Configuring Dhcp Option 82 To Help Protect The Switching Devices Against Attacks (Cli Procedure) - Juniper ACX1000 Configuration Manual

ACX Series Universal Access Router Configuration Guide
Configuring DHCP Option 82 to Help Protect the Switching Devices Against Attacks
(CLI Procedure)
396
You can use DHCP option 82, also known as the DHCP relay agent information option,
to help protect the switching device against attacks such as spoofing (forging) of IP
addresses and MAC addresses, and DHCP IP address starvation. Option 82 provides
information about the network location of a DHCP client, and the DHCP server uses this
information to implement IP addresses or other parameters for the client.
You can configure the DHCP option 82 feature in two topologies:
The switching device, DHCP clients, and DHCP server are all on the same bridge domain.
The switching device forwards the clients' requests to the server and forwards the
server's responses to the clients. This topic describes this configuration.
The switching device functions as a relay agent when the DHCP clients or the DHCP
server are connected to the switching device through a Layer 3 interface. On the
switching device, these interfaces are configured as integrated routing and bridging
(IRB) interfaces. The switching device relays the clients' requests to the server and
then forwards the server's responses to the clients.
Before you configure DHCP option 82 on the switching device, perform these tasks:
Connect and configure the DHCP server.
NOTE: Your DHCP server must be configured to accept DHCP option 82.
If the server is not configured for DHCP option 82, the server does not use
the DHCP option 82 information in the requests sent to it when it formulates
its reply messages.
Configure a bridge domain on the switching device and associate the interfaces on
which the clients and the server connect, to the switch with that bridge domain.
To configure DHCP option 82:
Specify DHCP option 82 for the bridge domain that you configured:
1.
[edit bridge-domains bridge-domain-name forwarding-options dhcp-security]
user@device# set option-82
NOTE: If you want to enable DHCP option 82 on all bridge domains, you
must configure it separately for each specific bridge domain.
The remaining steps are optional.
Configure the prefix for the circuit ID suboption to include the hostname or the routing
2.
instance name for the bridge domain:
Copyright © 2017, Juniper Networks, Inc.