Concept Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S4048T-ON

331

332

333

334

335

336

337

338

339

340

• track the number of address requests per relay agent. Restricting the number of addresses available per relay agent can harden a

server against address exhaustion attacks.

• associate client MAC addresses with a relay agent to prevent oering an IP address to a client spoong the same MAC address on a

dierent relay agent.

• assign IP addresses according to the relay agent. This prevents generating DHCP oers in response to requests from an unauthorized

relay agent.

The server echoes the option back to the relay agent in its response, and the relay agent can use the information in the option to forward a

reply out the interface on which the request was received rather than ooding it on the entire VLAN.

The relay agent strips Option 82 from DHCP responses before forwarding them to the client.

By default, Option 82 is not inserted in DHCP packets.

To insert Option 82 into DHCP packets, follow this step.

• Insert Option 82 into DHCP packets.

CONFIGURATION mode

ip dhcp relay information-option [trust-downstream]

For routers between the relay agent and the DHCP server, enter the trust-downstream option.

• Manually reset the remote ID for Option 82.

CONFIGURATION mode

ip dhcp relay information-option remote-id

DHCPv6 relay agent options

By default, the DHCPv6 relay agent inserts Options 18 and 37 before forwarding DHCPv6 packets to the server.

Interface ID (Option

18)

This is the interface on which the client-originated message is received.

Default format: The default format of this option is VLAN ID:LAG ID:slot ID:port ID.

Remote ID (Option

37)

This identies the host from which the message is received.

Default values: The default value of this option is the MAC address of the relay agent that adds Option 37.

DHCP Snooping

DHCP snooping is a feature that protects networks from spoong. It acts as a rewall between the DHCP server and DHCP clients.

DHCP snooping places the ports either in trusted or non-trusted mode. By default, all ports are set to the non-trusted mode. An attacker

can not connect to the DHCP server through trusted ports. While conguring DHCP snooping, manually congure ports connected to

legitimate servers and relay agents as trusted ports.

When you enable DHCP snooping, the relay agent builds a binding table — using DHCPACK messages — containing the client MAC

address, IP addresses, IP address lease time, port, VLAN ID, and binding type. Every time the relay agent receives a DHCPACK on a trusted

port, it adds an entry to the table.

The relay agent checks all subsequent DHCP client-originated IP trac (DHCPRELEASE, DHCPNACK, and DHCPDECLINE) against the

binding table to ensure that the MAC-IP address pair is legitimate and that the packet arrived on the correct port. Packets that do not pass

this check are forwarded to the server for validation. This checkpoint prevents an attacker from spoong a client and declining or releasing

Dynamic Host

Conguration Protocol (DHCP) 335