Understanding DHCP Option 82

In this post we will see how DHCP option 82 works. The DHCP Relay Agent Information option (Option 82) is commonly used in large enterprise deployments to provide additional information on the “physical attachment” of the client. Option 82 is meant for a distributed DHCP server/relay environment, where relays insert additional information to identify the client’s point of attachment. Here is the topology for this post.

DHCP82-00

In my example CAT4 is acting as the DHCP relay & CAT2 is acting as the DHCP server. First we will look at this from a wired network perspective & then see how to configure it in a wireless environment. Here is the basic configuration of CAT2 & CAT4.

CAT2
ip dhcp excluded-address 192.168.50.1 192.168.50.100
ip dhcp pool VLAN50
   network 192.168.50.0 255.255.255.0
   default-router 192.168.50.1

CAT4
interface Vlan50
 ip address 192.168.50.1 255.255.255.0
 ip helper-address 10.10.10.3
!
interface FastEthernet1/0/5
 switchport access vlan 50
 switchport mode access
 spanning-tree portfast

As you can see below, the DHCP discover message relayed by CAT4 does not carry any DHCP option 82 information.

DHCP82-01

If you want the DHCP relay to add option 82 information you have to configure the DHCP relay for that. I have given a subscriber identification of “MRN-DHCP82”.

CAT4
interface Vlan50
 ip dhcp relay information option subscriber-id MRN-DHCP82
 ip dhcp relay information option-insert

Now if you do “debug ip dhcp server packet detail” on CAT2 you will see output similar to the one below.

*Mar 12 13:24:14.294: DHCPD: DHCPDISCOVER received from client 0100.1cc0.1a68.1c on interface Vlan50.
*Mar 12 13:24:14.294: DHCPD: using received relay info.
*Mar 12 13:24:14.294: DHCPD: Looking up binding using address 192.168.50.1
*Mar 12 13:24:14.294: DHCPD: setting giaddr to 192.168.50.1.
*Mar 12 13:24:14.294: DHCPD: adding relay information option.
*Mar 12 13:24:14.294: DHCPD: relay information option content (add/replace):
*Mar 12 13:24:14.294:  DHCPD: 521a020c020a0000c0a832010a000000060a4d524e2d444843503832
*Mar 12 13:24:14.294: DHCPD: BOOTREQUEST from 0100.1cc0.1a68.1c forwarded to 10.10.10.3.
*Mar 12 13:24:14.302: DHCPD: Reload workspace interface FastEthernet1/0/23 tableid 0.
*Mar 12 13:24:14.302: DHCPD: tableid for 172.16.99.10 on FastEthernet1/0/23 is 0

Here is the Wireshark packet output for this DHCP discover message relayed by CAT4.

DHCP82-02

The DHCP option 82 format is <option><length><option content>. 0x52 is 82 in decimal, which indicates option 82 information; the content that follows is a list of sub-options, each again in <sub-option><length><value> form. Now on the DHCP server you need to define a DHCP class that matches this relay information (which carries the subscriber identification) in order to issue an IP to this client, so the server must know the relay information it should expect. If it matches, the server issues an IP to the client; otherwise the DHCP packets are dropped by the DHCP server. So here is the CAT2 configuration.

ip dhcp class MRN-DHCP82
   relay agent information
      relay-information hex 020c020a0000c0a832010a000000060a4d524e2d444843503832
!
ip dhcp pool VLAN50
   network 192.168.50.0 255.255.255.0
   default-router 192.168.50.1 
   class MRN-DHCP82
      address range 192.168.50.200 192.168.50.210
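To make the hex strings in the debug output readable, here is a small decoder written for this post (it is an added example, not code from the original post or from Cisco). It splits an option 82 payload into its sub-options and renders the WLC remote-id formats that appear later in the post; the sub-option names and the assumption that the WLC pads the SSID to 32 bytes are taken from the captures shown here, not from vendor documentation.

```python
# Added example: decode the option 82 payloads shown in the CAT2/CAT4 debug output.
# Sub-option codes follow RFC 3046 (1 = circuit-id, 2 = remote-id) and RFC 3993 (6 = subscriber-id).
SUBOPT_NAMES = {1: "circuit-id", 2: "remote-id", 6: "subscriber-id"}

def parse_relay_agent_info(hex_payload: str) -> dict:
    """Split an option 82 payload (the bytes after <52><len>) into <code><len><value> sub-options.
    A payload whose declared lengths run past the end of the data is rejected, not silently truncated."""
    data = bytes.fromhex(hex_payload)
    subopts = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header at offset %d" % i)
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d declares %d bytes, only %d present" % (code, length, len(value)))
        subopts[SUBOPT_NAMES.get(code, "subopt-%d" % code)] = value
        i += 2 + length
    return subopts

def parse_option82(hex_option: str) -> dict:
    """Parse a whole option as printed by the CAT4 relay debug: 0x52, length, payload."""
    data = bytes.fromhex(hex_option)
    if len(data) < 2 or data[0] != 82:
        raise ValueError("not a DHCP option 82 (0x52) block")
    if len(data) != 2 + data[1]:
        raise ValueError("option length %d does not match %d payload bytes" % (data[1], len(data) - 2))
    return parse_relay_agent_info(data[2:].hex())

def describe_wlc_remote_id(remote_id: bytes) -> dict:
    """Render the WLC remote-id formats seen in this post: <AP MAC> or <AP MAC>:<SSID>."""
    # Assumption (from the captures, not WLC docs): the SSID is zero-padded to 32 bytes.
    mac = ":".join("%02x" % b for b in remote_id[:6])
    ssid = None
    if remote_id[6:7] == b":":
        ssid = remote_id[7:].rstrip(b"\x00").decode("ascii", errors="replace")
    return {"mac": mac, "ssid": ssid}

if __name__ == "__main__":
    # The relay information string from the CAT4 debug output above (wired client).
    wired = parse_option82("521a020c020a0000c0a832010a000000060a4d524e2d444843503832")
    print(wired["subscriber-id"].decode())           # MRN-DHCP82
    # The WLC relay information seen later in the post (AP radio MAC as remote-id).
    wlc = parse_relay_agent_info("0104000000000206a0cf5b9ee820")
    print(describe_wlc_remote_id(wlc["remote-id"]))  # {'mac': 'a0:cf:5b:9e:e8:20', 'ssid': None}
```

Because the DHCP class on CAT2 matches the relay-information hex exactly, decoding it this way is the quickest check on why a client lands in (or falls out of) a class.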

If you do “debug ip dhcp server packet detail” on CAT2 you will see something like this.

*Mar 13 00:22:44.899 AEDT: DHCPD: Reload workspace interface FastEthernet1/0/4 tableid 0.
*Mar 13 00:22:44.899 AEDT: DHCPD: tableid for 172.16.99.6 on FastEthernet1/0/4 is 0
*Mar 13 00:22:44.899 AEDT: DHCPD: client's VPN is .
*Mar 13 00:22:44.899 AEDT: DHCPD: using received relay info.
*Mar 13 00:22:44.899 AEDT: DHCPD: DHCPDISCOVER received from client 0100.1cc0.1a68.1c through relay 192.168.51.1.
*Mar 13 00:22:44.899 AEDT: DHCPD: using received relay info.
*Mar 13 00:22:44.899 AEDT: DHCPD: Class 'MRN-DHCP82' matched by default
*Mar 13 00:22:44.899 AEDT: DHCPD: Searching for a match to 'relay-information 020c020a0000c0a833010b000000060a4d524e2d444843503832' 
*Mar 13 00:24:12.839 AEDT: DHCPD: DHCPDISCOVER received from client 0100.1cc0.1a68.1c through relay 192.168.50.1.
*Mar 13 00:24:12.839 AEDT: DHCPD: using received relay info.
*Mar 13 00:24:12.839 AEDT: DHCPD: Sending DHCPOFFER to client 0100.1cc0.1a68.1c (192.168.50.200).
*Mar 13 00:24:12.839 AEDT: DHCPD: no option 125
*Mar 13 00:24:12.839 AEDT: DHCPD: unicasting BOOTREPLY for client 001c.c01a.681c to relay 192.168.50.1.
*Mar 13 00:24:12.856 AEDT: DHCPD: Reload workspace interface FastEthernet1/0/4 tableid 0.
*Mar 13 00:24:12.856 AEDT: DHCPD: tableid for 172.16.99.6 on FastEthernet1/0/4 is 0
*Mar 13 00:24:12.856 AEDT: DHCPD: client's VPN is .
*Mar 13 00:24:12.856 AEDT: DHCPD: DHCPREQUEST received from client 0100.1cc0.1a68.1c.
*Mar 13 00:24:12.856 AEDT: DHCPD: Sending DHCPACK to client 0100.1cc0.1a68.1c (192.168.50.200)

Now we will see how this works in a wireless environment. As you know, for a wireless client the WLC acts as the DHCP relay and passes the DHCP discover & request messages to the DHCP server. We will create a WLAN with open authentication & assign it to the vlan50 interface created on the controller. If you are familiar with WLC CLI commands you can do this with the following commands.

(WLC3) >config interface create vlan50 50
(WLC3) >config interface address dynamic-interface vlan50 192.168.50.20 255.255.255.0 192.168.50.1
(WLC3) >config interface dhcp dynamic-interface vlan50 primary 10.10.10.3
(WLC3) >config interface port vlan50 1
(WLC3) >config wlan create 15 dhcp-82 dhcp-82
(WLC3) >config wlan security wpa disable 15
(WLC3) >config wlan enable 15

Now if you try to associate to this WLAN, you will not get an IP from the DHCP server. If you check the CAT2 “debug ip dhcp packet detail” output you will see output similar to this. The server complains that DHCP option 82 information is not present in the messages coming from the DHCP relay (WLC3).

*Mar 13 01:28:25.637 AEDT: DHCPD: Reload workspace interface FastEthernet1/0/4 tableid 0.
*Mar 13 01:28:25.637 AEDT: DHCPD: tableid for 172.16.99.6 on FastEthernet1/0/4 is 0
*Mar 13 01:28:25.637 AEDT: DHCPD: client's VPN is .
*Mar 13 01:28:25.637 AEDT: DHCPD: using received relay info.
*Mar 13 01:28:25.637 AEDT: DHCPD: DHCPDISCOVER received from client 0104.f7e4.ea5b.66 through relay 192.168.50.20.
*Mar 13 01:28:25.637 AEDT: DHCPD: using received relay info.
*Mar 13 01:28:25.637 AEDT: DHCPD: input does not contain option 82

This is the default behaviour of a WLC (I am on 7.0.116.0 code) & you have to configure it to add DHCP option 82. You can verify this with the “show interface detailed vlan50” command output as well.

(WLC3) >show interface detailed vlan50
Interface Name................................... vlan50
MAC Address...................................... 00:1b:d5:cf:e6:00
IP Address....................................... 192.168.50.20
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.50.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 50        
Quarantine-vlan.................................. 0
Physical Port.................................... 1         
Primary DHCP Server.............................. 10.10.10.3
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... No
Guest Interface.................................. No
L2 Multicast..................................... Enabled

You can enable it on an interface using the following CLI command.

(WLC3) >config interface dhcp dynamic-interface vlan50 ?               
primary        Primary DHCP Server.
option-82      Configures the DHCP option 82 on the interface

(WLC3) >config interface dhcp dynamic-interface vlan50 option-82 ?               
enable         Enables the DHCP option 82 on the interface               
disable        Disables the DHCP option 82 on the interface

(WLC3) >config interface dhcp dynamic-interface vlan50 option-82 enable 

Now if you check the CAT2 debug output you should see that the DHCP relay has provided option 82 information, as below.

*Mar 13 01:37:10.682 AEDT: DHCPD: using received relay info.
*Mar 13 01:37:10.682 AEDT: DHCPD: DHCPDISCOVER received from client 0104.f7e4.ea5b.66 through relay 192.168.50.20.
*Mar 13 01:37:10.682 AEDT: DHCPD: using received relay info.
*Mar 13 01:37:10.682 AEDT: DHCPD: Class 'MRN-DHCP82' matched by default
*Mar 13 01:37:10.682 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000206a0cf5b9ee820' in class MRN-DHCP82

We will define a new DHCP class & allocate a different IP address range for wireless clients.

ip dhcp class L3500
   relay agent information
      relay-information hex 0104000000000206a0cf5b9ee820
!
ip dhcp pool VLAN50
   network 192.168.50.0 255.255.255.0
   default-router 192.168.50.1 
   class MRN-DHCP82
      address range 192.168.50.200 192.168.50.210
   class L3500
      address range 192.168.50.222 192.168.50.230

Once you configure this you should see your wireless client get an IP from the range you specified. It should be within 192.168.50.222-230 in my example.

*Mar 13 01:41:44.601 AEDT: DHCPD: using received relay info.
*Mar 13 01:41:44.601 AEDT: DHCPD: DHCPDISCOVER received from client 0104.f7e4.ea5b.66 through relay 192.168.50.20.
*Mar 13 01:41:44.601 AEDT: DHCPD: using received relay info.
*Mar 13 01:41:44.601 AEDT: DHCPD: Sending DHCPOFFER to client 0104.f7e4.ea5b.66 (192.168.50.222).
*Mar 13 01:41:44.601 AEDT: DHCPD: no option 125
*Mar 13 01:41:44.601 AEDT: DHCPD: unicasting BOOTREPLY for client 04f7.e4ea.5b66 to relay 192.168.50.20.
*Mar 13 01:41:45.658 AEDT: DHCPD: Reload workspace interface FastEthernet1/0/4 tableid 0.
*Mar 13 01:41:45.658 AEDT: DHCPD: tableid for 172.16.99.6 on FastEthernet1/0/4 is 0
*Mar 13 01:41:45.658 AEDT: DHCPD: client's VPN is .
*Mar 13 01:41:45.658 AEDT: DHCPD: DHCPREQUEST received from client 0104.f7e4.ea5b.66.
*Mar 13 01:41:45.658 AEDT: DHCPD: Sending DHCPACK to client 0104.f7e4.ea5b.66 (192.168.50.222).

Here is the Wireshark packet capture of the DHCP discover message relayed by the WLC.

DHCP82-03

If you look at the DHCP option 82 information more closely you will see the Agent Remote ID is the AP radio MAC address (a0cf5b9ee820). This is because by default the WLC uses the AP radio MAC address. You can verify this via the controller GUI (Controller -> Advanced -> DHCP) or the “show dhcp opt-82” CLI command.

DHCP82-04

(WLC3) >show dhcp opt-82 
DHCP Opt-82 RID Format: <AP radio MAC address>

(WLC3) >config dhcp opt-82 ?
remote-id      Set Format for RemoteId field in DHCP option 82

(WLC3) >config dhcp opt-82 remote-id ?
ap-mac         Set RemoteID format as <AP radio MAC address>
apmac:ssid     Set RemoteID format as <AP radio MAC address>:<SSID>
ap-ethmac      Set RemoteID format as <AP Ethernet MAC address>

As you can see, the other options are the AP Ethernet MAC address or the AP radio MAC & SSID. Let’s change this to AP Ethernet MAC & see the debug output. Before that we will check the LAP2 MAC addresses.

DHCP82-05

Once we change the Option 82 Remote-ID to the AP Ethernet MAC address (708105037cef) we should see the option 82 information contain that instead of the AP radio MAC address. You can change it via GUI or CLI. Below is the CLI command.

(WLC3) >config dhcp opt-82 remote-id ap-ethmac

CAT2
*Mar 13 02:40:12.687 AEDT: DHCPD: using received relay info.
*Mar 13 02:40:12.687 AEDT: DHCPD: DHCPDISCOVER received from client 0100.22fa.9468.58 through relay 192.168.50.20.
*Mar 13 02:40:12.687 AEDT: DHCPD: using received relay info.
*Mar 13 02:40:12.687 AEDT: DHCPD: Class 'MRN-DHCP82' matched by default
*Mar 13 02:40:12.687 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000206708105037cef' in class MRN-DHCP82
*Mar 13 02:40:12.687 AEDT: DHCPD: Class 'L3500' matched by default
*Mar 13 02:40:12.687 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000206708105037cef' in class L3500

As you can see, the relay information now includes the AP Ethernet MAC address & we have to change the relay information on the DHCP server (CAT2) in order to accept these messages coming from the WLC & allocate an IP address for the client.

ip dhcp class L3500
   relay agent information
      relay-information hex 0104000000000206708105037cef
      relay-information hex 0104000000000206a0cf5b9ee820

Now you can see the client gets an IP & the packet capture verifies that the option 82 remote ID is the AP Ethernet MAC address as well.

DHCP82-06

Finally we change the option-82 remote ID to the AP radio MAC address & SSID option. This time you can see the DHCP option 82 information is different from the previous ones.

*Mar 13 03:08:30.441 AEDT: DHCPD: using received relay info.
*Mar 13 03:08:30.441 AEDT: DHCPD: DHCPDISCOVER received from client 0120.02af.12e4.f7 through relay 192.168.50.20.
*Mar 13 03:08:30.441 AEDT: DHCPD: using received relay info.
*Mar 13 03:08:30.441 AEDT: DHCPD: Class 'MRN-DHCP82' matched by default
*Mar 13 03:08:30.441 AEDT: DHCPD: Searching for a match to 'relay-information 0104000000000227a0cf5b9ee8203a646863702d383200000000000000000000000000000000000000000000000000' in class MRN-DHCP82

Once you add this information to the DHCP class relay information on CAT2 you will see the client get an IP.

ip dhcp class L3500
   relay agent information
      relay-information hex 0104000000000206708105037cef
      relay-information hex 0104000000000206a0cf5b9ee820
      relay-information hex 0104000000000227a0cf5b9ee8203a646863702d383200000000000000000000000000000000000000000000000000

Here is the Wireshark capture this time.

DHCP82-07

That covers DHCP option 82. You can refer to the following YouTube video from Jerome Henry for further information.

CCIE Wireless DHCP Option 82

Related Posts

1. Understanding DHCP
2. Understanding DHCP Snooping
3. Understanding DHCP Option 43


