Wednesday, November 26, 2014

S!MPLE DEFINITIONS


Port Security Overview
DHCP snooping
*************
DHCP snooping allows the switch to monitor and control DHCP messages received from untrusted devices connected to the switch. When DHCP snooping is enabled, the system snoops the DHCP messages to view DHCP lease information and builds and maintains a database of valid IP address to MAC address (IP-MAC) bindings, called the DHCP snooping database. Only clients with valid bindings are allowed access to the network.


DHCP Snooping Process
The basic process of DHCP snooping entails the following steps:
1. Device sends DHCPDISCOVER to request an IP address.
2. Switch forwards the packet to the DHCP server.
3. Server sends DHCPOFFER to offer an address. If the DHCPOFFER arrives on a trusted interface, the switch forwards the packet to the DHCP client.
4. Device sends DHCPREQUEST to accept the IP address. The switch snoops this packet and adds a placeholder IP-MAC binding to the database. The entry is considered a placeholder until a DHCPACK is received from the server; until then, the IP address could still be assigned to some other host.
5. Server sends DHCPACK to assign the IP address or DHCPNAK to deny the address request.
6. Switch updates the DHCP snooping database according to the type of packet received:
• Upon receipt of DHCPACK, the switch updates the lease information for the IP-MAC binding in its database.
• Upon receipt of DHCPNAK, the switch deletes the placeholder.
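A small Python model of the binding database these six steps describe, added here as an illustration and not Junos code or anything from Juniper's documentation. Port names, the client MAC and the IP addresses are constructed; dropping server-side DHCPACK/DHCPNAK from untrusted ports extends the trusted-interface rule of step 3 to every server-originated message.

```python
from dataclasses import dataclass


@dataclass
class DhcpMsg:  # constructed: only the fields the snooping logic inspects
    kind: str       # DISCOVER, OFFER, REQUEST, ACK or NAK
    port: str       # switch port the message arrived on
    mac: str        # client hardware address (chaddr)
    ip: str = ""    # yiaddr carried in OFFER / REQUEST / ACK
    lease: int = 0  # lease time carried in an ACK


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}  # mac -> {"ip": str, "placeholder": bool, "lease": int}

    def process(self, m):
        """Return 'forward' or 'drop' for one message and update the database."""
        if m.kind == "DISCOVER":
            return "forward"  # steps 1-2: relayed towards the server
        if m.kind in ("OFFER", "ACK", "NAK") and m.port not in self.trusted:
            # step 3 (extended to steps 5-6): server messages count only when
            # they arrive on a trusted port, so a rogue server on an access
            # port can neither reach clients nor touch the database
            return "drop"
        if m.kind == "REQUEST":
            # step 4: placeholder until the server confirms with an ACK
            self.bindings[m.mac] = {"ip": m.ip, "placeholder": True, "lease": 0}
        elif m.kind == "ACK":
            e = self.bindings.get(m.mac)
            if e and e["ip"] == m.ip:  # step 6: confirm and record the lease
                e["placeholder"], e["lease"] = False, m.lease
        elif m.kind == "NAK":
            self.bindings.pop(m.mac, None)  # step 6: delete the placeholder
        return "forward"

    def is_valid(self, mac, ip):
        """Only a confirmed (non-placeholder) binding is allowed on the network."""
        e = self.bindings.get(mac)
        return bool(e) and not e["placeholder"] and e["ip"] == ip


def walk_exchange():
    """Replay the exchange above plus one rogue OFFER; return decisions and bindings."""
    sw = SnoopingSwitch(trusted_ports={"ge-0/0/0"})  # assumed uplink to the real server
    mac = "00:11:22:33:44:55"  # constructed client MAC
    flow = [
        DhcpMsg("DISCOVER", "ge-0/0/5", mac),
        DhcpMsg("OFFER", "ge-0/0/7", mac, "10.0.0.99"),  # rogue server on an access port
        DhcpMsg("OFFER", "ge-0/0/0", mac, "10.0.0.20"),
        DhcpMsg("REQUEST", "ge-0/0/5", mac, "10.0.0.20"),
        DhcpMsg("ACK", "ge-0/0/0", mac, "10.0.0.20", 3600),
    ]
    return [(m.kind, sw.process(m)) for m in flow], sw.bindings
```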


EX2200 - © 2012, Juniper Networks