For routers between the relay agent and the DHCP server, enter the trust-downstream option.• Manually reset the remote ID for Option 82.CONFIGURATION modeip dhcp relay information-option remote-idDHCP SnoopingDHCP snooping protects networks from spoofing. In the context of DHCP snooping, ports are either trusted or not trusted.By default, all ports are not trusted. Trusted ports are ports through which attackers cannot connect. Manually configure portsconnected to legitimate servers and relay agents as trusted.When you enable DHCP snooping, the relay agent builds a binding table — using DHCPACK messages — containing the client MACaddress, IP addresses, IP address lease time, port, VLAN ID, and binding type. Every time the relay agent receives a DHCPACK on atrusted port, it adds an entry to the table.The relay agent checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE, DHCPNACK, and DHCPDECLINE) againstthe binding table to ensure that the MAC-IP address pair is legitimate and that the packet arrived on the correct port. Packets thatdo not pass this check are forwarded to the server for validation. This checkpoint prevents an attacker from spoofing a client anddeclining or releasing the real client’s address. Server-originated packets (DHCPOFFER, DHCPACK, and DHCPNACK) that arrive ona not trusted port are also dropped. This checkpoint prevents an attacker from acting as an imposter as a DHCP server to facilitate aman-in-the-middle attack.Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE, DHCPNACK, orDHCPDECLINE.DHCP snooping is supported on Layer 2 and Layer 3 traffic. DHCP snooping on Layer 2 interfaces does require a relay agent.Binding table entries are deleted when a lease expires or when the relay agent encounters a DHCPRELEASE. Line cards maintain alist of snooped VLANs. When the binding table is exhausted, DHCP packets are dropped on snooped VLANs, while these packetsare forwarded across non-snooped VLANs. Because DHCP packets are dropped, no new IP address assignments are made.However, DHCPRELEASE and DHCPDECLINE packets are allowed so that the DHCP snooping table can decrease in size. After thetable usage falls below the maximum limit of 4000 entries, new IP address assignments are allowed.NOTE: DHCP server packets are dropped on all not trusted interfaces of a system configured for DHCP snooping. Toprevent these packets from being dropped, configure ip dhcp snooping trust on the server-connected port.Enabling DHCP SnoopingTo enable DHCP snooping, use the following commands.1. Enable DHCP snooping globally.CONFIGURATION modeip dhcp snooping2. Specify ports connected to DHCP servers as trusted.INTERFACE modeINTERFACE PORT EXTENDER modeip dhcp snooping trust3. Enable DHCP snooping on a VLAN.CONFIGURATION modeip dhcp snooping vlan nameDynamic Host Configuration Protocol (DHCP) 293