DHCP snooping provides the foundation for IP spoofing detection and prevention. DHCP ACK packets received on a trusted port from a DHCP server create a MAC-to-IP binding for the user along with the lease time and expiration. DHCP ACK packets received on any ports that are configured as untrusted should be dropped as configured by policy.
On edge devices, an optional configuration is to verify the SA (source address) MAC address of the client with the client hardware address found in the DHCP payload. Provided that policy is appropriately configured to determine trusted ports for DHCP servers versus DHCP clients in an exclusively DHCP environment, and configured on an edge switch, DHCP snooping is deterministic in binding an IP address to a MAC address. Dynamic ARP inspection and IP source guard can be used to supplement the bindings database and create a secure network.