C
HAPTER
24
| General Security Measures
DHCPv4 Snooping
– 895 –
â—† When the DHCP Snooping Information Option is enabled, clients can be
identified by the switch port to which they are connected rather than
just their MAC address. DHCP client-server exchange messages are
then forwarded directly between the server and client without having to
flood them to the entire VLAN.
â—† DHCP snooping must be enabled for the DHCP Option 82 information to
be inserted into packets. When enabled, the switch will only add/
remove option 82 information in incoming DCHP packets but not relay
them. Packets are processed as follows:
â–
If an incoming packet is a DHCP request packet with option 82
information, it will modify the option 82 information according to
settings specified with ip dhcp snooping information policy
command.
â–
If an incoming packet is a DHCP request packet without option 82
information, enabling the DHCP snooping information option will
add option 82 information to the packet.
â–
If an incoming packet is a DHCP reply packet with option 82
information, enabling the DHCP snooping information option will
remove option 82 information from the packet.
â—† DHCP Snooping Information Option 82 and DHCP Relay Information
Option 82 (see page 1381) cannot both be enabled at the same time.
EXAMPLE
This example enables the DHCP Snooping Information Option.
Console(config)#ip dhcp snooping information option
Console(config)#
ip dhcp snooping
information policy
This command sets the DHCP snooping information option policy for DHCP
client packets that include Option 82 information.
SYNTAX
ip dhcp snooping information policy {drop | keep | replace}
drop - Drops the client’s request packet instead of relaying it.
keep - Retains the Option 82 information in the client request, and
forwards the packets to trusted ports.
replace - Replaces the Option 82 information circuit-id and
remote-id fields in the client’s request with information about the
relay agent itself, inserts the relay agent’s address (when DHCP
snooping is enabled), and forwards the packets to trusted ports.
DEFAULT SETTING
replace
To Next Page
Loading...
Need help?
General
