Catalyst 3550 Multilayer Switch Software Configuration Guide, 12.1(13)EA1
Configuring the DHCP Option 82 for Subscriber Identification


This chapter describes how to configure the Dynamic Host Configuration Protocol (DHCP) relay agent information (option 82) feature. This feature enables the DHCP relay agent (Catalyst 3550 switch) to include information about itself and the attached client when forwarding DHCP requests from a DHCP client to a DHCP server.

The DHCP server can use this information to assign IP addresses, perform access control, and set quality of service (QoS) and security policies (or other parameter-assignment policies) for each subscriber of a service-provider network.


Note: For complete syntax and usage information for the commands used in this chapter, refer to the "IP Addressing and Services" section in the Cisco IOS IP and IP Routing Command Reference for Release 12.1.


This chapter consists of these sections:

Understanding the DHCP and Option 82 Subscriber Identification

Configuring the DHCP Relay Agent

Displaying the DHCP Information

Understanding the DHCP and Option 82 Subscriber Identification

The DHCP is widely used in LAN environments to dynamically assign host IP addresses from a centralized server, which significantly reduces the overhead of administrating IP addresses. The DHCP also helps conserve the limited IP address space because IP addresses no longer need to be permanently assigned to hosts; only those hosts that are connected to the network require IP addresses.

In the residential, metropolitan Ethernet-access environment, the DHCP can centrally manage the IP address assignment for a large number of subscribers. By enabling the DHCP option-82 feature on the switch, a subscriber is identified by the switch port through which it connects to the network (rather than by its MAC address). Multiple hosts on the subscriber LAN can be connected to the same port on the access switch and are uniquely identified.

Figure 18-1 is an example of a metropolitan Ethernet network in which a centralized DHCP server assigns IP addresses to subscribers connected to the Catalyst 3550 switch at the access layer. Because the DHCP clients and their associated DHCP servers do not reside on the same IP network or subnet, a DHCP relay agent (the Catalyst 3550 switch) is configured with a helper address to enable broadcast forwarding and to transfer DHCP messages between the clients and the server.

Figure 18-1 DHCP Relay Agent in a Metropolitan Ethernet Network

With the DHCP option-82 feature enabled on the switch, port-to-port DHCP broadcast isolation is achieved when the client ports are within a single VLAN. During client-to-server exchanges, broadcast requests from clients connected to VLAN access ports are intercepted by the relay agent and are not flooded to other clients on the same VLAN. The relay agent forwards the request to the DHCP server. During server-to-client exchanges, the DHCP server sends a broadcast reply that contains the option-82 field. The relay agent uses this information to identify which port connects to the requesting client and avoids forwarding the reply to the entire VLAN.

When you enable the DHCP relay agent option 82 on the switch, these events occur:

The host (DHCP client) generates a DHCP request and broadcasts it on the network.

The switch (DHCP relay agent) intercepts the broadcast DHCP request packet and inserts the relay agent information option (option 82) in the packet. The relay information option contains the switch's MAC address (the remote ID suboption) and the port SNMP ifindex from which the packet is received (circuit ID suboption).

The switch forwards the DHCP request that includes the option-82 field to the DHCP server.

The DHCP server receives the packet. If the server is option-82 capable, it might use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. Then the DHCP server echoes the option-82 field in the DHCP reply.

If the server does not support option 82, it ignores the option and does not echo it in the reply.

The DHCP server unicasts the reply to the relay agent. The relay agent makes sure that the packet is destined for it by checking the IP destination address in the packet, which is the same as the Layer 3 interface where the ip helper-address interface configuration command is configured. The relay agent removes the option-82 field and forwards the packet to the switch port that connects to the DHCP client, which sent the DHCP request.
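The option-82 field that the relay agent inserts and the server echoes is a nested type-length-value structure. The following is an added example, not code from this guide: a strict decoder that a server-side or monitoring tool could use before applying per-subscriber policy. The sub-option codes (1 = circuit ID, 2 = remote ID) follow RFC 3046; the sample bytes are constructed, and because this chapter does not specify how the ifindex is encoded inside the circuit ID, the values are returned as raw bytes.

```python
# Added example: decode the relay agent information option (RFC 3046 layout).
RELAY_AGENT_INFO = 82                               # DHCP option code
SUBOPT_NAMES = {1: "circuit_id", 2: "remote_id"}    # RFC 3046 sub-option codes
PAD, END = 0, 255                                   # single-byte options


def find_option(options: bytes, code: int):
    """Walk a DHCP options field (after the magic cookie); return value or None."""
    i = 0
    while i < len(options):
        tag = options[i]
        if tag == PAD:
            i += 1
            continue
        if tag == END:
            break
        if i + 1 >= len(options):
            raise ValueError("option %d has no length byte" % tag)
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d overruns the options field" % tag)
        if tag == code:
            return value
        i += 2 + length
    return None


def parse_option82(value: bytes) -> dict:
    """Split an option-82 payload into sub-options, rejecting malformed TLVs."""
    subopts, i = {}, 0
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("sub-option %d overruns option 82" % code)
        subopts[SUBOPT_NAMES.get(code, "unknown_%d" % code)] = data
        i += 2 + length
    return subopts


# Constructed sample: message type (53), option 82 (circuit ID + remote ID), end.
SAMPLE = bytes.fromhex("350101" "520e" "0104000a0001" "020600aabbccddee" "ff")

if __name__ == "__main__":
    for name, data in parse_option82(find_option(SAMPLE, RELAY_AGENT_INFO)).items():
        print(name, data.hex())
```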

Configuring the DHCP Relay Agent

These sections describe how to configure the DHCP relay agent and option 82 on your switch:

Default DHCP Configuration

DHCP Configuration Guidelines

Enabling the DHCP Relay Agent and Relay Agent Information (required)

Validating the Relay Agent Information Option 82 (optional)

Configuring the Reforwarding Policy (optional)

Specifying the Packet Forwarding Address (optional)

Suppressing DHCP Broadcasts and Achieving Port-to-Port Isolation (optional)

Default DHCP Configuration

Table 18-1 shows the default DHCP configuration.

Table 18-1 Default DHCP Configuration

| Feature | Default Setting |
|---|---|
| DHCP server and DHCP relay agent | Enabled |
| DHCP packet forwarding address (ip helper-address) | None configured |
| Insert and remove DHCP relay information (option-82 field) in forwarded request messages from the DHCP client to the server | Disabled |
| Check (validate) the relay agent information option in forwarded reply messages from the DHCP server to the client | Enabled (invalid messages are dropped) |
| DHCP relay agent reforwarding policy | Replace (overwrite) existing relay agent information |


DHCP Configuration Guidelines

Before configuring the DHCP relay agent on your switch, make sure to configure the device that is acting as the DHCP server. For example, you must specify the IP addresses that the DHCP server can assign or exclude, configure DHCP options for devices, or set up the DHCP database agent.

If your DHCP server is a Cisco device, refer to the "IP Addressing and Services" section in the "Configuring DHCP" chapter of the Cisco IOS IP and IP Routing Configuration Guide for Release 12.1. Otherwise, refer to the documentation that shipped with the server.

Enabling the DHCP Relay Agent and Relay Agent Information

Beginning in privileged EXEC mode, follow these steps to enable the DHCP relay agent and the relay agent information on the switch. This procedure is required.

 
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | service dhcp | Enable the DHCP server and relay agent on your switch. By default, this feature is enabled. |
| Step 3 | ip dhcp relay information option | Enable the switch to insert and remove DHCP relay information (option-82 field) in forwarded DHCP request messages to the DHCP server. By default, this feature is disabled. |
| Step 4 | end | Return to privileged EXEC mode. |
| Step 5 | show running-config | Verify your entries. |
| Step 6 | copy running-config startup-config | (Optional) Save your entries in the configuration file. |

To disable the DHCP server and relay agent, use the no service dhcp global configuration command. To disable the insertion and removal of the option-82 field, use the no ip dhcp relay information option global configuration command.

Validating the Relay Agent Information Option 82

By default, the switch checks that the option-82 field in each DHCP reply packet it receives from the DHCP server is valid. If an invalid message is received, the switch drops it. If a valid message is received, the switch removes the option-82 field and forwards the packet.

If you want to disable this feature, use the no ip dhcp relay information check global configuration command. When disabled, the switch does not check the option-82 field for validity, but still removes the option from the packet and forwards it.


Note: If the switch receives a packet that contains the option-82 field from a DHCP client and the information checking feature is enabled, the switch drops the packet because it is invalid. However, in some instances, you might configure a client with the option-82 field. In this situation, you should disable the information-check feature so that the switch does not remove the option-82 field from the packet. You can configure the action that the switch takes when it receives a packet with existing option-82 information by using the ip dhcp relay information policy global configuration command. For more information, see the "Configuring the Reforwarding Policy" section.


Configuring the Reforwarding Policy

By default, the reforwarding policy of the switch is to replace existing relay information in packets received from DHCP clients with switch DHCP relay information. If the default action is not suitable for your network configuration, you can use the ip dhcp relay information policy {drop | keep | replace} global configuration command to change it.


Note: To ensure the correct operation of the reforwarding policy, make sure to disable the relay agent information check by using the no ip dhcp relay information check global configuration command.


Beginning in privileged EXEC mode, follow these steps to change the action of the reforwarding policy. This procedure is optional.

 
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | ip dhcp relay information policy {drop \| keep \| replace} | Configure the reforwarding policy. The default is to replace (overwrite) existing information with switch DHCP relay information. Use the drop keyword if you want the switch to discard messages with existing relay information if the option-82 information is also present. Use the keep keyword if you want the switch to retain the existing relay information. |
| Step 3 | end | Return to privileged EXEC mode. |
| Step 4 | show running-config | Verify your entries. |
| Step 5 | copy running-config startup-config | (Optional) Save your entries in the configuration file. |

To return to the default reforwarding policy, use the no ip dhcp relay information policy global configuration command.

Specifying the Packet Forwarding Address

A DHCP relay agent is any device that forwards DHCP packets between clients and servers when they are not on the same physical subnet. Relay agent forwarding is distinct from the normal forwarding of an IP router, where IP datagrams are transparently switched between networks. By contrast, relay agents receive DHCP messages and then generate a new DHCP message to send on another interface.

If the DHCP server and the DHCP clients are on different networks or subnets, you must configure the switch with the ip helper-address address interface configuration command. The general rule is to configure the command on the Layer 3 interface closest to the client. The address used in the ip helper-address command can be a specific DHCP server IP address, or it can be the network address if other DHCP servers are on the destination network segment. Using the network address enables any DHCP server to respond to requests.

Beginning in privileged EXEC mode, follow these steps to specify the packet forwarding address. This procedure is optional.

 
| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface vlan vlan-id | Enter interface configuration mode, and create a switch virtual interface. |
| Step 3 | ip address ip-address subnet-mask | Configure the interface with an IP address and an IP subnet. |
| Step 4 | ip helper-address address | Specify the DHCP packet forwarding address. The helper address can be a specific DHCP server address, or it can be the network address if other DHCP servers are on the destination network segment. Using the network address enables other servers to respond to DHCP requests. If you have multiple servers, you can configure one helper address for each server. |
| Step 5 | exit | Return to global configuration mode. |
| Step 6 | interface range port-range or interface interface-id | Configure multiple physical ports that are connected to the DHCP clients, and enter interface range configuration mode, or configure a single physical port that is connected to the DHCP client, and enter interface configuration mode. |
| Step 7 | switchport mode access | Define the VLAN membership mode for the port. |
| Step 8 | switchport access vlan vlan-id | Assign the ports to the same VLAN as configured in Step 2. |
| Step 9 | end | Return to privileged EXEC mode. |
| Step 10 | show running-config | Verify your entries. |
| Step 11 | copy running-config startup-config | (Optional) Save your entries in the configuration file. |

To remove the DHCP packet forwarding address, use the no ip helper-address address interface configuration command.

This example shows how to enable the DHCP server, the relay agent, and the insertion and removal of the DHCP relay information (option 82). It creates a switch virtual interface with VLAN ID 10, assigns it an IP address, and specifies the DHCP packet forwarding address of 30.0.0.2 (DHCP server address). Two interfaces (Gigabit Ethernet 0/1 and 0/2) that connect to the DHCP clients are configured as static access ports in VLAN 10 (see Figure 18-1):

Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# service dhcp
Switch(config)# ip dhcp relay information option
Switch(config)# interface vlan 10
Switch(config-if)# ip address 10.0.0.1 255.0.0.0
Switch(config-if)# ip helper-address 30.0.0.2
Switch(config-if)# exit
Switch(config)# interface range gigabitethernet0/1 - 2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# exit

Suppressing DHCP Broadcasts and Achieving Port-to-Port Isolation

If a DHCP client requests broadcast replies from the DHCP server, the switch broadcasts these replies to all of its switch ports within the VLAN and attached LAN segments. However, in the metropolitan Ethernet environment, you must ensure security and provide total isolation among different subscribers.

To achieve total isolation among client ports so that one client cannot receive another client's traffic, you can configure each client port with the protected port feature by using the switchport protected interface configuration command. Protected ports ensure that there is no exchange of unicast, broadcast, or multicast traffic with any other switch port that is also a protected port.

For more information, see the "Configuring Protected Ports" section.

Displaying the DHCP Information

To display the status of the insertion and removal of the DHCP relay information option-82 field on all interfaces, use the show running-config privileged EXEC command.
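Because show running-config is the only verification step this chapter offers, the review can be automated against a saved copy of its output. The following is an added example, not part of the Cisco guide: it flags the option-82 settings discussed above (insertion not enabled, validity check disabled, the keep reforwarding policy, access ports that are not protected ports). The function name and the sample configuration are constructed for illustration, and the check assumes that commands left at their defaults do not appear in the running configuration.

```python
# Added example: audit saved "show running-config" output for option-82 settings.
def audit_option82(running_config: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    global_cmds, interfaces, current = [], {}, None
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("!"):            # section separator
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line[0] == " " and current:    # indented interface subcommand
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line.strip())

    findings = []
    if "no service dhcp" in global_cmds:
        findings.append("DHCP server and relay agent are disabled")
    if "ip dhcp relay information option" not in global_cmds:
        findings.append("option-82 insertion and removal is not enabled")
    if "no ip dhcp relay information check" in global_cmds:
        findings.append("validity check of option 82 in server replies is disabled")
    if "ip dhcp relay information policy keep" in global_cmds:
        findings.append("policy keep: existing relay information is retained")
    for name, cmds in interfaces.items():
        if "switchport mode access" in cmds and "switchport protected" not in cmds:
            findings.append(name + ": access port is not a protected port")
    return findings


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
ip dhcp relay information option
no ip dhcp relay information check
ip dhcp relay information policy keep
!
interface GigabitEthernet0/1
 switchport mode access
 switchport protected
!
interface GigabitEthernet0/2
 switchport mode access
"""
```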