Reference Guide
Dynamic Host Configuration Protocol (DHCP) | 283
The server echoes the option back to the relay agent in its response, and the relay agent can use the
information in the option to forward a reply out the interface on which the request was received rather than
flooding it on the entire VLAN.
The relay agent strips Option 82 from DHCP responses before forwarding them to the client.
DHCP Snooping
DHCP Snooping protects networks from spoofing. In the context of DHCP Snooping, all ports are either
trusted or untrusted. By default, all ports are untrusted. Trusted ports are ports through which attackers
cannot connect. Manually configure ports connected to legitimate servers and relay agents as trusted.
When DHCP Snooping is enabled, the relay agent builds a binding table—using DHCPACK messages—
containing the client MAC address, IP addresses, IP address lease time, port, VLAN ID, and binding type.
Every time the relay agent receives a DHCPACK on an trusted port, it adds an entry to the table.
The relay agent then checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE,
DHCPNACK, and DHCPDECLINE) against the binding table to ensure that the MAC-IP address pair is
legitimate, and that the packet arrived on the correct port; packets that do not pass this check are forwarded
to the the server for validation. This check-point prevents an attacker from spoofing a client and declining
or releasing the real client’s address. Server-originated packets (DHCPOFFER, DHCPACK,
DHCPNACK) that arrive on an untrusted port are also dropped. This check-point prevents an attacker
from impostering as a DHCP server to facilitate a man-in-the-middle attack.
Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE,
DHCPNACK, DHCPDECLINE.
Task Command Syntax Command Mode
Insert Option 82 into DHCP packets.
For routers between the relay agent
and the DHCP server, enter the
trust-downstream option.
ip dhcp relay information-option
[trust-downstream]
CONFIGURATION
FTOS Behavior: Introduced in FTOS version 7.8.1.0, DHCP Snooping was available for Layer 3 only
and dependent on DHCP Relay Agent (ip helper-address). FTOS version 8.2.1.0 extends DHCP
Snooping to Layer 2, and you do not have to enable relay agent to snoop on Layer 2 interfaces.
FTOS Behavior: Binding table entries are deleted when a lease expires or when the relay agent
encounters a DHCPRELEASE. Starting with FTOS Release 8.2.1.2, line cards maintain a list of
snooped VLANs. When the binding table is exhausted, DHCP packets are dropped on snooped
VLANs, while these packets are forwarded across non-snooped VLANs. Since DHCP packets are
dropped, no new IP address assignments are made. However, DHCPRELEASE and DHCPDECLINE
packets are allowed so that the DHCP snooping table can decrease in size. Once the table usage falls
below the maximum limit of 4000 entries, new IP address assignments are allowed.