Cisco Support Community

New Member

DHCP snooping/ PXE


Is there any specification (RFC or otherwise) that describes the behavior of DHCP snooping, especially how it would behave in conjunction with PXE support?

Please take some time to refer to MS PXE support.

How is the second DHCP OFFER packet received from the RIS server intended for the same client, handled by a DHCP enabled switch?

Since there is a second DHCP OFFER packet intended for the same client, I am curious to know how this is handled by a DHCP enabled switch.


Hall of Fame Super Silver

Re: DHCP snooping/ PXE

Hello Ranil,

This is a very good question.

In a switch without DHCP snooping, to support PXE you need:

- spanning-tree portfast on the port, or the PXE process will time out

- an ip helper address command for the RIS server on the L3 device has to be added to that for the DHCP server

The multiple ip helper-address commands cause the DHCP offer to be translated to all the helper-address unicast destinations.

From the point of view of DHCP snooping, it is important that the port(s) where server side messages are received are classified as trusted, or they will be discarded.

On a client untrusted port DHCP snooping performs several checks:

- only client side messages are accepted

- the client messages can be examined to verify that:

  - DHCP decline and release messages arrive on the ports where the IP addresses had been assigned

  - the source MAC address of the frame and the client-id inside the packet are the same

The idea is to avoid man in the middle and denial of service attacks (scope depletion).

I'm not sure, but probably two DHCP offers arriving on the same client untrusted port could be accepted; if so, DHCP snooping and PXE can coexist.


But initial implementations of DHCP snooping were a problem with PXE:


A switch now forwards DHCP-acknowledge packets from a Pre-Boot Execution Environment (PXE) server when IP DHCP snooping is enabled.


So you need to verify if your switches are affected by this bug.

Hope to help
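
A simplified model of the trusted/untrusted port checks listed in the reply above, added here as an example; it is not part of the original thread and not Cisco's implementation. Port names, MAC addresses and the message flow are constructed, and the RIS server's offer and acknowledge are assumed to carry boot information only, with no address.

```python
from dataclasses import dataclass

SERVER_KINDS = {"OFFER", "ACK", "NAK"}

@dataclass
class Msg:
    port: str       # ingress switch port
    kind: str       # DHCP message type
    src_mac: str    # Ethernet source MAC of the frame
    client_hw: str  # client address carried inside the DHCP packet
    ip: str = ""    # address offered, acknowledged or released

class Snooper:  # simplified model of the listed checks, not Cisco's implementation
    def __init__(self, trusted):
        self.trusted = set(trusted)
        self.last_port = {}  # client_hw -> untrusted port it last spoke from
        self.bindings = {}   # ip -> (client_hw, port), learned from ACKs

    def check(self, m):
        if m.port in self.trusted:
            if m.kind == "ACK" and m.ip and m.client_hw in self.last_port:
                self.bindings[m.ip] = (m.client_hw, self.last_port[m.client_hw])
            return "forward"
        if m.kind in SERVER_KINDS:
            return "drop: server message on untrusted port"
        if m.src_mac != m.client_hw:
            return "drop: source MAC differs from client address"
        if m.kind in ("RELEASE", "DECLINE"):
            if self.bindings.get(m.ip) != (m.client_hw, m.port):
                return "drop: no binding for this address on this port"
            del self.bindings[m.ip]
            return "forward"
        self.last_port[m.client_hw] = m.port
        return "forward"

# Constructed sample: PXE client on Gi0/5, DHCP server on Gi0/1, RIS server on Gi0/2.
C, DHCP, RIS = "00:11:22:33:44:55", "00:aa:00:00:00:01", "00:aa:00:00:00:02"
FLOW = [
    Msg("Gi0/5", "DISCOVER", C, C),
    Msg("Gi0/1", "OFFER", DHCP, C, "10.0.0.50"),
    Msg("Gi0/2", "OFFER", RIS, C),               # second offer, no address (assumed)
    Msg("Gi0/5", "REQUEST", C, C, "10.0.0.50"),
    Msg("Gi0/1", "ACK", DHCP, C, "10.0.0.50"),
    Msg("Gi0/2", "ACK", RIS, C),
    Msg("Gi0/7", "RELEASE", C, C, "10.0.0.50"),  # release from the wrong port
]

def replay(trusted):
    snooper = Snooper(trusted)
    return [snooper.check(m) for m in FLOW]
```

Calling `replay({"Gi0/1", "Gi0/2"})` forwards both offers and both acknowledges, while `replay({"Gi0/1"})` drops the RIS server's messages because its port is untrusted.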