DHCP snooping allows DHCP responses only from trusted (uplink) ports — blocking rogue DHCP servers on access ports. Creates a binding table (MAC+IP+port) used by Dynamic ARP Inspection.
Enable on all access switches. Trust only uplink ports connected to legitimate DHCP servers. Rate-limit DHCP requests per port to prevent DHCP starvation. The binding table created by DHCP snooping is used by DAI (Dynamic ARP Inspection) to validate ARP packets.