Service Manual
To insert Option 82 into DHCP packets, follow this step.
• Insert Option 82 into DHCP packets.
CONFIGURATION mode
ip dhcp relay information-option [trust-downstream]
For routers between the relay agent and the DHCP server, enter the trust-downstream option.
• Manually reset the remote ID for Option 82.
CONFIGURATION mode
ip dhcp relay information-option remote-id
DHCP Snooping
DHCP snooping protects networks from spoofing. In the context of DHCP snooping, ports are either
trusted or not trusted.
By default, all ports are not trusted. Trusted ports are ports through which attackers cannot connect.
Manually configure ports connected to legitimate servers and relay agents as trusted.
When you enable DHCP snooping, the relay agent builds a binding table — using DHCPACK messages —
containing the client MAC address, IP addresses, IP address lease time, port, VLAN ID, and binding type.
Every time the relay agent receives a DHCPACK on a trusted port, it adds an entry to the table.
The relay agent checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE, DHCPNACK, and
DHCPDECLINE) against the binding table to ensure that the MAC-IP address pair is legitimate and that the
packet arrived on the correct port. Packets that do not pass this check are forwarded to the server for
validation. This checkpoint prevents an attacker from spoofing a client and declining or releasing the real
client’s address. Server-originated packets (DHCPOFFER, DHCPACK, and DHCPNACK) that arrive on a not
trusted port are also dropped. This checkpoint prevents an attacker from acting as an imposter as a
DHCP server to facilitate a man-in-the-middle attack.
Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE,
DHCPNACK, or DHCPDECLINE.
Dell Networking OS Behavior: Introduced in Dell Networking OS version 7.8.1.0, DHCP snooping was
available for Layer 3 only and dependent on DHCP relay agent (ip helper-address). Dell Networking
OS version 8.2.1.0 extends DHCP snooping to Layer 2 and you do not have to enable relay agent to
snoop on Layer 2 interfaces.
Dell Networking OS Behavior: Binding table entries are deleted when a lease expires or when the relay
agent encounters a DHCPRELEASE. Line cards maintain a list of snooped VLANs. When the binding table
is exhausted, DHCP packets are dropped on snooped VLANs, while these packets are forwarded across
non-snooped VLANs. Because DHCP packets are dropped, no new IP address assignments are made.
However, DHCPRELEASE and DHCPDECLINE packets are allowed so that the DHCP snooping table can
decrease in size. After the table usage falls below the maximum limit of 4000 entries, new IP address
assignments are allowed.
NOTE: DHCP server packets are dropped on all not trusted interfaces of a system configured for
DHCP snooping. To prevent these packets from being dropped, configure ip dhcp snooping
trust
on the server-connected port.
338
Dynamic Host Configuration Protocol (DHCP)