Bronze

dhcp snooping and cisco switch

Hi everybody

By default, when we configure DHCP snooping on a Cisco switch, the command "ip dhcp snooping information option" is also enabled. If I disable this command, would the switch still create the DHCP binding table?

thanks and have a great weekend.

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Super Bronze

Hi Sarah,

This command enables the insertion and removal of option 82 information from DHCP packets. The no option disables the insertion and removal of option-82 information.

So, yes, the DHCP binding is still enabled.

HTH

3 REPLIES
Bronze

Thanks Reza.

I have yet to do some study on option 82. Surely, I would have some questions.

Bronze

Hi Reza.

I discovered some new information about DHCP snooping (at least for me).

For messages received on trusted ports, no validation is performed. For messages received on untrusted ports, the following steps are taken:

1. DHCP messages normally exchanged from a DHCP server to a client are dropped. These messages are DHCPOFFER, DHCPACK, and DHCPNAK.

2. DHCP messages with a nonzero relay agent/gateway IP address (also called the giaddr field) or Option 82 data are dropped.

3. DHCPRELEASE/DHCPDECLINE messages are verified against the binding-table entries to prevent a host from releasing/declining addresses leased to another host.

4. DHCPDISCOVER messages where the source MAC address does not match the client Hardware Address field are dropped. This helps to mitigate the DHCP exhaustion attack. This check is performed only if the DHCP snooping MAC address verification option is turned on.

================================================================

So a switch configured only with DHCP snooping (not IP source guard/dynamic ARP inspection) performs the following as well:

3. DHCPRELEASE/DHCPDECLINE messages are verified against the binding-table entries to prevent a host from releasing/declining addresses leased to another host.

4. DHCPDISCOVER messages where the source MAC address does not match the client Hardware Address field are dropped. This helps to mitigate the DHCP exhaustion attack. This check is performed only if the DHCP snooping MAC address verification option is turned on.

How do we configure the above-mentioned "DHCP snooping MAC address verification option"?

========================================================================

I could not find a good link on option 82. The question I have:

What is option 82 and why do we need it?

I understand what option 82 is but am still at a loss as to why we need it.

thanks

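As an added illustration of the four untrusted-port checks quoted in the post above (an editor's example, not Cisco code and not from anyone in this thread), here is a small Python model of the forward/drop decision a DHCP-snooping switch makes per message. `DhcpMsg`, `SnoopingSwitch`, its `verify_mac` flag (standing in for the MAC address verification option) and the sample binding are all constructed for the example; messages are already-decoded records, not parsed packets.

```python
from dataclasses import dataclass, field

# DHCP message types that legitimately flow only from server to client (rule 1).
SERVER_TO_CLIENT = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass
class DhcpMsg:
    """Constructed, already-decoded view of one DHCP message (not a parsed packet)."""
    msg_type: str               # e.g. "DHCPDISCOVER"
    src_mac: str                # Ethernet source address of the frame
    chaddr: str                 # client hardware address field in the DHCP header
    ciaddr: str = "0.0.0.0"     # client IP, set by DHCPRELEASE/DHCPDECLINE
    giaddr: str = "0.0.0.0"     # relay agent / gateway IP address field
    has_option82: bool = False  # relay agent information option present


@dataclass
class SnoopingSwitch:
    """Hypothetical model of the untrusted-port checks; bindings map (mac, ip) -> port."""
    bindings: dict = field(default_factory=dict)
    verify_mac: bool = True     # stands in for the MAC address verification option

    def check(self, msg: DhcpMsg, port: str, trusted: bool) -> str:
        """Return 'forward' or 'drop: <reason>' for a message arriving on `port`."""
        if trusted:                                      # trusted ports: no validation
            return "forward"
        if msg.msg_type in SERVER_TO_CLIENT:             # rule 1: server replies from a host
            return "drop: server-to-client message on untrusted port"
        if msg.giaddr != "0.0.0.0" or msg.has_option82:  # rule 2: relay fields from a host
            return "drop: nonzero giaddr or option 82 on untrusted port"
        if msg.msg_type in ("DHCPRELEASE", "DHCPDECLINE"):  # rule 3: binding-table check
            if self.bindings.get((msg.src_mac, msg.ciaddr)) != port:
                return "drop: release/decline does not match a binding on this port"
        if (msg.msg_type == "DHCPDISCOVER" and self.verify_mac   # rule 4: MAC verification
                and msg.src_mac.lower() != msg.chaddr.lower()):
            return "drop: source MAC does not match chaddr"
        return "forward"


if __name__ == "__main__":
    # Constructed binding: 00:11:... holds 10.0.0.5 on Gi1/0/1; a host on another
    # port tries to release that lease, which rule 3 rejects.
    sw = SnoopingSwitch(bindings={("00:11:22:33:44:55", "10.0.0.5"): "Gi1/0/1"})
    rel = DhcpMsg("DHCPRELEASE", "66:77:88:99:aa:bb", "66:77:88:99:aa:bb", ciaddr="10.0.0.5")
    print(sw.check(rel, "Gi1/0/2", trusted=False))
```

Setting `verify_mac = False` shows why rule 4 matters: a DHCPDISCOVER whose chaddr differs from the frame's source MAC is then forwarded, which is exactly the pattern the quoted text ties to address-pool exhaustion.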