Why does DHCP Snooping insert Option 82 at all?

Amil Akhundzada
Level 1

Hi guys,

I'm wondering why DHCP Snooping inserts Option 82 at all?

The only thing that comes to my mind is that DHCP Relay functionality is mutually exclusive with DHCP Snooping on an L3 switch. This is where DHCP Snooping comes in handy if Option 82 is required for some reason in that part of the network.

Thanks!

5 Replies

Hi Amil,

Basically, the DHCP relay agent information is inserted into the DHCP packet so that policies can be applied to the remote host; now, the problem could arise when the remote host uses other fields and the DHCP snooping is checking them.

This link can be useful to understand Option 82.

http://blog.ine.com/2009/07/22/understanding-dhcp-option-82/




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Hi Julio,

I know what Option 82 is. But I can't figure out why the DHCP Snooping feature inserts this option on untrusted ports by default. I think about it over and over, but can't understand the logic behind it. That's why I asked the question here. I hoped there would be a person who could answer it, not just give me a link that explains what Option 82 is.

Hi Amil,

Apologies. By default all the ports are considered untrusted; now, if you want to protect them you should use:

ip dhcp relay information trust all (Global)

ip dhcp relay information trusted (interface)

When you enable the DHCP snooping information option-82 on the switch, this sequence of events occurs:

The host (DHCP client) generates a DHCP request and broadcasts it on the network.

When the switch receives the DHCP request, it adds the option-82 information in the packet. The option-82 information contains the switch MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (the circuit ID suboption).

If IEEE 802.1X port-based authentication is enabled, the switch will also add the host's 802.1X authenticated user identity information (the RADIUS attributes suboption) to the packet. See the "Understanding 802.1X Authentication with DHCP Snooping" section.

If the IP address of the relay agent is configured, the switch adds the IP address in the DHCP packet.

The switch forwards the DHCP request that includes the option-82 field to the DHCP server.

The DHCP server receives the packet. If the server is option-82 capable, it can use the remote ID, or the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. The DHCP server then echoes the option-82 field in the DHCP reply.

The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch. When the client and server are on the same subnet, the server broadcasts the reply. The switch verifies that it originally inserted the option-82 data by inspecting the remote ID and possibly the circuit ID fields. The switch removes the option-82 field and forwards the packet to the switch port that connects to the DHCP client that sent the DHCP request.




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<
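The sequence of events quoted above, carried through in code as an added example (it is not from the thread, from Cisco, or from any vendor implementation): the client builds a DHCPDISCOVER, the switch appends Option 82 on the untrusted port, a policy-aware server caps leases per circuit ID and echoes the option, and the switch checks the echoed remote ID before stripping the option and forwarding the reply to the client port. The switch MAC, client MACs and vlan/module/port values are constructed; the vlan-mod-port circuit-ID layout is assumed to follow Cisco's default encoding, while the suboption codes themselves come from RFC 3046.

```python
"""Option 82 (Relay Agent Information, RFC 3046) through the sequence above.

Added example, not from the thread or from Cisco. The DHCPDISCOVER, the switch
MAC and the VLAN/module/port values are constructed. The vlan-mod-port layout of
the circuit ID is assumed to match Cisco's default encoding; only the RFC 3046
suboption codes (1 = circuit ID, 2 = remote ID) are standard.
"""
import struct

OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_PAD, OPT_END = 53, 82, 0, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HDR_LEN = 236  # fixed BOOTP fields; the magic cookie and options follow


def build_discover(client_mac: bytes, xid: int = 0x1234) -> bytes:
    """Step 1: a minimal DHCPDISCOVER as the client broadcasts it."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 1, OPT_END])


def parse_options(pkt: bytes) -> list:
    """Walk the TLV option area; PAD is skipped and END terminates the walk."""
    if pkt[HDR_LEN:HDR_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = [], HDR_LEN + 4
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:
            i += 1
            continue
        ln = pkt[i + 1]
        opts.append((pkt[i], pkt[i + 2:i + 2 + ln]))
        i += 2 + ln
    return opts


def serialize(header: bytes, opts: list) -> bytes:
    """Header (including the cookie) + TLV options + END."""
    return header + b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])


def circuit_id(vlan: int, module: int, port: int) -> bytes:
    # Assumed Cisco default: type 0, length 4, then VLAN(2) module(1) port(1)
    return bytes([0, 4]) + struct.pack("!HBB", vlan, module, port)


def remote_id(switch_mac: bytes) -> bytes:
    # Assumed Cisco default: type 0, length 6, then the switch base MAC
    return bytes([0, 6]) + switch_mac


def decode_option82(value: bytes) -> dict:
    """Split the option value into its {suboption code: bytes} map."""
    subs, i = {}, 0
    while i < len(value):
        code, ln = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + ln]
        i += 2 + ln
    return subs


def switch_insert(pkt: bytes, switch_mac: bytes, vlan: int, mod: int, port: int) -> bytes:
    """Step 2: a request arriving on an untrusted port gets Option 82 appended.
    A request that already carries Option 82 on an untrusted port is dropped,
    which is the default snooping behaviour the replies above refer to."""
    opts = parse_options(pkt)
    if any(c == OPT_RELAY_AGENT for c, _ in opts):
        raise ValueError("Option 82 present on untrusted port; drop")
    cid, rid = circuit_id(vlan, mod, port), remote_id(switch_mac)
    value = bytes([SUB_CIRCUIT_ID, len(cid)]) + cid + bytes([SUB_REMOTE_ID, len(rid)]) + rid
    return serialize(pkt[:HDR_LEN + 4], opts + [(OPT_RELAY_AGENT, value)])


def server_reply(request: bytes, leases: dict, max_per_circuit: int = 1):
    """Step 6: the server reads the circuit ID, enforces a per-port lease cap
    (a constructed policy) and echoes Option 82 unchanged in the DHCPOFFER."""
    opts = parse_options(request)
    relay = dict(opts).get(OPT_RELAY_AGENT)
    if relay is None:
        raise ValueError("policy requires Option 82")
    cid = decode_option82(relay)[SUB_CIRCUIT_ID]
    if leases.get(cid, 0) >= max_per_circuit:
        return None  # too many addresses behind this circuit ID: no offer
    leases[cid] = leases.get(cid, 0) + 1
    hdr = bytearray(request[:HDR_LEN])
    hdr[0] = 2  # op = BOOTREPLY
    reply_opts = [(OPT_MSG_TYPE, b"\x02")] + [(c, v) for c, v in opts if c != OPT_MSG_TYPE]
    return serialize(bytes(hdr) + MAGIC_COOKIE, reply_opts)


def switch_strip(reply: bytes, switch_mac: bytes) -> bytes:
    """Final step: confirm the echoed remote ID is this switch's own, remove
    Option 82, and return the packet as forwarded to the client port."""
    opts = parse_options(reply)
    relay = dict(opts).get(OPT_RELAY_AGENT)
    if relay is None:
        return reply
    if decode_option82(relay).get(SUB_REMOTE_ID) != remote_id(switch_mac):
        raise ValueError("remote ID is not ours; drop reply")
    return serialize(reply[:HDR_LEN + 4], [(c, v) for c, v in opts if c != OPT_RELAY_AGENT])
```

The server-side cap is the kind of policy the quoted text mentions ("restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID"); the remote-ID check in `switch_strip` is the step where the switch verifies that it was the one that inserted the option before it strips it and forwards the reply.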

Julio,

I really appreciate your efforts to describe to me the process of how it works. However, I would like to hear your reasoning about WHY DHCP Snooping inserts Option 82, not how it works.

A friend of mine asked me the same question, which made me look at him with my mouth open. It made me seek an answer to this question on Google. But I found nothing. This forum is great. There are many pros here. That's why I asked this question here. Hope to hear your considerations.

Amil,
I think Julio already answered you in his last post.
With Option 82, it seems to be a "policy-based DHCP": the DHCP server is able to provide an IP based on the client ID or circuit ID.