Option 82, DHCP relay agent on untrusted port

sarahr202
Level 5

Hi everybody

Below is the excerpt from my book:

For messages received on trusted ports, no validation is performed. For messages received on untrusted ports, the following steps are taken:

1) DHCP messages with a nonzero relay agent/gateway IP address (also called giaddr field) or Option 82 data are dropped.

A few pages later, the book says:

2) DHCP snooping is Option-82 friendly in the sense that it can insert or remove DHCP relay information (Option-82 field) in forwarded DHCP request messages from untrusted ports to the DHCP server.

The second paragraph contradicts the first. According to the second paragraph, a switch can remove Option 82 from a DHCP message received on an untrusted port, while the first paragraph says the switch drops a DHCP message received on an untrusted port if it carries Option 82.

1) So my question is: what exactly does a switch do upon receiving Option 82 in a DHCP message on an untrusted port?

======================================================================

2) Should we always connect our DHCP relay agents to trusted ports? What happens if we connect a DHCP relay agent to an untrusted port? Will the switch put the port in errdisable state upon receiving a DHCP message with the gateway field set to some IP address?

========================================================================

Consider the following:

4) DHCPDISCOVER messages, where the source MAC address does not match the client Hardware Address field, are dropped. This helps to mitigate the DHCP exhaustion attack. This check is performed only if the DHCP snooping MAC address verification option is turned on.

Will the switch also put the port in errdisable state, or does it simply drop the DHCP message?

Thanks, and have a great weekend.
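As an added example (not from the original post, the book, or Cisco), the untrusted-port checks quoted above modelled in Python: a minimal BOOTP/DHCP parser plus a verdict function that applies the giaddr, Option 82 and MAC-verification rules. The packet builder, the `trusted_port`/`mac_verify` flags and the sample packets are constructed for illustration.

```python
# Added example: DHCP snooping validation for a message received on a port.
# Header offsets follow RFC 2131 (giaddr at 24, chaddr at 28, options after
# the magic cookie at 236). Policy flags and sample packets are constructed here.
MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
DISCOVER = 1

def parse_dhcp(pkt):
    """Return (giaddr, chaddr, options dict) from a raw BOOTP/DHCP payload."""
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    hlen = pkt[2]                       # hardware address length (6 for Ethernet)
    giaddr = pkt[24:28]                 # relay agent / gateway IP address field
    chaddr = pkt[28:28 + hlen]          # client hardware address field
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return giaddr, chaddr, opts

def snooping_verdict(pkt, src_mac, trusted_port, mac_verify=True):
    """Return 'forward' or 'drop: <reason>' for a DHCP message seen on a port."""
    if trusted_port:
        return "forward"                # no validation on trusted ports
    giaddr, chaddr, opts = parse_dhcp(pkt)
    msg_type = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    if giaddr != b"\x00\x00\x00\x00":
        return "drop: nonzero giaddr on untrusted port"
    if OPT_RELAY_AGENT in opts:
        return "drop: option 82 on untrusted port"
    # MAC address verification: frame source MAC must equal chaddr
    if mac_verify and msg_type == DISCOVER and src_mac != chaddr:
        return "drop: source MAC does not match chaddr"
    return "forward"

def build_dhcp(msg_type, chaddr, giaddr=b"\x00" * 4, extra=b""):
    """Constructed minimal DHCP payload (op/htype/hlen/hops ... file) for tests."""
    hdr = bytes([1, 1, 6, 0]) + b"\x00" * 20 + giaddr
    hdr += chaddr.ljust(16, b"\x00") + b"\x00" * 192
    return hdr + MAGIC + bytes([OPT_MSG_TYPE, 1, msg_type]) + extra + bytes([OPT_END])

if __name__ == "__main__":
    mac = b"\x00\x11\x22\x33\x44\x55"                       # constructed client MAC
    opt82 = bytes([OPT_RELAY_AGENT, 4, 1, 2, 0, 1])           # circuit-id sub-option
    print(snooping_verdict(build_dhcp(DISCOVER, mac), mac, trusted_port=False))
    print(snooping_verdict(build_dhcp(DISCOVER, mac, extra=opt82), mac, False))
```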

Accepted Solution

smehrnia
Level 7

Hi Sarah,

If the relay agent inserts Option 82 but does not set the giaddr field in the DHCP packet, the switch drops the packet, and for that to work the DHCP server interface must be configured as a trusted interface by using the ip dhcp relay information trusted global configuration command.

By default, if the gateway address is set to all zeros (0.0.0.0) in the DHCP packet and the relay agent information option is already present in the packet, the DHCP relay agent will discard the packet. You should use the ip dhcp relay information trust-all command to override this behavior and accept the packets.

(Also know that if a switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0, it will drop the packet.)

Or you can configure an individual interface as a trusted source of the DHCP relay information option by using the ip dhcp relay information trusted interface configuration mode command.

Packets failing the DHCP snooping MAC address verification are simply dropped.

Please rate if it helped.

Hope it helps!

Soroush.


2 Replies

Jeff Van Houten
Level 5

Authorized DHCP servers should be configured as trusted ports. A DHCPOFFER packet outbound on an untrusted port is dropped.

