DHCP Snooping Fundamentals

dean.farr4331
Level 1

I am currently studying CCNA-S through Netacad and have been introduced to DHCP Snooping, DAI and IPSG. I understand the basic idea of the binding table but have been left with some unanswered questions:

1. How do you baseline the bindings table in the first place?

2. If DHCP messages not matching the binding table are discarded, how are new legitimate clients introduced to the network?

3. At what point does the switch transition from creating bindings to policing against the bindings?

Any references to a good tutorial or document would be most welcome.

Kind Regards

Dean

1 Reply

Hello dean.farr4331,


I will try to answer your questions inline:

1. How do you baseline the bindings table in the first place?

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html#wp1090479

2. If DHCP messages not matching the binding table are discarded, how are new legitimate clients introduced to the network?

By adding them to the binding database; they will then be validated.

3. At what point does the switch transition from creating bindings to policing against the bindings?

"Packet Validation

The switch validates DHCP packets received on the untrusted interfaces of VLANs with DHCP snooping enabled. The switch forwards the DHCP packet unless any of the following conditions occur (in which case the packet is dropped):

The switch receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet) from a DHCP server outside the network or firewall.

The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.

The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.

The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0."

I hope it helps. I also suggest reading the complete Cisco documentation about DHCP Snooping: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html#wp1114389

L.
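The four drop conditions quoted in the reply, together with the binding-table lifecycle Dean asks about in questions 1 and 3, are easier to follow when run against concrete packets. The model below is an added example, not part of the original thread and not Cisco code. It encodes the quoted rules for untrusted ports and then models how the table is populated: a client's DISCOVER/REQUEST on an untrusted port records which port the client sits on, the server's DHCPACK arriving on a trusted port creates the binding (MAC, IP, VLAN, port, lease), and a DHCPRELEASE that passes validation removes it. The interface names, MAC and IP addresses, the `mac_verify` flag (standing in for `ip dhcp snooping verify mac-address`) and the pending-request bookkeeping are assumptions of the model; a real switch uses its own forwarding state to know the client's port.

```python
"""Toy model of Cisco DHCP snooping packet validation and binding learning.

Constructed for illustration only; not Cisco code. Interface names, addresses,
and the learning rule (a binding is created when a DHCPACK from a trusted port
answers a DISCOVER/REQUEST previously seen on an untrusted port) are assumptions.
"""
from dataclasses import dataclass

# Messages only a DHCP server sends; arriving on an untrusted port they are dropped.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}


@dataclass
class Packet:
    ingress_if: str           # port the frame arrived on
    vlan: int
    msg_type: str             # e.g. "DHCPDISCOVER", "DHCPACK"
    src_mac: str              # Ethernet source address
    chaddr: str               # DHCP client hardware address field
    giaddr: str = "0.0.0.0"   # relay agent IP address field
    yiaddr: str = "0.0.0.0"   # address offered/assigned (OFFER/ACK)
    lease: int = 0            # lease time in seconds (ACK)


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    lease: int


class SnoopingSwitch:
    def __init__(self, trusted_ifaces, snooping_vlans, mac_verify=True):
        self.trusted = set(trusted_ifaces)
        self.vlans = set(snooping_vlans)
        self.mac_verify = mac_verify  # models "ip dhcp snooping verify mac-address" (assumption)
        self.bindings: dict[tuple[str, int], Binding] = {}
        self._pending: dict[tuple[str, int], str] = {}  # (mac, vlan) -> client port seen

    def validate(self, pkt: Packet) -> tuple[bool, str]:
        """Apply the untrusted-port checks quoted in the reply; returns (forward?, reason)."""
        if pkt.vlan not in self.vlans or pkt.ingress_if in self.trusted:
            return True, "not inspected (trusted port or VLAN not snooped)"
        if pkt.msg_type in SERVER_MESSAGES:
            return False, "server message on untrusted port"
        if self.mac_verify and pkt.src_mac.lower() != pkt.chaddr.lower():
            return False, "source MAC and chaddr differ"
        if pkt.msg_type in ("DHCPRELEASE", "DHCPDECLINE"):
            b = self.bindings.get((pkt.chaddr.lower(), pkt.vlan))
            if b is not None and b.interface != pkt.ingress_if:
                return False, "RELEASE/DECLINE from a port other than the binding's"
        if pkt.giaddr != "0.0.0.0":
            return False, "non-zero relay agent address on untrusted port"
        return True, "ok"

    def process(self, pkt: Packet) -> tuple[bool, str]:
        """Validate, then update the binding table for packets that are forwarded."""
        ok, reason = self.validate(pkt)
        if not ok:
            return ok, reason
        key = (pkt.chaddr.lower(), pkt.vlan)
        if pkt.msg_type in ("DHCPDISCOVER", "DHCPREQUEST"):
            self._pending[key] = pkt.ingress_if  # remember which port the client is on
        elif pkt.msg_type == "DHCPACK" and key in self._pending:
            self.bindings[key] = Binding(pkt.chaddr.lower(), pkt.yiaddr, pkt.vlan,
                                         self._pending.pop(key), pkt.lease)
        elif pkt.msg_type == "DHCPRELEASE":
            self.bindings.pop(key, None)
        return ok, reason


def demo() -> tuple[SnoopingSwitch, list[tuple[str, bool, str]]]:
    """Constructed traffic: one legitimate lease, then four attacker packets from Gi0/2."""
    sw = SnoopingSwitch(trusted_ifaces={"Gi0/24"}, snooping_vlans={10})
    client, server, rogue = "aa:bb:cc:00:00:01", "00:11:22:33:44:55", "de:ad:be:ef:00:02"
    flow = [
        Packet("Gi0/1", 10, "DHCPDISCOVER", client, client),
        Packet("Gi0/24", 10, "DHCPOFFER", server, client, yiaddr="10.0.10.50"),
        Packet("Gi0/1", 10, "DHCPREQUEST", client, client),
        Packet("Gi0/24", 10, "DHCPACK", server, client, yiaddr="10.0.10.50", lease=86400),
        Packet("Gi0/2", 10, "DHCPOFFER", rogue, client, yiaddr="10.0.10.99"),   # rogue server
        Packet("Gi0/2", 10, "DHCPDISCOVER", rogue, client),                      # chaddr spoof
        Packet("Gi0/2", 10, "DHCPRELEASE", client, client),                      # release victim's lease
        Packet("Gi0/2", 10, "DHCPDISCOVER", rogue, rogue, giaddr="10.0.10.1"),   # fake relay agent
    ]
    results = [(p.msg_type, *sw.process(p)) for p in flow]
    return sw, results


if __name__ == "__main__":
    switch, verdicts = demo()
    for msg, forwarded, why in verdicts:
        print(f"{msg:14s} {'FORWARD' if forwarded else 'DROP   '} {why}")
    print("bindings:", switch.bindings)
```

Running it shows the legitimate exchange forwarded and a single binding created for the client on Gi0/1 only once the DHCPACK is seen, while each attacker packet is dropped by a different one of the quoted rules. Note that the rogue RELEASE is dropped even though its source MAC matches the chaddr: the port in the binding does not match the port the message arrived on.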
