DHCP trusted and untrusted ports

DHCP snooping is a technique where we configure our switch to listen in on DHCP traffic and stop any malicious DHCP packets. This is done by defining trusted and untrusted ports on a switch.

Interfaces that connect to clients should never be allowed to send a DHCP OFFER message. We can enforce this by making those ports untrusted. An interface that is untrusted will block DHCP OFFER messages. Only an interface that has been configured as trusted is allowed to forward DHCP OFFER messages.

In addition, when a DHCP DISCOVER message is received by a switch, it will be forwarded out of only trusted ports. This way, no hosts (or potential attackers) that are connected to untrusted ports will receive such a message.