06-08-2012 03:07 PM - edited 03-07-2019 07:09 AM
Hi everybody
By default, when we configure DHCP snooping on a Cisco switch, the command "ip dhcp snooping information option" is also enabled. If we disable this command, would the switch still create the DHCP binding table?
thanks and have a great weekend.
06-08-2012 04:19 PM
Hi Sarah,
This command enables the insertion and removal of option 82 information from DHCP packets. The no option disables the insertion and removal of option-82 information.
So, yes, the DHCP binding is still enabled.
HTH
06-08-2012 05:02 PM
Thanks Reza.
I have yet to do some study on option 82. Surely, I will have some questions.
06-08-2012 07:32 PM
Hi Reza.
I discovered some new information about DHCP snooping (at least for me).
For messages received on trusted ports, no validation is performed. For messages received on untrusted ports, the following steps are taken:
1. DHCP messages normally exchanged from a DHCP server to a client are dropped. These messages are DHCPOFFER, DHCPACK, and DHCPNAK.
2. DHCP messages with a nonzero relay agent/gateway IP address (also called the giaddr field) or Option 82 data are dropped.
3. DHCPRELEASE/DHCPDECLINE messages are verified against the binding-table entries to prevent a host from releasing/declining addresses leased to another host.
4. DHCPDISCOVER messages, where the source MAC address does not match the client Hardware Address field, are dropped. This helps to mitigate the DHCP exhaustion attack. This check is performed only if the DHCP snooping MAC address verification option is turned on.
================================================================
So a switch configured only with DHCP snooping, not IP source guard/dynamic ARP inspection, performs the following as well:
3. DHCPRELEASE/DHCPDECLINE messages are verified against the binding-table entries to prevent a host from releasing/declining addresses leased to another host.
4. DHCPDISCOVER messages, where the source MAC address does not match the client Hardware Address field, are dropped. This helps to mitigate the DHCP exhaustion attack. This check is performed only if the DHCP snooping MAC address verification option is turned on.
How do we configure the above-mentioned "DHCP snooping MAC address verification option"?
========================================================================
I could not find a good link on option 82. The question I have:
what is option 82 and why do we need it ?
I understand what option 82 is but am still at a loss as to why we need it.
thanks
Message was edited by: Sarah
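The four untrusted-port checks quoted in the post above, written out as an added Python model so the order and effect of each rule is visible. This is example code added to the thread, not Cisco's implementation and not code from any poster. It also shows where the binding table the opening question asks about comes from: entries are learned from server DHCPACKs seen on trusted ports, which does not depend on option 82 insertion at all. The function names (`snoop`, `build_dhcp`, `parse_dhcp`), the `bindings` dictionary layout (client MAC to leased IP) and the constructed packets are all assumptions for this example; the BOOTP/DHCP field offsets and option codes (53 message type, 50 requested address, 82 relay agent information) are the standard ones from RFC 2131/2132/3046.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# DHCP message types carried in option 53 (RFC 2132).
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_TO_CLIENT = {OFFER, ACK, NAK}
MAGIC_COOKIE = b"\x63\x82\x53\x63"


@dataclass
class Dhcp:
    msg_type: int
    chaddr: bytes                # client hardware address from the BOOTP header
    ciaddr: str                  # client's current address (filled in by RELEASE)
    yiaddr: str                  # address the server assigns (filled in by ACK)
    giaddr: str                  # relay agent address; must be 0.0.0.0 from a client
    requested_ip: Optional[str]  # option 50, the address a DECLINE refers to
    has_option82: bool           # relay agent information option present


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_dhcp(msg_type, chaddr, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
               giaddr="0.0.0.0", requested_ip=None, option82=False) -> bytes:
    """Build a minimal, constructed DHCP payload (hypothetical test input)."""
    op = 2 if msg_type in SERVER_TO_CLIENT else 1          # BOOTREPLY / BOOTREQUEST
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0)  # op, htype, hlen, hops, xid, secs, flags
    hdr += _ip_bytes(ciaddr) + _ip_bytes(yiaddr) + _ip_bytes("0.0.0.0") + _ip_bytes(giaddr)
    hdr += chaddr.ljust(16, b"\x00") + b"\x00" * 192         # chaddr, sname, file
    opts = MAGIC_COOKIE + bytes([53, 1, msg_type])
    if requested_ip:
        opts += bytes([50, 4]) + _ip_bytes(requested_ip)
    if option82:
        opts += bytes([82, 6, 1, 4]) + b"\x00\x01\x00\x02"  # constructed circuit-id sub-option
    return hdr + opts + b"\xff"


def parse_dhcp(payload: bytes) -> Dhcp:
    """Parse the fixed BOOTP header and the option list of a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    hlen = payload[2]
    chaddr = payload[28:28 + hlen]
    ciaddr, yiaddr, giaddr = _ip(payload[12:16]), _ip(payload[16:20]), _ip(payload[24:28])
    msg_type, requested_ip, has82 = None, None, False
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53:
            msg_type = value[0]
        elif code == 50:
            requested_ip = _ip(value)
        elif code == 82:
            has82 = True
        i += 2 + length
    if msg_type is None:
        raise ValueError("DHCP payload without a message type option")
    return Dhcp(msg_type, chaddr, ciaddr, yiaddr, giaddr, requested_ip, has82)


def snoop(src_mac: bytes, payload: bytes, trusted: bool,
          bindings: Dict[bytes, str], verify_mac: bool = True) -> str:
    """Apply the snooping rules from the post to one packet.

    Returns "forward" or "drop: <reason>".  `bindings` maps client MAC to the
    leased IP and is learned here from server ACKs arriving on trusted ports.
    """
    pkt = parse_dhcp(payload)
    if trusted:
        # Trusted ports are not validated; this is where the binding table is built.
        if pkt.msg_type == ACK:
            bindings[pkt.chaddr] = pkt.yiaddr
        return "forward"
    # 1. Server-to-client messages never legitimately arrive on an untrusted port.
    if pkt.msg_type in SERVER_TO_CLIENT:
        return "drop: server message on untrusted port"
    # 2. Clients do not relay: giaddr must be zero and option 82 must be absent.
    if pkt.giaddr != "0.0.0.0" or pkt.has_option82:
        return "drop: relay fields (giaddr/option 82) from client"
    # 3. RELEASE/DECLINE must refer to the address bound to this client's MAC.
    if pkt.msg_type in (RELEASE, DECLINE):
        target = pkt.ciaddr if pkt.msg_type == RELEASE else pkt.requested_ip
        if bindings.get(pkt.chaddr) != target:
            return "drop: release/decline for an address not bound to this client"
    # 4. Optional MAC verification: the frame's source MAC must equal chaddr.
    if verify_mac and pkt.msg_type == DISCOVER and src_mac != pkt.chaddr:
        return "drop: source MAC does not match chaddr"
    return "forward"
```

Rule 4 is the one the post asks how to turn on; on Cisco IOS it corresponds to `ip dhcp snooping verify mac-address`, which is enabled by default and toggled with the `no` form. Rule 3 is what makes the binding table useful on its own, without IP source guard or dynamic ARP inspection: a host can only release or decline the lease recorded against its own MAC.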