beautypg.com

5 dhcp option 82, Dhcp option 82 – Siemens S223 User Manual

Page 252

background image

UMN:CLI User Manual

SURPASS hiD 6615 S223/S323 R1.5

252 A50010-Y3-C150-2-7619

To enable the smart relay agent forwarding, use the following command.

Command Mode

Description

ip dhcp smart-relay

Enables a smart relay.

no ip dhcp smart-relay

Global

Disables a smart relay.

8.8.5

DHCP Option 82

In some networks, it is necessary to use additional information to further determine which
IP addresses to allocate. By using the DHCP option 82, a DHCP relay agent can include
additional information about itself when forwarding client-originated DHCP packets to a
DHCP server. The DHCP relay agent will automatically add the circuit ID and the remote
ID to the option 82 field in the DHCP packets and forward them to the DHCP server.

The DHCP option 82 resolves the following issues in an environment in which untrusted
hosts access the internet via a circuit based public network:

Broadcast Forwarding

The DHCP option 82 allows a DHCP relay agent to reduce unnecessary broadcast flood-
ing by forwarding the normally broadcasted DHCP response only on the circuit indicated
in the circuit ID.

DHCP Address Exhaustion

In general, a DHCP server may be extended to maintain a DHCP lease database with an
IP address, hardware address and remote ID. The DHCP server should implement poli-
cies that restrict the number of IP addresses to be assigned to a single remote ID.

Static Assignment

A DHCP server may use the remote ID to select the IP address to be assigned. It may
permit static assignment of IP addresses to particular remote IDs, and disallow an ad-
dress request from an unauthorized remote ID.

IP Spoofing

A DHCP client may associate the IP address assigned by a DHCP server in a forwarded
DHCP_ACK message with the circuit to which it was forwarded. The circuit access device
may prevent forwarding of IP packets with source IP addresses, other than, those it has
associated with the receiving circuit. This prevents simple IP spoofing attacks on the cen-
tral LAN, and IP spoofing of other hosts.

MAC Address Spoofing

By associating a MAC address with a remote ID, a DHCP server can prevent offering an
IP address to an attacker spoofing the same MAC address on a different remote ID.

This manual is related to the following products: