06-16-2012 09:16 PM - edited 03-07-2019 07:17 AM
Hi everybody.
I was reading a very interesting series on dhcp snooping at:
Little Background:
R4 is dhcp relay agent connected to catsw3 as shown below;
R4--untrusted--Catsw3------trusted----R5(dhcp server)
When cat sw3 receives a dhcp message with giaddr field set to ip, it drops the message. R4 is just setting the giaddr field; it is not inserting any option 82.
The author mentions a possible solution by using the command :
"no ip dhcp snooping verify no-relay-agent-address",
My question: what does this command do? The author mentions it disables the verification of option 82. But again, what do we mean by disabling the verification of option 82? Does a switch, upon receiving a dhcp message on its untrusted port with giaddr field set to some ip, perform some kind of verification of option 82?
===============================================
Does a switch configured with dhcp snooping, check the src mac address against the client mac in dhcp message received on its untrusted port?
Thanks and have a great weekend.
06-16-2012 11:53 PM
Hi Sarah,
Here is a good doc on the use of option 82:
The DHCP Address Allocation Using Option 82 feature provides the Cisco IOS Dynamic Host Configuration Protocol (DHCP) server the ability to allocate dynamic IP addresses based on the relay information option (option 82) information sent by the relay agent.
Automatic DHCP address allocation is typically based on an IP address, whether it be the gateway address (giaddr field of the DHCP packet) or the incoming interface IP address. In some networks, it is necessary to use additional information to further determine which IP addresses to allocate. By using option 82, the Cisco IOS relay agent has long been able to include additional information about itself when forwarding client-originated DHCP packets to a DHCP server. The DHCP Address Allocation Using Option 82 feature now allows the Cisco IOS DHCP server to also use option 82 as a means to provide additional information to properly allocate IP addresses to DHCP clients.
link:
also:
no ip dhcp snooping verify
this command is actually
ip dhcp snooping verify mac-address
which enables the MAC address verification:
link:
HTH
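An added example, not part of the original thread and not Cisco's implementation: a small Python model of the two untrusted-port checks discussed above (a non-zero giaddr, and the Ethernet source MAC compared with chaddr). The function names, verdict strings, MAC addresses and the 10.0.4.1 relay address are assumptions constructed for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_LEN = 236  # BOOTP header: op .. file (RFC 2131)

def parse_dhcp(payload):
    """Return (giaddr, chaddr, option codes) from a raw DHCP payload."""
    if len(payload) < FIXED_LEN + 4 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = min(payload[2], 16)
    giaddr = ipaddress.IPv4Address(payload[24:28])
    chaddr = payload[28:28 + hlen]
    codes, i = set(), 240
    while i < len(payload) and payload[i] != 255:   # 255 = End
        if payload[i] == 0:                         # 0 = Pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        codes.add(payload[i])
        i += 2 + payload[i + 1]
    return giaddr, chaddr, codes

def snoop_verdict(src_mac, payload, trusted=False,
                  verify_mac=True, verify_no_relay=True):
    """List the reasons this model would drop the frame (empty = forward)."""
    if trusted:
        return []                       # trusted ports are not checked
    giaddr, chaddr, _ = parse_dhcp(payload)
    reasons = []
    if verify_no_relay and int(giaddr) != 0:
        reasons.append("giaddr-set")    # relay agent address is non-zero
    if verify_mac and src_mac != chaddr:
        reasons.append("mac-mismatch")  # Ethernet source MAC != chaddr
    return reasons

def build_discover(chaddr, giaddr="0.0.0.0", extra_options=b""):
    """Constructed sample DHCPDISCOVER (not captured traffic)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, len(chaddr), 0,
                        0x1234, 0, 0, bytes(4), bytes(4), bytes(4),
                        ipaddress.IPv4Address(giaddr).packed,
                        chaddr, bytes(64), bytes(128))
    return fixed + MAGIC_COOKIE + b"\x35\x01\x01" + extra_options + b"\xff"

CLIENT = bytes.fromhex("001122334455")   # constructed client MAC
RELAY = bytes.fromhex("00aabbccddee")    # constructed relay (R4) MAC
if __name__ == "__main__":
    print(snoop_verdict(CLIENT, build_discover(CLIENT)))
    print(snoop_verdict(RELAY, build_discover(CLIENT, "10.0.4.1")))
```

In this model a relayed DISCOVER arriving on an untrusted port fails both checks, because the frame carries the relay's source MAC while chaddr still holds the client's.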