Alcatel-Lucent 6600 Switch User Manual

Configuring DHCP Relay Configuring DHCP Security Features
OmniSwitch 6600 Family Network Configuration Guide April 2006 page 18-17
Enabling the Relay Agent Information Option-82
Use the ip helper agent-information command to enable the DHCP Option-82 feature for the switch. For
example:
-> ip helper agent-information enable
This same command is also used to disable this feature. For example:
-> ip helper agent-information disable
Note that because this feature is not available on a per-VLAN basis, DHCP Option-82 functionality is not
restricted to ports associated with a specific VLAN. Instead, DHCP traffic received on all ports is eligible
for Option-82 data insertion when it is relayed by the agent.
Configuring a Relay Agent Information Option-82 Policy
As previously mentioned, when the relay agent receives a DHCP packet from a client that already contains
Option-82 data, the packet is dropped by default. However, it is possible to configure a DHCP Option-82
policy that directs the relay agent to drop, keep, or replace the existing Option-82 data and then forward
the packet to the server.
To configure a DHCP Option-82 policy, use the ip helper agent-information policy command. The
following parameters are available with this command to specify the policy action:
drop—The DHCP packet is dropped (the default).
keep—The existing Option-82 data in the DHCP packet is retained and the packet is forwarded to the server.
replace—The existing Option-82 data in the DHCP packet is replaced with local relay agent data and then forwarded to the server.
For example, the following commands configure DHCP Option-82 policies:
-> ip helper agent-information policy drop
-> ip helper agent-information policy keep
-> ip helper agent-information policy replace
Note that this type of policy applies to all DHCP packets received on all switch ports. In addition, if a
packet that contains existing Option-82 data also contains a gateway IP address that matches a local subnet
address, the relay agent will drop the packet and not apply any existing Option-82 policy.
Using DHCP Snooping
Using DHCP Snooping improves network security by filtering DHCP messages received from devices
outside the network and building and maintaining a binding table (database) to track access information
for such devices.
In order to identify DHCP traffic that originates from outside the network, DHCP Snooping categorizes
ports as either trusted or untrusted. A port is trusted if it is connected to a device inside the network, such
as a DHCP server. A port is untrusted if it is connected to a device outside the network, such as a customer
switch or workstation.
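As an added illustration (written for this page; it is not OmniSwitch code and does not appear in the guide), the following Python models both behaviours described above: the relay agent's Option-82 handling (insertion when the option is absent, the drop/keep/replace policy when it is present, and the gateway-address rule that overrides the policy), and DHCP Snooping's trusted/untrusted port split with a binding table. All packets, port names, circuit/remote IDs and subnets are constructed. Two points are assumptions rather than statements from the page: "matches a local subnet address" is read as "the gateway address falls inside a configured local subnet", and the snooping filter rule used (server replies accepted only on trusted ports, bindings formed from a client request seen on an untrusted port plus the server's ACK on a trusted port) is the conventional snooping behaviour, not necessarily the switch's exact rule set.

```python
"""Model of the relay agent Option-82 policy and of DHCP Snooping port trust.
Added illustration for this manual page, not OmniSwitch code; packets are constructed."""
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END, OPT_PAD = 53, 82, 255, 0
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPOFFER, DHCPREQUEST, DHCPACK = 2, 3, 5


def parse_options(payload: bytes) -> dict:
    """Parse the DHCP option area (TLV bytes after the magic cookie) into {code: value}."""
    opts, i = {}, 0
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def build_options(opts: dict) -> bytes:
    """Serialise {code: value} back to TLV form, terminated by the End option."""
    return b"".join(bytes([c, len(v)]) + v for c, v in opts.items()) + bytes([OPT_END])


def local_agent_info(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Option-82 value built by this relay: sub-option 1 (circuit ID) and 2 (remote ID)."""
    return bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id


def relay_option82(options: bytes, giaddr: str, policy: str, local_subnets,
                   circuit_id=b"vlan10:port3", remote_id=b"relay-A") -> Optional[bytes]:
    """Option-82 handling for one client packet with the feature enabled on the relay.
    Returns the option bytes to forward to the server, or None when the relay drops
    the packet. A packet without Option-82 gets local data inserted; a packet that
    already carries it is first checked against the gateway-address rule and then
    subjected to the configured policy (drop is the default on the switch)."""
    opts = parse_options(options)
    if OPT_RELAY_AGENT not in opts:
        opts[OPT_RELAY_AGENT] = local_agent_info(circuit_id, remote_id)
        return build_options(opts)
    # Existing Option-82 plus a gateway address inside a local subnet: dropped regardless
    # of policy. Assumption: "matches a local subnet address" means "inside a local subnet".
    if any(IPv4Address(giaddr) in net for net in local_subnets):
        return None
    if policy == "drop":
        return None
    if policy == "keep":
        return build_options(opts)
    if policy == "replace":
        opts[OPT_RELAY_AGENT] = local_agent_info(circuit_id, remote_id)
        return build_options(opts)
    raise ValueError(f"unknown policy {policy!r}")


class DhcpSnooper:
    """Trusted/untrusted port model. Assumed rule (conventional snooping behaviour, not
    spelled out on this page): server replies (BOOTREPLY) are accepted only on trusted
    ports; a client request on an untrusted port is remembered so the matching ACK from
    a trusted port can be recorded as a binding (client MAC -> assigned IP, client port)."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}   # client MAC -> untrusted port the request arrived on
        self.bindings = {}  # client MAC -> {"ip": ..., "port": ...}

    def handle(self, port: str, op: int, chaddr: bytes, yiaddr: str, options: bytes) -> bool:
        """Return True if the message is forwarded, False if snooping discards it."""
        msg_type = parse_options(options).get(OPT_MSG_TYPE, b"\x00")[0]
        if op == BOOTREPLY:
            if port not in self.trusted:
                return False  # a DHCP server answering from an untrusted port
            if msg_type == DHCPACK and chaddr in self.pending:
                self.bindings[chaddr] = {"ip": yiaddr, "port": self.pending.pop(chaddr)}
            return True
        if port not in self.trusted:
            self.pending[chaddr] = port
        return True


# Constructed sample: a client REQUEST that already carries Option-82 from a downstream relay.
FOREIGN_82 = bytes([1, 4]) + b"down" + bytes([2, 5]) + b"other"
CLIENT_REQUEST = build_options({OPT_MSG_TYPE: bytes([DHCPREQUEST]), OPT_RELAY_AGENT: FOREIGN_82})
LOCAL_SUBNETS = [IPv4Network("10.1.0.0/24")]

if __name__ == "__main__":
    for pol in ("drop", "keep", "replace"):
        out = relay_option82(CLIENT_REQUEST, "0.0.0.0", pol, LOCAL_SUBNETS)
        print(pol, "->", "dropped" if out is None else parse_options(out)[OPT_RELAY_AGENT])
    snooper = DhcpSnooper(trusted_ports={"1/1"})
    mac = bytes.fromhex("001122334455")
    snooper.handle("1/7", BOOTREQUEST, mac, "0.0.0.0", CLIENT_REQUEST)
    rogue = build_options({OPT_MSG_TYPE: bytes([DHCPOFFER])})
    print("offer from untrusted port forwarded:", snooper.handle("1/8", BOOTREPLY, mac, "10.1.0.50", rogue))
    snooper.handle("1/1", BOOTREPLY, mac, "10.1.0.50", build_options({OPT_MSG_TYPE: bytes([DHCPACK])}))
    print("bindings:", snooper.bindings)
```

Running the script shows the three policy outcomes for the same client packet (the default policy drops it, keep forwards the foreign sub-options unchanged, replace substitutes this relay's circuit and remote IDs), and then a snooping sequence in which a server reply arriving on an untrusted port is discarded while the ACK from the trusted port produces a binding that ties the client's MAC and assigned address to the untrusted port it requested from.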