Dell Force10 S55T S55 Configuration Guide FTOS 8.3.5.3 - Page 244
www.dell.com | support.dell.com

The DHCP relay agent inserts Option 82 before forwarding DHCP packets to the server. The server can use this information to:

• track the number of address requests per relay agent; restricting the number of addresses available per relay agent can harden a server against address exhaustion attacks.
• associate client MAC addresses with a relay agent to prevent offering an IP address to a client spoofing the same MAC address on a different relay agent.
• assign IP addresses according to the relay agent. This prevents generating DHCP offers in response to requests from an unauthorized relay agent.

The server echoes the option back to the relay agent in its response, and the relay agent can use the information in the option to forward a reply out the interface on which the request was received rather than flooding it on the entire VLAN. The relay agent strips Option 82 from DHCP responses before forwarding them to the client.

| Task | Command Syntax | Command Mode |
|---|---|---|
| All platforms: Enable Option 82. Remote ID is the MAC of the switch. | ip dhcp relay information-option | CONFIGURATION |
| S4810, S60, S55: Enables Option 82. Remote ID is the hostname of the switch. | ip dhcp relay information-option remote-id hostname | CONFIGURATION |
| S4810, S60, S55: Enables Option 82. Remote ID is remote-id | ip dhcp relay information-option remote-id remote-id | CONFIGURATION |

DHCP Snooping

DHCP Snooping protects networks from spoofing. In the context of DHCP Snooping, all ports are either trusted or untrusted. By default, all ports are untrusted. Trusted ports are ports through which attackers cannot connect. Manually configure ports connected to legitimate servers and relay agents as trusted.

When DHCP Snooping is enabled, the relay agent builds a binding table (using DHCPACK messages) containing the client MAC address, IP addresses, IP address lease time, port, VLAN ID, and binding type. Every time the relay agent receives a DHCPACK on a trusted port, it adds an entry to the table.

The relay agent then checks all subsequent DHCP client-originated IP traffic (DHCPRELEASE, DHCPNACK, and DHCPDECLINE) against the binding table to ensure that the MAC-IP address pair is legitimate, and that the packet arrived on the correct port; packets that do not pass this check are forwarded to the server for validation. This checkpoint prevents an attacker from spoofing a client and declining or releasing the real client's address.

Server-originated packets (DHCPOFFER, DHCPACK, DHCPNACK) that arrive on an untrusted port are also dropped. This checkpoint prevents an attacker from impersonating a DHCP server to facilitate a man-in-the-middle attack.

244 | Dynamic Host Configuration Protocol (DHCP)
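The snooping checks described above can be followed in a small model. This is an added example, not FTOS code or anything from the manual. The port names, MAC and IP addresses are constructed, `client_port` stands in for the relay agent's knowledge of the client-facing port, a client message that matches its binding is assumed to be forwarded, and DHCPNACK is modelled as server-originated only.

```python
from dataclasses import dataclass

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNACK"}  # server-originated, page's spelling
CLIENT_CHECKED = {"DHCPRELEASE", "DHCPDECLINE"}     # validated against the binding table

@dataclass(frozen=True)
class Binding:
    ip: str
    lease_s: int
    port: str
    vlan: int

class Snooper:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # every other port is untrusted by default
        self.table = {}                    # client MAC -> Binding

    def handle(self, msg, in_port, mac, ip, vlan, client_port=None, lease_s=0):
        """Return the verdict for one DHCP message received on in_port."""
        if msg in SERVER_MSGS:
            if in_port not in self.trusted:
                return "drop"              # server message on an untrusted port
            if msg == "DHCPACK":           # binding is learned only from a trusted ACK
                self.table[mac] = Binding(ip, lease_s, client_port, vlan)
            return "forward"
        if msg in CLIENT_CHECKED:
            b = self.table.get(mac)
            if b and (b.ip, b.port, b.vlan) == (ip, in_port, vlan):
                return "forward"           # assumption: a matching message passes
            return "server-validate"       # page: failed checks go to the server
        return "forward"                   # DHCPDISCOVER, DHCPREQUEST, ...

def run_demo():
    """Replay constructed events; return (verdicts, MACs in the binding table)."""
    sw = Snooper(trusted_ports={"Te 0/1"})  # constructed uplink toward the server
    a, b = "00:00:5e:00:53:01", "00:00:5e:00:53:02"  # constructed client MACs
    events = [
        ("DHCPOFFER", "Gi 0/7", a, "192.0.2.10", 10),                # untrusted port
        ("DHCPACK", "Te 0/1", a, "192.0.2.10", 10, "Gi 0/3", 3600),  # real lease
        ("DHCPRELEASE", "Gi 0/7", a, "192.0.2.10", 10),              # wrong port
        ("DHCPDECLINE", "Gi 0/3", a, "192.0.2.99", 10),              # wrong IP
        ("DHCPRELEASE", "Gi 0/3", a, "192.0.2.10", 10),              # matches binding
        ("DHCPACK", "Gi 0/7", b, "192.0.2.66", 10, "Gi 0/4", 3600),  # untrusted ACK
    ]
    return [sw.handle(*e) for e in events], sorted(sw.table)

if __name__ == "__main__":
    print(run_demo())
```

The last event shows why trust is assigned per port: a DHCPACK arriving on an untrusted port is dropped before it can create a binding, so the table only ever holds leases confirmed through a trusted port.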