Concept Guide
DHCPv6 relay agent options
By default, the DHCPv6 relay agent inserts Options 18 and 37 before forwarding DHCPv6 packets to the server.
Interface ID (Option
18)
This is the interface on which the client-originated message is received.
Default values: The length of Interface ID is 12 bytes comprising of logical ifindex (VLAN, LAG, or physical
interface), received ifindex (LAG or physical interface), and physical ifindex. Each ifindex value is 4 bytes
long.
In the interface ID, each ifindex (4 bytes) is in hexadecimal. Convert hexadecimal values of each ifindex
separately to decimal and the derived decimal value can be used to get the actual interface name. For more
information about deriving the interface name from interface index, see the section Example of deriving the
interface index number.
Remote ID (Option
37)
This identies the host from which the message is received.
Default values: The default value of this option is the MAC address of the relay agent that adds Option 37.
DHCP Snooping
DHCP snooping is a feature that protects networks from spoong. It acts as a rewall between the DHCP server and DHCP clients.
DHCP snooping places the ports either in trusted or non-trusted mode. By default, all ports are set to the non-trusted mode. An attacker
can not connect to the DHCP server through trusted ports. While conguring DHCP snooping, manually congure ports connected to
legitimate servers and relay agents as trusted ports.
When you enable DHCP snooping, the relay agent builds a binding table — using DHCPACK messages — containing the client MAC
address, IP addresses, IP address lease time, port, VLAN ID, and binding type. Every time the relay agent receives a DHCPACK on a trusted
port, it adds an entry to the table.
The relay agent checks all subsequent DHCP client-originated IP trac (DHCPRELEASE, DHCPNACK, and DHCPDECLINE) against the
binding table to ensure that the MAC-IP address pair is legitimate and that the packet arrived on the correct port. Packets that do not pass
this check are forwarded to the server for validation. This checkpoint prevents an attacker from spoong a client and declining or releasing
the real client’s address. Server-originated packets (DHCPOFFER, DHCPACK, and DHCPNACK) that arrive on a not trusted port are also
dropped. This checkpoint prevents an attacker from acting as an imposter as a DHCP server to facilitate a man-in-the-middle attack.
Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE, DHCPNACK, or DHCPDECLINE.
DHCP snooping is supported on Layer 2 and Layer 3 trac. DHCP snooping on Layer 2 interfaces does not require a relay agent.
NOTE
: In DHCP relay agent, congure DHCP snooping such that the packet from DHCP client must not pass through DHCP
snooping-enabled switches twice before reaching the DHCP server.
Binding table entries are deleted when a lease expires or when the relay agent encounters a DHCPRELEASE. Line cards maintain a list of
snooped VLANs. When the binding table is exhausted, DHCP packets are dropped on snooped VLANs, while these packets are forwarded
across non-snooped VLANs. Because DHCP packets are dropped, no new IP address assignments are made. However, DHCPRELEASE
and DHCPDECLINE packets are allowed so that the DHCP snooping table can decrease in size. After the table usage falls below the
maximum limit of 4000 entries, new IP address assignments are allowed.
NOTE
: DHCP server packets are dropped on all non-trusted interfaces of a system congured for DHCP snooping. To prevent
these packets from being dropped, congure ip dhcp snooping trust on the server-connected port.
Dynamic Host Conguration Protocol (DHCP) 365