DHCP Option 82 is organized as a single DHCP option that contains
information known by the relay agent. It provides additional security when DHCP
is used to allocate network addresses. It enables the controller to act as a
DHCP relay agent to prevent DHCP client requests from untrusted sources.
The controller can be configured to add option 82 information to DHCP
requests from clients before forwarding the requests to the DHCP server. DHCP
servers can then be configured to allocate IP addresses to the wireless client
based on the information present in DHCP Option 82. This document provides a
configuration example for this scenario.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and
4400 Wireless LAN Controller that runs firmware version 188.8.131.52
1131 Lightweight Access Point
1310 Lightweight Access Point
802.11a/b/g Wireless LAN Client Adapters that run software version
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Refer to the Cisco Technical Tips
Conventions for more information on document conventions.
DHCP provides a framework for passing configuration information to
hosts on a TCP/IP network. Configuration parameters and other control
information are carried in tagged data items that are stored in the options
field of the DHCP message. The data items themselves are also called
Option 82 contains information known by the relay agent.
The Relay Agent Information option is organized as
a single DHCP option that contains one or more sub-options that convey
information known by the relay agent. Option 82 was designed to allow a DHCP
Relay Agent to insert circuit-specific information into a request that is being
forwarded to a DHCP server. This option works by setting two
The Circuit ID suboption includes information specific to the circuit
the request came in on. This suboption is an identifier that is specific to the
relay agent, so what kind of circuit is described will vary depending on the
The Remote ID suboption includes information on the remote host end of
the circuit. This suboption usually contains information that identifies the
relay agent. In a wireless network, this would likely be a unique identifier of
the wireless access point.
In a Cisco Unified Wireless network, you can configure the controller
to append three types of information in the DHCP Option 82.
DHCP Option 82 is constructed as follows:
sub option 01, Length, Circuit ID, sub option 02, Length, Remote ID
Circuit ID is 0 for all WLANs. Length of suboption 2 will change
depending on whether AP MAC or AP MAC-SSID option is used.
For example, if the AP radio MAC address is 001c57437950 and we use the
AP-MAC option on the WLC, the DHCP Option 82 information that is appended in
the DHCP request will be as follows:
In this section, you are presented with the information to configure
the features described in this document.
In the setup, two lightweight access points are registered to the
Wireless LAN Controller (LAP1 and LAP2). You must configure the WLC as a DHCP
relay agent and configure DHCP Option 82 so that the clients receive IP
addresses from different ranges based on the AP to which they connect.
IP range for clients that connect to LAP1 - 192.168.1.10
IP range for clients that connect to LAP2 - 192.168.1.30
Here are the AP radio MAC addresses of the two LAPs:
LAP1 - 001c57437950
LAP2 - 001b53b99b00
This example uses a Cisco IOS® Router as a
DHCP server. In this example, a network scope is configured for the pool and
two sub scopes are created using the DHCP class feature. Next, the Cisco IOS
DHCP server is configured to allocate IP addresses from the two sub scopes
based on the relay agent information (DHCP option 82 information) that DHCP
server receives in the DHCP request.
Complete these steps in order to configure the wireless LAN controller
for DHCP Option 82:
From the WLC GUI, navigate to Controller > Advanced >
The DHCP parameters page appears.
On this page, check the Enable DHCP Proxy check
Choose a DCHP Option 82 remote ID field format from the DHCP
Option 82 Remote ID field format drop-down list.
As described earlier, the format defines the information that is sent
to the DHCP server in Option 82. This example uses the AP-MAC option.
Therefore, the AP radio MAC address will be sent in the DHCP request from the
WLC to the DHCP server.
Note: The AP includes two types of MAC addresses. AP MAC Address and Base
Radio MAC. The WLC appends the Base Radio MAC in Option 82. The base radio MAC
of an AP can be identified from the All APs > Details
page for the specific AP.
The next step is to configure the Cisco IOS DHCP server.
Complete these steps in order to configure the Cisco IOS DHCP
Create a DHCP pool and define a DHCP scope.
Create Classes to define multiple ranges within the scope.
Configure the DHCP relay agent information.
This sample code provides an example of how complete these
configuration steps on the Cisco IOS router.
!--- This command creates a new DHCP Pool “Option 82.”
ip dhcp pool Option82
!--- This command defines a network scope for the pool.
network 192.168.1.0 255.255.255.0
!--- This command defines the address range for Class AA.
address range 192.168.1.10 192.168.1.20
!--- This command defines the address range for Class BB.
address range 192.168.1.30 192.168.1.40
ip dhcp class Vendor
!--- This command defines a DHCP Class AA and configures
!--- relay agent information for the class.
ip dhcp class AA
relay agent information
relay-information hex 0104000000000206001c57437950
!--- This command defines a DHCP Class BB and configures
!--- relay agent information for the class.
ip dhcp class BB
relay agent information
relay-information hex 0104000000000206001b53b99b00
Note: Only the configuration relevant to the DHCP option 82 are shown here.
Add other DHCP configurations as required.
When the configuration is complete, the Cisco IOS software looks up a
pool based on IP address (giaddr or incoming IP address)
and then matches the request to a class or classes configured in the pool in
the order in which the classes are specified in the DHCP pool configuration.
When a DHCP address pool has been configured with one or more DHCP
classes, the pool becomes a restricted access pool, which means that no
addresses are allocated from the pool unless one or more of the classes in the
pool is matched. This design allows DHCP classes to be used for either access
control (no default class is configured on the pool) or to provide further
address range partitions with the subnet of the pool.
In this configuration example, when a client associated to LAP1 sends a
DHCP request, the request reaches the WLC. The WLC acts as a DHCP relay agent,
adds DHCP Option 82 information to the DHCP request, and then forwards the
request to the external DHCP server, which in this case is the Cisco IOS
The DHCP server looks at the DHCP request, examines Option 82
information, and matches it to Class AA. It then allocates an IP address
defined for class A. That is, it assigns an IP address from the range
192.168.1.10 - 192.168.1.20.
Similarly, for clients that are associated to LAP2, the DHCP server
will assign IP addresses from the range 192.168.1.30 - 192.168.1.40 based on
Option 82 information.
You can enable the debug ip dhcp server
class command on the Cisco IOS router CLI to display the class