Using DHCP snooping with option 82

DHCP adds Option 82 (relay information option) to DHCP request packets received on untrusted ports by default. (See “Configuring DHCP Relay” in the management and configuration guide for more information on Option 82.)

When DHCP is enabled globally and also enabled on a VLAN, and the switch is acting as a DHCP relay, the settings for the DHCP relay Option 82 command are ignored when snooping is controlling Option 82 insertion. Option 82 inserted in this manner allows the association of the client’s lease with the correct port, even when another device is acting as a DHCP relay or when the server is on the same subnet as the client.
NOTE:

DHCP snooping only overrides the Option 82 settings on a VLAN that has snooping enabled, not on VLANs without snooping enabled.

If DHCP snooping is enabled on a switch where an edge switch is also using DHCP snooping, it is desirable to have the packets forwarded so the DHCP bindings are learned. To configure the policy for DHCP packets from untrusted ports that already have Option 82 present, enter this command in the global configuration context.

Syntax:


[no] dhcp-snooping option 82 [remote-id <mac|subnet-ip|mgmt-ip>][untrusted-policy <drop|keep|replace>]

Enables DHCP Option 82 insertion in the packet

remote-id
Set the value used for the remote-id field of the relay information option.
mac

The switch mac address is used for the remote-id. This is the default.

subnet-ip

The IP address of the VLAN the packet was received on is used for the remote-id. If subnet-ip is specified but the value is not set, the MAC address is used.

mgmt-ip

The management VLAN IP address is used as the remote-id. If mgmt-ip is specified but the value is not set, the MAC address is used.

untrusted-policy
Configures DHCP snooping behavior when forwarding a DHCP packet from an untrusted port that already contains DHCP relay information (Option 82). The default is drop.
drop

The packet is dropped.

keep

The packet is forwarded without replacing the option information.

replace

The existing option is replaced with a new Option 82 generated by the switch.

NOTE:

The default drop policy should remain in effect if there are any untrusted nodes, such as clients, directly connected to this switch.