Packet Validation; Dhcp Snooping Option-82 Data Insertion - Cisco 7604 Configuration Manual

Ios software configuration guide
Chapter 37
Configuring DHCP Snooping
The DHCP snooping feature updates the database when the switch receives specific DHCP messages.
For example, the feature adds an entry to the database when the switch receives a DHCPACK message
from the server. The feature removes the entry in the database when the IP address lease expires or the
switch receives a DHCPRELEASE message from the host.
Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP
address, the lease time, the binding type, and the VLAN number and interface information associated
with the host.

Packet Validation

The router validates DHCP packets received on the untrusted interfaces of VLANs with DHCP snooping enabled. The switch forwards the DHCP packet unless any of the following conditions occur (in which case the packet is dropped):

• The router receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet) from a DHCP server outside the network or firewall.
• The router receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.
• The router receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
• The router receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0.

In releases earlier than Release 12.2(18)SXF1, the router drops DHCP packets that include option-82 information that are received on untrusted ports. With Release 12.2(18)SXF1 and later releases, to support trusted edge routers that are connected to untrusted aggregation-router ports, you can enable the DHCP option-82 on untrusted port feature, which enables untrusted aggregation-router ports to accept DHCP packets that include option-82 information. Configure the port on the edge router that connects to the aggregation switch as a trusted port.

Note: With the DHCP option-82 on untrusted port feature enabled, use dynamic ARP inspection on the aggregation router to protect untrusted input interfaces.

DHCP Snooping Option-82 Data Insertion

In residential, metropolitan Ethernet-access environments, DHCP can centrally manage the IP address assignments for a large number of subscribers. When the DHCP snooping option-82 feature is enabled on the router, a subscriber device is identified by the router port through which it connects to the network (in addition to its MAC address). Multiple hosts on the subscriber LAN can be connected to the same port on the access router and are uniquely identified.

Figure 37-1 is an example of a metropolitan Ethernet network in which a centralized DHCP server assigns IP addresses to subscribers connected to the router at the access layer. Because the DHCP clients and their associated DHCP server do not reside on the same IP network or subnet, a DHCP relay agent is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server.

Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
OL-4266-08
Understanding DHCP Snooping 37-3
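The packet-validation rules above, and the option-82 on untrusted port behaviour, modelled as an added example (this is not Cisco's code; the packet fields, interface names, binding table and MAC addresses are constructed assumptions) so a defender can see which condition causes a given DHCP packet to be dropped on an untrusted interface:

```python
# Added example: a model of the DHCP snooping packet-validation rules from this
# section. Packet and SnoopingConfig are constructed stand-ins, not IOS structures.
from dataclasses import dataclass, field
from typing import Optional

# Messages that only a DHCP server should send; dropped on untrusted ports.
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}

@dataclass
class Packet:
    msg_type: str            # e.g. DHCPDISCOVER, DHCPACK, DHCPRELEASE
    src_mac: str             # Ethernet source MAC address
    chaddr: str              # DHCP client hardware address field
    ingress_if: str          # interface the packet arrived on
    giaddr: str = "0.0.0.0"  # relay agent IP address
    has_option82: bool = False

@dataclass
class SnoopingConfig:
    trusted_ifs: set                       # interfaces configured as trusted
    mac_verify: bool = True                # MAC address verification option
    option82_on_untrusted: bool = False    # the 12.2(18)SXF1+ feature
    # constructed binding table: client MAC -> interface recorded at DHCPACK time
    bindings: dict = field(default_factory=dict)

def validate(pkt: Packet, cfg: SnoopingConfig) -> Optional[str]:
    """Return None to forward the packet, or the reason it is dropped."""
    if pkt.ingress_if in cfg.trusted_ifs:
        return None  # only untrusted interfaces are validated
    if pkt.msg_type in SERVER_MSGS:
        return "server message on untrusted interface"
    if cfg.mac_verify and pkt.src_mac.lower() != pkt.chaddr.lower():
        return "source MAC does not match client hardware address"
    if pkt.msg_type in ("DHCPRELEASE", "DHCPDECLINE"):
        bound_if = cfg.bindings.get(pkt.chaddr.lower())
        if bound_if is not None and bound_if != pkt.ingress_if:
            return "release/decline from interface other than binding"
    if pkt.giaddr != "0.0.0.0":
        return "relay agent IP address is set"
    if pkt.has_option82 and not cfg.option82_on_untrusted:
        return "option-82 present on untrusted port"
    return None

if __name__ == "__main__":
    cfg = SnoopingConfig(trusted_ifs={"Gi1/1"},
                         bindings={"aa:bb:cc:dd:ee:01": "Gi1/5"})
    release = Packet("DHCPRELEASE", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:01", "Gi1/6")
    print(validate(release, cfg))  # dropped: binding says Gi1/5
```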
