Alcatel-Lucent 6600 Switch User Manual


 
Configuring DHCP Security Features Configuring DHCP Relay
page 18-18 OmniSwitch 6600 Family Network Configuration Guide April 2006
When DHCP Snooping is first enabled, all ports are considered untrusted. It is important to then configure
the ports connected to a DHCP server inside the network as trusted ports. See “Configuring the Port Trust
Mode” on page 18-20 for more information.
If a DHCP packet is received on an untrusted port, then it is considered an untrusted packet. If a DHCP
packet is received on a trusted port, then it is considered a trusted packet. DHCP Snooping only filters
untrusted packets and will drop such packets if one or more of the following conditions are true:
• The packet received is a DHCP server packet, such as a DHCPOFFER, DHCPACK, or DHCPNAK
  packet. When a server packet is received on an untrusted port, DHCP Snooping knows that it is not
  from a trusted server and discards the packet.
• The source MAC address of the packet and the DHCP client hardware address contained in the packet
  are not the same address.
• The packet is a DHCPRELEASE or DHCPDECLINE broadcast message that contains a source MAC
  address found in the DHCP Snooping binding table, but the interface information in the binding table
  does not match the interface on which the message was received.
• The packet includes a relay agent IP address that is a non-zero value.
• The packet already contains Option-82 data in the options field.
If none of the above are true, then the relay agent accepts and forwards the packet. When the relay agent
receives a DHCPACK packet from a server, the agent extracts the following information to create an entry
in the DHCP Snooping binding table:
• MAC address of the DHCP client.
• IP address for the client that was assigned by the DHCP server.
• The port from where the DHCP packet originated.
• The VLAN associated with the port from where the DHCP packet originated.
• The lease time for the assigned IP address.
• The binding entry type: dynamic or static (user-configured).
After extracting the above information and populating the binding table, the agent then forwards the
packet to the port from where the packet originated. Basically, the DHCP Snooping feature prevents the
normal flooding of DHCP traffic. Instead, packets are delivered only to the appropriate client and server
ports.
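The following Python model is an added example, not OmniSwitch code and not taken from the guide. It walks through the five untrusted-packet checks and the binding-table population described above against a small set of constructed DHCP messages (an honest client, a rogue server on an access port, a DHCPRELEASE sent from a different port, and a spoofed client). Packet fields are a simplified stand-in for real DHCP frames. One modelling assumption is labelled in the code: the binding records the port and VLAN on which the client's own request arrived, since that is the interface the RELEASE/DECLINE check later compares against.

```python
# Added example: a model of the DHCP Snooping untrusted-packet filter and
# binding-table population. Not OmniSwitch code; fields are simplified.
from dataclasses import dataclass
from typing import Optional

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass
class DhcpPacket:
    msg_type: str            # DHCP message type, e.g. "DHCPDISCOVER"
    src_mac: str             # Ethernet source MAC address of the frame
    chaddr: str              # client hardware address field in the DHCP payload
    in_port: str             # ingress port, e.g. "1/3"
    vlan: int                # VLAN of the ingress port
    giaddr: str = "0.0.0.0"  # relay agent IP address field
    has_option82: bool = False
    broadcast: bool = False
    yiaddr: str = "0.0.0.0"  # address assigned by the server (DHCPACK)
    lease_time: int = 0      # lease time in seconds (DHCPACK)


@dataclass
class Binding:
    mac: str
    ip: str
    port: str
    vlan: int
    lease_time: int
    entry_type: str = "dynamic"   # "dynamic" (learned) or "static" (user-configured)


class DhcpSnooping:
    def __init__(self) -> None:
        self.trusted_ports: set = set()
        self.bindings: dict = {}        # client MAC -> Binding
        self._client_iface: dict = {}   # client MAC -> (port, vlan) of its request

    def trust_port(self, port: str) -> None:
        self.trusted_ports.add(port)

    def add_static_binding(self, mac: str, ip: str, port: str, vlan: int) -> None:
        self.bindings[mac.lower()] = Binding(mac.lower(), ip, port, vlan, 0, "static")

    def drop_reason(self, pkt: DhcpPacket) -> Optional[str]:
        """Apply the five untrusted-packet checks; None means the packet is accepted."""
        if pkt.in_port in self.trusted_ports:
            return None                        # trusted packets are never filtered
        if pkt.msg_type in SERVER_MESSAGES:
            return "server message on untrusted port"
        if pkt.src_mac.lower() != pkt.chaddr.lower():
            return "source MAC differs from client hardware address"
        if pkt.msg_type in ("DHCPRELEASE", "DHCPDECLINE") and pkt.broadcast:
            b = self.bindings.get(pkt.src_mac.lower())
            if b is not None and (b.port, b.vlan) != (pkt.in_port, pkt.vlan):
                return "RELEASE/DECLINE interface does not match binding"
        if pkt.giaddr != "0.0.0.0":
            return "non-zero relay agent IP address"
        if pkt.has_option82:
            return "Option-82 already present"
        return None

    def process(self, pkt: DhcpPacket):
        """Return ("drop", reason) or ("forward", None); learn bindings from DHCPACK."""
        reason = self.drop_reason(pkt)
        if reason is not None:
            return ("drop", reason)
        mac = pkt.chaddr.lower()
        if pkt.msg_type not in SERVER_MESSAGES:
            # Assumption: remember where the client is attached, so the binding
            # points at the client's port rather than the server-facing port
            # the DHCPACK arrives on.
            self._client_iface[mac] = (pkt.in_port, pkt.vlan)
        elif pkt.msg_type == "DHCPACK":
            port, vlan = self._client_iface.get(mac, (pkt.in_port, pkt.vlan))
            self.bindings[mac] = Binding(mac, pkt.yiaddr, port, vlan, pkt.lease_time)
        return ("forward", None)


def run_scenario():
    """Constructed traffic: honest client, rogue server, moved RELEASE, spoofed client."""
    snoop = DhcpSnooping()
    snoop.trust_port("1/24")   # uplink toward the legitimate DHCP server
    client = "00:11:22:33:44:55"
    packets = [
        DhcpPacket("DHCPDISCOVER", client, client, "1/3", 10, broadcast=True),
        DhcpPacket("DHCPOFFER", "00:de:ad:be:ef:01", client, "1/5", 10),       # rogue server
        DhcpPacket("DHCPACK", "00:aa:bb:cc:dd:ee", client, "1/24", 20,
                   yiaddr="10.0.0.5", lease_time=3600),
        DhcpPacket("DHCPRELEASE", client, client, "1/7", 10, broadcast=True),  # wrong port
        DhcpPacket("DHCPREQUEST", client, client, "1/3", 10, giaddr="10.0.0.1"),
        DhcpPacket("DHCPREQUEST", client, client, "1/3", 10, has_option82=True),
        DhcpPacket("DHCPREQUEST", "00:99:99:99:99:99", client, "1/3", 10),      # spoofed
    ]
    return [snoop.process(p) for p in packets], snoop.bindings


if __name__ == "__main__":
    results, table = run_scenario()
    for r in results:
        print(r)
    print(table)
```

Running the scenario forwards only the client's DISCOVER and the DHCPACK from the trusted port; the rogue OFFER, the RELEASE from a port other than the one in the binding, the request carrying a non-zero giaddr, the request that already has Option-82, and the spoofed request are all dropped with the matching reason, and the binding table ends up holding one dynamic entry for the client with the address, port, VLAN and lease time taken from the exchange.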
Note that DHCP Snooping only applies to traffic that is relayed between VLANs. If a DHCP server and
client reside within the same VLAN domain, then DHCP Snooping is not applied to communications
between these devices.
DHCP Snooping Configuration Guidelines
Consider the following when configuring the DHCP Snooping feature:
• DHCP Snooping requires the use of the relay agent to process DHCP packets. As a result, DHCP
  clients and servers must reside in different VLANs so that the relay agent is engaged to forward packets
  between the VLAN domains. See “Configuring BOOTP/DHCP Relay Parameters” on page 18-10
  for information about how to configure the relay agent on the switch.
• Configure ports connected to DHCP servers within the network as trusted ports. See “Configuring the
  Port Trust Mode” on page 18-20 for more information.