Tuesday, July 30, 2013

The confusion over DHCP option 82

Option 82 has drawn a lot of confusion, and in this post we will look very closely at option 82, the "Relay Agent Information" that a relay agent (or a snooping switch) adds to the client's DHCP request before it reaches the DHCP server. Keep in mind that if a DHCP server does not recognize the option 82 field, it simply ignores it; the option is optional. A server that does understand it echoes the same option back in its reply, and the relay agent strips it before the reply is forwarded to the client, so the client never sees it.

DHCP relay agents use this option to hand client-location information to the DHCP server. This information can consist of the switch VLAN and port the client is attached to, or other circuit information as defined by the service provider. Many service providers insert option 82 on their access equipment for tracking, statistics and billing purposes (on PPPoE access networks the equivalent circuit information is carried in PPPoE intermediate-agent tags rather than in DHCP).

For this post we will use a Cisco 3560 with DHCP snooping enabled. On this platform, enabling DHCP snooping turns on insertion of the DHCP relay agent information option by default.

First, here is our DHCP snooping configuration for VLANs 1, 2 and 333:



We also mark gi 0/1, the port our DHCP server sits behind, as a DHCP snooping trusted port:

note: my DHCP server on port gi 0/1 ignores option 82 information

This sets the base for our diagnostics and capture. I'm capturing traffic on gi 0/1 and will replay it with tshark using the display filter 'bootp.option.agent_information_option.suboption'. (Wireshark 3.0 renamed the bootp dissector to dhcp, so on a current build the same field is 'dhcp.option.agent_information_option.suboption'.)


First, here is our show ip dhcp snooping output for VLANs 1, 2 and 333:




Notice that no custom circuit-ids are populated?

By default the switch builds the circuit-id in this fashion: a fixed 00 04 type/length pair, then the VLAN number (2 bytes), the module or stack-member number (1 byte) and the port number (1 byte). The remote-id is built the same way: a fixed 00 06 followed by the switch's 6-byte MAC address.



Okay, here's a packet capture for a client in VLAN 1 on port 2, with the option 82 details reflecting the client's VLAN and port number.
 



Notice the circuit-id 000400010102?

Read it as 00 04 | 0001 | 01 | 02: this reflects the client at VLAN 1, module 1, port 2.

If we move the client to port 5, the display looks like the following:




Notice the circuit-id is now 000400010105? Only the last byte, the port number, changed.



Okay, that was simple. Now let's look at the agent-remote-id. This value is taken from the switch's base MAC address (the first MAC address in its allocated range), so it is the same on every port of the switch.



Both the DHCP snooping and the DHCP relay information configurations insert this switch MAC address as the agent remote-id. So keep this in mind when you are looking at remote-id information: it identifies the switch that inserted the option, not the client, and without a custom format it carries no per-port information.

Next, I will reconfigure the above for VLAN 2 and then VLAN 333 so you can see the change in the client information that is relayed to the DHCP server:


VLAN 2





VLAN 333 (hex 0x014d, so the VLAN field of the circuit-id reads 014d instead of 0001)
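The circuit-id and remote-id fields discussed above are plain TLV bytes, so they are easy to decode off a capture without Wireshark. The following is an added example, not code from the original post: a small Python decoder that walks a DHCP options field, pulls out option 82, splits it into its sub-options, and interprets the Cisco default circuit-id (00 04 vlan module port) and remote-id (00 06 switch MAC) formats. The sample option bytes are constructed from the values shown in this post (VLAN 1 / port 2, port 5, VLAN 333 = 0x014d); the switch MAC 00:1a:2b:3c:4d:5e is an assumption, not the MAC of the switch used here.

```python
"""Decode DHCP option 82 (Relay Agent Information, RFC 3046) as inserted by a
Cisco switch with DHCP snooping in its default format.

Added example. The sample packets are constructed for this block; the switch
MAC used in the remote-id is assumed and is not from the original post.
"""
from typing import Dict, Tuple

OPTION_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
OPT_PAD, OPT_END = 0, 255


def find_option(options: bytes, code: int) -> bytes:
    """Walk a DHCP options field (the bytes after the 0x63825363 magic cookie)
    and return the value of option `code`. PAD (0) and END (255) carry no
    length byte, so they are handled before the generic TLV case."""
    i = 0
    while i < len(options):
        c = options[i]
        if c == OPT_END:
            break
        if c == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if c == code:
            return value
        i += 2 + length
    raise KeyError(f"option {code} not present")


def parse_option82(value: bytes) -> Dict[int, bytes]:
    """Split the option 82 payload into sub-options (type, length, data)."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option header")
        t, length = value[i], value[i + 1]
        data = value[i + 2 : i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated sub-option")
        subs[t] = data
        i += 2 + length
    return subs


def decode_cisco_circuit_id(data: bytes) -> Tuple[int, int, int]:
    """Cisco default circuit-id: 00 04 <vlan:2> <module:1> <port:1>.
    The leading 00 04 is an inner type/length pair; the next four bytes are
    VLAN (big-endian), module (slot / stack member) and port."""
    if len(data) != 6 or data[0] != 0 or data[1] != 4:
        raise ValueError(f"not a Cisco default circuit-id: {data.hex()}")
    vlan = int.from_bytes(data[2:4], "big")
    return vlan, data[4], data[5]


def decode_cisco_remote_id(data: bytes) -> str:
    """Cisco default remote-id: 00 06 <switch base MAC:6>."""
    if len(data) != 8 or data[0] != 0 or data[1] != 6:
        raise ValueError(f"not a Cisco default remote-id: {data.hex()}")
    return ":".join(f"{b:02x}" for b in data[2:])


def cisco_circuit_id(vlan: int, module: int, port: int) -> bytes:
    """Build the 6-byte Cisco default circuit-id for a VLAN/module/port."""
    return bytes([0, 4]) + vlan.to_bytes(2, "big") + bytes([module, port])


def build_options(vlan: int, module: int, port: int, switch_mac: bytes) -> bytes:
    """Construct a DHCP options field: message type DISCOVER, a PAD byte,
    option 82 with both Cisco default sub-options, then END. Test data only."""
    circuit = bytes([SUBOPT_CIRCUIT_ID, 6]) + cisco_circuit_id(vlan, module, port)
    remote = bytes([SUBOPT_REMOTE_ID, 8]) + bytes([0, 6]) + switch_mac
    opt82 = circuit + remote
    return (bytes([53, 1, 1]) + bytes([OPT_PAD])
            + bytes([OPTION_RELAY_AGENT, len(opt82)]) + opt82 + bytes([OPT_END]))


def describe(options: bytes) -> dict:
    """Locate option 82 in a DHCP options field and decode both sub-options."""
    subs = parse_option82(find_option(options, OPTION_RELAY_AGENT))
    vlan, module, port = decode_cisco_circuit_id(subs[SUBOPT_CIRCUIT_ID])
    return {
        "circuit_id": subs[SUBOPT_CIRCUIT_ID].hex(),
        "vlan": vlan, "module": module, "port": port,
        "switch_mac": decode_cisco_remote_id(subs[SUBOPT_REMOTE_ID]),
    }


SWITCH_MAC = bytes.fromhex("001a2b3c4d5e")  # assumed switch base MAC
SAMPLE_VLAN1_PORT2 = build_options(1, 1, 2, SWITCH_MAC)  # constructed

if __name__ == "__main__":
    print(describe(SAMPLE_VLAN1_PORT2))
    print(describe(build_options(333, 1, 5, SWITCH_MAC)))
```

Run against a real capture, the same `describe` call only needs the options bytes from the DHCP payload (offset 240 of the BOOTP frame, after the magic cookie); the decoder deliberately refuses anything that does not match the Cisco default layout rather than guessing, since a custom circuit-id format or another vendor's relay will not follow it.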



And finally, to disable this feature:


(for a switch with DHCP snooping enabled)




(for a router or switch acting as relay with ip helper-address)



I hope this helps with your understanding of option 82 and its place with regard to the DHCP relay and server.

Ken Felix
Freelance Network/Security Engineer
kfelix ----@---- socpuppets ---.----com

    ^    ^
=( *  * )=
     @
    /  \


