06-09-2012 11:09 AM - edited 03-07-2019 07:09 AM
Hi everybody
Below is the excerpt from my book:
For messages received on trusted ports, no validation is performed. For messages received
on untrusted ports, the following steps are taken:
1) DHCP messages with a nonzero relay agent/gateway IP address (also called giaddr
field) or Option 82 data are dropped.
After few pages the book says:
2) DHCP snooping is Option-82 friendly in the sense that it can insert or remove
DHCP relay information (Option-82 field) in forwarded DHCP request messages from
untrusted ports to the DHCP server.
The second paragraph contradicts the first paragraph. According to the second paragraph, a switch can remove Option 82 from a DHCP message received on an untrusted port, while the first paragraph says the switch drops a DHCP message received on an untrusted port if it carries Option 82.
1) So my question is: what exactly does a switch do upon receiving Option 82 in a DHCP message on an untrusted port?
======================================================================
2) Should we always connect our DHCP relay agents to trusted ports? What happens if we connect a DHCP relay agent to an untrusted port? Will the switch put the port in errdisable state upon receiving a DHCP message with the gateway field set to some IP address?
========================================================================
Consider the following:
4) DHCPDISCOVER messages, where the source MAC address does not match the
client Hardware Address field, are dropped. This helps to mitigate the DHCP
exhaustion attack. This check is performed only if the DHCP snooping MAC address
verification option is turned on.
Will the switch also put the port in errdisable state, or does it simply drop the DHCP message?
thanks and have a great weekend.
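The three untrusted-port checks quoted from the book, modelled as a small Python packet validator. This is an added example for illustration, not code from the book or from any switch vendor; the function names, the verdict strings and the sample packets are constructed here, and only the DHCP field layout (RFC 2131 BOOTP header, magic cookie, TLV options) is standard.

```python
import struct

# Constructed model of the untrusted-port checks described in the book excerpt.
# Offsets follow RFC 2131: giaddr at bytes 24-28, chaddr at 28-44, options at 240.
MAGIC = b"\x63\x82\x53\x63"
OPT_RELAY_AGENT = 82          # DHCP relay agent information option (Option 82)


def parse_dhcp(pkt: bytes):
    """Return (giaddr, chaddr, options) from a raw DHCP payload (UDP data)."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    giaddr = pkt[24:28]
    hlen = pkt[2]                       # hardware address length (6 for Ethernet)
    chaddr = pkt[28:28 + hlen]
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                 # end option
            break
        if code == 0:                   # pad option has no length byte
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return giaddr, chaddr, opts


def snoop_untrusted(pkt: bytes, src_mac: bytes, verify_mac: bool = True) -> str:
    """Apply the book's untrusted-port rules; return 'forward' or a drop reason."""
    giaddr, chaddr, opts = parse_dhcp(pkt)
    if giaddr != b"\x00" * 4:           # rule 1: nonzero relay agent address
        return "drop: nonzero giaddr on untrusted port"
    if OPT_RELAY_AGENT in opts:         # rule 1: Option 82 already present
        return "drop: Option 82 present on untrusted port"
    if verify_mac and chaddr != src_mac:  # rule 4: only with MAC verification on
        return "drop: chaddr does not match source MAC"
    return "forward"


def build_discover(chaddr: bytes, giaddr: bytes = b"\x00" * 4, option82: bytes = b"") -> bytes:
    """Constructed DHCPDISCOVER used as sample input (not a real capture)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, len(chaddr), 0, 0x1234, 0, 0x8000,
                      b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, giaddr)
    hdr += chaddr.ljust(16, b"\x00") + b"\x00" * 64 + b"\x00" * 128   # chaddr, sname, file
    opts = b"\x35\x01\x01"              # option 53, message type 1 = DHCPDISCOVER
    if option82:
        opts += bytes([OPT_RELAY_AGENT, len(option82)]) + option82
    return hdr + MAGIC + opts + b"\xff"
```

With MAC verification disabled the chaddr mismatch is forwarded, which is exactly the gap the book says the verification option closes.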
06-09-2012 05:05 PM
Hi Sarah,
If the relay agent inserts Option 82 but does not set the giaddr field in the DHCP packet, the switch drops the packet, and for that to work the DHCP server interface must be configured as a trusted interface by using the ip dhcp relay information trusted global configuration command.
By default, if the gateway address is set to all zeros 0.0.0.0 in the DHCP packet and the relay agent information option is already present in the packet, the DHCP relay agent will discard the packet. You should use the ip dhcp relay information trust-all command to override this behavior and accept the packets.
(Also know that if a switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0, it will drop the packet.)
Or you can configure an individual interface as a trusted source of the DHCP relay information option by using the ip dhcp relay information trusted interface configuration mode command.
Packets failing the DHCP snooping MAC address verification are simply dropped.
Please rate if it helped.
Soroush.
06-09-2012 04:23 PM
Authorized DHCP servers should be configured as trusted ports. A DHCPOFFER packet outbound on an untrusted port is dropped.