How does DHCP snooping help prevent IP spoofing and what switch configuration is typically required?


Multiple Choice

How does DHCP snooping help prevent IP spoofing and what switch configuration is typically required?

Explanation:
DHCP snooping acts as a gatekeeper for DHCP messages to stop IP spoofing. It watches the DHCP traffic, builds a binding database that ties each client’s MAC address to the IP address it was offered (and later assigned) and the switch port where that exchange occurred, and then uses that information to validate future DHCP traffic. When a client requests an IP, the switch records the binding and expects the corresponding DHCPOFFER/DHCPACK to come from a trusted path. If a DHCP response comes from an untrusted port or from an unknown server, the switch can drop it. This prevents a rogue device pretending to be a DHCP server from handing out incorrect IP addresses or gateways, which is how IP spoofing via DHCP could occur.

To make this work, you enable the feature globally on the switch and apply it to the VLANs you’re using, then designate the uplinks that connect to the legitimate DHCP server as trusted ports. With the trusted ports in place, the switch allows the real server’s responses to pass to clients while blocking any rogue responses on other ports.
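As an added illustration (not part of the original explanation), the model below simulates the snooping logic described above: server messages are accepted only from trusted uplinks, a binding of MAC, IP and port is recorded when the real server's ACK arrives, and later client messages are checked against that binding. Port names, MAC addresses and IP addresses are constructed sample values.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # legitimate only from a trusted port

@dataclass
class DhcpMsg:
    kind: str        # DISCOVER, OFFER, REQUEST, ACK, RELEASE, ...
    client_mac: str  # chaddr: the client this message concerns
    port: str        # switch port the message arrived on
    ip: str = ""     # yiaddr for OFFER/ACK, ciaddr for RELEASE/DECLINE

@dataclass
class SnoopingSwitch:
    vlan_enabled: bool                             # snooping applied to this VLAN
    trusted: set = field(default_factory=set)      # uplinks to the real DHCP server
    pending: dict = field(default_factory=dict)    # mac -> port awaiting a lease
    bindings: dict = field(default_factory=dict)   # mac -> (ip, port)

    def handle(self, msg: DhcpMsg) -> str:
        """Return 'forward' or 'drop' for one DHCP message, updating state."""
        if not self.vlan_enabled:
            return "forward"                       # feature not applied here
        if msg.kind in SERVER_MSGS:
            if msg.port not in self.trusted:
                return "drop"                      # rogue server on an access port
            if msg.kind == "ACK" and msg.client_mac in self.pending:
                port = self.pending.pop(msg.client_mac)
                self.bindings[msg.client_mac] = (msg.ip, port)  # record binding
            return "forward"
        if msg.port in self.trusted:
            return "forward"                       # trusted side is not validated
        if msg.kind in ("DISCOVER", "REQUEST"):
            self.pending[msg.client_mac] = msg.port  # remember where the client is
            return "forward"
        if msg.kind in ("RELEASE", "DECLINE"):
            if self.bindings.get(msg.client_mac) != (msg.ip, msg.port):
                return "drop"                      # IP/port do not match the binding
            del self.bindings[msg.client_mac]
        return "forward"

def demo():
    """Constructed exchange: real server on uplink Gi0/24, rogue replies on Gi0/7."""
    sw = SnoopingSwitch(vlan_enabled=True, trusted={"Gi0/24"})
    mac = "aa:aa:aa:aa:aa:01"
    events = [
        DhcpMsg("DISCOVER", mac, "Gi0/1"),
        DhcpMsg("OFFER", mac, "Gi0/7", ip="10.0.0.50"),     # rogue, untrusted port
        DhcpMsg("OFFER", mac, "Gi0/24", ip="10.0.0.20"),    # real server
        DhcpMsg("REQUEST", mac, "Gi0/1"),
        DhcpMsg("ACK", mac, "Gi0/24", ip="10.0.0.20"),
        DhcpMsg("RELEASE", mac, "Gi0/7", ip="10.0.0.20"),   # wrong port for binding
    ]
    return [sw.handle(m) for m in events], dict(sw.bindings)
```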
