Treating All Packets As Originating At Trusted Sources; Assigning The Giaddr To Source Ip Address; Protecting Against Spoofed Giaddr And Relay Agent Option Values - Juniper JUNOSE SOFTWARE 11.0.X - BROADBAND ACCESS CONFIGURATION GUIDE 4-1-2010 Configuration Manual

For e series broadband services routers - broadband access configuration

NOTE: When this feature is configured, the client bypasses the DHCP relay component
and communicates directly with the DHCP server to request address renewal or to
release the address. The DHCP relay component has no role in determining when
or whether to remove the installed host route.

Treating All Packets as Originating at Trusted Sources

By default, the DHCP relay treats all packets destined for DHCP servers as if the
packets originated at an untrusted source; if the packets have a gateway IP address
(giaddr) of 0 and if option 82 information is present, these packets are dropped.
In the trust-all method, the DHCP relay treats the packets as if they are from trusted
sources and forwards the packets to the DHCP server. When you enable this
command:

- If the DHCP packets contain option 82 and a giaddr field of 0, the DHCP relay
  inserts its giaddr into the packets and then forwards the packets.
- If the DHCP relay is configured to add option 82, it does not add an additional
  option 82 if one is already present in the DHCP packets.

To enable the trust-all method on the DHCP relay:
host1(config)#set dhcp relay trust-all

Assigning the Giaddr to Source IP Address

As a security measure, DHCP servers typically use the giaddr included in DHCP
packets to ensure that the packets come from a recognized DHCP gateway. The
servers verify that the giaddr in the DHCP packet matches the source IP address in
the IP packet header. You can use the set dhcp relay assign-giaddr-source-ip
command to specify that the DHCP relay and DHCP relay proxy assign the giaddr
to the source IP packet header of packets they send to DHCP servers. The DHCP
servers can then compare the source IP address in the IP packet header to the
giaddr in the DHCP packets.

To assign the giaddr to the source IP packet header:
host1(config)#set dhcp relay assign-giaddr-source-ip

Protecting Against Spoofed Giaddr and Relay Agent Option Values

DHCP relay includes an override feature that provides enhanced security to protect
against spoofed giaddr and relay agent option (option 82) values in packets destined
for DHCP servers.
DHCP relay can detect spoofed giaddrs when the giaddr value is equal to a local IP
address on which the DHCP relay can be accessed; otherwise, DHCP relay does not
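
The default (untrusted) and trust-all handling of packets with a giaddr of 0 and option 82, together with the server-side giaddr check, can be modeled as below. This is an added example, not code from the manual or from JUNOSe; the function names, the "normal-relay" label for cases this section does not describe, and the sample addresses and circuit ID are assumptions constructed for illustration.

```python
import ipaddress

MAGIC_COOKIE = bytes([99, 130, 83, 99])  # marks start of DHCP options (RFC 2131)
PAD, RELAY_AGENT_INFO, END = 0, 82, 255  # option codes

def parse(payload):
    """Return (giaddr, has_option_82) for a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    giaddr = ipaddress.IPv4Address(payload[24:28])  # giaddr field, bytes 24-27
    i = 240
    while i < len(payload) and payload[i] != END:
        if payload[i] == PAD:  # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        if payload[i] == RELAY_AGENT_INFO:
            return giaddr, True
        i += 2 + payload[i + 1]
    return giaddr, False

def relay_decision(payload, relay_ip, trust_all=False):
    """Model of the relay behaviour described above; returns (action, payload)."""
    giaddr, has_opt82 = parse(payload)
    if int(giaddr) != 0 or not has_opt82:
        return "normal-relay", payload  # case not covered by this section
    if not trust_all:
        return "drop", None  # default: untrusted source, giaddr 0 + option 82
    # trust-all: insert the relay's giaddr, leave the existing option 82 alone
    relay = ipaddress.IPv4Address(relay_ip).packed
    return "forward", payload[:24] + relay + payload[28:]

def server_accepts(ip_source, payload):
    """Server-side check: giaddr must equal the IP header's source address."""
    return parse(payload)[0] == ipaddress.IPv4Address(ip_source)

def sample_packet(giaddr, options):
    """Constructed test input: zeroed BOOTREQUEST header plus raw options."""
    header = bytearray(236)
    header[0] = 1  # op = BOOTREQUEST
    header[24:28] = ipaddress.IPv4Address(giaddr).packed
    return bytes(header) + MAGIC_COOKIE + options + bytes([END])

# Constructed option 82 carrying sub-option 1 (circuit ID) = b"port1"
OPT82 = bytes([RELAY_AGENT_INFO, 7, 1, 5]) + b"port1"
```

With trust-all enabled, option 82 contents supplied by a downstream device reach the DHCP server unchanged, so the setting fits only where that device is itself trusted to insert them.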
Chapter 20: Configuring DHCP Relay
Configuring DHCP Relay and BOOTP Relay


This manual is also suitable for:

Junose 11.0.x
