Alcatel-Lucent 6850-48 Network Guide

Configuring DHCP Relay
Configuring DHCP Security Features
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
page 31-19
• The port from where the DHCP packet originated.
• The VLAN associated with the port from where the DHCP packet originated.
• The lease time for the assigned IP address.
• The binding entry type; dynamic or static (user-configured).
After extracting the above information and populating the binding table, the packet is then forwarded to 
the port from where the packet originated. Basically, the DHCP Snooping feature prevents the normal 
flooding of DHCP traffic. Instead, packets are delivered only to the appropriate client and server ports. 
DHCP Snooping Configuration Guidelines
Consider the following when configuring the DHCP Snooping feature: 
• Layer 3 DHCP Snooping requires the use of the relay agent to process DHCP packets. As a result, 
DHCP clients and servers must reside in different VLANs so that the relay agent is engaged to forward 
packets between the VLAN domains. See 
 for information about how to configure the relay agent on the switch.
• Layer 2 DHCP Snooping does not require the use of the relay agent to process DHCP packets. As a 
result, an IP interface is not needed for the client/server VLAN. See
 for more information.
• Both Layer 2 and Layer 3 DHCP Snooping are active when DHCP Snooping is globally enabled for 
the switch or enabled on one or more VLANs. See 
 for 
more information.
• Configure ports connected to DHCP servers within the network as trusted ports. See 
 for more information.
• Make sure that Option-82 data insertion is always enabled at the switch or VLAN level. See 
 for more information.
• DHCP packets received on untrusted ports that already contain the Option-82 data field are discarded 
by default. To accept such packets, configure DHCP Snooping to bypass the Option-82 check. See 
 for more information.
• By default, DHCP traffic is rate limited to 512 DHCP messages per second per 
switching ASIC. Each switching ASIC controls 12 ports (e.g., ports 1–12, 13–24, etc.) on an OS6800 
and 24 ports (e.g., ports 1–24, 25–48, etc.) on an OS6850 unit or OS9000 module.
Enabling DHCP Snooping
There are two levels of operation available for the DHCP Snooping feature: switch level or VLAN level. 
These two levels are mutually exclusive; they cannot both operate on the switch at the same 
time. In addition, if the global DHCP relay agent information option (Option-82) is enabled for the switch, 
then DHCP Snooping at any level is not available. See 
 for more information.
Note. DHCP Snooping drops server packets received on untrusted ports (ports that connect to devices 
outside the network or firewall). It is important to configure ports connected to DHCP servers as trusted 
ports so that traffic to/from the server is not dropped.
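The drop and forward decisions described in the guidelines and the Note above, modelled as an added Python example (not code from this guide or from AOS). The Packet and Snooper classes, the pending-request lookup, the MAC and IP fields of the binding entry and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field

SERVER_TYPES = {"OFFER", "ACK", "NAK"}  # DHCP messages only a server sends

@dataclass
class Packet:                 # simplified DHCP packet (constructed model)
    msg_type: str
    port: str                 # ingress slot/port
    vlan: int
    client_mac: str
    has_option82: bool = False
    yiaddr: str = ""          # address assigned by the server
    lease: int = 0            # lease time in seconds

@dataclass
class Snooper:
    trusted_ports: set
    bypass_option82_check: bool = False
    pending: dict = field(default_factory=dict)   # MAC -> (client port, VLAN)
    bindings: dict = field(default_factory=dict)  # MAC -> binding entry

    def process(self, p):
        """Return (action, detail) for one DHCP packet."""
        trusted = p.port in self.trusted_ports
        if p.msg_type in SERVER_TYPES and not trusted:
            return ("drop", "server packet on untrusted port")
        if p.has_option82 and not trusted and not self.bypass_option82_check:
            return ("drop", "Option-82 already present on untrusted port")
        if p.msg_type not in SERVER_TYPES:
            # Client message: remember its origin, deliver to server ports only.
            self.pending[p.client_mac] = (p.port, p.vlan)
            return ("forward", "trusted ports")
        origin = self.pending.get(p.client_mac)
        if origin is None:    # assumption of this sketch, not stated in the guide
            return ("drop", "no matching client request")
        if p.msg_type == "ACK":   # populate the binding table from the ACK
            self.bindings[p.client_mac] = {
                "ip": p.yiaddr, "port": origin[0], "vlan": origin[1],
                "lease": p.lease, "type": "dynamic"}
        return ("forward", origin[0])  # only to the originating client port

def demo():
    sw = Snooper(trusted_ports={"1/24"})   # 1/24 faces the DHCP server
    mac = "02:00:00:00:00:01"              # constructed sample values
    return sw, [
        sw.process(Packet("DISCOVER", "1/5", 10, mac)),
        sw.process(Packet("OFFER", "1/7", 10, mac, yiaddr="10.0.0.66")),
        sw.process(Packet("REQUEST", "1/9", 10, "02:00:00:00:00:02", has_option82=True)),
        sw.process(Packet("ACK", "1/24", 10, mac, yiaddr="10.0.0.20", lease=3600)),
    ]
```

In demo(), the OFFER arriving on untrusted port 1/7 and the REQUEST that already carries Option-82 are both dropped, while the ACK from trusted port 1/24 creates a dynamic binding and is delivered only to port 1/5.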