General Security Measures
DHCP Snooping Information Option Configuration
DHCP provides a relay mechanism for sending information about the switch and its
DHCP clients to the DHCP server. Known as DHCP Option 82, it allows compatible
DHCP servers to use the information when assigning IP addresses, or to set other
services or policies for clients. It also helps defend the DHCP service against attacks
from attached clients, such as IP spoofing, client identifier spoofing, MAC address
spoofing, and address exhaustion.
Command Usage
• DHCP Snooping (see page 3-105) must be enabled for Option 82 information to be
inserted into request packets.
• When Option 82 is enabled, the requesting client (or an intermediate relay agent
that has used the information fields to describe itself) can be identified in the DHCP
request packets forwarded by the switch and in reply packets sent back from the
DHCP server.
• When the DHCP Snooping Information Option is enabled, clients can be identified
by the switch port to which they are connected rather than just their MAC address.
DHCP client-server exchange messages are then forwarded directly between the
server and client without having to flood them to the entire VLAN.
• If Option 82 is enabled on the switch, information about the switch itself may be
included in any relayed request packet.
• In some cases, the switch may receive DHCP packets from a client that already
include DHCP Option 82 information. The switch can be configured with an action
policy for these packets: it can drop them, keep the existing information, or replace
it with the switch’s own relay information.
Command Attributes
• DHCP Snooping Information Option Status – Enables or disables DHCP Option 82
information relay. (Default: Disabled)
• DHCP Snooping Information Option Policy – Specifies how to handle DHCP client
request packets which already contain Option 82 information.
- Drop – Drops the client’s request packet instead of relaying it.
- Keep – Retains the Option 82 information in the client request, and forwards the
packets to trusted ports.
- Replace – Replaces the Option 82 information in the client’s request with
information about the relay agent itself, inserts the relay agent’s address (when
DHCP snooping is enabled), and forwards the packets to trusted ports. (This is
the default policy.)
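As an added example (not from the manual or the DG-GS1550 firmware), the following Python models the relay-agent behaviour described above: a switch inserts Option 82 (RFC 3046; sub-option 1 circuit-id, sub-option 2 remote-id) into a client request, and applies the Drop / Keep / Replace policy when the request already carries one. The circuit-id and remote-id encodings and the sample packet are constructed, and message type 53 is included only to make the options field realistic.

```python
RELAY_AGENT_INFO = 82          # DHCP option code (RFC 3046)
CIRCUIT_ID, REMOTE_ID = 1, 2   # Option 82 sub-option codes
END, PAD = 255, 0

def parse_options(opts: bytes) -> list[tuple[int, bytes]]:
    """Split a DHCP options field (after the magic cookie) into (code, value) pairs."""
    items, i = [], 0
    while i < len(opts) and opts[i] != END:
        if opts[i] == PAD:
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        items.append((code, opts[i + 2:i + 2 + length]))
        i += 2 + length
    return items

def build_options(items) -> bytes:
    """Serialize (code, value) pairs back into an options field terminated by End."""
    return b"".join(bytes([code, len(value)]) + value for code, value in items) + bytes([END])

def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Relay Agent Information: sub-option 1 (circuit-id) and sub-option 2 (remote-id)."""
    return (bytes([CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([REMOTE_ID, len(remote_id)]) + remote_id)

def relay_client_request(opts: bytes, policy: str, circuit_id: bytes, remote_id: bytes):
    """Return the options the switch forwards to trusted ports, or None if the packet is dropped."""
    items = parse_options(opts)
    own_82 = (RELAY_AGENT_INFO, build_option82(circuit_id, remote_id))
    if not any(code == RELAY_AGENT_INFO for code, _ in items):
        items.append(own_82)            # no Option 82 yet: always insert the switch's own
    elif policy == "drop":
        return None                     # Drop: do not relay a request carrying foreign Option 82
    elif policy == "replace":           # Replace (default): overwrite with the relay agent's data
        items = [(c, v) for c, v in items if c != RELAY_AGENT_INFO] + [own_82]
    elif policy != "keep":              # Keep: forward the client's Option 82 untouched
        raise ValueError(f"unknown policy {policy!r}")
    return build_options(items)

# Constructed sample data (not from the manual): a DHCPDISCOVER (option 53 = 1) that
# already carries a client-supplied Option 82, plus the switch's own identifiers.
CLIENT_OPTS = build_options([(53, b"\x01"), (RELAY_AGENT_INFO, build_option82(b"port99", b"other"))])
SWITCH_CIRCUIT_ID = bytes.fromhex("00010005")      # constructed: VLAN 1, port 5 (encoding is vendor-specific)
SWITCH_REMOTE_ID = bytes.fromhex("001122334455")   # constructed: switch MAC address

if __name__ == "__main__":
    for policy in ("drop", "keep", "replace"):
        out = relay_client_request(CLIENT_OPTS, policy, SWITCH_CIRCUIT_ID, SWITCH_REMOTE_ID)
        print(policy, "-> dropped" if out is None else f"-> Option 82 = {dict(parse_options(out))[82].hex()}")
```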