DHCP Option 82 is organized as a single DHCP option that contains information known by the relay agent. It provides additional security when DHCP is used to allocate network addresses. It enables the controller to act as a DHCP relay agent to prevent DHCP client requests from untrusted sources.
The controller can be configured to add option 82 information to DHCP requests from clients before forwarding the requests to the DHCP server. DHCP servers can then be configured to allocate IP addresses to the wireless client based on the information present in DHCP Option 82. This document provides a configuration example for this scenario.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
4400 Wireless LAN Controller that runs firmware version 126.96.36.199
1131 Lightweight Access Point
1310 Lightweight Access Point
802.11a/b/g Wireless LAN Client Adapters that run software version 4.0
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
DHCP provides a framework for passing configuration information to hosts on a TCP/IP network. Configuration parameters and other control information are carried in tagged data items that are stored in the options field of the DHCP message. The data items themselves are also called options.
Option 82 contains information known by the relay agent.
The Relay Agent Information option is organized as a single DHCP option that contains one or more sub-options that convey information known by the relay agent. Option 82 was designed to allow a DHCP Relay Agent to insert circuit-specific information into a request that is being forwarded to a DHCP server. This option works by setting two sub-options:
The Circuit ID suboption includes information specific to the circuit the request came in on. This suboption is an identifier that is specific to the relay agent, so what kind of circuit is described will vary depending on the relay agent.
The Remote ID suboption includes information on the remote host end of the circuit. This suboption usually contains information that identifies the relay agent. In a wireless network, this would likely be a unique identifier of the wireless access point.
In a Cisco Unified Wireless network, you can configure the controller to append three types of information in the DHCP Option 82.
DHCP Option 82 is constructed as follows:
sub option 01, Length, Circuit ID, sub option 02, Length, Remote ID
Circuit ID is 0 for all WLANs. Length of suboption 2 will change depending on whether AP MAC or AP MAC-SSID option is used.
For example, if the AP radio MAC address is 001c57437950 and we use the AP-MAC option on the WLC, the DHCP Option 82 information that is appended in the DHCP request will be as follows:
In this section, you are presented with the information to configure the features described in this document.
In the setup, two lightweight access points are registered to the Wireless LAN Controller (LAP1 and LAP2). You must configure the WLC as a DHCP relay agent and configure DHCP Option 82 so that the clients receive IP addresses from different ranges based on the AP to which they connect.
IP range for clients that connect to LAP1 - 192.168.1.10 192.168.1.20
IP range for clients that connect to LAP2 - 192.168.1.30 192.168.1.40
Here are the AP radio MAC addresses of the two LAPs:
LAP1 - 001c57437950
LAP2 - 001b53b99b00
This example uses a Cisco IOS® Router as a DHCP server. In this example, a network scope is configured for the pool and two sub scopes are created using the DHCP class feature. Next, the Cisco IOS DHCP server is configured to allocate IP addresses from the two sub scopes based on the relay agent information (DHCP option 82 information) that DHCP server receives in the DHCP request.
Complete these steps in order to configure the wireless LAN controller for DHCP Option 82:
From the WLC GUI, navigate to Controller > Advanced > DHCP.
The DHCP parameters page appears.
On this page, check the Enable DHCP Proxy check box.
Choose a DCHP Option 82 remote ID field format from the DHCP Option 82 Remote ID field format drop-down list.
As described earlier, the format defines the information that is sent to the DHCP server in Option 82. This example uses the AP-MAC option. Therefore, the AP radio MAC address will be sent in the DHCP request from the WLC to the DHCP server.
Note: The AP includes two types of MAC addresses. AP MAC Address and Base Radio MAC. The WLC appends the Base Radio MAC in Option 82. The base radio MAC of an AP can be identified from the All APs > Details page for the specific AP.
The next step is to configure the Cisco IOS DHCP server.
Complete these steps in order to configure the Cisco IOS DHCP server:
Create a DHCP pool and define a DHCP scope.
Create Classes to define multiple ranges within the scope.
Configure the DHCP relay agent information.
This sample code provides an example of how complete these configuration steps on the Cisco IOS router.
!--- This command creates a new DHCP Pool “Option 82.”
ip dhcp pool Option82
!--- This command defines a network scope for the pool.
network 192.168.1.0 255.255.255.0
!--- This command defines the address range for Class AA.
address range 192.168.1.10 192.168.1.20
!--- This command defines the address range for Class BB.
address range 192.168.1.30 192.168.1.40
ip dhcp class Vendor
!--- This command defines a DHCP Class AA and configures !--- relay agent information for the class.
ip dhcp class AA
relay agent information
relay-information hex 0104000000000206001c57437950
!--- This command defines a DHCP Class BB and configures !--- relay agent information for the class.
ip dhcp class BB
relay agent information
relay-information hex 0104000000000206001b53b99b00
Note: Only the configuration relevant to the DHCP option 82 are shown here. Add other DHCP configurations as required.
When the configuration is complete, the Cisco IOS software looks up a pool based on IP address (giaddr or incoming IP address) and then matches the request to a class or classes configured in the pool in the order in which the classes are specified in the DHCP pool configuration.
When a DHCP address pool has been configured with one or more DHCP classes, the pool becomes a restricted access pool, which means that no addresses are allocated from the pool unless one or more of the classes in the pool is matched. This design allows DHCP classes to be used for either access control (no default class is configured on the pool) or to provide further address range partitions with the subnet of the pool.
In this configuration example, when a client associated to LAP1 sends a DHCP request, the request reaches the WLC. The WLC acts as a DHCP relay agent, adds DHCP Option 82 information to the DHCP request, and then forwards the request to the external DHCP server, which in this case is the Cisco IOS router.
The DHCP server looks at the DHCP request, examines Option 82 information, and matches it to Class AA. It then allocates an IP address defined for class A. That is, it assigns an IP address from the range 192.168.1.10 - 192.168.1.20.
Similarly, for clients that are associated to LAP2, the DHCP server will assign IP addresses from the range 192.168.1.30 - 192.168.1.40 based on Option 82 information.
You can enable the debug ip dhcp server class command on the Cisco IOS router CLI to display the class matching results.