Reference Guide

320 | Dynamic Host Configuration Protocol (DHCP)
www.dell.com | support.dell.com
The relay agent strips Option 82 from DHCP responses before forwarding them to the client.
DHCP Snooping
DHCP Snooping protects networks from spoofing. In the context of DHCP Snooping, all ports are either
trusted or untrusted. By default, all ports are untrusted. Trusted ports are ports through which attackers
cannot connect. Manually configure ports connected to legitimate servers and relay agents as trusted.
When DHCP Snooping is enabled, the relay agent builds a binding table—using DHCPACK messages—
containing the client MAC address, IP addresses, IP address lease time, port, VLAN ID, and binding type.
Every time the relay agent receives a DHCPACK on a trusted port, it adds an entry to the table.
The relay agent then checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE,
DHCPNACK, and DHCPDECLINE) against the binding table to ensure that the MAC-IP address pair is
legitimate, and that the packet arrived on the correct port; packets that do not pass this check are forwarded
to the server for validation. This check-point prevents an attacker from spoofing a client and declining
or releasing the real client's address. Server-originated packets (DHCPOFFER, DHCPACK,
DHCPNACK) that arrive on an untrusted port are also dropped. This check-point prevents an attacker
from impersonating a DHCP server to facilitate a man-in-the-middle attack.
Binding table entries are deleted when a lease expires, or when the relay agent encounters a DHCPRELEASE,
DHCPNACK, or DHCPDECLINE.
Task | Command Syntax | Command Mode
Insert Option 82 into DHCP packets. For routers between the relay agent and the DHCP server, enter the trust-downstream option. | ip dhcp relay information-option [trust-downstream] | CONFIGURATION
Manually reset the remote ID for Option 82. | ip dhcp relay information-option remote-id | CONFIGURATION
FTOS Behavior: Introduced in FTOS version 7.8.1.0, DHCP Snooping was available for Layer 3 only
and dependent on DHCP Relay Agent (ip helper-address). FTOS version 8.2.1.0 extends DHCP
Snooping to Layer 2, and you do not have to enable relay agent to snoop on Layer 2 interfaces.
FTOS Behavior: Binding table entries are deleted when a lease expires or when the relay agent
encounters a DHCPRELEASE. Starting with FTOS Release 8.2.1.2, line cards maintain a list of
snooped VLANs. When the binding table is exhausted, DHCP packets are dropped on snooped
VLANs, while these packets are forwarded across non-snooped VLANs. Since DHCP packets are
dropped, no new IP address assignments are made. However, DHCPRELEASE and DHCPDECLINE
packets are allowed so that the DHCP Snooping table can decrease in size. Once the table usage falls
below the maximum limit of 4000 entries, new IP address assignments are allowed.
Note: DHCP server packets will be dropped on all untrusted interfaces of a system configured for DHCP
Snooping. To prevent these packets from being dropped, configure ip dhcp snooping trust on the
server-connected port.
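The following is an added, constructed model of the binding-table behaviour this section describes (trusted versus untrusted ports, entries learned from DHCPACK, the MAC-IP-port check on DHCPRELEASE/DHCPDECLINE, server messages dropped on untrusted ports, the 4000-entry exhaustion rule on snooped VLANs, and lease expiry). It is not FTOS code and nothing in it comes from Dell; the class and method names (DhcpSnooper, process, expire_leases), the action strings, the port names such as "Gi 0/1" and the MAC/IP values are all made up for illustration. The page lists DHCPNACK under both client- and server-originated traffic; the model treats it as a server message that, on a trusted port, removes the client's binding.

```python
"""Constructed model of DHCP Snooping binding-table checks (not FTOS code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

MAX_BINDINGS = 4000  # table limit quoted in the FTOS Behavior note

# Server-originated messages are legitimate only when they arrive on a trusted port.
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNACK"}
# Client-originated messages that are checked against the binding table.
CLIENT_CLEAR_MSGS = {"DHCPRELEASE", "DHCPDECLINE"}


@dataclass(frozen=True)
class Packet:
    msg: str
    mac: str
    ip: str
    port: str   # ingress interface, hypothetical names such as "Gi 0/1"
    vlan: int
    lease: int = 0  # lease seconds; meaningful for DHCPACK only


@dataclass
class Binding:
    ip: str
    port: str
    vlan: int
    expires: int          # absolute time at which the lease ends
    kind: str = "dynamic"  # the "binding type" column of the table


class DhcpSnooper:
    """Relay-agent view: trusted ports, snooped VLANs and a MAC-keyed binding table."""

    def __init__(self, trusted_ports: Iterable[str], snooped_vlans: Iterable[int],
                 max_bindings: int = MAX_BINDINGS) -> None:
        self.trusted = set(trusted_ports)      # all ports are untrusted unless listed here
        self.snooped = set(snooped_vlans)
        self.max_bindings = max_bindings
        self.table: Dict[str, Binding] = {}

    def lookup(self, mac: str) -> Optional[Binding]:
        return self.table.get(mac)

    def expire_leases(self, now: int) -> int:
        """Delete entries whose lease has expired; returns the number removed."""
        stale = [mac for mac, b in self.table.items() if b.expires <= now]
        for mac in stale:
            del self.table[mac]
        return len(stale)

    def process(self, pkt: Packet, now: int = 0) -> str:
        """Return the action taken for one DHCP packet."""
        if pkt.vlan not in self.snooped:
            return "forward"  # non-snooped VLAN: packets pass without inspection
        full = len(self.table) >= self.max_bindings

        if pkt.msg in SERVER_MSGS:
            if pkt.port not in self.trusted:
                return "drop:server-message-on-untrusted-port"
            if pkt.msg == "DHCPACK":
                if full and pkt.mac not in self.table:
                    return "drop:binding-table-full"  # no new assignments while exhausted
                self.table[pkt.mac] = Binding(pkt.ip, pkt.port, pkt.vlan, now + pkt.lease)
                return "forward:binding-added"
            if pkt.msg == "DHCPNACK":
                self.table.pop(pkt.mac, None)
                return "forward:binding-removed"
            return "forward"

        if pkt.msg in CLIENT_CLEAR_MSGS:
            b = self.table.get(pkt.mac)
            if b is None or b.ip != pkt.ip or b.port != pkt.port:
                # MAC-IP pair or ingress port does not match the table: the binding is
                # left untouched and the packet is passed on for the server to validate.
                return "forward:binding-mismatch"
            del self.table[pkt.mac]  # RELEASE/DECLINE is always allowed, so the table can shrink
            return "forward:binding-removed"

        # Other client messages (DHCPDISCOVER/DHCPREQUEST) are dropped while the table is full.
        if full:
            return "drop:binding-table-full"
        return "forward"


def demo() -> List[str]:
    """Run a few constructed packets through a snooper with one trusted port."""
    s = DhcpSnooper(trusted_ports={"Gi 0/1"}, snooped_vlans={10})
    mac = "00:11:22:33:44:55"
    pkts = [
        Packet("DHCPACK", mac, "10.0.0.20", "Gi 0/7", 10, lease=600),      # rogue server on untrusted port
        Packet("DHCPACK", mac, "10.0.0.20", "Gi 0/1", 10, lease=600),      # real server on trusted port
        Packet("DHCPDECLINE", mac, "10.0.0.20", "Gi 0/9", 10),             # wrong ingress port for this MAC
        Packet("DHCPRELEASE", mac, "10.0.0.20", "Gi 0/1", 10),             # matches the binding
    ]
    return [s.process(p, now=100) for p in pkts]


if __name__ == "__main__":
    for action in demo():
        print(action)
```

The point of the model is the ordering of the checks: VLAN membership first, then the port trust test for server messages, then the binding-table comparison for client release traffic, and only then the exhaustion rule, which blocks new assignments but never blocks the RELEASE/DECLINE messages that let the table shrink again.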