18-3
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
78-17058-01
Chapter 18 Configuring DHCP Features and IP Source Guard
Understanding DHCP Features
The switch drops a DHCP packet when one of these situations occurs:
• A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received from outside the network or firewall.
• A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match.
• The switch receives a DHCPRELEASE or DHCPDECLINE broadcast message that has a MAC address in the DHCP snooping binding database, but the interface information in the binding database does not match the interface on which the message was received.
• A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address that is not 0.0.0.0, or the relay agent forwards a packet that includes option-82 information to an untrusted port.
If the switch is an aggregation switch supporting DHCP snooping and is connected to an edge switch that is inserting DHCP option-82 information, the switch drops packets with option-82 information when packets are received on an untrusted interface. If DHCP snooping is enabled and packets are received on a trusted port, the aggregation switch does not learn the DHCP snooping bindings for connected devices and cannot build a complete DHCP snooping binding database.
When an aggregation switch can be connected to an edge switch through an untrusted interface and you enter the ip dhcp snooping information option allowed-trust global configuration command, the aggregation switch accepts packets with option-82 information from the edge switch. The aggregation switch learns the bindings for hosts connected through an untrusted switch interface. The DHCP security features, such as dynamic ARP inspection or IP source guard on a Cisco ME 3400 switch running the metro access or metro IP access image, can still be enabled on the aggregation switch while the switch receives packets with option-82 information on ingress untrusted interfaces to which hosts are connected. The port on the edge switch that connects to the aggregation switch must be configured as a trusted interface.
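The drop rules and the allowed-trust behavior described above, modelled as an added example (not Cisco's code). The packet and switch-state structures, port names, and MAC values are constructed for illustration; the function returns the verdict the switch would reach for a packet arriving on a given port.

```python
from dataclasses import dataclass, field

# Message types that only a DHCP server should originate (from the list above).
SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}


@dataclass
class DhcpPacket:                 # constructed model of the fields the rules look at
    msg_type: str
    ingress_port: str
    src_mac: str                  # Ethernet source MAC
    chaddr: str                   # DHCP client hardware address
    giaddr: str = "0.0.0.0"       # relay-agent IP address
    has_option82: bool = False
    broadcast: bool = False


@dataclass
class SwitchState:                # constructed model of the snooping configuration
    trusted_ports: set
    allowed_trust: bool = False   # ip dhcp snooping information option allowed-trust
    bindings: dict = field(default_factory=dict)  # client MAC -> bound interface


def snooping_verdict(pkt: DhcpPacket, sw: SwitchState):
    """Return (dropped, reason) for one DHCP packet under the rules above."""
    trusted = pkt.ingress_port in sw.trusted_ports
    src, hw = pkt.src_mac.lower(), pkt.chaddr.lower()
    # Rule 1: server-originated messages are only accepted from trusted ports.
    if pkt.msg_type in SERVER_MSGS and not trusted:
        return True, "server message received on untrusted port"
    # Rule 2: on an untrusted port the source MAC must equal the client hardware address.
    if not trusted and src != hw:
        return True, "source MAC does not match client hardware address"
    # Rule 3: RELEASE/DECLINE must arrive on the interface recorded in the binding table.
    if pkt.msg_type in ("DHCPRELEASE", "DHCPDECLINE") and pkt.broadcast:
        bound_if = sw.bindings.get(src)
        if bound_if is not None and bound_if != pkt.ingress_port:
            return True, "binding database interface mismatch"
    # Rule 4: relay-agent fields (non-zero giaddr, option 82) are not accepted on
    # untrusted ports; allowed-trust relaxes only the option-82 part.
    if not trusted and pkt.giaddr != "0.0.0.0":
        return True, "relay-agent IP address is not 0.0.0.0 on untrusted port"
    if not trusted and pkt.has_option82 and not sw.allowed_trust:
        return True, "option-82 information received on untrusted port"
    return False, "forwarded"


if __name__ == "__main__":
    sw = SwitchState(trusted_ports={"Gi0/24"}, bindings={"00:11:22:33:44:55": "Gi0/1"})
    print(snooping_verdict(DhcpPacket("DHCPOFFER", "Gi0/1", "aa:bb:cc:dd:ee:ff",
                                      "aa:bb:cc:dd:ee:ff"), sw))
```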
Option-82 Data Insertion
In residential, metropolitan Ethernet-access environments, DHCP can centrally manage the IP address assignments for a large number of subscribers. When the DHCP option-82 feature is enabled on the switch, a subscriber device is identified by the switch port through which it connects to the network (in addition to its MAC address). Multiple hosts on the subscriber LAN can be connected to the same port on the access switch and are uniquely identified.
Note: The DHCP option-82 feature is supported only when DHCP snooping is globally enabled and on the VLANs to which subscriber devices using this feature are assigned.
Figure 18-1 is an example of a metropolitan Ethernet network in which a centralized DHCP server assigns IP addresses to subscribers connected to the switch at the access layer. Because the DHCP clients and their associated DHCP server do not reside on the same IP network or subnet, a DHCP relay agent (the Cisco ME switch) is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server.