Chapter 8
| General Security Measures
DHCP Snooping
– 273 –
â—† When the DHCP Snooping Information Option is enabled, clients can be
identified by the switch port to which they are connected rather than just their
MAC address. DHCP client-server exchange messages are then forwarded
directly between the server and client without having to flood them to the
entire VLAN.
â—† DHCP snooping must be enabled for the DHCP Option 82 information to be
inserted into packets. When enabled, the switch will only add/remove option
82 information in incoming DCHP packets but not relay them. Packets are
processed as follows:
â–
If an incoming packet is a DHCP request packet with option 82 information,
it will modify the option 82 information according to settings specified with
ip dhcp snooping information policy command.
â–
If an incoming packet is a DHCP request packet without option 82
information, enabling the DHCP snooping information option will add
option 82 information to the packet.
â–
If an incoming packet is a DHCP reply packet with option 82 information,
enabling the DHCP snooping information option will remove option 82
information from the packet.
â—† DHCP Snooping Information Option 82 and DHCP Relay Information Option 82
(see page 639) cannot both be enabled at the same time.
Example
This example enables the DHCP Snooping Information Option.
Console(config)#ip dhcp snooping information option
Console(config)#
ip dhcp snooping
information policy
This command sets the DHCP snooping information option policy for DHCP client
packets that include Option 82 information.
Syntax
ip dhcp snooping information policy {drop | keep | replace}
drop - Drops the client’s request packet instead of relaying it.
keep - Retains the Option 82 information in the client request, and
forwards the packets to trusted ports.
replace - Replaces the Option 82 information circuit-id and remote-id fields
in the client’s request with information about the relay agent itself, inserts
the relay agent’s address (when DHCP snooping is enabled), and forwards
the packets to trusted ports.
Default Setting
replace
To Next Page
Loading...
Need help?
General
