Cisco Systems CL-28826-01 Security Camera User Manual


60-89
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 60 Router Device Administration
DHCP on Cisco IOS Routers
For example, you can have the DHCP relay agent replace the forwarded message with a new relay
message. Additionally, you can choose whether to have the relay agent check the validity of relay
information contained within forwarded BOOTREPLY messages.
Related Topics
Understanding DHCP Database Agents, page 60-88
Understanding DHCP Option 82, page 60-89
Understanding Secured ARP, page 60-89
Defining DHCP Policies, page 60-90
DHCP on Cisco IOS Routers, page 60-87
Understanding DHCP Option 82
DHCP option 82 enables the DHCP relay agent to include information about itself and its attached client
when it forwards requests from a DHCP client to a DHCP server. The DHCP server can use this
information to assign IP addresses, perform access control, and set quality of service (QoS) and security
policies for each of its subscribers. When the DHCP option 82 feature is enabled, a subscriber is
identified by the switch port through which it connects to the network, instead of by its MAC address.
Multiple hosts on the subscriber LAN can be connected to the same port on the access switch and are
uniquely identified. Option 82 also enhances security on access switches by providing the ability to use
a user’s IP address to locate the port on which a user is attached.
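The following Python example is added here for illustration and is not part of the Cisco guide. It parses option 82 from a DHCP options field using the sub-option layout of RFC 3046 (sub-option 1 is the agent circuit ID, sub-option 2 is the agent remote ID) and keys a subscriber by relay port rather than by MAC address. The sample bytes and the `subscriber_key` helper are constructed for this example.

```python
OPT_PAD, OPT_END, OPT_RELAY_AGENT_INFO = 0, 255, 82
SUBOPT_NAMES = {1: "circuit_id", 2: "remote_id"}  # RFC 3046 sub-options


def iter_tlvs(buf, fixed_codes=()):
    """Yield (code, value) pairs from a code/length/value byte string."""
    i = 0
    while i < len(buf):
        code = buf[i]
        if code in fixed_codes:           # pad/end are single bytes, no length
            if code == OPT_END:
                return
            i += 1
            continue
        if i + 2 > len(buf):
            raise ValueError("truncated TLV header at offset %d" % i)
        length = buf[i + 1]
        value = buf[i + 2 : i + 2 + length]
        if len(value) != length:          # declared length runs past the buffer
            raise ValueError("TLV %d overruns buffer" % code)
        yield code, value
        i += 2 + length


def parse_option82(options):
    """Return {sub-option name: bytes} for option 82, or None if absent."""
    for code, value in iter_tlvs(options, fixed_codes=(OPT_PAD, OPT_END)):
        if code == OPT_RELAY_AGENT_INFO:
            # Inside option 82 every sub-option is code/length/value.
            return {SUBOPT_NAMES.get(c, "subopt_%d" % c): v
                    for c, v in iter_tlvs(value)}
    return None


def subscriber_key(options, chaddr):
    """Hypothetical helper: identify by relay port if option 82 is present."""
    info = parse_option82(options)
    if info and "circuit_id" in info:
        return ("port", info.get("remote_id", b""), info["circuit_id"])
    return ("mac", chaddr)


# Constructed sample: options field of a relayed DHCPDISCOVER.
SAMPLE = bytes.fromhex(
    "350101"                # option 53: message type = DISCOVER
    "5212"                  # option 82, 18 bytes of sub-options
    "0106000400640105"      # sub-option 1: circuit ID (constructed value)
    "02080006001122334455"  # sub-option 2: remote ID (constructed value)
    "ff")                   # end option
```

A malformed option 82 (a declared length that runs past the buffer) raises `ValueError` instead of being silently accepted.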
Related Topics
Understanding DHCP Database Agents, page 60-88
Understanding DHCP Relay Agents, page 60-88
Understanding Secured ARP, page 60-89
Defining DHCP Policies, page 60-90
DHCP on Cisco IOS Routers, page 60-87
Understanding Secured ARP
The DHCP Secure IP Address Assignment feature (also called DHCP Authorized ARP) enables you to
secure Address Resolution Protocol (ARP) table entries to DHCP leases in the DHCP database. This
feature secures and synchronizes the client’s MAC address to the DHCP binding, preventing
unauthorized clients or hackers from spoofing the DHCP server and taking over a DHCP lease of an
authorized client.
When you enable this feature and the DHCP server assigns an IP address to the DHCP client, the DHCP
server adds a secure ARP entry to the ARP table with the assigned IP address and the MAC address of
the client. These ARP entries cannot be updated by any other dynamic ARP packets, and they exist in
the ARP table for as long as the lease is active.
Secure ARP entries can be deleted only by an explicit termination message from the DHCP client or by
the DHCP server when the binding expires. To detect when a client has logged out, Secured ARP sends
periodic ARP messages to which only authorized users can respond. Unauthorized responses are blocked
at the DHCP server, providing an additional level of security.