• Source Address ValidationOption 82RFC 3046 (the relay agent information option, or Option 82) is used for class-based IP address assignment.The code for the relay agent information option is 82, and is comprised of two sub-options, circuit ID and remote ID.Circuit ID This is the interface on which the client-originated message is received.Remote ID This identifies the host from which the message is received. The value of this sub-option is the MAC address ofthe relay agent that adds Option 82.The DHCP relay agent inserts Option 82 before forwarding DHCP packets to the server. The server can use this information to:• track the number of address requests per relay agent. Restricting the number of addresses available per relay agent can harden aserver against address exhaustion attacks.• associate client MAC addresses with a relay agent to prevent offering an IP address to a client spoofing the same MAC address on adifferent relay agent.• assign IP addresses according to the relay agent. This prevents generating DHCP offers in response to requests from an unauthorizedrelay agent.The server echoes the option back to the relay agent in its response, and the relay agent can use the information in the option to forward areply out the interface on which the request was received rather than flooding it on the entire VLAN.The relay agent strips Option 82 from DHCP responses before forwarding them to the client.To insert Option 82 into DHCP packets, follow this step.• Insert Option 82 into DHCP packets.CONFIGURATION modeip dhcp relay information-option [trust-downstream]For routers between the relay agent and the DHCP server, enter the trust-downstream option.• Manually reset the remote ID for Option 82.CONFIGURATION modeip dhcp relay information-option remote-idDHCP SnoopingDHCP snooping protects networks from spoofing. In the context of DHCP snooping, ports are either trusted or not trusted.By default, all ports are not trusted. Trusted ports are ports through which attackers cannot connect. Manually configure ports connectedto legitimate servers and relay agents as trusted.When you enable DHCP snooping, the relay agent builds a binding table — using DHCPACK messages — containing the client MACaddress, IP addresses, IP address lease time, port, VLAN ID, and binding type. Every time the relay agent receives a DHCPACK on a trustedport, it adds an entry to the table.The relay agent checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE, DHCPNACK, and DHCPDECLINE) against thebinding table to ensure that the MAC-IP address pair is legitimate and that the packet arrived on the correct port. Packets that do not passthis check are forwarded to the server for validation. This checkpoint prevents an attacker from spoofing a client and declining or releasingthe real client’s address. Server-originated packets (DHCPOFFER, DHCPACK, and DHCPNACK) that arrive on a not trusted port are alsodropped. This checkpoint prevents an attacker from acting as an imposter as a DHCP server to facilitate a man-in-the-middle attack.Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE, DHCPNACK, or DHCPDECLINE.Dynamic Host Configuration Protocol (DHCP) 283