5.2.a Implement and troubleshoot switch security features

5.2.a [iii] DHCP snooping

DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:

● Validates DHCP messages received from untrusted sources and filters out invalid messages.

● Rate-limits DHCP traffic from trusted and untrusted sources.

● Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.

● Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

● Other security features, such as dynamic ARP inspection (DAI), also use information stored in the DHCP snooping binding database.

DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs. The DHCP snooping feature is implemented in software on the route processor (RP). Therefore, all DHCP messages for enabled VLANs are intercepted in the Policy Feature Card (PFC) and directed to the RP for processing.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5201-5209). Kindle Edition.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/snoodhcp.html
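The configuration below is an added example and is not taken from the cited guide or from the Cisco document linked above. It puts the points of the passage into a Catalyst access-switch configuration: snooping enabled globally and on one VLAN, the uplink toward the DHCP server trusted, client ports left untrusted and rate-limited, the binding database persisted to flash, and dynamic ARP inspection consuming the same binding table. The interface names, VLAN number, rate value, file name and the static-binding MAC/IP are assumptions chosen for illustration; the RP/PFC detail in the passage is specific to the Catalyst 6500, but the commands themselves are common across Catalyst IOS platforms.

```cisco
! --- Global settings ---------------------------------------------------------
! Both lines are required: "ip dhcp snooping vlan 10" on its own does nothing
! until the global "ip dhcp snooping" is also present.
ip dhcp snooping
ip dhcp snooping vlan 10
! Drop DHCP packets on untrusted ports whose client hardware address (chaddr)
! does not match the frame's source MAC. This is the default; shown explicitly.
ip dhcp snooping verify mac-address
! Persist the binding database so leases survive a reload; otherwise DAI (and
! IP Source Guard, if used) would drop traffic from every existing client until
! it renews. File name is an assumption.
ip dhcp snooping database flash:dhcp-snooping.db
ip dhcp snooping database write-delay 60
!
! --- Uplink toward the DHCP server / relay: trusted -------------------------
! OFFER/ACK/NAK are only accepted from trusted ports, so the server side must
! be trusted or every client will fail to get a lease.
interface GigabitEthernet1/0/48
 description Uplink to distribution (DHCP server side)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Client-facing access ports: untrusted (no "trust" line) -----------------
! Server-type messages arriving here are dropped (rogue DHCP server defence),
! and a port that exceeds 15 DHCP packets/s is err-disabled.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
! Let a rate-limited port recover on its own after 5 minutes instead of
! requiring a manual shut / no shut.
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! --- Consumer of the binding table (the DAI bullet above) --------------------
! DAI validates ARP sender MAC/IP pairs against the DHCP snooping bindings.
ip arp inspection vlan 10
!
! A host with a statically assigned address never appears in the dynamic
! binding table, so it needs a manual entry or DAI will drop its ARP.
! MAC, IP and interface are assumed values.
ip source binding 0011.2233.4455 vlan 10 10.0.10.50 interface GigabitEthernet1/0/5
```

To verify: `show ip dhcp snooping` lists the enabled VLANs and which interfaces are trusted and rate-limited; `show ip dhcp snooping binding` shows the MAC, IP, lease time, VLAN and port learned from each DHCPACK; `show ip dhcp snooping statistics` counts packets dropped for each reason (untrusted server message, chaddr/MAC mismatch, rate limit); `show ip dhcp snooping database` confirms the flash file is being written. One troubleshooting caveat worth knowing: a Layer 2 access switch running snooping inserts option 82 with giaddr 0.0.0.0 by default, and an upstream relay or snooping switch drops such packets unless it is told to accept them (`ip dhcp relay information trust-all` on a relay router, or `ip dhcp snooping information option allow-untrusted` on an upstream snooping switch); the alternative is `no ip dhcp snooping information option` on the access switch when option 82 is not needed.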