• track the number of address requests per relay agent. Restricting the number of addresses availableper relay agent can harden a server against address exhaustion attacks.• associate client MAC addresses with a relay agent to prevent offering an IP address to a clientspoofing the same MAC address on a different relay agent.• assign IP addresses according to the relay agent. This prevents generating DHCP offers in response torequests from an unauthorized relay agent.The server echoes the option back to the relay agent in its response, and the relay agent can use theinformation in the option to forward a reply out the interface on which the request was received ratherthan flooding it on the entire VLAN.The relay agent strips Option 82 from DHCP responses before forwarding them to the client.To insert Option 82 into DHCP packets, follow this step.• Insert Option 82 into DHCP packets.CONFIGURATION modeip dhcp relay information-option [trust-downstream]For routers between the relay agent and the DHCP server, enter the trust-downstream option.• Manually reset the remote ID for Option 82.CONFIGURATION modeip dhcp relay information-option remote-idDHCP SnoopingDHCP snooping protects networks from spoofing. In the context of DHCP snooping, ports are eithertrusted or not trusted.By default, all ports are not trusted. Trusted ports are ports through which attackers cannot connect.Manually configure ports connected to legitimate servers and relay agents as trusted.When you enable DHCP snooping, the relay agent builds a binding table — using DHCPACK messages —containing the client MAC address, IP addresses, IP address lease time, port, VLAN ID, and binding type.Every time the relay agent receives a DHCPACK on a trusted port, it adds an entry to the table.The relay agent checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE, DHCPNACK, andDHCPDECLINE) against the binding table to ensure that the MAC-IP address pair is legitimate and that thepacket arrived on the correct port. Packets that do not pass this check are forwarded to the server forvalidation. This checkpoint prevents an attacker from spoofing a client and declining or releasing the realclient’s address. Server-originated packets (DHCPOFFER, DHCPACK, and DHCPNACK) that arrive on a nottrusted port are also dropped. This checkpoint prevents an attacker from acting as an imposter as aDHCP server to facilitate a man-in-the-middle attack.Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE,DHCPNACK, or DHCPDECLINE.Dell Networking OS Behavior: Introduced in Dell Networking OS version 7.8.1.0, DHCP snooping wasavailable for Layer 3 only and dependent on DHCP relay agent (ip helper-address). Dell NetworkingOS version 8.2.1.0 extends DHCP snooping to Layer 2 and you do not have to enable relay agent tosnoop on Layer 2 interfaces.264 Dynamic Host Configuration Protocol (DHCP)