To understand DHCP snooping we need to learn about DHCP spoofing attack first.

DHCP spoofing is a type of attack in that the attacker listens for DHCP Requests from clients and

answers them with fake DHCP Response before the authorized DHCP Response comes to the clients.

The fake DHCP Response often gives its IP address as the client default gateway -> all the traffic sent

from the client will go through the attacker computer, the attacker becomes a “man-in-the-middle”.

The attacker can have some ways to make sure its fake DHCP Response arrives first. In fact, if the

attacker is “closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the

DHCP Server so that it can’t send the DHCP Response.

DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that

determines which switch ports can respond to DHCP requests. Ports are identified as trusted and

untrusted.

Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of

DHCP

messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP

response is seen on an untrusted port, the port is shut down.

The port connected to a DHCP server should be configured as trusted port with the “ip dhcp

snooping trust” command. Other ports connecting to hosts are untrusted ports by default.

In this question, we need to configure the uplink to “trust” (under interface Gi1/0/1) as shown below.