Setup Guide
• track the number of address requests per relay agent. Restricting the number of addresses available per relay agent can harden a
server against address exhaustion attacks.
• associate client MAC addresses with a relay agent to prevent oering an IP address to a client spoong the same MAC address on a
dierent relay agent.
• assign IP addresses according to the relay agent. This prevents generating DHCP oers in response to requests from an unauthorized
relay agent.
The server echoes the option back to the relay agent in its response, and the relay agent can use the information in the option to forward a
reply out the interface on which the request was received rather than ooding it on the entire VLAN.
The relay agent strips Option 82 from DHCP responses before forwarding them to the client.
By default, Option 82 is not inserted in DHCP packets.
To insert Option 82 into DHCP packets, follow this step.
• Insert Option 82 into DHCP packets.
CONFIGURATION mode
ip dhcp relay information-option [trust-downstream]
For routers between the relay agent and the DHCP server, enter the trust-downstream option.
• Manually reset the remote ID for Option 82.
CONFIGURATION mode
ip dhcp relay information-option remote-id
DHCPv6 relay agent options
The DHCPv6 relay agent inserts Options 18 and 37 before forwarding DHCPv6 packets to the server. These DHCPv6 options are enabled
by default and are not congurable.
Interface ID (Option
18)
This is the interface on which the client-originated message is received.
The interface-ID is 12 bytes long and is constructed using three indexes: Logical, Received, and Physical. Each of
the index is 4 bytes long.
Remote ID (Option
37)
This identies the host from which the message is received.
The default values of the Options 18 and 37 are as follows:
• Default Agent Interface ID is constructed in the format VLANID:LagID:SlotID:PortStr. When the port is fanned-out, the
PortStr is represented as mainPort:subPort.
• Default Agent Remote ID is the system MAC address of the relay agent that adds Option 37 (in binary format)
DHCP Snooping
DHCP snooping is a feature that protects networks from spoong. It acts as a rewall between the DHCP server and DHCP clients.
DHCP snooping places the ports either in trusted or non-trusted mode. By default, all ports are set to the non-trusted mode. An attacker
can not connect to the DHCP server through trusted ports. While conguring DHCP snooping, manually congure ports connected to
legitimate servers and relay agents as trusted ports.
Dynamic Host
Conguration Protocol (DHCP) 285