Alcatel-Lucent 6850-48 Guida Di Rete
Configuring DHCP Relay
Configuring DHCP Security Features
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
page 31-21
-> ip helper dhcp-snooping vlan 200 option-82 data-insertion disable
Note that if the binding table functionality is enabled, disabling Option-82 data insertion for the VLAN is
not allowed. See
not allowed. See
for more information.
Note. If DHCP Snooping is not enabled for a VLAN, then all ports associated with the VLAN are consid-
ered trusted ports. VLAN-level DHCP Snooping does not filter DHCP traffic on ports associated with a
VLAN that does not have this feature enabled.
ered trusted ports. VLAN-level DHCP Snooping does not filter DHCP traffic on ports associated with a
VLAN that does not have this feature enabled.
Configuring the Port Trust Mode
The DHCP Snooping trust mode for a port determines whether or not the port accepts all DHCP traffic,
client-only DHCP traffic, or blocks all DHCP traffic. The following trust modes for a port are config-
urable using the
client-only DHCP traffic, or blocks all DHCP traffic. The following trust modes for a port are config-
urable using the
• client-only—The default mode applied to ports when DHCP Snooping is enabled. This mode restricts
DHCP traffic on the port to only DHCP client-related traffic. When this mode is active for the port, the
port is considered an untrusted interface.
port is considered an untrusted interface.
• trust—This mode does not restrict DHCP traffic on the port. When this mode is active on a port, the
port is considered a trusted interface. In this mode the port behaves as if DHCP Snooping is not
enabled.
enabled.
• block—This mode blocks all DHCP traffic on the port. When this mode is active for the port, the port
is considered an untrusted interface.
To configure the trust mode for one or more ports, use the
command. For
example, the following command changes the trust mode for port 1/12 to blocked:
-> ip helper dhcp-snooping port 1/12 block
It is also possible to specify a range of ports. For example, the following command changes the trust mode
for ports 2/1 through 2/10 to trusted:
for ports 2/1 through 2/10 to trusted:
-> ip helper dhcp-snooping port 2/1-10 trust
Note that it is necessary to configure ports connected to DHCP servers within the network and/or firewall
as trusted ports so that necessary DHCP traffic to/from the server is not blocked. Configuring the port
mode as trusted also identifies the device connected to that port as a trusted device within the network.
as trusted ports so that necessary DHCP traffic to/from the server is not blocked. Configuring the port
mode as trusted also identifies the device connected to that port as a trusted device within the network.
Bypassing the Option-82 Check on Untrusted Ports
By default, DHCP Snooping checks packets received on untrusted ports (DHCP Snooping client-only or
blocked ports) to see if the packets contain the Option-82 data field. If a packet does contain this field, the
packet is dropped.
blocked ports) to see if the packets contain the Option-82 data field. If a packet does contain this field, the
packet is dropped.
To allow untrusted ports to receive and process DHCP packets that already contain the Option-82 data
field, use the
field, use the
command to disable the Option-82
check. For example:
-> ip helper dhcp-snooping bypass option-82-check enable