DHCP Snooping Operations

If a DHCP message is received on a trusted port, forward it as normal without inspection.

If a DHCP message is received on an untrusted port, inspect it and act as follows:

  • If it is a DHCP Server message, discard it.

  • If it is a DHCP Client message, perform the following checks:

    • DISCOVER/REQUEST messages: Check if the frame's source MAC address and the DHCP message's CHADDR field match. Match = forward, mismatch = discard.

    • RELEASE/DECLINE messages: Check if the packet's source IP address and the receiving interface match the entry in the DHCP Snooping Binding Table. Match = forward, mismatch = discard.

When a client successfully leases an IP address from a server, create a new entry in the DHCP Snooping Binding Table.
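
The decision logic above, as an added example (a simplified model, not switch code or vendor configuration). The class and field names, the interface names, the MAC and IP values, keying the binding table by client MAC, and creating the binding when a server ACK arrives on a trusted port are all assumptions of this sketch.

```python
from dataclasses import dataclass

SERVER_TYPES = {"OFFER", "ACK", "NAK"}

@dataclass
class Frame:                  # simplified model of one DHCP frame
    port: str                 # switch interface the frame arrived on
    msg_type: str
    src_mac: str              # Ethernet source MAC
    chaddr: str               # client hardware address in the DHCP payload
    src_ip: str = "0.0.0.0"   # IP source address
    yiaddr: str = ""          # address the server assigns (set in ACK)

class Snooper:
    def __init__(self, trusted):
        self.trusted = set(trusted)
        self.ingress = {}     # chaddr -> untrusted port its requests came in on
        self.bindings = {}    # chaddr -> (leased IP, interface)

    def handle(self, f):
        if f.port in self.trusted:
            # No inspection; a server ACK completes a lease, so record a binding.
            if f.msg_type == "ACK" and f.chaddr in self.ingress:
                self.bindings[f.chaddr] = (f.yiaddr, self.ingress[f.chaddr])
            return "forward"
        if f.msg_type in SERVER_TYPES:
            return "discard"  # server message on an untrusted port
        if f.msg_type in ("DISCOVER", "REQUEST"):
            if f.src_mac != f.chaddr:
                return "discard"  # frame source MAC and CHADDR disagree
            self.ingress[f.chaddr] = f.port
            return "forward"
        if f.msg_type in ("RELEASE", "DECLINE"):
            ok = self.bindings.get(f.chaddr) == (f.src_ip, f.port)  # IP + interface
            return "forward" if ok else "discard"
        raise ValueError(f"message type not modelled: {f.msg_type}")

def run_demo():
    c, r = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"   # constructed MACs
    sw = Snooper(trusted={"Gi0/1"})                   # Gi0/1: trusted uplink
    frames = [                                        # constructed traffic
        Frame("Gi0/2", "REQUEST", c, c),
        Frame("Gi0/3", "OFFER", r, c, "192.0.2.66", "192.0.2.99"),
        Frame("Gi0/1", "ACK", "cc:cc:cc:cc:cc:03", c, "192.0.2.1", "192.0.2.10"),
        Frame("Gi0/3", "DISCOVER", r, "de:ad:be:ef:00:01"),
        Frame("Gi0/3", "RELEASE", r, c, "192.0.2.10"),
        Frame("Gi0/2", "RELEASE", c, c, "192.0.2.10"),
    ]
    return [sw.handle(f) for f in frames], sw.bindings
```

run_demo() returns one verdict per frame plus the binding table; the model does not cover lease expiry or removal of bindings.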

Configurations

RELEASE/DECLINE messages are checked to make sure their IP address and interface ID match the entry in the DHCP Snooping Binding Table.
