DHCP Snooping is a Catalyst feature that controls which switch ports are
allowed to source DHCP server messages. Ports are classified as trusted or
untrusted. A trusted port can source any DHCP message; an untrusted port can
source client messages (DHCPDiscover, DHCPRequest, DHCPRelease, DHCPDecline)
only. Trusted ports are those that connect directly to a DHCP server or that
are uplinks toward the DHCP server. If a rogue device on an untrusted port
sends a DHCP server message into the network, the switch drops that message;
the port itself is error-disabled only when a configured DHCP rate limit on
the interface is exceeded, so the two behaviours should not be confused. The
feature can be coupled with DHCP Option 82 (the relay agent information
option), in which the switch inserts information such as the VLAN and port ID
on which the request arrived into the client's request before forwarding it
toward the server. One practical caveat: with Option 82 insertion enabled, the
switch by default also drops packets arriving on an untrusted port that already
carry Option 82 or have a non-zero giaddr, so an aggregation switch that
receives already-snooped requests from downstream edge switches must either
trust those links or be explicitly configured to accept Option 82 on untrusted
ports.
Untrusted ports are those not explicitly configured as trusted. The switch
builds a DHCP Snooping Binding Table from the exchanges it observes on
untrusted ports: when a client's request is answered by a DHCPAck arriving on a
trusted port, an entry is recorded containing the client MAC address, the
assigned IP address, the lease time, the binding type, the VLAN number and the
port ID on which the client's request was seen. The table is then used to
validate subsequent DHCP traffic from untrusted ports, for example to drop a
DHCPRelease or DHCPDecline whose client MAC address and ingress port do not
match an existing binding, and it is also the data that Dynamic ARP Inspection
and IP Source Guard consult. From a DHCP Snooping perspective, untrusted access
ports should never source DHCP server responses such as DHCPOffer, DHCPAck or
DHCPNak.
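The following Python model ties together both of the behaviours described above
(the trusted/untrusted filter with Option 82 insertion, and the binding table
built from observed DHCPAck messages and used to check later DHCPRelease or
DHCPDecline traffic). It is an added example written for this page, not Cisco
code and not the switch's actual implementation; the port names, the MAC
addresses, the DHCP messages and the simplified circuit-id/remote-id encoding
are constructed for illustration and do not match the exact Cisco Option 82
suboption format.

```python
"""Model of DHCP snooping decisions on a switch (added example, not Cisco code)."""
import struct

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie after the 236-byte BOOTP header
SERVER_MSGS = {2: "DHCPOFFER", 5: "DHCPACK", 6: "DHCPNAK"}


def build_dhcp(op, xid, chaddr, opts, yiaddr=b"\0\0\0\0", giaddr=b"\0\0\0\0"):
    """Build a minimal BOOTP/DHCP message (constructed test input, not captured traffic)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, yiaddr, b"\0" * 4, giaddr, chaddr.ljust(16, b"\0"),
                      b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([t, len(v)]) + v for t, v in opts)
    return hdr + MAGIC + body + b"\xff"            # 0xff terminates the option list


def parse_dhcp(pkt):
    """Extract the fields snooping looks at: op, xid, yiaddr, giaddr, chaddr and options."""
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, _, _, _, xid = struct.unpack_from("!BBBBI", pkt, 0)
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:         # walk TLV options until the end option
        if pkt[i] == 0:                             # pad option has no length byte
            i += 1
            continue
        t, ln = pkt[i], pkt[i + 1]
        opts[t] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": op, "xid": xid, "yiaddr": pkt[16:20], "giaddr": pkt[24:28],
            "chaddr": pkt[28:34], "opts": opts}


def insert_option82(pkt, port, vlan, remote_id):
    """Append a simplified relay agent information option (suboption 1 circuit-id, 2 remote-id)."""
    assert pkt[-1] == 255
    circuit = struct.pack("!H", vlan) + port.encode()          # assumed encoding: vlan + port name
    sub = bytes([1, len(circuit)]) + circuit + bytes([2, len(remote_id)]) + remote_id
    return pkt[:-1] + bytes([82, len(sub)]) + sub + b"\xff"


class SnoopingSwitch:
    def __init__(self, trusted_ports, remote_id=b"sw1"):
        self.trusted = set(trusted_ports)
        self.remote_id = remote_id
        self.bindings = {}   # (client MAC, vlan) -> ip, lease, port, type
        self.pending = {}    # xid -> (client MAC, vlan, port) of forwarded client requests

    def process(self, port, vlan, src_mac, pkt):
        """Return (action, reason, packet_to_forward) for a DHCP packet entering on `port`."""
        m = parse_dhcp(pkt)
        mtype = m["opts"].get(53, b"\0")[0]
        if port in self.trusted:
            if mtype == 5:                          # DHCPACK: record the lease for the client that asked
                client = self.pending.pop(m["xid"], None)
                if client:
                    mac, cvlan, cport = client
                    lease = struct.unpack("!I", m["opts"].get(51, b"\0\0\0\0"))[0]
                    self.bindings[(mac, cvlan)] = {"ip": m["yiaddr"], "lease": lease,
                                                   "port": cport, "type": "dhcp-snooping"}
            return "forward", "trusted port", pkt
        # Untrusted port: only well-formed client messages may pass.
        if m["op"] == 2 or mtype in SERVER_MSGS:
            return "drop", f"{SERVER_MSGS.get(mtype, 'server message')} from untrusted port", None
        if m["chaddr"] != src_mac:                  # MAC address verification
            return "drop", "chaddr does not match frame source MAC", None
        if m["giaddr"] != b"\0\0\0\0" or 82 in m["opts"]:
            return "drop", "relay information (giaddr/option 82) on untrusted port", None
        if mtype in (4, 7):                         # DHCPDECLINE / DHCPRELEASE must match a binding
            b = self.bindings.get((src_mac, vlan))
            if b is None or b["port"] != port:
                return "drop", "release/decline does not match binding table", None
        self.pending[m["xid"]] = (src_mac, vlan, port)
        return "forward", "client request, option 82 inserted", \
            insert_option82(pkt, port, vlan, self.remote_id)


def demo():
    """Walk a client exchange, a rogue offer and a spoofed release through the switch."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/24"})      # assumed uplink to the real server
    client, rogue, server = b"\xaa\xbb\xcc\x00\x00\x01", b"\xde\xad\xbe\xef\x00\x02", b"\x00\x11\x22\x33\x44\x55"
    out = {}
    out["discover"] = sw.process("Gi1/0/5", 10, client, build_dhcp(1, 0x1234, client, [(53, b"\x01")]))
    rogue_offer = build_dhcp(2, 0x1234, client, [(53, b"\x02")], yiaddr=bytes([10, 0, 0, 99]))
    out["rogue_offer"] = sw.process("Gi1/0/7", 10, rogue, rogue_offer)          # dropped
    ack = build_dhcp(2, 0x1234, client, [(53, b"\x05"), (51, struct.pack("!I", 86400))],
                     yiaddr=bytes([10, 0, 0, 50]))
    out["ack"] = sw.process("Gi1/0/24", 10, server, ack)                         # creates binding
    release = build_dhcp(1, 0x9999, client, [(53, b"\x07")])
    out["spoofed_release"] = sw.process("Gi1/0/9", 10, client, release)         # wrong port, dropped
    return sw, out


if __name__ == "__main__":
    switch, results = demo()
    for name, (action, reason, _) in results.items():
        print(f"{name:16s} {action:8s} {reason}")
    for (mac, vlan), b in switch.bindings.items():
        print("binding", mac.hex(":"), vlan, b)
```

Running the demo forwards the client's DHCPDiscover with Option 82 added,
drops the DHCPOffer that a rogue device sends on an access port, records a
binding when the real server's DHCPAck arrives on the trusted uplink, and drops
a DHCPRelease for that client's MAC that arrives on a different port than the
one in the binding.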