Administrator Guide
DHCPv6 relay agent options
The DHCPv6 relay agent inserts Options 18 and 37 before forwarding DHCPv6 packets to the server. These DHCPv6 options are enabled
by default and are not configurable.
Interface ID
(Option 18)
Interface on which the client-originated message is received.
The interface-ID is 12 bytes long and is constructed using three ifindexes: Logical, Received, and Physical. Each of
the ifindex is 4 bytes long.
Remote ID (Option
37)
Identifies the host from which the message is received.
The default values of the Options 18 and 37 are as follows:
• Default Agent Interface ID is constructed in the format VLANID:LagID:SlotID:PortStr. When the port is fanned-out, the
PortStr is represented as mainPort:subPort (all in ASCII format).
• Default Agent Remote ID is the system MAC address of the relay agent that adds Option 37 (in binary format).
DHCP Snooping
DHCP snooping is a feature that protects networks from spoofing. It acts as a firewall between the DHCP server and DHCP clients.
DHCP snooping places the ports either in trusted or non-trusted mode. By default, all ports are set to the non-trusted mode. An attacker
can not connect to the DHCP server through trusted ports. While configuring DHCP snooping, manually configure ports connected to
legitimate servers and relay agents as trusted ports.
When you enable DHCP snooping, the relay agent builds a binding table — using DHCPACK messages — containing the client MAC
address, IP addresses, IP address lease time, port, VLAN ID, and binding type. Every time the relay agent receives a DHCPACK on a
trusted port, it adds an entry to the table.
The relay agent checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE, DHCPNACK, and DHCPDECLINE) against the
binding table to ensure that the MAC-IP address pair is legitimate and that the packet arrived on the correct port. Packets that do not
pass this check are forwarded to the server for validation. This checkpoint prevents an attacker from spoofing a client and declining or
releasing the real client’s address. Server-originated packets (DHCPOFFER, DHCPACK, and DHCPNACK) that arrive on a not trusted
port are also dropped. This checkpoint prevents an attacker from acting as an imposter as a DHCP server to facilitate a man-in-the-middle
attack.
Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE, DHCPNACK, or DHCPDECLINE.
DHCP snooping is supported on Layer 2 and Layer 3 traffic. DHCP snooping on Layer 2 interfaces does not require a relay agent.
NOTE:
In DHCP relay agent, configure DHCP snooping such that the packet from DHCP client must not pass through
DHCP snooping-enabled switches twice before reaching the DHCP server.
Binding table entries are deleted when a lease expires or when the relay agent encounters a DHCPRELEASE. Line cards maintain a list of
snooped VLANs. When the binding table is exhausted, DHCP packets are dropped on snooped VLANs, while these packets are forwarded
across non-snooped VLANs. Because DHCP packets are dropped, no new IP address assignments are made. However, DHCPRELEASE
and DHCPDECLINE packets are allowed so that the DHCP snooping table can decrease in size. After the table usage falls below the
maximum limit of 4000 entries, new IP address assignments are allowed.
NOTE:
DHCP server packets are dropped on all non-trusted interfaces of a system configured for DHCP snooping. To
prevent these packets from being dropped, configure ip dhcp snooping trust on the server-connected port.
DHCP Snooping for a Multi-Tenant Host
You can configure the DHCP snooping feature such that multiple IP addresses are expected for the same MAC address. You can use the
ip dhcp snooping command multiple times to map the same MAC address with different IP addresses. This configuration is also used
for dynamic ARP inspection (DAI) and source address validation (SAV). The DAI and SAV tables reflect the same entries in the DHCP
snooping binding table.
NOTE:
If you enable DHCP Option 82 using the ip dhcp relay command, by default, the remote-ID field contains the
MAC address of the relay agent. If you configure the remote ID as the host name in a VLT setup, configure different
host names on both VLT peers. If you configure the remote ID with your own string, ensure that your strings are
different on both VLT peers.
Dynamic Host Configuration Protocol (DHCP) 325