In its original form, DHCP has no safeguards to protect from attacks on the assignment of the network configuration. For example, if a client sends a 'DHCP discover' packet on the network in order to retrieve a valid network configuration from a DHCP server, an attacker can send the client fake 'DHCP offer' packets and trick it into using a false default gateway (DHCP spoofing).
With DHCP snooping, the devices that receive and forward DHCP packets can analyze and modify these packets, and filter them by certain criteria. Additional information inserted about the origin of the DHCP packets improves a DHCP server's ability to manage large networks. Further, because this additional information is missing from an attacker's DHCP packets, they can no longer be used to interfere with the DHCP negotiations between DHCP servers, DHCP relay agents and DHCP clients.
The access point supports DHCP snooping on layer 2. This enables it, for example, to add information (such as the SSID) to the DHCP packets received from the client on the WLAN before forwarding them to the LAN. The access point then adds the DHCP relay agent information option (option 82) according to RFC 3046.
In LANconfig you can set up DHCP snooping for each interface under DHCP snooping.
After selecting the appropriate interface, you can set the following:
- Add DHCP agent info: Here you decide whether the DHCP relay agent adds the DHCP option "relay agent info" (option 82) to incoming DHCP packets, or modifies an existing entry, before forwarding the request to a DHCP server. The "relay agent info" is composed of the values for the Remote ID and the Circuit ID.
- On present agent info: Here you set how the DHCP relay agent handles a "relay agent info" that is already present in incoming DHCP packets. The following settings are possible:
  - Keep content: The DHCP relay agent forwards the DHCP packet with its existing "relay agent info" unchanged to the DHCP server.
  - Replace content: The DHCP relay agent replaces the existing "relay agent info" with the values specified in the fields Remote ID and Circuit ID.
  - Drop packet: The DHCP relay agent discards any DHCP packet that already contains a "relay agent info".
- Remote ID: The remote ID is a sub-option of the "relay agent info" option. It uniquely identifies the client making a DHCP request.
- Circuit ID: The circuit ID is a sub-option of the "relay agent info" option. It uniquely identifies the interface used by the client to make a DHCP request.
You can use the following variables for Remote ID and Circuit ID:
- %%: Inserts a percent sign.
- %c: Inserts the MAC address of the interface where the relay agent received the DHCP request. If a WLAN-SSID is involved, then this is the corresponding BSSID.
- %i: Inserts the name of the interface where the relay agent received the DHCP request.
- %n: Inserts the name of the DHCP relay agent as specified under .
- %v: Inserts the VLAN ID of the DHCP request packet. This VLAN ID is sourced either from the VLAN header of the DHCP packet or from the VLAN ID mapping for this interface.
- %p: Inserts the name of the Ethernet interface that received the DHCP packet. This variable is useful for devices featuring an Ethernet switch or Ethernet mapper, because they can map multiple physical interfaces to a single logical interface. For other devices, %p and %i are identical.
- %r: Inserts the interface-independent (i.e. valid throughout the system) MAC address of the device that received the DHCP request.
- %s: Inserts the WLAN SSID if the DHCP packet originates from a WLAN client. For other clients, this variable contains an empty string.
- %e: Inserts the serial number of the relay agent, to be found for example under .
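As an added illustration (not LANCOM code), the following Python model shows the option 82 handling described above: the %-variable expansion for Remote ID and Circuit ID, the sub-option encoding of RFC 3046, and the three "On present agent info" policies applied to a constructed DHCPDISCOVER. The context values, the DISCOVER bytes, and the choice to leave an unknown variable unexpanded are assumptions.

```python
import re

# Constructed values for one request received on a WLAN interface (not from a real device).
CTX = {"c": "00:a0:57:11:22:33", "i": "WLAN-1", "n": "ap-01", "v": "10", "p": "ETH-1",
       "r": "00:a0:57:aa:bb:cc", "s": "Guest", "e": "4001234567"}

def expand(template, ctx):
    """Expand the %-variables listed above; %% is a literal percent, unknown variables stay as-is (assumption)."""
    return re.sub(r"%(.)", lambda m: "%" if m.group(1) == "%" else ctx.get(m.group(1), m.group(0)), template)

def build_agent_info(circuit_id, remote_id):
    """Option 82 value: sub-option 1 (Circuit ID) and sub-option 2 (Remote ID), each as type/length/data."""
    body = bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id
    if len(body) > 255:  # a single DHCP option carries at most 255 bytes of data
        raise ValueError("relay agent info too long")
    return body

def parse_options(data):
    """Parse the DHCP options field (after the magic cookie) into [(code, value)]; 0 = pad, 255 = end."""
    opts, i = [], 0
    while i < len(data) and data[i] != 255:
        if data[i] != 0:
            opts.append((data[i], data[i + 2:i + 2 + data[i + 1]]))
        i += 1 if data[i] == 0 else 2 + data[i + 1]
    return opts

def parse_agent_info(value):
    """Sub-options of option 82 use the same type/length/data layout, so the same parser splits them."""
    return dict(parse_options(value))

def serialize(opts):
    return b"".join(bytes([code, len(value)]) + value for code, value in opts) + b"\xff"

def relay(options, on_present, circuit_tpl, remote_tpl, ctx):
    """Apply 'Add DHCP agent info' / 'On present agent info'; returns new options or None if dropped."""
    opts = parse_options(options)
    info = build_agent_info(expand(circuit_tpl, ctx).encode(), expand(remote_tpl, ctx).encode())
    if any(code == 82 for code, _ in opts):  # packet already carries a relay agent info
        if on_present == "drop":
            return None
        if on_present == "keep":
            return serialize(opts)
        opts = [(code, info if code == 82 else value) for code, value in opts]  # "replace"
    else:
        opts.append((82, info))
    return serialize(opts)

# Constructed DHCPDISCOVER options: message type 1, parameter request list, end marker.
DISCOVER = b"\x35\x01\x01\x37\x03\x01\x03\x06\xff"
```

Running `relay(DISCOVER, "replace", "%i:%v", "%c", CTX)` appends option 82 to the discover; feeding that result back with "drop" returns None, which is the behaviour that keeps a client-supplied option 82 from reaching the server.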