no ip dhcp snooping verify no-relay-agent-address

Hi everybody.

I was reading a very interesting series on dhcp snooping at:

http://blog.ipexpert.com/2012/04/10/understanding-dhcp-snooping-part-four-operation-with-dhcp-relays/

Little Background:

  R4 is a dhcp relay agent connected to catsw3, as shown below:

    R4--untrusted--Catsw3------trusted----R5(dhcp server)

   When catsw3 receives a dhcp message with the giaddr field set to an IP, it drops the message. R4 is just setting the giaddr field; it is not inserting any option 82.

The author mentions a possible solution using the command:

no ip dhcp snooping verify no-relay-agent-address

My question: what does this command do? The author mentions it disables the verification of option 82. But again, what do we mean by disabling the verification of option 82? Does a switch, upon receiving a dhcp message on its untrusted port with the giaddr field set to some IP, perform some kind of verification of option 82?

===============================================

Does a switch configured with dhcp snooping check the src mac address against the client mac in a dhcp message received on its untrusted port?

Thanks and have a great weekend.

1 ACCEPTED SOLUTION

Hi Sarah,

Here is a good doc on the use of option 82:

The DHCP Address Allocation Using Option 82 feature provides the Cisco IOS Dynamic Host Configuration Protocol (DHCP) server the ability to allocate dynamic IP addresses based on the relay information option (option 82) information sent by the relay agent.

Automatic DHCP address allocation is typically based on an IP address, whether it be the gateway address (giaddr field of the DHCP packet) or the incoming interface IP address. In some networks, it is necessary to use additional information to further determine which IP addresses to allocate. By using option 82, the Cisco IOS relay agent has long been able to include additional information about itself when forwarding client-originated DHCP packets to a DHCP server. The DHCP Address Allocation Using Option 82 feature now allows the Cisco IOS DHCP server to also use option 82 as a means to provide additional information to properly allocate IP addresses to DHCP clients.

link:

http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_dhcpsnoop.html

also:

no ip dhcp snooping verify

this command is actually

ip dhcp snooping verify mac-address

which enables the MAC address verification:

link:

http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_dhcpsnoop.html

HTH
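
The two checks discussed in this thread (a non-zero giaddr on an untrusted port, and the frame's source MAC versus the client MAC in the DHCP message), as an added Python example that is not part of the original posts and is not Cisco's implementation. It is a simplified model: the `verify_mac` and `verify_no_relay` arguments are hypothetical stand-ins for the two `ip dhcp snooping verify` keywords, and the MAC addresses and the 192.0.2.4 relay address are constructed sample values.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header

def parse_dhcp(payload):
    """Return (giaddr, chaddr, options) from a raw BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    giaddr = socket.inet_ntoa(payload[24:28])
    chaddr = payload[28:28 + min(payload[2], 16)]  # hlen bytes of chaddr
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:                        # 0 = pad, has no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return giaddr, chaddr, opts

def untrusted_verdict(src_mac, payload, verify_mac=True, verify_no_relay=True):
    """Model of the two 'verify' checks (keyword arguments are hypothetical names)."""
    giaddr, chaddr, opts = parse_dhcp(payload)
    if verify_no_relay and giaddr != "0.0.0.0":
        # Keyed on giaddr alone; option 82 is only reported, not required.
        return f"drop: giaddr={giaddr} (option 82 present: {82 in opts})"
    if verify_mac and src_mac != chaddr:
        return "drop: frame source MAC differs from chaddr"
    return "forward"

def build_discover(chaddr, giaddr="0.0.0.0"):
    """Construct a minimal DHCPDISCOVER payload (sample data for this example)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), bytes(4), bytes(4), socket.inet_aton(giaddr),
                      chaddr, b"", b"")
    return hdr + MAGIC + bytes([53, 1, 1, 255])    # option 53 = 1 (DISCOVER), end

CLIENT = bytes.fromhex("020000000001")  # constructed client MAC
RELAY = bytes.fromhex("020000000004")   # constructed MAC of the relay's interface

if __name__ == "__main__":
    direct = build_discover(CLIENT)
    relayed = build_discover(CLIENT, giaddr="192.0.2.4")  # giaddr set, no option 82
    print(untrusted_verdict(CLIENT, direct))    # client's own frame
    print(untrusted_verdict(RELAY, relayed))    # relayed, default checks
    print(untrusted_verdict(RELAY, direct))     # source MAC does not match chaddr
    print(untrusted_verdict(RELAY, relayed, verify_mac=False, verify_no_relay=False))
```
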
