Dhcp filtering – Allied Telesis x900-48 series User Manual

Page 11 | AlliedWare™ OS How To Note: DHCP snooping on AT-9900-style switches

DHCP filtering > Configuring Option 82

If the switch is acting as a DHCP relay and there is no requirement to also maintain a DHCP
snooping database, then the DHCP relay process can be configured to insert option 82
information into the relayed packets:

enable bootp relay option82

The subscriber ID to be used on any given port can be configured with:

set bootp relay option82 subscriberid="xxxx"

Note:

The use of BOOTP relay without DHCP snooping will not be discussed any further
in this document.

Agent Circuit ID and Agent Remote ID are sub-options that are also sent as part of the
Option 82 data but they are not configurable.

DHCP filtering

The purpose of DHCP filtering is to prevent IP addresses from being falsified or ‘spoofed’.
This guarantees that customers cannot avoid detection by spoofing an IP address that was
not actually allocated to them.

DHCP filtering is achieved by creating dynamic classifiers. The dynamic classifiers are
configured with DHCP snooping placeholders, which match on the source IP address (and
possibly the source MAC address).

The dynamic classifiers are attached to filters, which are applied to a port. Only those
packets with a source IP address that matches one of the IP addresses allocated to the
devices connected to that port are allowed through.
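
The filtering behaviour described above can be modelled in Python, with the snooped leases acting as the values that fill in the classifier placeholders for each port. This is an added example, not AlliedWare code or configuration; the class and method names, addresses and port numbers are hypothetical, and it assumes trusted ports are not source-filtered.

```python
from dataclasses import dataclass, field

@dataclass
class Binding:
    ip: str
    mac: str
    expires: float  # absolute time at which the lease ends

@dataclass
class SnoopingSwitch:
    trusted_ports: set
    match_mac: bool = False  # also match on the source MAC address
    bindings: dict = field(default_factory=dict)  # port -> list of Binding

    def snoop_ack(self, port, ip, mac, lease_secs, now):
        """Record the lease from a snooped server reply for a client on `port`."""
        mac = mac.lower()
        kept = [b for b in self.bindings.get(port, []) if b.mac != mac]
        self.bindings[port] = kept + [Binding(ip, mac, now + lease_secs)]

    def classifier(self, port, now):
        """Expand the placeholder into the concrete matches for `port`."""
        live = [b for b in self.bindings.get(port, []) if b.expires > now]
        self.bindings[port] = live  # expired leases stop matching
        return {(b.ip, b.mac if self.match_mac else None) for b in live}

    def permits(self, port, src_ip, src_mac, now):
        """True if a packet arriving on `port` passes the filter."""
        if port in self.trusted_ports:
            return True  # assumption: trusted ports are not source-filtered
        key = (src_ip, src_mac.lower() if self.match_mac else None)
        return key in self.classifier(port, now)

def demo():
    # Constructed sample: clients A and B on ports 1 and 2, trusted uplink on 24.
    a, b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
    sw = SnoopingSwitch(trusted_ports={24}, match_mac=True)
    sw.snoop_ack(1, "192.0.2.10", a, lease_secs=3600, now=0)
    sw.snoop_ack(2, "192.0.2.11", b, lease_secs=3600, now=0)
    return {
        "A uses own address": sw.permits(1, "192.0.2.10", a, now=10),
        "A spoofs B's address": sw.permits(1, "192.0.2.11", a, now=10),
        "A after lease expiry": sw.permits(1, "192.0.2.10", a, now=3601),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'forward' if allowed else 'drop'}")
```
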

[Figure labels: Client A, Client B, Non-trusted Ports, Trusted Ports, Access Device, DHCP Server]