Administrator Guide
The DHCP relay agent inserts Option 82 before forwarding DHCP packets to the server. The server can use this information to:
• track the number of address requests per relay agent. Restricting the number of addresses available per relay agent can harden a
server against address exhaustion attacks.
• associate client MAC addresses with a relay agent to prevent oering an IP address to a client spoong the same MAC address on a
dierent relay agent.
• assign IP addresses according to the relay agent. This prevents generating DHCP oers in response to requests from an unauthorized
relay agent.
The server echoes the option back to the relay agent in its response, and the relay agent can use the information in the option to forward a
reply out the interface on which the request was received rather than ooding it on the entire VLAN.
The relay agent strips Option 82 from DHCP responses before forwarding them to the client.
To insert Option 82 into DHCP packets, follow this step.
• Insert Option 82 into DHCP packets.
CONFIGURATION mode
ip dhcp relay information-option [trust-downstream]
For routers between the relay agent and the DHCP server, enter the trust-downstream option.
DHCP Snooping
DHCP snooping protects networks from spoong. In the context of DHCP snooping, ports are either trusted or not trusted.
By default, all ports are not trusted. Trusted ports are ports through which attackers cannot connect. Manually congure ports connected
to legitimate servers and relay agents as trusted.
When you enable DHCP snooping, the relay agent builds a binding table — using DHCPACK messages — containing the client MAC
address, IP addresses, IP address lease time, port, VLAN ID, and binding type. Every time the relay agent receives a DHCPACK on a trusted
port, it adds an entry to the table.
The relay agent checks all subsequent DHCP client-originated IP trac (DHCPRELEASE, DHCPNACK, and DHCPDECLINE) against the
binding table to ensure that the MAC-IP address pair is legitimate and that the packet arrived on the correct port. Packets that do not pass
this check are forwarded to the server for validation. This checkpoint prevents an attacker from spoong a client and declining or releasing
the real client’s address. Server-originated packets (DHCPOFFER, DHCPACK, and DHCPNACK) that arrive on a not trusted port are also
dropped. This checkpoint prevents an attacker from acting as an imposter as a DHCP server to facilitate a man-in-the-middle attack.
Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE, DHCPNACK, or DHCPDECLINE.
DHCP snooping is supported on Layer 2 and Layer 3 VLANs. DHCP snooping on Layer 3 interfaces depends on the congured DHCP relay
agent (ip helper-address). DHCP snooping on Layer 2 interfaces does not require a relay agent.
When DHCP snooping VLAN interface is deleted or the operation is down, the corresponding learned entries are also removed from the
snooping table.
NOTE
: DHCP server packets are dropped on all not trusted interfaces of a system congured for DHCP snooping. To prevent
these packets from being dropped, congure ip dhcp snooping trust on the server-connected port.
NOTE: DHCP snooping is supported in a VLT environment.
Restrictions for DHCP Snooping
• DHCP Snooping is supported only for port extender interfaces connected to the VLT peers.
• DHCP server must be connected to the VLT peers only using VLT Port-channel.
• DHCP Snooping is supported only FOR SPANNED VLANs.
Dynamic Host
Conguration Protocol (DHCP) 353