Saturday, June 1, 2019

DHCP snooping


  • In computer networking, DHCP snooping is a series of techniques applied to improve the security of a DHCP infrastructure. When DHCP servers are allocating IP addresses to the clients on the LAN, DHCP snooping can be configured on LAN switches to prevent malicious or malformed DHCP traffic, or rogue DHCP servers.

https://en.wikipedia.org/wiki/DHCP_snooping


  • 1. What is DHCP snooping? DHCP snooping is a layer 2 security technology built into the operating system of a capable network switch that drops DHCP traffic determined to be unacceptable. The fundamental use case for DHCP snooping is to prevent unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients. Rogue DHCP servers are often used in man-in-the-middle or denial-of-service attacks for malicious purposes. However, the most common DoS scenario is that of an end-user plugging in a consumer-grade router at their desk, ignorant that the device they plugged in is a DHCP server by default.


2. What traffic will DHCP snooping drop?
DHCP snooping will drop DHCP messages from a DHCP server that is not trusted. Trusted DHCP servers are identified by configuring a switchport’s DHCP snooping trust state. DHCP server messages can flow through switchports that have a DHCP snooping trusted state. DHCP server messages will be dropped if attempting to flow through a switchport that is not trusted.
DHCP messages where the source MAC and embedded client hardware MAC do not match will also be dropped, although this protection can be defeated; badly written vendor IP implementations can cause this to happen with a surprising amount of frequency, the most common scenario being a DHCP request for one interface being forwarded through another interface on that same device.
DHCP snooping will also drop messages that release a lease or decline an offer, if the release or decline message is received on a switchport other than the port on which the original DHCP conversation was held. This prevents a third party from terminating a lease or declining a DHCP offer on behalf of the actual DHCP client.

3. How does DHCP snooping track information? DHCP snooping stores its observations in a database containing the client MAC address, DHCP assigned IP address, remaining lease time, VLAN, and switchport. The database is a simple flat-file that can be stored in device flash. However, flash is limited in size; as such, it’s considered best-practice to store the DHCP snooping database off-box in a remote location, such as a TFTP server. Storing the DHCP snooping database off-box also guarantees that the DHCP snooping database would survive a catastrophic switch failure.

https://packetpushers.net/five-things-to-know-about-dhcp-snooping/
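The three drop rules and the binding database from the excerpt above, modelled as a small Python switch simulation. This is an added example, not code from either quoted article; port names, MAC addresses and the scenario in `demo()` are constructed, and it assumes (as common implementations do) that frames arriving on trusted ports are not filtered at all.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these


@dataclass
class DhcpMsg:
    kind: str       # DISCOVER/REQUEST/RELEASE/DECLINE or one of SERVER_MSGS
    src_mac: str    # Ethernet source MAC of the frame
    chaddr: str     # client hardware address carried inside the DHCP payload
    port: str       # switchport the frame arrived on
    vlan: int = 10
    ip: str = ""    # assigned address (server messages only)
    lease: int = 0  # remaining lease time in seconds (server messages only)


@dataclass
class SnoopingSwitch:
    trusted: set = field(default_factory=set)     # ports facing real DHCP servers
    bindings: dict = field(default_factory=dict)  # chaddr -> (ip, lease, vlan, port)
    pending: dict = field(default_factory=dict)   # chaddr -> port of last DISCOVER/REQUEST

    def process(self, m: DhcpMsg) -> str:
        """Apply the snooping checks to one message; return 'forward' or 'drop: <why>'."""
        if m.port in self.trusted:
            # Trusted ports are not filtered; an ACK creates a binding against the
            # port the client used, not the port the server answered on.
            if m.kind == "ACK" and m.chaddr in self.pending:
                self.bindings[m.chaddr] = (m.ip, m.lease, m.vlan, self.pending.pop(m.chaddr))
            return "forward"
        if m.kind in SERVER_MSGS:          # rule 1: rogue server on an access port
            return "drop: server message on untrusted port"
        if m.src_mac.lower() != m.chaddr.lower():   # rule 2: spoofed client identity
            return "drop: source MAC does not match chaddr"
        if m.kind in ("RELEASE", "DECLINE"):        # rule 3: must come from the bound port
            bound = self.bindings.get(m.chaddr)
            if bound and bound[3] != m.port:
                return "drop: release/decline from a different port"
            self.bindings.pop(m.chaddr, None)
        else:
            self.pending[m.chaddr] = m.port   # remember where the client spoke from
        return "forward"


def demo() -> list:
    """Constructed scenario: real server on Gi1/24, client on Gi1/1, rogue box on Gi1/3."""
    sw, c, srv = SnoopingSwitch(trusted={"Gi1/24"}), "aa:bb:cc:00:00:01", "00:11:22:33:44:55"
    msgs = [DhcpMsg("DISCOVER", c, c, "Gi1/1"),
            DhcpMsg("OFFER", srv, c, "Gi1/24", ip="10.0.10.50", lease=3600),
            DhcpMsg("REQUEST", c, c, "Gi1/1"),
            DhcpMsg("ACK", srv, c, "Gi1/24", ip="10.0.10.50", lease=3600),
            DhcpMsg("OFFER", "de:ad:be:ef:00:01", c, "Gi1/3", ip="192.168.0.9"),  # home router
            DhcpMsg("RELEASE", "aa:bb:cc:00:00:99", c, "Gi1/7"),  # MAC mismatch
            DhcpMsg("RELEASE", c, c, "Gi1/7"),                    # wrong port
            DhcpMsg("RELEASE", c, c, "Gi1/1")]                    # genuine release
    return [sw.process(m) for m in msgs]
```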
