DHCP Snooping Option 82 Configuration

DHCP Snooping Option 82 Configuration Examples

This document describes the typical application environment and configuration examples for DHCP snooping Option 82.

Acronyms:

Acronym   Full spelling
DHCP      Dynamic Host Configuration Protocol
DNS       Domain Name System
giaddr    Gateway IP address
WINS      Windows Internet Naming Service

1 Feature Overview

Option 82 is the relay agent option, which records the location information of the DHCP client. When a DHCP snooping device receives a client’s request, it adds Option 82 to the request message and sends it to the server. The DHCP server can then assign a proper IP address and other parameters to the client. The administrator can also use Option 82 to implement security control and accounting.

2 Application Scenarios

Figure 1 Option 82 application

Typically, a DHCP server assigns an IP address based on the giaddr field of the client’s request or the IP address of the interface that received the client’s request. In Figure 1, the DHCP server assigns IP addresses to Host A and Host B from the network segment where the clients belong.

http://blog.router-switch.com/
Traditionally, the DHCP server cannot assign to Host A an IP address that is in a different network segment from the IP address assigned to Host B. However, this can be achieved through Option 82, with which the DHCP server can assign IP addresses based on the DHCP snooping interface connected to the clients and the giaddr field in DHCP requests.

A client’s ID can be recognized by Option 82. Therefore, the DHCP server can assign a unique IP address to each client, to further implement QoS, security and accounting management.

3 Configuration Guidelines

  • The DHCP snooping Option 82 function takes effect only after you enable DHCP snooping.
  • DHCP snooping does not support link aggregation. If a Layer 2 Ethernet interface is added to an aggregation group, the DHCP snooping configuration on it does not take effect. When the interface is removed from the group, DHCP snooping can take effect.
  • A DHCP snooping enabled device does not work if it resides between a DHCP relay agent and a DHCP server; it works when it resides between a DHCP client and a relay agent, or between a DHCP client and a server.
  • It is recommended to enable the DHCP snooping Option 82 function on the DHCP snooping device closest to the DHCP client, so that the client is located accurately.
  • A DHCP snooping enabled device cannot act as a DHCP server or DHCP relay agent.
  • Enabling the DHCP client, BOOTP client, and DHCP snooping on the same device is not recommended. Otherwise, DHCP snooping entries may fail to be generated, or the BOOTP client/DHCP client may fail to obtain an IP address.

4 Configuration Examples

4.1 Network Requirements

The work area of an enterprise is divided into three groups, group 1, group 2, and group 3, which are located in three rooms. A DHCP server is deployed to assign IP addresses of different segments to the three groups.

It is required that:

  • The DHCP server assigns IP addresses on the network segment 192.168.10.0/24 to devices in the work area. The lease time is 12 hours, and the DNS and WINS server addresses are 192.168.100.2 and 192.168.100.3 respectively.
  • Group 1, group 2 and group 3 are connected to the DHCP snooping device through Ethernet1/1, Ethernet1/2 and Ethernet1/3 respectively to communicate with the DHCP server.
  • The DHCP server assigns IP addresses ranging from 192.168.10.2 to 192.168.10.25 to clients in group 1, IP addresses ranging from 192.168.10.100 to 192.168.10.150 to clients in group 2, and IP addresses ranging from 192.168.10.151 to 192.168.10.200 to clients in group 3.

Figure 2 Network diagram for DHCP snooping

4.2 Configuration Considerations

  • Enable Option 82 support on the DHCP snooping device.
  • Configure the Option 82 sub-option so that the clients in different groups send packets carrying different Option 82 information. To do so, you can manually specify the circuit ID sub-option.
  • Configure the IP address assignment policy on the DHCP server, so that the DHCP server can assign proper IP addresses to the DHCP clients according to Option 82.

4.3 Software Version Used

This example is configured and verified on Comware V500R002B42D001.

4.4 Configuration Procedures

Note: The following configurations are made on devices that are using default settings and verified in a lab environment. When using the following configurations on your devices in a live network, make sure they do not conflict with your current configurations to prevent potential negative impact on your network.

4.4.1 Configuration on the DHCP Snooping Device

I. Configuration steps

# Enable DHCP snooping.
<Switch> system-view
[Switch] dhcp-snooping

# Configure Ethernet 1/4 as a DHCP snooping trusted port.
[Switch] interface ethernet 1/4
[Switch-Ethernet1/4] dhcp-snooping trust
[Switch-Ethernet1/4] quit

# Enable Ethernet 1/1 to support Option 82.
[Switch] interface ethernet 1/1
[Switch-Ethernet1/1] dhcp-snooping information enable

# Pad the Option 82 circuit ID sub-option with group 1.
[Switch-Ethernet1/1] dhcp-snooping information circuit-id string group1
[Switch-Ethernet1/1] quit

# Enable Ethernet 1/2 to support Option 82.
[Switch] interface ethernet 1/2
[Switch-Ethernet1/2] dhcp-snooping information enable

# Pad the Option 82 circuit ID sub-option with group 2.
[Switch-Ethernet1/2] dhcp-snooping information circuit-id string group2
[Switch-Ethernet1/2] quit

# Enable Ethernet 1/3 to support Option 82.
[Switch] interface ethernet 1/3
[Switch-Ethernet1/3] dhcp-snooping information enable

# Pad the Option 82 circuit ID sub-option with group 3.
[Switch-Ethernet1/3] dhcp-snooping information circuit-id string group3
[Switch-Ethernet1/3] quit

II. Configuration file

<Switch> display current-configuration
#
interface Ethernet1/1
 port link-mode bridge
 dhcp-snooping information enable
 dhcp-snooping information circuit-id string group1
#
interface Ethernet1/2
 port link-mode bridge
 dhcp-snooping information enable
 dhcp-snooping information circuit-id string group2
#
interface Ethernet1/3
 port link-mode bridge
 dhcp-snooping information enable
 dhcp-snooping information circuit-id string group3
#
interface Ethernet1/4
 port link-mode bridge
 dhcp-snooping trust
#
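A check a practitioner could run over the configuration file above before relying on the server's address policy. This is an added example, not part of the original document or vendor tooling: it reads display current-configuration text and reports untrusted ports where Option 82 is not enabled, where no circuit-id string is set, or where two ports share a string. Assumptions: every untrusted port is client-facing, and the names SAMPLE, CID, parse_interfaces and audit are hypothetical.

```python
# Constructed sample (not device output): 4.4.1 interface sections, abridged, Ethernet1/3 lacks its circuit-id.
SAMPLE = """\
#
interface Ethernet1/1
 port link-mode bridge
 dhcp-snooping information enable
 dhcp-snooping information circuit-id string group1
#
interface Ethernet1/2
 dhcp-snooping information enable
 dhcp-snooping information circuit-id string group2
#
interface Ethernet1/3
 dhcp-snooping information enable
#
interface Ethernet1/4
 dhcp-snooping trust
#
"""
CID = "dhcp-snooping information circuit-id string "

def parse_interfaces(config):
    """Map each interface name to its list of stripped configuration lines."""
    interfaces, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line == "#":
            current = None
        elif line and current is not None:
            current.append(line)
    return interfaces

def audit(config):
    """Return findings for untrusted ports (assumed here to be client-facing)."""
    findings, owner = [], {}
    for name, lines in parse_interfaces(config).items():
        if "dhcp-snooping trust" in lines:
            continue  # trusted port toward the DHCP server
        if "dhcp-snooping information enable" not in lines:
            findings.append(f"{name}: Option 82 not enabled")
        cid = next((l[len(CID):] for l in lines if l.startswith(CID)), None)
        if cid is None:
            findings.append(f"{name}: no circuit-id string configured")
        elif owner.setdefault(cid, name) != name:
            findings.append(f"{name}: circuit-id {cid} also on {owner[cid]}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A port without a circuit-id string matters here because the server classes in this example match on the group string, so requests from that port would not fall into any of the three classes.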
4.4.2 Configuration on the DHCP Server

I. Configuration steps

You can use the following two methods to configure Option 82:

1. User-defined method: Manually specify the content of Option 82.
2. Non-user-defined method: Pad Option 82 in the default normal or verbose format.

For the second method, the circuit ID sub-option format is as shown in Figure 3.

Figure 3 Circuit ID sub-option format

For example, for clients connected to Ethernet 1/1, the circuit ID sub-option is padded with group 1. The circuit ID sub-option in DHCP packets should contain the following information: 0x010667726F757031, in which 0106 is the number (01) and length (06) of the circuit ID sub-option, and 67726F757031 is the hexadecimal value of the character string group1.

In this example, IP addresses are assigned according to the group number; therefore, the DHCP server only needs to assign IP addresses based on the group number padded in the circuit ID sub-option.

Note: The DHCP server is configured on a Cisco Catalyst 3745 switch with software version IOS 12.3(11)T2. To configure a device of another type or version as the DHCP server, refer to the related user manual.

# Configure the server interface IP address as 192.168.10.1/24.
Server> enable
Server# configure terminal
Server(config)# interface fastethernet 0/0
Server(config-if)# ip address 192.168.10.1 255.255.255.0
Server(config-if)# exit

# Enable DHCP server, and configure the DHCP server to assign IP addresses based on Option 82.
Server(config)# service dhcp
Server(config)# ip dhcp use class

# Create a DHCP class for clients in group 1, and specify the corresponding circuit ID sub-option for matching. For the content not to be matched, enter the wildcard "*".
Server(config)# ip dhcp class group1
Server(dhcp-class)# relay agent information
Server(dhcp-class-relayinfo)# relay-information hex 010667726F757031*
Server(dhcp-class-relayinfo)# exit

# Create a DHCP class for clients in group 2, and specify the corresponding circuit ID sub-option for matching.
Server(config)# ip dhcp class group2
Server(dhcp-class)# relay agent information
Server(dhcp-class-relayinfo)# relay-information hex 010667726F757032*
Server(dhcp-class-relayinfo)# exit

# Create a DHCP class for clients in group 3, and specify the corresponding circuit ID sub-option for matching.
Server(config)# ip dhcp class group3
Server(dhcp-class)# relay agent information
Server(dhcp-class-relayinfo)# relay-information hex 010667726F757033*
Server(dhcp-class-relayinfo)# exit

# Create a DHCP address pool named office, and specify the lease time, gateway address, DNS server address, and WINS server address for clients.
Server(config)# ip dhcp pool office
Server(dhcp-config)# network 192.168.10.0
Server(dhcp-config)# lease 0 12
Server(dhcp-config)# default-router 192.168.10.1
Server(dhcp-config)# dns-server 192.168.100.2
Server(dhcp-config)# netbios-name-server 192.168.100.3

# Specify address ranges for the three DHCP classes respectively.
Server(dhcp-config)# class group1
Server(dhcp-pool-class)# address range 192.168.10.2 192.168.10.25
Server(dhcp-pool-class)# class group2
Server(dhcp-pool-class)# address range 192.168.10.100 192.168.10.150
Server(dhcp-pool-class)# class group3
Server(dhcp-pool-class)# address range 192.168.10.151 192.168.10.200

4.4.3 Verification

After completing the above configurations, the DHCP server can automatically assign IP addresses of the specified range, the gateway address, the DNS server address, and the WINS server address to clients of each group in the work area.

More Related DHCP Snooping Tips: How to Configure DHCP Snooping?
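The circuit ID encoding and the class matching from section 4.4.2, worked through as an added example (not code from the original document or from either vendor). It builds the relay-information hex pattern from a circuit-id string, parses an Option 82 payload into sub-options, and selects the address range from section 4.1. Assumptions: the trailing wildcard is modelled as a prefix match on the hex digits, the sample payload and its remote ID value are constructed, and all function names are hypothetical.

```python
CIRCUIT_ID = 1  # circuit ID sub-option number, the "01" in 0106

# Address ranges per DHCP class, copied from section 4.1.
RANGES = {
    "group1": ("192.168.10.2", "192.168.10.25"),
    "group2": ("192.168.10.100", "192.168.10.150"),
    "group3": ("192.168.10.151", "192.168.10.200"),
}

def suboption(number, value):
    """Encode one sub-option as number, length, value."""
    if len(value) > 255:
        raise ValueError("sub-option value longer than 255 bytes")
    return bytes([number, len(value)]) + value

def class_pattern(group):
    """Build the relay-information hex pattern for a circuit-id string."""
    return suboption(CIRCUIT_ID, group.encode("ascii")).hex().upper() + "*"

def parse_option82(payload):
    """Split an Option 82 payload into {sub-option number: value}."""
    subs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        number, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length runs past the payload")
        subs[number] = value
        i += 2 + length
    return subs

def match_class(payload):
    """Return (class name, address range) for a payload, or None if no class matches.
    Assumption: a trailing * is modelled as a prefix match on the hex digits."""
    digits = payload.hex().upper()
    for name, address_range in RANGES.items():
        if digits.startswith(class_pattern(name).rstrip("*")):
            return name, address_range
    return None

# Constructed payload: circuit ID "group2" followed by a made-up remote ID sub-option.
SAMPLE = suboption(CIRCUIT_ID, b"group2") + suboption(2, bytes.fromhex("020000000001"))

if __name__ == "__main__":
    print(class_pattern("group1"), parse_option82(SAMPLE), match_class(SAMPLE))
```

Because the length byte is part of the pattern, a circuit-id string such as group10 encodes as 0107... and does not fall into the group1 class even under prefix matching.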