Dhcp Snooping - Dell C9000 Series Networking Configuration Manual

The server echoes the option back to the relay agent in its response, and the relay agent can use the
information in the option to forward a reply out the interface on which the request was received rather than
flooding it on the entire VLAN.
The relay agent strips Option 82 from DHCP responses before forwarding them to the client.
To insert Option 82 into DHCP packets, follow this step.
• Insert Option 82 into DHCP packets.
CONFIGURATION mode
ip dhcp relay information-option [trust-downstream]
For routers between the relay agent and the DHCP server, enter the trust-downstream option.

DHCP Snooping

DHCP snooping protects networks from spoofing. In the context of DHCP snooping, ports are either trusted
or not trusted.
By default, all ports are not trusted. Trusted ports are ports through which attackers cannot connect. Manually
configure ports connected to legitimate servers and relay agents as trusted.
When you enable DHCP snooping, the relay agent builds a binding table — using DHCPACK messages —
containing the client MAC address, IP addresses, IP address lease time, port, VLAN ID, and binding type. Every
time the relay agent receives a DHCPACK on a trusted port, it adds an entry to the table.
The relay agent checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE, DHCPNACK, and
DHCPDECLINE) against the binding table to ensure that the MAC-IP address pair is legitimate and that the
packet arrived on the correct port. Packets that do not pass this check are forwarded to the server for
validation. This checkpoint prevents an attacker from spoofing a client and declining or releasing the real
client's address. Server-originated packets (DHCPOFFER, DHCPACK, and DHCPNACK) that arrive on a not
trusted port are also dropped. This checkpoint prevents an attacker from acting as an imposter as a DHCP
server to facilitate a man-in-the-middle attack.
Binding table entries are deleted when a lease expires, or the relay agent encounters a DHCPRELEASE,
DHCPNACK, or DHCPDECLINE.
DHCP snooping is supported on Layer 2 and Layer 3 VLANs. DHCP snooping on Layer 3 interfaces depends
on the configured DHCP relay agent (ip helper-address). DHCP snooping on Layer 2 interfaces does not
require a relay agent.
When DHCP snooping VLAN interface is deleted or the operation is down, the corresponding learned entries
are also removed from the snooping table.
NOTE: DHCP server packets are dropped on all not trusted interfaces of a system configured for DHCP
snooping. To prevent these packets from being dropped, configure ip dhcp snooping trust on the
server-connected port.
NOTE: DHCP snooping is supported in a VLT environment.
Dynamic Host Configuration Protocol (DHCP) 404