DHCP trusted and untrusted ports
Interfaces that connect to clients should never be allowed to send a DHCP OFFER message, because only a DHCP server sends OFFERs. We can enforce this by making those ports untrusted. An untrusted interface blocks DHCP OFFER messages. Only an interface that has been configured as trusted is allowed to forward DHCP OFFER messages.
In addition, when a switch receives a DHCP DISCOVER message, it forwards the message only out of trusted ports. This way, no hosts (or potential attackers) connected to untrusted ports will receive such a message.
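The two rules above can be modelled as a forwarding decision on the DHCP message type (option 53) and the trust state of each port. This is an added example, not code from the original page or from any switch vendor; the port names, the `PORTS` table and the helper functions are hypothetical, and the DHCP payloads are constructed sample input.

```python
import struct

DISCOVER, OFFER = 1, 2            # values of DHCP option 53
MAGIC = b"\x63\x82\x53\x63"       # DHCP magic cookie after the BOOTP header

def build_dhcp(msg_type):
    """Constructed minimal DHCP payload (sample input, not captured traffic)."""
    op = 1 if msg_type == DISCOVER else 2          # BOOTREQUEST / BOOTREPLY
    header = struct.pack("!BBBB", op, 1, 6, 0) + bytes(232)   # 236 bytes
    return header + MAGIC + bytes([53, 1, msg_type, 255])

def dhcp_message_type(payload):
    """Return the option 53 value, or None if the payload is not valid DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                # end option
            break
        if code == 0:                  # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                # truncated option body
        if code == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None

def egress_ports(ports, ingress, payload):
    """ports maps port name -> trusted flag; returns the ports the frame leaves on."""
    mtype = dhcp_message_type(payload)
    others = [p for p in ports if p != ingress]
    if mtype == OFFER and not ports[ingress]:
        return []                                  # OFFER on untrusted port: blocked
    if mtype == DISCOVER:
        return [p for p in others if ports[p]]     # DISCOVER: trusted ports only
    # Simplification: everything else is flooded; a real switch uses its MAC table.
    return others

# Hypothetical port names: Gi0/1 is the uplink to the DHCP server, the rest face clients.
PORTS = {"Gi0/1": True, "Gi0/2": False, "Gi0/3": False}
```

Calling `egress_ports(PORTS, "Gi0/2", build_dhcp(OFFER))` returns an empty list, while a DISCOVER arriving on the same port leaves only on `Gi0/1`.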