DHCP snooping/ PXE

Apr 25th, 2009

Is there any specification (RFC or otherwise) that describes the behavior of DHCP snooping, especially how it would behave in conjunction with PXE support?

Please take some time to refer to MS PXE support.


How is the second DHCP OFFER packet received from the RIS server intended for the same client, handled by a DHCP enabled switch?

Since there is a second DHCP OFFER packet intended for the same client, I am curious to know how this is handled by a DHCP enabled switch.


Overall Rating: 5 (1 ratings)
Giuseppe Larosa Sun, 04/26/2009 - 23:59
Hello Ranil,

This is a very good question.

In a switch without DHCP snooping, to support PXE you need:

- spanning-tree portfast on the port, or the PXE process will time out

- an ip helper-address command for the RIS server on the L3 device, added to that for the DHCP server

The multiple ip helper-address commands cause the DHCP offer to be translated to all the helper-address unicast destinations.

From the point of view of DHCP snooping, it is important that the port(s) where server-side messages are received are classified as trusted, or they will be discarded.

On a client untrusted port DHCP snooping performs several checks:

- only client-side messages are accepted

- the client messages can be examined to verify that:

  - DHCP decline and release messages arrive on the ports where the IP addresses had been assigned

  - the source MAC address of the frame and the client-id inside the packet are the same

The idea is to avoid man in the middle and denial of service attacks (scope depletion).

I'm not sure, but probably two DHCP offers arriving on the same client untrusted port could be accepted; if so, DHCP snooping and PXE can coexist.



But initial implementations of DHCP snooping were a problem with PXE:


A switch now forwards DHCP-acknowledge packets from a Pre-Boot Execution Environment (PXE) server when IP DHCP snooping is enabled.



So you need to verify if your switches are affected by this bug.

Hope to help
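Added example, not part of the thread and not vendor code: a simplified Python model of the trusted/untrusted port checks listed in the reply above, run over a constructed PXE boot in which a second OFFER comes from the RIS/PXE server. The `Frame` and `Snooper` names, port names, MAC and IP addresses are hypothetical, and the model assumes the field compared with the source MAC is the DHCP client hardware address (chaddr).

```python
from dataclasses import dataclass

SERVER_TYPES = {"OFFER", "ACK", "NAK"}   # messages sent by DHCP/PXE servers

@dataclass
class Frame:
    port: str        # ingress switch port
    src_mac: str     # Ethernet source MAC
    msg_type: str    # DHCP message type (option 53)
    chaddr: str      # client hardware address inside the DHCP payload
    ip: str = ""     # address offered, acknowledged or released

class Snooper:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}   # client MAC -> (ip, port), learned from ACKs
        self.pending = {}    # client MAC -> port where its request was seen

    def inspect(self, f):
        """Return (verdict, reason) for one DHCP frame."""
        if f.port in self.trusted:
            # Trusted ports are not filtered, so any number of OFFERs passes.
            if f.msg_type == "ACK" and f.chaddr in self.pending:
                self.bindings[f.chaddr] = (f.ip, self.pending[f.chaddr])
            return ("forward", "trusted port")
        if f.msg_type in SERVER_TYPES:
            return ("drop", "server message on untrusted port")
        if f.src_mac != f.chaddr:
            return ("drop", "source MAC differs from chaddr")
        if f.msg_type in ("RELEASE", "DECLINE"):
            bound = self.bindings.get(f.chaddr)
            if bound and bound[1] != f.port:
                return ("drop", "release/decline on a port other than the bound one")
            self.bindings.pop(f.chaddr, None)
        else:
            self.pending[f.chaddr] = f.port
        return ("forward", "client message passed checks")

def run(trusted_ports):
    """Constructed PXE boot: DHCP server on Gi0/1, RIS/PXE server on Gi0/2."""
    sw, c = Snooper(trusted_ports), "00:11:22:33:44:55"
    frames = [
        Frame("Gi0/5", c, "DISCOVER", c),
        Frame("Gi0/1", "aa:aa:aa:aa:aa:01", "OFFER", c, "10.0.0.50"),
        Frame("Gi0/2", "aa:aa:aa:aa:aa:02", "OFFER", c),  # second OFFER (PXE)
        Frame("Gi0/5", c, "REQUEST", c),
        Frame("Gi0/1", "aa:aa:aa:aa:aa:01", "ACK", c, "10.0.0.50"),
        Frame("Gi0/7", c, "RELEASE", c, "10.0.0.50"),     # arrives on wrong port
    ]
    return [sw.inspect(f)[0] for f in frames]
```

`run({"Gi0/1", "Gi0/2"})` forwards both OFFERs, while `run({"Gi0/1"})` drops the RIS server's OFFER because its port is untrusted; in both cases the RELEASE arriving on a port other than the bound one is dropped.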


