The DHCP client packet contains an L2 source MAC address and an L3 client hardware address. When DHCP snooping MAC verification is enabled, DHCP snooping verifies that the source MAC address and the client hardware address match in DHCP client packets that transit untrusted ports. If the addresses do not match, the packet is dropped.
DHCP MAC verification is a network edge feature that should be enabled on ports transited by client packets from the intended client. For DHCP snooping MAC verification to be operational:
• DHCP snooping must be enabled, globally and on the port
• The port mode must be set to untrusted