DHCP Snooping Commands

DHCP Snooping is a security feature that monitors DHCP messages between DHCP clients and DHCP servers to filter harmful DHCP messages and build a bindings database of {MAC address, IP address, VLAN ID, interface} tuples that are considered authorized.

The DHCP snooping application processes incoming DHCP messages. For DHCPRELEASE and DHCPDECLINE messages, the application compares the receive interface and VLAN with the client's interface and VLAN in the bindings database. If they do not match, the application logs the event and drops the message. For valid client messages, DHCP snooping compares the source MAC address to the DHCP client hardware address; when there is a mismatch, DHCP snooping logs and drops the packet. DHCP Snooping forwards valid client messages on trusted members within the VLAN. If DHCP Relay and/or DHCP Server coexist with DHCP Snooping, the DHCP client message is sent to the DHCP Relay and/or DHCP Server for further processing.

The DHCP Snooping application uses DHCP messages to build and maintain the bindings database. The bindings database only includes data for clients on untrusted ports. DHCP Snooping creates a tentative binding from DHCP DISCOVER and REQUEST messages. A tentative binding ties a client to a port (the port where the DHCP client message was received). A tentative binding is completed when DHCP Snooping learns the client's IP address from a DHCP ACK message on a trusted port. DHCP Snooping removes bindings in response to DECLINE, RELEASE, and NACK messages. The DHCP Snooping application ignores ACK messages sent in reply to DHCP INFORM messages received on trusted ports. The network administrator can enter static bindings into the bindings database.

IP Source Guard and Dynamic ARP Inspection use the DHCP Snooping bindings database to validate IP and ARP packets.
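The following Python model is an added example of the checks and binding lifecycle described above; it is not switch firmware or any vendor's code. Message fields, port names, MAC and IP addresses are constructed for the illustration. Two behaviours the text leaves implicit are marked as assumptions in the comments: server-side messages arriving on an untrusted port are dropped, and a RELEASE or DECLINE for a client with no binding is treated as a mismatch.

```python
"""Illustrative model of DHCP snooping validation and the bindings database.
Added example; constructed data, not a vendor implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DhcpMsg:
    mtype: str                      # DISCOVER, REQUEST, ACK, NAK, RELEASE, DECLINE, INFORM
    src_mac: str                    # Ethernet source address of the frame
    chaddr: str                     # DHCP "client hardware address" field
    vlan: int
    interface: str                  # port on which the switch received the frame
    yiaddr: Optional[str] = None    # address assigned by the server (ACK only)
    reply_to_inform: bool = False   # ACK answering a DHCPINFORM (no lease)


@dataclass
class Binding:
    mac: str
    vlan: int
    interface: str
    ip: Optional[str] = None        # None while the binding is still tentative


class DhcpSnooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        # Keyed by client MAC; assumption: one binding per MAC (a simplification).
        self.bindings: Dict[str, Binding] = {}
        self.log: List[str] = []

    def add_static_binding(self, mac, ip, vlan, interface):
        """Administrator-entered binding; static entries are never tentative."""
        self.bindings[mac] = Binding(mac, vlan, interface, ip)

    def process(self, m: DhcpMsg) -> bool:
        """Return True if the message is forwarded, False if it is dropped."""
        if m.interface in self.trusted:
            return self._from_trusted(m)
        return self._from_untrusted(m)

    def _from_untrusted(self, m: DhcpMsg) -> bool:
        if m.mtype not in {"DISCOVER", "REQUEST", "RELEASE", "DECLINE", "INFORM"}:
            # Assumption: server messages on untrusted ports are dropped.
            self.log.append(f"drop: server message {m.mtype} on untrusted {m.interface}")
            return False
        # Every client message: frame source MAC must equal the chaddr field.
        if m.src_mac != m.chaddr:
            self.log.append(f"drop: src MAC {m.src_mac} != chaddr {m.chaddr} on {m.interface}")
            return False
        if m.mtype in ("RELEASE", "DECLINE"):
            # Receive port and VLAN must match the client's existing binding;
            # assumption: a missing binding counts as a mismatch.
            b = self.bindings.get(m.chaddr)
            if b is None or b.interface != m.interface or b.vlan != m.vlan:
                self.log.append(f"drop: {m.mtype} for {m.chaddr} on {m.interface}/vlan{m.vlan}")
                return False
            del self.bindings[m.chaddr]      # valid RELEASE/DECLINE removes the binding
        elif m.mtype in ("DISCOVER", "REQUEST"):
            # Tentative binding ties the client to the port it was heard on.
            self.bindings[m.chaddr] = Binding(m.chaddr, m.vlan, m.interface)
        return True                          # forwarded to trusted members of the VLAN

    def _from_trusted(self, m: DhcpMsg) -> bool:
        if m.mtype == "ACK":
            if m.reply_to_inform:
                return True                  # ACK to DHCPINFORM: ignored for bindings
            b = self.bindings.get(m.chaddr)
            if b is not None and b.ip is None:
                b.ip = m.yiaddr              # tentative binding completed with learned IP
        elif m.mtype == "NAK":
            self.bindings.pop(m.chaddr, None)
        return True                          # trusted ports are not filtered


def demo():
    """Constructed exchange: a valid lease, two dropped messages, a valid release."""
    snoop = DhcpSnooping(trusted_ports={"gi1/0/24"})       # uplink toward the DHCP server
    client = dict(src_mac="00:11:22:33:44:55", chaddr="00:11:22:33:44:55", vlan=10)
    results = [snoop.process(DhcpMsg("DISCOVER", interface="gi1/0/3", **client))]
    results.append(snoop.process(DhcpMsg("ACK", src_mac="00:aa:bb:cc:dd:ee",
                                         chaddr=client["chaddr"], vlan=10,
                                         interface="gi1/0/24", yiaddr="192.0.2.50")))
    # RELEASE for the client heard on a different access port: dropped, binding kept.
    results.append(snoop.process(DhcpMsg("RELEASE", interface="gi1/0/7", **client)))
    # DISCOVER whose frame source MAC disagrees with chaddr: dropped.
    results.append(snoop.process(DhcpMsg("DISCOVER", src_mac="00:de:ad:be:ef:00",
                                         chaddr=client["chaddr"], vlan=10, interface="gi1/0/7")))
    # RELEASE from the bound port and VLAN removes the binding.
    results.append(snoop.process(DhcpMsg("RELEASE", interface="gi1/0/3", **client)))
    return results, snoop.bindings, snoop.log


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the per-message forward/drop decisions, an empty bindings table (the final RELEASE removed the completed binding) and two log entries for the dropped messages. The same table is what IP Source Guard and Dynamic ARP Inspection would consult, which is why the source-MAC and port/VLAN checks matter before an entry is ever created.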