Filter
Top Products
19-3
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
OL-10101-02
Chapter 19 Configuring DHCP Features
Understanding DHCP Features
The switch drops a DHCP packet when one of these situations occurs:
• A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or
DHCPLEASEQUERY packet, is received from outside the network or firewall.
• A packet is received on an untrusted interface, and the source MAC address and the DHCP client
hardware address do not match.
• The switch receives a DHCPRELEASE or DHCPDECLINE broadcast message that contains a MAC
address in the DHCP snooping binding table, but the interface information in the binding table does
not match the interface on which the message was received.
• A DHCP relay agent forwards a DHCP packet that includes an relay-agent IP address that is not
0.0.0.0, or the relay agent forwards a packet that includes option-82 information to an untrusted port.
If the switch is an aggregation switch supporting DHCP snooping and is connected to an edge switch
that is inserting DHCP option-82 information, the switch drops packets with option-82 information when
packets are received on an untrusted interface. If DHCP snooping is enabled and packets are received on
a trusted port, the aggregation switch does not learn the DHCP snooping bindings for connected devices
and cannot build a complete DHCP snooping binding database.
When option-82 information is inserted by an edge switch in software releases earlier than Cisco IOS
Release 12.1(22)EA3, you cannot configure DHCP snooping on an aggregation switch because the
DHCP snooping bindings database is not properly populated. You also cannot configure IP source guard
and dynamic Address Resolution Protocol (ARP) inspection on the switch unless you use static bindings
or ARP access control lists (ACLs).
In Cisco IOS Release 12.1(22)EA3 when an aggregation switch can be connected to an edge switch
through an untrusted interface and you enter the ip dhcp snooping information option allow-untrusted
global configuration command, the aggregation switch accepts packets with option-82 information from
the edge switch. The aggregation switch learns the bindings for hosts connected through an untrusted
switch interface. The DHCP security features, such as dynamic ARP or IP source guard, can still be
enabled on the aggregation switch while the switch receives packets with option-82 information on
ingress untrusted interfaces to which hosts are connected. The port on the edge switch that connects to
the aggregation switch must be configured as a trusted interface.
Option-82 Data Insertion
In residential, metropolitan Ethernet-access environments, DHCP can centrally manage the IP address
assignments for a large number of subscribers. When the DHCP option-82 feature is enabled on the
switch, a subscriber device is identified by the switch port through which it connects to the network (in
addition to its MAC address). Multiple hosts on the subscriber LAN can be connected to the same port
on the access switch and are uniquely identified.
Note The DHCP option-82 feature is supported only when DHCP snooping is enabled globally and on the
VLANs to which subscriber devices using this feature are assigned. The switch also supports the DHCP
option-82 feature when DHCP is disabled.
Figure 19-1 is an example of a metropolitan Ethernet network in which a centralized DHCP server
assigns IP addresses to subscribers connected to the switch at the access layer. Because the DHCP clients
and their associated DHCP server do not reside on the same IP network or subnet, a DHCP relay agent
(the Catalyst switch) is configured with a helper address to enable broadcast forwarding and to transfer
DHCP messages between the clients and the server.