
Client requests with option 82 – Allied Telesis AT-8100 Series User Manual


Chapter 29: DHCP Relay Overview


Client Requests with Option 82

The previous discussion deals with cases where DHCP requests do not
already contain option-82 information. However, it is possible that the
requests arriving from the clients to the relay agent could already contain
option-82 information. There are two main circumstances in which this can
occur:

1. A client is maliciously inserting bogus information into the packet in an attempt to subvert the process of identifying the client’s location.

2. A layer-2 DHCP snooping switch that sits between the clients and the DHCP relay is validly inserting the option-82 information into the packets. The DHCP snooping switch is not acting as a relay agent, so it is not filling in the giaddr field (the relay IP address field) in the packet; it is only inserting the option-82 information.

In case 1, you would want to drop the packets that contain the bogus
information (or, at least remove the bogus information). In case 2, you
would want to forward the valid information to the DHCP server.

To configure the switch to check for the presence of option-82 information in incoming DHCP requests, enable DHCP-relay agent-option checking in interface mode with the command “IP DHCP-RELAY AGENT-OPTION CHECKING” on page 497.

By default, this causes the switch to act as follows:

- If the incoming DHCP request has a null IP address (0.0.0.0) in the giaddr field and contains option-82 information, drop the packet. This assumes that such a packet has been maliciously created by a client: no relay agent has touched it, yet it already claims relay-agent information.

- If an incoming DHCP request has a non-null IP address in the giaddr field and contains option-82 information, replace the option-82 field with the current switch’s own information. This assumes that a non-null giaddr field indicates that the packet has already passed through a valid DHCP relay device, and so the presence of the option-82 information is not an indication of malicious intent.

The action taken on packets that have a null giaddr field and an option-82 field present cannot be altered once the agent-option check has been enabled. By contrast, the action taken on packets with a non-null giaddr field and an option-82 field is configurable, with the command “IP DHCP-RELAY INFORMATION POLICY” on page 498.
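The agent-option check described above, written out as an added worked example in Python. This is not code from the manual or from Allied Telesis; it is an illustration of the decision logic only (parsing the giaddr field and the option area of a BOOTP/DHCP request, dropping null-giaddr packets that already carry option 82, and applying a configurable policy to non-null-giaddr packets). The policy names "replace", "keep" and "drop", the sample DHCPDISCOVER packets, and the circuit-id/remote-id strings are assumptions made for the example, not the switch’s actual keywords or output. Filling in giaddr and forwarding to the server are left out.

```python
# Added example: option-82 agent-option checking on a DHCP relay.
# Not the switch's own code; policy names and sample packets are assumptions.
from dataclasses import dataclass

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # BOOTP vendor magic cookie (RFC 2132)
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82                         # relay agent information (RFC 3046)
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
NULL_GIADDR = b"\x00\x00\x00\x00"
OPTIONS_OFFSET = 240                         # 236-byte fixed header + 4-byte cookie


def parse_options(buf: bytes) -> list:
    """Walk the TLV option area into (code, value) pairs; stop at END."""
    opts, i = [], 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts.append((code, value))
        i += 2 + length
    return opts


def build_options(opts) -> bytes:
    """Serialise (code, value) pairs back into TLV form, terminated by END."""
    out = bytearray()
    for code, value in opts:
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Option-82 value: circuit-id and remote-id sub-options."""
    return (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)


def build_discover(giaddr: bytes, extra_opts=()) -> bytes:
    """Constructed sample DHCPDISCOVER (not a capture), with the given giaddr."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 1, 1, 6             # BOOTREQUEST, Ethernet, hlen 6
    hdr[4:8] = b"\xde\xad\xbe\xef"               # xid
    hdr[24:28] = giaddr                          # relay agent IP (0.0.0.0 = untouched)
    hdr[28:34] = bytes.fromhex("0011223344aa")   # client MAC
    opts = [(OPT_MSG_TYPE, b"\x01")] + list(extra_opts)
    return bytes(hdr) + MAGIC_COOKIE + build_options(opts)


def relay_check(packet: bytes, own_circuit_id: bytes, own_remote_id: bytes,
                policy: str = "replace"):
    """
    Agent-option check. Returns (action, packet_to_forward or None).
    - null giaddr + option 82 present: always drop (client forged it).
    - non-null giaddr + option 82 present: apply `policy` ('replace', 'keep', 'drop').
    - no option 82: insert this relay's own option 82 and forward.
    """
    if policy not in ("replace", "keep", "drop"):
        raise ValueError("unknown information policy: %r" % policy)
    if len(packet) < OPTIONS_OFFSET or packet[236:240] != MAGIC_COOKIE:
        return ("drop", None)                    # not a DHCP request at all
    giaddr = packet[24:28]
    opts = parse_options(packet[OPTIONS_OFFSET:])
    has_82 = any(code == OPT_RELAY_AGENT for code, _ in opts)
    own_82 = build_option82(own_circuit_id, own_remote_id)

    if has_82 and giaddr == NULL_GIADDR:
        return ("drop", None)                    # fixed behaviour, not configurable
    if has_82:
        if policy == "drop":
            return ("drop", None)
        if policy == "keep":
            return ("forward-keep", packet)      # trust the upstream relay's data
        opts = [(c, own_82 if c == OPT_RELAY_AGENT else v) for c, v in opts]
        action = "forward-replace"
    else:
        opts.append((OPT_RELAY_AGENT, own_82))   # option 82 goes last, before END
        action = "forward-insert"
    return (action, packet[:OPTIONS_OFFSET] + build_options(opts))
```

The check keys entirely on giaddr, so it is only as trustworthy as the layer-2 path into the relay: a host that can forge a packet with a non-null giaddr is treated as an upstream relay and, under the default "replace" policy, has its bogus option 82 overwritten rather than dropped. That is why case 2 above (a snooping switch that does not set giaddr) cannot be accommodated by this check alone; its packets look exactly like case 1 and are dropped.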