DHCP option 82

Hi


I know there are some posts in the forum regarding this issue, but I still have some questions regarding this matter after reading the other posts.

http://blog.ine.com/2009/07/22/understanding-dhcp-option-82/

After reading Petr's post regarding this issue I still have a couple of questions, mainly regarding the following sentences:

"Notice that by default Cisco IOS devices reject packets with zero “giaddr” and by default Cisco Catalyst switches use “giaddr” of zero when configured for DHCP snooping!"

and

"By default, when you enable DHCP snooping in a 3550/3560 switch, the switch will be inserting the information option but will set “giaddr” to zero. To handle this in an IOS router, use the command ip dhcp relay information trust-all to accept packets with zero “giaddr”."

1. Cisco IOS routers configured as relay agents (not as DHCP server) will drop DHCP packets (DHCPDISCOVER, DHCPREQUEST) that entered through a switch configured with "dhcp snooping" (by default the 3550/3560 attaches option 82 when configured for DHCP snooping), because the packet arrives at the relay agent with giaddr=0.0.0.0 plus option 82 (both attached by the switch). Is this assumption correct?

2. A normal DHCP client connected to a switch not implementing DHCP snooping (so no option 82 attached by the switch) will have giaddr=0.0.0.0, but since it arrives at the relay agent without option 82 attached, it will be relayed.

Kind Regards,

Bruno Fernandes

Comments

  • Hi Bruno,

    This is my understanding about ip dhcp relay information trust-all:

    If the gateway address is set to all zeros in the DHCP packet and the relay agent information option is already present in the packet, the DHCP relay agent will discard the packet. We use the ip dhcp relay information trust-all command to override this behavior and accept the packets.

    ip dhcp relay information trust-all is useful if there is a switch in between the client and the relay agent that may insert option 82. Use this command to ensure that these packets do not get dropped.

    HAPPY STUDY

    [:D]

  • Hi nnn,

    Your understanding is somehow equal to mine, but following your understanding (and mine also), if I have a 3560 that is both an access switch with dhcp snooping configured (so option 82 attached by default) and I also have an SVI configured (in the same switch), and under that SVI I'm pointing to another DHCP server in another VLAN (so I have used "ip helper-address" to forward the bootp requests, so it's working as a dhcp-relay agent), the bootp (DISCOVER, REQUEST) should be discarded. Do you agree?

    My point here is:

    1. The packet is tagged by the switch with option 82

    2. The DHCPDISCOVER is relayed to another VLAN. In this case, in my opinion, it should be discarded. Correct?

    Example:

    !
    ip dhcp snooping
    ip dhcp snooping vlan 9
    !
    interface vlan 9
     ip address 192.168.9.1 255.255.255.0
     ip helper-address 172.16.1.10
    !
    ip route 0.0.0.0 0.0.0.0 192.168.9.254
    !

    Kind regards,

    Bruno Fernandes

  • Hi Bruno,

    According to your scenario, this is the sequence of events between the DHCP client and server; a good explanation I found on the Cisco site:

    - The host (DHCP client) generates a DHCP request and broadcasts it on the network.
    - When the switch receives the DHCP request, it adds the option-82 information in the packet. By default, the remote-ID suboption is the switch MAC address, and the circuit-ID suboption is the port identifier, vlan-mod-port, from which the packet is received.
    - If the IP address of the relay agent is configured, the switch adds this IP address in the DHCP packet.
    - The switch forwards the DHCP request that includes the option-82 field to the DHCP server.
    - The DHCP server receives the packet. If the server is option-82-capable, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. Then the DHCP server echoes the option-82 field in the DHCP reply.
    - The DHCP server unicasts the reply to the switch if the request was relayed to the server by the switch. The switch verifies that it originally inserted the option-82 data by inspecting the remote ID and possibly the circuit ID fields. The switch removes the option-82 field and forwards the packet to the switch port that connects to the DHCP client that sent the DHCP request.
    - If the DHCP relay agent is enabled but DHCP snooping is disabled, the DHCP option-82 data insertion feature is not supported.

    More details are available here:

    http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swdhcp82.html

    HAPPY STUDY

    [:D]
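A small model of the two behaviours discussed in this thread: the IOS relay-agent check from the first reply (giaddr 0.0.0.0 plus option 82 present is dropped unless ip dhcp relay information trust-all is set) and the Catalyst default suboption formats from the list above (circuit-id vlan-mod-port, remote-id switch MAC). This is an added example, not code from the thread or from Cisco; the exact suboption byte layout and the sample MAC addresses are assumptions/constructed values.

```python
import struct

OPT_RELAY_AGENT_INFO, SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 82, 1, 2
SWITCH_MAC = bytes.fromhex("001122334455")  # constructed sample switch MAC
CLIENT_MAC = bytes.fromhex("00aabbccddee")  # constructed sample client MAC

def build_option82(vlan, module, port, switch_mac):
    # Assumed Catalyst default layout: circuit-id = type 0, len 4, vlan(2) mod(1) port(1); remote-id = type 0, len 6, MAC
    circuit = struct.pack("!BBHBB", 0, 4, vlan, module, port)
    remote = struct.pack("!BB6s", 0, 6, switch_mac)
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUBOPT_REMOTE_ID, len(remote)]) + remote)
    return bytes([OPT_RELAY_AGENT_INFO, len(body)]) + body

def build_discover(giaddr=b"\x00" * 4, extra_opts=b""):
    # 236-byte BOOTP header (op=1 BOOTREQUEST, htype=1, hlen=6, broadcast flag), then magic cookie + options
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, giaddr,
                         CLIENT_MAC + b"\x00" * 10, b"\x00" * 64, b"\x00" * 128)
    return header + b"\x63\x82\x53\x63" + bytes([53, 1, 1]) + extra_opts + b"\xff"  # 53=1 is DHCPDISCOVER

def parse_options(pkt):
    opts, i = {}, 240  # options start after the fixed header and the magic cookie
    while i < len(pkt) and pkt[i] != 255:  # 255 = end option
        if pkt[i] == 0:  # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def decode_option82(data):
    out, i = {}, 0
    while i < len(data):
        sub, length = data[i], data[i + 1]
        val = data[i + 2:i + 2 + length]
        if sub == SUBOPT_CIRCUIT_ID:
            out["circuit_id"] = struct.unpack("!HBB", val[2:6])  # (vlan, module, port)
        elif sub == SUBOPT_REMOTE_ID:
            out["remote_id"] = val[2:8].hex(":")
        i += 2 + length
    return out

def relay_decision(pkt, trust_all=False):
    # IOS relay rule quoted in the thread: giaddr 0.0.0.0 plus option 82 -> drop, unless trust-all is configured
    if pkt[24:28] == b"\x00" * 4 and OPT_RELAY_AGENT_INFO in parse_options(pkt) and not trust_all:
        return "drop"
    return "relay"
```

Running relay_decision on a DISCOVER built with build_option82 shows the drop/relay outcome for each of the four combinations of giaddr and trust-all that the thread discusses.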

  • if I have a 3560 that is both an access switch with dhcp snooping configured (so option 82 attached by default) and I also have an SVI configured (in the same switch), and under that SVI I'm pointing to another DHCP server in another VLAN (so I have used "ip helper-address" to forward the bootp requests, so it's working as a dhcp-relay agent), the bootp (DISCOVER, REQUEST) should be discarded. Do you agree?

    My point here is:

    1. The packet is tagged by the switch with option 82

    2. The DHCPDISCOVER is relayed to another VLAN. In this case, in my opinion, it should be discarded. Correct?

    Yup, this is my understanding. But I tried on a router that is doing DHCP relay. Maybe you can try it on the switch using an SVI and let me know if it behaves the same?
    The command "ip dhcp relay information trust-all" is needed to make the router relay the DHCP Discover/Request.

  • Hi Alexander,

    Yup, I have in my office a 3560 that is both access and core switch, does DHCP relay and also dhcp snooping (LOL, one man show)

    and the bootp requests are simply relayed to another VLAN. This duality of behaviour (router vs switch) makes me wonder: why does this happen?

    Just a couple of shows and the config:

    RT_SW_Core#sh ip dhcp snooping
    Switch DHCP snooping is enabled
    DHCP snooping is configured on following VLANs:
    8-9,100
    Insertion of option 82 is enabled
       circuit-id format: vlan-mod-port
        remote-id format: MAC
    Option 82 on untrusted port is not allowed
    Verification of hwaddr field is enabled
    Interface                    Trusted     Rate limit (pps)
    ------------------------     -------     ----------------
    FastEthernet0/27             yes         unlimited
    GigabitEthernet0/1           yes         unlimited
    Port-channel1                yes         unlimited

    interface Vlan8
     description Rede Wireless corporativa
     ip address 172.20.8.1 255.255.255.0
     ip helper-address 172.20.10.101
    end
    !
    interface Vlan2
     description Vlan Servidores
     ip address 172.20.10.1 255.255.255.0
    end

    Kind regards,

    Bruno Fernandes

  • Good to know! Thanks for sharing Bruno.

  • Hi all,

       The difference is somehow obvious: if you have client--->L2 switch (which inserts option 82)--->L3 router which has a DHCP server configured, the router will discard the DHCP Request; the cause is outlined by yourself. However, when you have client--->L2/L3 switch (which inserts DHCP snooping and is also a DHCP server or relay agent), the switch does not drop the message, because option 82 is inserted when the switch forwards the message (if it is a DHCP server it never forwards the message; if it is a relay agent it encapsulates the packet in a unicast message which is accepted by the DHCP server).

    Good luck with your studies!

  • Hi Cristian,

    You are assuming that option 82 is added only when the switch forwards the bootp message to the server (L2/L3 switch plus relay agent).

    ######

    When you enable the DHCP snooping information option 82 on the switch, this sequence of events occurs:

    The host (DHCP client) generates a DHCP request and broadcasts it on the network.

    When the switch receives the DHCP request, it adds the option-82 information in the packet. By default, the remote-ID suboption is the switch MAC address, and the circuit-ID suboption is the port identifier, vlan-mod-port, from which the packet is received.

    ######

    From the 3560 documentation I was assuming that option 82 is added first, but somehow your assumption makes sense to me. Or am I interpreting the documentation wrongly?

    Thanks for your help,

    Bruno Fernandes

  • Hi Bruno,

       You understand that we can only assume, but in the case where the switch is also the DHCP server, because the packet never goes to an outgoing interface, the switch does not need to add option 82.

    Good luck with your studies!
