Sunday, June 10, 2012

DHCP Snooping: Logical steps for Filtering


  • It filters all messages that are sent exclusively by DHCP servers.
  • The switch checks DHCP release and decline messages against the DHCP snooping binding table.
    • If the IP address in those messages is not listed with the port in the DHCP snooping binding table, the messages are filtered.
  • Optionally, it compares a DHCP request's client hardware address value with the source MAC address inside the Ethernet frame.

The first check takes care of the fake DHCP server man-in-the-middle attack.
The second check prevents an attacking host from releasing a legitimate host's DHCP lease and then requesting an address so that it is assigned the same IP address.
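As an added example (not code from the original post), the three checks above written as one Python filter and run over constructed sample frames. It assumes a binding table keyed by leased IP holding (client MAC, port) and a set of trusted ports, and applies the optional MAC check to every message arriving on an untrusted port, not only requests.

```python
from dataclasses import dataclass

# DHCP option 53 message types (RFC 2131)
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_ONLY = {OFFER, ACK, NAK}  # only a DHCP server legitimately sends these

@dataclass
class DhcpFrame:
    port: str            # switch port the frame arrived on
    src_mac: str         # Ethernet source MAC of the frame
    msg_type: int        # DHCP option 53 value
    chaddr: str          # client hardware address field in the DHCP header
    ip: str = "0.0.0.0"  # address the message refers to (ciaddr for RELEASE, option 50 for DECLINE)

def snoop_filter(frame, trusted_ports, bindings, verify_mac=True):
    """Apply the three DHCP snooping checks; return (forward, reason).
    bindings maps a leased IP to (client MAC, port) as the switch learned it."""
    untrusted = frame.port not in trusted_ports
    # 1. server-only messages are accepted only from trusted (uplink/server) ports
    if frame.msg_type in SERVER_ONLY and untrusted:
        return False, "server message on untrusted port"
    # 2. RELEASE/DECLINE must match the IP/port pair in the binding table
    if frame.msg_type in (RELEASE, DECLINE):
        entry = bindings.get(frame.ip)
        if entry is None or entry[1] != frame.port:
            return False, "release/decline does not match binding table"
    # 3. optional: chaddr must equal the Ethernet source MAC on untrusted ports
    if verify_mac and untrusted and frame.chaddr.lower() != frame.src_mac.lower():
        return False, "chaddr differs from source MAC"
    return True, "ok"

# Constructed sample data: one trusted uplink and one legitimate lease on port Gi1/0/2
TRUSTED = {"Gi1/0/1"}
BINDINGS = {"10.0.0.5": ("00:11:22:33:44:55", "Gi1/0/2")}

def demo():
    frames = {
        "rogue_offer": DhcpFrame("Gi1/0/3", "de:ad:be:ef:00:01", OFFER, "de:ad:be:ef:00:01"),
        "real_offer": DhcpFrame("Gi1/0/1", "00:aa:bb:cc:dd:ee", OFFER, "00:aa:bb:cc:dd:ee"),
        "forged_release": DhcpFrame("Gi1/0/3", "de:ad:be:ef:00:01", RELEASE,
                                    "00:11:22:33:44:55", ip="10.0.0.5"),
        "own_release": DhcpFrame("Gi1/0/2", "00:11:22:33:44:55", RELEASE,
                                 "00:11:22:33:44:55", ip="10.0.0.5"),
        "spoofed_request": DhcpFrame("Gi1/0/3", "de:ad:be:ef:00:01", REQUEST, "00:11:22:33:44:55"),
    }
    return {name: snoop_filter(f, TRUSTED, BINDINGS) for name, f in frames.items()}

if __name__ == "__main__":
    for name, (fwd, why) in demo().items():
        print(f"{name:16} {'FORWARD' if fwd else 'DROP':8} {why}")
```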