Reference Guide

256 | Dynamic Host Configuration Protocol (DHCP)
www.dell.com | support.dell.com
The DHCP relay agent inserts Option 82 before forwarding DHCP packets to the server. The server can
use this information to:
• track the number of address requests per relay agent; restricting the number of addresses available
  per relay agent can harden a server against address exhaustion attacks.
• associate client MAC addresses with a relay agent to prevent offering an IP address to a client
  spoofing the same MAC address on a different relay agent.
• assign IP addresses according to the relay agent. This prevents generating DHCP offers in response
  to requests from an unauthorized relay agent.
The server echoes the option back to the relay agent in its response, and the relay agent can use the
information in the option to forward a reply out the interface on which the request was received rather than
flooding it on the entire VLAN.
The relay agent strips Option 82 from DHCP responses before forwarding them to the client.
DHCP Snooping
DHCP Snooping protects the network from DHCP spoofing by rogue servers and spoofed clients. In the
context of DHCP Snooping, every port is either trusted or untrusted; by default, all ports are untrusted.
Trusted ports are ports to which an attacker cannot connect. Manually configure the ports connected to
legitimate servers and relay agents as trusted.
When DHCP Snooping is enabled, the relay agent builds a binding table from DHCPACK messages,
containing the client MAC address, IP address, IP address lease time, port, VLAN ID, and binding type.
Every time the relay agent receives a DHCPACK on a trusted port, it adds an entry to the table.
The relay agent then checks all subsequent client-originated DHCP traffic (DHCPRELEASE and
DHCPDECLINE) against the binding table to ensure that the MAC-IP address pair is legitimate and that
the packet arrived on the correct port; packets that do not pass this check are forwarded to the server for
validation. This check prevents an attacker from spoofing a client and declining or releasing the real
client's address. Server-originated packets (DHCPOFFER, DHCPACK, DHCPNACK) that arrive on an
untrusted port are dropped. This check prevents an attacker from impersonating a DHCP server to
facilitate a man-in-the-middle attack.
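The two mechanisms above, Option 82 handling in the relay agent and the snooping binding check, are easier to reason about with packets in hand. The following is an added illustration written for this page, not Dell's code and not a description of the switch's implementation: it builds constructed DHCP packets (RFC 2131 layout), inserts and strips Option 82 (RFC 3046 circuit-id and remote-id sub-options) the way the relay agent is described to, and runs a small binding table that learns from DHCPACK on trusted ports and rejects DHCPRELEASE/DHCPDECLINE whose MAC-IP pair or ingress port does not match. Port names (Gi0/1, Gi0/7, Te0/48), addresses and the way the client's port is remembered from its earlier REQUEST are assumptions of the example; the page does not say how the switch recovers that port. Packets that fail the binding check are labelled `fail-check` rather than dropped, since the page says they are handed to the server for validation.

```python
"""Option 82 relay handling and a DHCP-snooping binding check. Constructed example: packet
layout per RFC 2131 (236-byte BOOTP header, cookie, TLV options), Option 82 per RFC 3046."""
import struct
from collections import namedtuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 50, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
DHCPOFFER, DHCPREQUEST, DHCPDECLINE, DHCPACK, DHCPNAK, DHCPRELEASE = 2, 3, 4, 5, 6, 7
SERVER_ORIGINATED = {DHCPOFFER, DHCPACK, DHCPNAK}
LEASE_TEARDOWN = {DHCPRELEASE, DHCPDECLINE}    # client messages checked against the binding table
Binding = namedtuple("Binding", "mac ip port vlan")   # one row of the snooping binding table


def build(header, opts):
    """Serialise options as code, length, value and terminate with END."""
    return header + b"".join(bytes([c, len(v)]) + v for c, v in opts.items()) + bytes([OPT_END])


def parse(packet):
    """Split a DHCP packet into (fixed header incl. cookie, {option code: raw value})."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                                    # PAD: one byte, no length
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return packet[:240], opts


def make_packet(msg_type, mac, ciaddr=b"\0" * 4, yiaddr=b"\0" * 4, extra=None):
    """Constructed sample packet; struct pads the 6-byte MAC out to the 16-byte chaddr."""
    op = 2 if msg_type in SERVER_ORIGINATED else 1            # BOOTREPLY / BOOTREQUEST
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x1234, 0, 0,
                         ciaddr, yiaddr, b"\0" * 4, b"\0" * 4, mac, b"\0" * 64, b"\0" * 128)
    return build(header + MAGIC_COOKIE, {OPT_MSG_TYPE: bytes([msg_type]), **(extra or {})})


def relay_upstream(packet, circuit_id, remote_id):
    """Relay agent -> server: insert Option 82 (circuit-id = ingress port, remote-id = relay)."""
    header, opts = parse(packet)
    opts[OPT_RELAY_AGENT] = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
                            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    return build(header, opts)


def relay_downstream(packet):
    """Server reply: read the echoed circuit-id (egress interface), strip Option 82."""
    header, opts = parse(packet)
    subs, raw, i = {}, opts.pop(OPT_RELAY_AGENT, b""), 0
    while i < len(raw):                                       # sub-options are also TLVs
        subs[raw[i]] = raw[i + 2:i + 2 + raw[i + 1]]
        i += 2 + raw[i + 1]
    return subs.get(SUB_CIRCUIT_ID), build(header, opts)


class Snooper:
    """Trusted ports face servers/relays; all others are untrusted. Bindings come from DHCPACK
    on trusted ports; the client's port is taken from its earlier REQUEST (this example's assumption)."""

    def __init__(self, trusted_ports):
        self.trusted, self.bindings, self.pending = set(trusted_ports), {}, {}

    def inspect(self, packet, port, vlan):
        """Return 'forward', 'drop' or 'fail-check' for a packet seen on (port, vlan)."""
        header, opts = parse(packet)
        msg_type, mac = opts[OPT_MSG_TYPE][0], header[28:28 + header[2]]   # chaddr, hlen bytes
        if msg_type in SERVER_ORIGINATED:
            if port not in self.trusted:                      # rogue server on an access port
                return "drop"
            if msg_type == DHCPACK:                           # lease granted: record the binding
                self.bindings[mac] = Binding(mac, header[16:20], *self.pending.pop(mac, (port, vlan)))
            return "forward"
        if msg_type in LEASE_TEARDOWN:
            # RELEASE carries the address in ciaddr, DECLINE in the Requested IP option
            ip = header[12:16] if header[12:16] != b"\0" * 4 else opts.get(OPT_REQUESTED_IP, b"")
            b = self.bindings.get(mac)
            if b is None or b.ip != ip or (b.port, b.vlan) != (port, vlan):
                return "fail-check"                           # page: handed to the server for validation
            return "forward"
        self.pending[mac] = (port, vlan)                      # DISCOVER/REQUEST: note the client's port
        return "forward"


def demo():
    """One legitimate lease, one rogue server, one spoofed RELEASE; returns the verdicts."""
    client, lease_ip = b"\x00\x11\x22\x33\x44\x55", b"\x0a\x00\x00\x2a"      # 10.0.0.42
    snoop, verdicts = Snooper(trusted_ports={"Te0/48"}), []
    req = make_packet(DHCPREQUEST, client, extra={OPT_REQUESTED_IP: lease_ip})
    verdicts.append(snoop.inspect(req, "Gi0/1", 10))                          # client on access port
    upstream = relay_upstream(req, b"Gi0/1", b"sw1")                          # relay adds Option 82
    ack = make_packet(DHCPACK, client, yiaddr=lease_ip,
                      extra={OPT_RELAY_AGENT: parse(upstream)[1][OPT_RELAY_AGENT]})  # server echoes it
    circuit, to_client = relay_downstream(ack)
    verdicts.append(snoop.inspect(to_client, "Te0/48", 10))                   # ACK on trusted port
    verdicts.append(snoop.inspect(make_packet(DHCPOFFER, client, yiaddr=lease_ip), "Gi0/7", 10))
    release = make_packet(DHCPRELEASE, client, ciaddr=lease_ip)
    verdicts.append(snoop.inspect(release, "Gi0/7", 10))                      # same MAC, wrong port
    verdicts.append(snoop.inspect(release, "Gi0/1", 10))                      # real client, right port
    return verdicts, circuit, OPT_RELAY_AGENT in parse(to_client)[1]
```

`demo()` walks the sequence the text describes: the REQUEST on Gi0/1 is forwarded, the relayed ACK on the trusted Te0/48 creates the binding, the OFFER from a rogue server on Gi0/7 is dropped, a RELEASE for the same MAC and IP arriving on Gi0/7 fails the port check, and the same RELEASE from Gi0/1 passes. It also returns the circuit-id the relay read back (b"Gi0/1") and confirms Option 82 is gone from the packet sent to the client.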
Task                                                    Command Syntax                                  Command Mode
Insert Option 82 into DHCP packets. For routers         ip dhcp relay information-option                CONFIGURATION
between the relay agent and the DHCP server, enter      [trust-downstream]
the trust-downstream option.
Configure the system to enable remote-id string in      ip dhcp relay information-option                CONFIGURATION
Option 82.                                              [remote-id]