Hi Gary,
In a sense, DHCP Snooping is a relatively inflexible protection technique that assumes a standard type of LAN deployment: DHCP clients do not have any server capability, and so they are not expected to send any server-type responses, nor should they listen to the DHCP communication of other clients. If the clients go beyond this assumption and in fact provide some kind of DHCP server-like services, then they're no longer common clients, and DHCP Snooping is not well-suited to accommodate them.
Unfortunately, DHCP Snooping cannot be customized in the way you would require. If it is required for each Windows workstation to provide PXE booting capabilities, then the workstation is no longer in the position of a classic host; rather, it is becoming a server. Deploying DHCP Snooping in such a network would require configuring ports to all stations as trusted ports, which voids the entire protection.
The question is whether all stations should truly be providing the PXE booting service. To me, it sounds like overkill - if one single station is capable of doing that, what is the reason or advantage of having all stations acting in the same way? Perhaps this design should be re-evaluated and hopefully changed.
Best regards,
Peter
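
The trust rule described in the reply above, as an added example that is not part of the original post: a simplified Python model of the per-port decision, covering only the "server messages pass on trusted ports only" rule. The port names and the minimal DHCP payloads are constructed for illustration.

```python
# DHCP message types (option 53) that only a server is expected to send.
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the BOOTP header

def dhcp_msg_type(payload: bytes):
    """Return the option 53 value from a BOOTP/DHCP payload, or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break                # truncated option
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and len(value) == 1:
            return value[0]
        i += 2 + length
    return None

def snoop(payload: bytes, port: str, trusted_ports: set) -> str:
    """Simplified snooping decision for one frame arriving on one port."""
    if dhcp_msg_type(payload) in SERVER_TYPES and port not in trusted_ports:
        return "drop"
    return "forward"

def build(op: int, mtype: int) -> bytes:
    """Constructed minimal BOOTP payload carrying only option 53."""
    header = bytes([op, 1, 6, 0]) + b"\x00" * 232
    return header + MAGIC + bytes([53, 1, mtype, 255])

DISCOVER = build(1, 1)   # client request
OFFER = build(2, 2)      # server-type reply, as a PXE-serving workstation would send

def demo():
    uplink_only = {"Gi0/24"}                   # only the port toward the real server
    all_trusted = {"Gi0/1", "Gi0/2", "Gi0/24"}  # every workstation port trusted
    return [
        snoop(DISCOVER, "Gi0/1", uplink_only),  # ordinary client traffic
        snoop(OFFER, "Gi0/24", uplink_only),    # reply from the trusted uplink
        snoop(OFFER, "Gi0/2", uplink_only),     # workstation acting as a server
        snoop(OFFER, "Gi0/2", all_trusted),     # same frame once every port is trusted
    ]
```

With every workstation port trusted, the last case forwards a server-type reply from an access port, which is exactly the traffic the feature exists to block.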