DHCP Option 82 is an additional security mechanism on top of DHCP Snooping. DHCP Option 82 is also known as “DHCP Relay Agent Information”. This additional security mechanism is used whenever the DHCP Server and the clients are in different networks. Here, when the client sends a DHCP request message, it is forwarded with additional information, DHCP Option 82.
Option 82 in DHCP was created with RFC 3046. Basically, the duty of this option is to identify both the DHCP Relay Agent (switch, router, etc.) and the client that sent the DHCP Discover message.
There are more than 200 DHCP options. Each option has a specific duty and plays a critical role in DHCP/BOOTP. Depending on these options, the DHCP packet length can differ, because every DHCP packet can carry a different number of DHCP options.
Now, let’s explain this extra security mechanism step by step.
When a client sends a DHCP Discover message, the DHCP Relay Agent takes this message and adds DHCP Option 82 to it. If there are any other nodes on the way to the DHCP Server, the same message traverses them with Option 82.
When the Discover message reaches the DHCP Server in the other network, the server replies with a DHCP Offer and again includes DHCP Option 82 in it. This DHCP Offer comes back to the DHCP Relay Agent with Option 82. The DHCP Relay Agent removes this field and sends the pure DHCP Offer to the client.
Here, the important point is this: the interface that receives “DHCP Option 82” must be a “trusted” port. If it is not, the packet is dropped. Think about it. At the beginning, the client was connected to an untrusted port, but it did not send a DHCP Discover message with Option 82; it only sent a plain DHCP Discover message. The DHCP Relay Agent then added Option 82 to the message. After that, this message with Option 82 always traveled through trusted ports, also on the return path from the DHCP Server to the DHCP Relay Agent. At the relay agent, the Option 82 field is removed and the pure DHCP Offer is sent to the client over the untrusted port.
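The steps above, as an added example that is not part of the original article: a small parser for the DHCP options area that pulls out Option 82 with its Circuit-ID (1) and Remote-ID (2) sub-options from RFC 3046, applies the snooping rule (Option 82 arriving on an untrusted port is dropped), and performs the relay agent's last step of stripping Option 82 from the Offer. The sample options bytes and the interface/switch names inside them are constructed for the example.

```python
from typing import Dict, Iterator, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options area
OPT_PAD, OPT_RELAY_AGENT, OPT_END = 0, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2  # RFC 3046 sub-option codes

def iter_tlvs(data: bytes, has_end: bool) -> Iterator[Tuple[int, bytes]]:
    """Walk code/length/value triples; DHCP options use PAD/END, sub-options do not."""
    i = 0
    while i < len(data):
        code = data[i]
        if has_end and code == OPT_END:
            return
        if has_end and code == OPT_PAD:
            i += 1
            continue
        length = data[i + 1]
        yield code, data[i + 2:i + 2 + length]
        i += 2 + length

def parse_options(options: bytes) -> Dict[int, bytes]:
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    return dict(iter_tlvs(options[len(MAGIC_COOKIE):], has_end=True))

def parse_option_82(value: bytes) -> Dict[int, bytes]:
    """Option 82 carries sub-options such as Circuit-ID (1) and Remote-ID (2)."""
    return dict(iter_tlvs(value, has_end=False))

def should_drop(options: bytes, port_trusted: bool) -> bool:
    """DHCP Snooping rule: a packet carrying Option 82 on an untrusted port is dropped."""
    return OPT_RELAY_AGENT in parse_options(options) and not port_trusted

def strip_option_82(options: bytes) -> bytes:
    """Relay agent step: remove Option 82 before forwarding the Offer to the client."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in iter_tlvs(options[len(MAGIC_COOKIE):], has_end=True):
        if code != OPT_RELAY_AGENT:
            out += bytes([code, len(value)]) + value
    return bytes(out + bytes([OPT_END]))

# Constructed sample: options area of a DHCP Offer carrying Option 82 (Circuit-ID "eth0/1", Remote-ID "sw1")
SAMPLE_OPTIONS = (
    MAGIC_COOKIE
    + b"\x35\x01\x02"                                    # option 53: DHCP Message Type = Offer
    + b"\x52\x0d" + b"\x01\x06eth0/1" + b"\x02\x03sw1"  # option 82, 13 bytes of sub-options
    + b"\xff"                                            # end of options
)
```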