This section describes how to configure the DHCP (Dynamic Host Configuration Protocol) Relay agent option for Layer 2 forwarded DHCP packets.
The DHCP relay agent option feature inserts a piece of information, called option 82, into any DHCP request packet that is to be relayed by the switch. Similarly, if a DHCP reply received by the switch contains a valid relay agent option, the option will be stripped from the packet before it is relayed to the client. This is a Layer 2 option that functions only when the switch is not configured as a Layer 3 BOOTP relay.
The Agent remote ID sub-option always contains the Ethernet MAC address of the relaying switch. You can display the Ethernet MAC address of the switch by issuing the show switch command.
The contents of the inserted option 82 sub-options is as follows:
Code (1 byte) |
Length (1 byte) |
Sub- Option (1 byte) |
Length (1 byte) |
Value (1-32 bytes) |
Sub-Option (1 byte) |
Length (1 byte) |
Switch MAC address (6 bytes) |
---|---|---|---|---|---|---|---|
82 | 1 (Circuit ID) | 1-32 | vlan_info-port_info | 2 (Remote ID) | 6 |
To enable the DHCP relay agent option at Layer 2, use the following command:
configure ip-security dhcp-snooping information optionNote
When DHCP relay is configured in a DHCP snooping environment, the relay agent IP address should be configured as the trusted server.DHCP Request: When the switch (relay agent) receives a DHCP request, option 82 is added at the end of the packet. If the option has already been enabled, then the action taken depends on the configured policy (drop packet, keep existing option 82 value, or replace the existing option). Unless configured otherwise using the configure ip-security dhcp-snooping information circuit-id vlan-information vlan_info {vlan} [vlan_name | all] , the vlan_info portion of the circuit ID added will be the VLAN (Virtual LAN) ID of the ingress VLAN.
DHCP Reply: When the option 82 information check is enabled, the packets received from the DHCP server are checked for option 82 information. If the remote ID sub-option is the switch's MAC address, the packet is sent to the client; if not, the packet is dropped. If the check is not enabled. The packets are forwarded as-is.
To disable the DHCP relay agent option, use the following command:
unconfigure ip-security dhcp-snooping information optionIn some instances, a DHCP server may not properly handle a DHCP request packet containing a relay agent option.
To prevent DHCP reply packets with invalid or missing relay agent options from being forwarded to the client, use the following command:
configure ip-security dhcp-snooping information checkTo disable checking of DHCP replies, use this command:
unconfigure ip-security dhcp-snooping information checkA DHCP relay agent may receive a client DHCP packet that has been forwarded from another relay agent.
If this relayed packet already contains a relay agent option, then the switch will handle this packet according to the configured DHCP relay agent option policy. The possible actions are to replace the option information, to keep the information, or to drop packets containing option 82 information. To configure this policy, use the following command:
configure ip-security dhcp-snooping information policy [drop | keep | replace]The default relay policy is replace.
To configure the policy to the default, use this command:
unconfigure ip-security dhcp-snooping information policyThe Layer 2 relay agent option allows you to configure the circuit ID on a VLAN or port basis., the Circuit-ID can contain a variable length (up to 32 bytes long) ASCII string with the following format:
<VLAN Info>-<Port Info>
If the configuration of either VLAN Info or Port Info causes the total string length of <VLAN Info>-<Port Info> to exceed 32 bytes, then it is truncated to 32 bytes. The string is not NULL terminated, since the total circuit ID length is being specified.
When neither VLAN Info or Port Info is specified, circuit ID value is = 200-3005
When VLAN Info is configured to SomeInfo and Port Info is not specified, the circuit ID value is SomeInfo-3005
When VLAN Info is not specified and Port Info is configured to User1, the circuit ID value is 200-User1
When VLAN Info is configured to SomeInfo and Port Info to User1, the circuit ID value is SomeInfo-User1
VLAN Info is configurable per VLAN.
When not explicitly configured for a VLAN, VLAN Info defaults to the ASCII string representation of the ingress VLAN ID. To configure the circuit ID on a VLAN, use the following command:
configure ip-security dhcp-snooping information circuit-id vlan-information vlan_info {vlan} [vlan_name | all]
To unconfigure the circuit ID on a VLAN, use the following command:
unconfigure ip-security dhcp-snooping information circuit-id vlan-information [dynamic | {vlan} vlan_name |all]
Port Info is configurable.
When not explicitly configured for a port, port info defaults to the ASCII representation of the ingress port‘s SNMP (Simple Network Management Protocol) ifIndex. To configure the port information portion of the circuit-ID, use the following command:
configure ip-security dhcp-snooping information circuit-id port-information port_info port portTo unconfigure the port information portion of the circuit-ID, use the following command:
unconfigure ip-security dhcp-snooping information circuit-id port-information ports [port_list | all]Note
When this feature is enabled, all DHCP traffic must be forwarded in slowpath only, which means that this feature functions only in the context of IP Security and only on interfaces where DHCP snooping is enabled in enforcement (violation-action of ‘drop‘) mode. In other words, with DHCP snooping not configured with a violation-action of ‘none‘ (which is pure monitoring mode).