Configuring DHCP Relay Configuring DHCP Security Features
OmniSwitch 6600 Family Network Configuration Guide April 2006 page 18-15
Configuring DHCP Security Features
There are two DHCP security features available: DHCP relay agent information option (Option-82) and
DHCP Snooping. The DHCP Option-82 feature enables the relay agent to insert identifying information
into client-originated DHCP packets before the packets are forwarded to the DHCP server. The DHCP
Snooping feature filters DHCP packets between untrusted sources and a trusted DHCP server and builds a
binding database to log DHCP client information.
Although DHCP Option-82 is a subcomponent of DHCP Snooping, these two features are mutually exclusive.
If the DHCP Option-82 feature is enabled for the switch, then DHCP Snooping is not available. The
reverse is also true; if DHCP Snooping is enabled, then DHCP Option-82 is not available. In addition, the
following differences exist between these two features:
• DHCP Snooping does require and use the Option-82 data insertion capability, but does not implement
any other behaviors defined in RFC 3046.
• DHCP Snooping will automatically drop client DHCP packets that already have Option-82 information
present. The DHCP Option-82 feature provides configurable options for dealing with such packets.
• DHCP Snooping is configurable at the switch level and on a per-VLAN basis, but DHCP Option-82 is
only configurable at the switch level.
The following sections provide additional information about each DHCP security feature and how to
configure feature parameters using the Command Line Interface (CLI).
Using the Relay Agent Information Option (Option-82)
This implementation of the DHCP relay agent information option (Option-82) feature is based on the
functionality defined in RFC 3046. By default DHCP Option-82 functionality is disabled. The ip helper
agent-information command is used to enable this feature at the switch level.
When this feature is enabled, communications between a DHCP client and a DHCP server are authenticated
by the relay agent. To accomplish this task, the agent adds Option-82 data to the end of the options
field in DHCP packets sent from a client to a DHCP server. Option-82 consists of two suboptions: Circuit
ID and Remote ID. The agent fills in the following information for each of these suboptions:
• Circuit ID—the VLAN ID and slot/port from where the DHCP packet originated.
• Remote ID—the MAC address of the router interface associated with the VLAN ID specified in the
Circuit ID suboption.
The DHCP Option-82 feature is only applicable when DHCP relay is used to forward DHCP packets
between clients and servers associated with different VLANs. In addition, a secure IP network must exist
between the relay agent and the DHCP server.
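The Option-82 insertion and the DHCP Snooping drop rule described above, as an added Python example that is not taken from this guide or from the switch software. Sub-option codes 1 and 2 come from RFC 3046; the Circuit ID byte layout (2-byte VLAN ID, 1-byte slot, 1-byte port), the sample client options and the MAC address are assumptions made for illustration.

```python
import struct

PAD, END, RELAY_AGENT_INFO = 0, 255, 82   # DHCP option codes
CIRCUIT_ID, REMOTE_ID = 1, 2              # Option-82 sub-option codes (RFC 3046)

def parse_tlvs(data, dhcp_options=False):
    """Split a code/length/value byte string into a list of (code, value)."""
    out, i = [], 0
    while i < len(data):
        code = data[i]
        if dhcp_options and code == END:
            break
        if dhcp_options and code == PAD:      # PAD has no length byte
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError(f"truncated option {code}")
        out.append((code, data[i + 2:i + 2 + data[i + 1]]))
        i += 2 + data[i + 1]
    return out

def encode_tlvs(items):
    return b"".join(bytes([code, len(value)]) + value for code, value in items)

def find_option82(options):
    """Return Option-82 sub-options as {code: value}, or None if absent."""
    for code, value in parse_tlvs(options, dhcp_options=True):
        if code == RELAY_AGENT_INFO:
            return dict(parse_tlvs(value))
    return None

def insert_option82(options, vlan, slot, port, router_mac):
    """Relay agent: append Option-82 to the end of the options field."""
    if find_option82(options) is not None:
        raise ValueError("Option-82 already present; handling is policy-dependent")
    # Assumed Circuit ID layout: 2-byte VLAN ID, 1-byte slot, 1-byte port.
    circuit = struct.pack("!HBB", vlan, slot, port)
    opt82 = encode_tlvs([(CIRCUIT_ID, circuit), (REMOTE_ID, router_mac)])
    items = parse_tlvs(options, dhcp_options=True) + [(RELAY_AGENT_INFO, opt82)]
    return encode_tlvs(items) + bytes([END])

def snooping_drops(client_options):
    """DHCP Snooping rule: drop client packets that already carry Option-82."""
    return find_option82(client_options) is not None

# Constructed sample: options of a DHCPDISCOVER (type 53 = 1, parameter list 55).
CLIENT_OPTIONS = bytes([53, 1, 1, 55, 2, 1, 3, END])
ROUTER_MAC = bytes.fromhex("020000000001")   # constructed MAC address

if __name__ == "__main__":
    relayed = insert_option82(CLIENT_OPTIONS, vlan=10, slot=1, port=4, router_mac=ROUTER_MAC)
    print(find_option82(relayed), snooping_drops(relayed))
```

A client packet that arrives with Option-82 already set is the case the two features treat differently: snooping_drops() flags it for discard, while insert_option82() refuses to overwrite it and leaves the decision to the configured policy.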