Alcatel-Lucent OmniSwitch 6800 Series Network Configuration Manual page 450


OmniSwitch 6800/6850/9000 Network Configuration Guide, March 2008, page 22-20
Configuring DHCP Relay
Configuring DHCP Security Features

Switch-level DHCP Snooping

By default, DHCP Snooping is disabled for the switch. To enable this feature at the switch level, use the ip helper dhcp-snooping command. For example:

-> ip helper dhcp-snooping enable

When DHCP Snooping is enabled at the switch level, all DHCP packets received on all switch ports are screened/filtered by DHCP Snooping. By default, only client DHCP traffic is allowed on the ports, unless the trust mode for a port is configured to block or allow all DHCP traffic. See "Configuring the Port Trust Mode" on page 22-21 for more information.

In addition, the following functionality is also activated by default when switch-level DHCP Snooping is enabled:

• The DHCP Snooping binding table is created and maintained. To configure the status or add a static entry to this table, use the ip helper dhcp-snooping binding command.
• MAC address verification is performed to compare the source MAC address of the DHCP packet with the client hardware address contained in the packet. To configure the status of MAC address verification, use the ip helper dhcp-snooping mac-address verification command.
• Option-82 data is inserted into the packet and then DHCP reply packets are only sent to the port from where the DHCP request originated, instead of flooding these packets to all ports. To configure the status of Option-82 data insertion, use the ip helper dhcp-snooping option-82 data-insertion command.
• The base MAC address of the switch is inserted into the Circuit ID and Remote ID sub-options of the Option-82 field. To configure the type of data (base MAC address, system name, or user-defined) that is inserted into the Option-82 suboptions, use the ip helper dhcp-snooping option-82 format command.

Note the following when disabling DHCP Snooping functionality:

• Disabling Option-82 is not allowed if the binding table is enabled.
• Enabling the binding table is not allowed if Option-82 data insertion is not enabled at either the switch or VLAN level.

VLAN-Level DHCP Snooping

To enable DHCP Snooping at the VLAN level, use the ip helper dhcp-snooping vlan command. For example, the following command enables DHCP Snooping for VLAN 200:

-> ip helper dhcp-snooping vlan 200

When this feature is enabled at the VLAN level, DHCP Snooping functionality is only applied to ports that are associated with a VLAN that has this feature enabled. Up to 64 VLANs can have DHCP Snooping enabled. Note that enabling DHCP Snooping at the switch level is not allowed if it is enabled for one or more VLANs.

By default, when DHCP Snooping is enabled for a specific VLAN, MAC address verification and Option-82 data insertion are also enabled for the VLAN. To disable or enable either of these two features, use the ip helper dhcp-snooping vlan command with either the mac-address verification or option-82 data-insertion parameters. For example:

-> ip helper dhcp-snooping vlan 200 mac-address verification disable
-> ip helper dhcp-snooping vlan 200 option-82 data-insertion disable
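
The two default per-packet checks described above (MAC address verification, then Option-82 insertion with the base MAC in the Circuit ID and Remote ID sub-options) can be modelled at the byte level as follows. This is an added Python sketch, not code from the manual or from the switch firmware; the function names, the sample packet, and the rejection of packets that already carry Option-82 are assumptions of the example.

```python
import struct

MAGIC = bytes([99, 130, 83, 99])        # DHCP magic cookie after the 236-byte BOOTP header
OPT_PAD, OPT_RELAY_INFO, OPT_END = 0, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2    # Option-82 sub-option codes (RFC 3046)

def build_discover(chaddr: bytes) -> bytes:
    """Constructed sample: minimal DHCPDISCOVER with the given client hardware address."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234ABCD, 0, 0,
                      b"", b"", b"", b"", chaddr, b"", b"")
    return hdr + MAGIC + bytes([53, 1, 1, OPT_END])

def options(dhcp: bytes):
    """Yield (code, offset, value) per option, END included; reject malformed input."""
    if len(dhcp) < 240 or dhcp[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    i = 240
    while i < len(dhcp):
        code = dhcp[i]
        if code == OPT_PAD:             # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            yield code, i, b""
            return
        if i + 2 > len(dhcp) or i + 2 + dhcp[i + 1] > len(dhcp):
            raise ValueError("truncated option")
        yield code, i, dhcp[i + 2:i + 2 + dhcp[i + 1]]
        i += 2 + dhcp[i + 1]
    raise ValueError("missing END option")

def mac_verified(eth_src: bytes, dhcp: bytes) -> bool:
    """MAC address verification: frame source MAC must equal chaddr (offset 28)."""
    if len(dhcp) < 44 or dhcp[2] != 6 or len(eth_src) != 6:
        return False
    return dhcp[28:34] == eth_src

def insert_option82(dhcp: bytes, base_mac: bytes) -> bytes:
    """Insert Option-82 carrying the base MAC as both Circuit ID and Remote ID."""
    opts = list(options(dhcp))
    if any(code == OPT_RELAY_INFO for code, _, _ in opts):
        raise ValueError("Option-82 already present")  # assumption of this sketch
    end = opts[-1][1]                   # offset of END; the new option goes before it
    sub = b"".join(bytes([s, len(base_mac)]) + base_mac
                   for s in (SUB_CIRCUIT_ID, SUB_REMOTE_ID))
    return dhcp[:end] + bytes([OPT_RELAY_INFO, len(sub)]) + sub + dhcp[end:]

def snoop(eth_src: bytes, dhcp: bytes, base_mac: bytes):
    """Client-port path: drop (None) on MAC mismatch, otherwise tag with Option-82."""
    return insert_option82(dhcp, base_mac) if mac_verified(eth_src, dhcp) else None
```

With both features enabled, a DISCOVER whose frame source MAC differs from its chaddr is dropped before tagging, and an accepted packet grows by 18 bytes (2-byte option header plus two 8-byte sub-options).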


This manual is also suitable for:

OmniSwitch 6850 series, OmniSwitch 9000 series
