Snooping and Inspecting Traffic

What Is DHCP Snooping?

Dynamic Host Configuration Protocol (DHCP) Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server to accomplish the following tasks:

• Filter harmful DHCP messages
• Build a bindings database with entries that consist of the following information:
  • MAC address
  • IP address
  • VLAN ID
  • Client port

Entries in the bindings database are considered to be authorized network clients.

DHCP snooping can be enabled on VLANs, and the trust status (trusted or untrusted) is specified on individual physical ports or LAGs that are members of a VLAN. When a port or LAG is configured as untrusted, it could potentially be used to launch a network attack. DHCP servers must be reached through trusted ports.

DHCP snooping enforces the following security rules:

• DHCP packets from a DHCP server (DHCPOFFER, DHCPACK, DHCPNAK, DHCPRELEASEQUERY) are dropped if they are received on an untrusted port.
• DHCPRELEASE and DHCPDECLINE messages are dropped if the MAC address is in the snooping database, but the binding's interface is other than the interface where the message was received.
• On untrusted interfaces, the switch drops DHCP packets with a source MAC address that does not match the client hardware address. This is a configurable option.
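
The three security rules listed above, modelled as a small decision function. This is an added example, not code from the switch or its documentation; the names, port labels, addresses, the (VLAN, MAC) lookup key and the order in which the rules are checked are assumptions made for illustration.

```python
# Added illustration (not vendor code): the three drop rules as a pure function.
# All names and sample values below are constructed for this example.
from typing import NamedTuple

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPRELEASEQUERY"}

class Binding(NamedTuple):   # one bindings-database entry
    mac: str
    ip: str
    vlan: int
    port: str

class Msg(NamedTuple):       # fields of a snooped DHCP message
    kind: str                # DHCP message type
    src_mac: str             # Ethernet source MAC
    chaddr: str              # client hardware address in the DHCP payload
    vlan: int
    port: str                # ingress port or LAG

def verdict(msg, bindings, trusted, verify_mac=True):
    """Return (action, reason); bindings maps (vlan, mac) -> Binding."""
    untrusted = msg.port not in trusted
    if untrusted and msg.kind in SERVER_MSGS:
        return "drop", "server message on untrusted port"
    if msg.kind in ("DHCPRELEASE", "DHCPDECLINE"):
        # Assumption: the lookup key is the client hardware address.
        b = bindings.get((msg.vlan, msg.chaddr))
        if b is not None and b.port != msg.port:
            return "drop", "binding belongs to another interface"
    # verify_mac models the "configurable option" for the source MAC check.
    if untrusted and verify_mac and msg.src_mac != msg.chaddr:
        return "drop", "source MAC differs from client hardware address"
    return "forward", "no rule matched"

# Constructed sample: Gi1/0/24 is the trusted uplink toward the DHCP server.
TRUSTED = {"Gi1/0/24"}
A, B = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
BINDINGS = {(10, A): Binding(A, "192.0.2.10", 10, "Gi1/0/1")}
SAMPLES = [
    Msg("DHCPOFFER", B, A, 10, "Gi1/0/2"),     # server reply on an access port
    Msg("DHCPOFFER", B, A, 10, "Gi1/0/24"),    # server reply via trusted port
    Msg("DHCPRELEASE", A, A, 10, "Gi1/0/2"),   # release from the wrong port
    Msg("DHCPRELEASE", A, A, 10, "Gi1/0/1"),   # release from the bound port
    Msg("DHCPDISCOVER", B, A, 10, "Gi1/0/2"),  # chaddr does not match source
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.kind, m.port, *verdict(m, BINDINGS, TRUSTED))
```
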