcp snooping trust
+{% endif %}
 {% endfor %}
 
 {%- if mgmt.ip %}
@@ -83,6 +89,12 @@ sntp server {{ address }}
 ntp access-group default nomodify noquery
 
+{% if ifaces_dhcp | default(false) %}
+ip dhcp snooping
+{% else %}
+no ip dhcp snooping
+{% endif %}
+
 {% if mgmt.gw %}
 ip route 0.0.0.0 0.0.0.0 {{ mgmt.gw | ipaddr('address') }} primary
 {% endif %}
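Review bot: The two new alternatives on the changed_when line, `no ip dhcp snooping` and `no ip dhcp snooping trust`, also mask the one case where they are a genuine change: if `ifaces_dhcp` is removed from a host, the template flips from `ip dhcp snooping` to `no ip dhcp snooping`, the task reports ok, and `notify: write config` never runs, so DHCP snooping is silently turned off in the running config and lost at the next reload. Since that is a security-relevant transition, consider leaving `no ip dhcp snooping` out of the pattern (the other device-hidden lines stay), or at least document the trade-off above the line: `# 'no ip dhcp snooping*' is hidden by 'sho ru', so a real disable is also reported as ok and not saved.`. Separately, `reject(...)` returns a generator, which Jinja treats as truthy even when empty; if this conditional is evaluated as written it may always be true, and `changed_when: result.commands | reject('match', '...') | list | length > 0` would pin the intended meaning. The task containing this line starts above the hunk.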
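Review bot: The trust decision on the added `{% if iface.name in ifaces_dhcp | default([]) %}` only compares names, so an entry in `ifaces_dhcp` that matches no interface in this loop (a typo, or a port renamed in the inventory) leaves the global `ip dhcp snooping` from the second hunk enabled with no trusted port, which drops every DHCP offer on the switch; a check in the role's tasks that each `ifaces_dhcp` entry is a known interface name would catch that before the config is pushed. The two hunks also default the same variable differently (`default([])` here, `default(false)` in the second hunk); using `{% if ifaces_dhcp | default([]) %}` in both keeps the list type and reads as the same guard. The enclosing `{% for %}` loop starts above the hunk.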