One of the nice layer 2 security features that Cisco provides is DHCP Snooping. Here I will give a simple example of how it can be used.
In short, DHCP snooping ensures that DHCP server messages (Offer, Ack, Nak) are only accepted on trusted ports. It is therefore the network administrator's job to make sure that the ports leading towards the DHCP server are trusted and known.
The setup that I will explain is shown in the picture below.
This is a very simple setup. The clients and the server are in the same VLAN, so we only need to look at the access switch, since DHCP snooping is a layer 2 feature.
On the access switch we need to enable the IP DHCP Snooping feature.
Access-Switch(Config)#ip dhcp snooping
Enabling the feature globally does not inspect any traffic by itself: DHCP snooping is only active on the VLANs you list with ip dhcp snooping vlan <vlan-id>, so the VLAN that the clients and the server share must be added as well.
By default the switch inserts DHCP option 82 (relay agent information) into the client requests it forwards. A DHCP server does not expect option 82 from a switch that is not acting as a relay, and Windows DHCP Server discards such requests, so if you are using Windows DHCP Server it is important that you disable option 82:
Access-Switch(Config)#no ip dhcp snooping information option
The DHCP server is connected to port Gig 1/0/1, so we need to tell the switch that it is alright to receive DHCP offers inbound on this interface. The command is entered in interface configuration mode for Gig 1/0/1:
Access-Switch(Config-if)#ip dhcp snooping trust
Now the clients will be able to obtain IP addresses from the server.
But why have we done this? The smart thing about DHCP snooping is that if a user brings a small home router or similar and connects it to the network, then by default, since it sits in the same VLAN, the clients could get IP addresses from this new rogue DHCP server.
With DHCP snooping turned on, every DHCP server message (Offer, Ack, Nak) that arrives on a port that is not trusted is dropped at that port, so the rogue router never gets to hand out addresses. Client messages (Discover, Request) are still forwarded from untrusted ports as before.
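The configuration from the steps above, collected into one added example (this is not the configuration from the original post). It assumes the clients and the DHCP server share VLAN 10, that the server is on Gig 1/0/1 as in the post, and that the client ports are Gig 1/0/2 through 1/0/24; the rate limit on the client ports and the verification commands at the end go beyond the steps in the post and are assumptions to adjust for your switch.

```cisco
! Added example: access switch DHCP snooping configuration
! Assumed: clients and DHCP server in VLAN 10, server on Gig1/0/1, clients on Gig1/0/2-24
!
Access-Switch#configure terminal
!
! 1. Turn the feature on globally AND on the VLAN the clients and server share.
!    The global command alone inspects nothing; snooping is enabled per VLAN.
Access-Switch(config)#ip dhcp snooping
Access-Switch(config)#ip dhcp snooping vlan 10
!
! 2. Do not insert option 82 into forwarded client requests (Windows DHCP Server
!    discards requests carrying option 82 from a switch that is not a relay).
Access-Switch(config)#no ip dhcp snooping information option
!
! 3. The port towards the DHCP server is the only place server messages may enter.
Access-Switch(config)#interface GigabitEthernet1/0/1
Access-Switch(config-if)#description DHCP server
Access-Switch(config-if)#switchport mode access
Access-Switch(config-if)#switchport access vlan 10
Access-Switch(config-if)#ip dhcp snooping trust
Access-Switch(config-if)#exit
!
! 4. Client ports stay untrusted (the default): Offer/Ack/Nak arriving here are dropped.
!    The rate limit (assumed value, packets per second) stops a host from flooding the
!    switch with DHCP; a port that exceeds it is put into err-disabled state.
Access-Switch(config)#interface range GigabitEthernet1/0/2 - 24
Access-Switch(config-if-range)#description Client ports - untrusted
Access-Switch(config-if-range)#switchport mode access
Access-Switch(config-if-range)#switchport access vlan 10
Access-Switch(config-if-range)#ip dhcp snooping limit rate 15
Access-Switch(config-if-range)#end
!
! 5. Verify: enabled VLANs, option 82 state and the per-port trust/rate-limit table;
!    the leases the switch has seen; and drop counters for untrusted-port server messages.
Access-Switch#show ip dhcp snooping
Access-Switch#show ip dhcp snooping binding
Access-Switch#show ip dhcp snooping statistics
```

In the output of show ip dhcp snooping, check that the VLAN is listed as enabled, that insertion of option 82 is disabled, and that Gig1/0/1 is the only port marked trusted. When the rogue home router from the example above answers a client on an untrusted port, the Offer is dropped at that port and the switch logs a %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT message naming the port and the message type. One caveat for anything larger than this single-switch setup: if the DHCP server is reached through an uplink to another switch, that uplink must also be configured with ip dhcp snooping trust, otherwise the legitimate Offers are dropped just like the rogue ones and every client in the VLAN loses DHCP.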