NOTE:
When this feature is configured, the client bypasses the DHCP relay component
and communicates directly with the DHCP server to request address renewal or to
release the address. The DHCP relay component has no role in determining when
or whether to remove the installed host route.
Treating All Packets as Originating at Trusted Sources
By default, the DHCP relay treats all packets destined for DHCP servers as if the
packets originated at an untrusted source; if the packets have a gateway IP address
(giaddr) of 0 and if option 82 information is present, these packets are dropped.
■ To enable the trust-all method on the DHCP relay:
host1(config)#set dhcp relay trust-all
In the trust-all method, the DHCP relay treats the packets as if they are from trusted
sources and forwards the packets to the DHCP server. When you enable this
command:
■ If the DHCP packets contain option 82 and a giaddr field of 0, the DHCP relay
inserts its giaddr into the packets and then forwards the packets.
■ If the DHCP relay is configured to add option 82, it does not add an additional
option 82 if one is already present in the DHCP packets.
Assigning the Giaddr to Source IP Address
As a security measure, DHCP servers typically use the giaddr included in DHCP
packets to ensure that the packets come from a recognized DHCP gateway. The
servers verify that the giaddr in the DHCP packet matches the source IP address in
the IP packet header. You can use the set dhcp relay assign-giaddr-source-ip
command to specify that the DHCP relay and DHCP relay proxy use the giaddr as
the source IP address in the IP header of packets they send to DHCP servers. The
DHCP servers can then compare the source address in the IP packet header to the
giaddr in the DHCP packets.
■ To assign the giaddr to the source IP packet header:
host1(config)#set dhcp relay assign-giaddr-source-ip
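Added example (not from the guide or from JUNOSe): a Python model of the relay forwarding rules in the trust-all section and of the server-side giaddr check in the section above. The function names, the 192.0.2.1 relay address and the sample packets are constructed for illustration; inserting the giaddr whenever it is 0 and leaving a nonzero giaddr unchanged is assumed standard relay behavior.

```python
import socket

COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie before the options
PAD, END, RELAY_AGENT_INFO = 0, 255, 82

def parse(pkt):
    """Return (giaddr, options, offset of the END option) for a DHCP payload."""
    if len(pkt) < 240 or pkt[236:240] != COOKIE:
        raise ValueError("not a DHCP packet")
    giaddr, opts, i = socket.inet_ntoa(pkt[24:28]), {}, 240
    while i < len(pkt) and pkt[i] != END:
        if pkt[i] == PAD:
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    return giaddr, opts, i

def relay_forward(pkt, relay_ip, trust_all=False, option82=None):
    """Return the packet the relay sends to the server, or None if dropped."""
    giaddr, opts, end = parse(pkt)
    has_82 = RELAY_AGENT_INFO in opts
    if giaddr == "0.0.0.0" and has_82 and not trust_all:
        return None                       # default: treated as untrusted
    out = bytearray(pkt)
    if option82 is not None and not has_82:   # never add a second option 82
        out[end:end] = bytes([RELAY_AGENT_INFO, len(option82)]) + option82
    if giaddr == "0.0.0.0":
        out[24:28] = socket.inet_aton(relay_ip)   # relay inserts its giaddr
    return bytes(out)

def server_accepts(src_ip, pkt):
    """Server-side check: giaddr must equal the IP header source address."""
    return parse(pkt)[0] == src_ip

def build(giaddr, extra=b""):
    """Constructed sample: minimal DHCPDISCOVER with the given giaddr."""
    hdr = bytearray(236)
    hdr[0:4] = b"\x01\x01\x06\x00"        # op, htype, hlen, hops
    hdr[24:28] = socket.inet_aton(giaddr)
    return bytes(hdr) + COOKIE + b"\x35\x01\x01" + extra + b"\xff"

CLIENT_82 = b"\x52\x05\x01\x03abc"        # option 82 already set downstream
```

With trust_all left at its default, a packet built with CLIENT_82 and a giaddr of 0 is dropped; with trust_all=True the same packet is forwarded with the relay's giaddr and its original option 82 intact.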
Protecting Against Spoofed Giaddr and Relay Agent Option Values
DHCP relay includes an override feature that provides enhanced security to protect
against spoofed giaddr and relay agent option (option 82) values in packets destined
for DHCP servers.
DHCP relay can detect spoofed giaddrs when the giaddr value is equal to a local IP
address on which the DHCP relay can be accessed; otherwise, DHCP relay does not
Chapter 20: Configuring DHCP Relay