Microsoft Windows DHCP Team Blog

The world's most deployed DHCP Server! Deploy and discuss about your fav. server, here!

DHCP policies based on Relay Agent Information Option (option 82), DHCP Snooping and IP Source Guard


Introduction

DHCP server in Windows Server 2012 provides support for provisioning customized IP address and network configurations to DHCP clients using DHCP policies. Policies can be created based on several criteria, one of which is the relay agent information option, commonly referred to as option 82. To get a better understanding of DHCP server policies and how to configure a policy, please refer to this post. In this blog post, we will discuss how you can create and use DHCP policies based on the relay agent information option. We will also talk about how support for option 82 in the DHCP server in Windows Server 2012 aids DHCP snooping and IP source guard on the network switch.

Relay Agent Information Option - DHCP Option 82

A DHCP relay agent relays DHCP messages between DHCP clients and DHCP servers that are in different IP subnets. A DHCP relay agent allows an administrator to have one DHCP server serve several subnets: a DHCP relay in each subnet forwards the client requests to the DHCP server and the server's replies back to the clients.

The relay agent can insert additional information about the client (such as the client's network ID, the port of the switch to which the client is connected, a subscriber identifier, etc.) into DHCP requests before forwarding the message to the DHCP server. The relay agent inserts this additional information using option 82, the relay agent information option. The DHCP server can be configured with policies to provide customized configuration to clients based on these additional fields inserted by the relay agent into the DHCP client message. The customized configuration in the policy includes giving an IP address from a specific IP address range, a lease duration and a specific set of option values.

The relay agent information option (DHCP option 82) is an aggregation of sub-options. Starting from Windows Server 2012, this option and its associated sub-options are supported by the Windows DHCP server. The list of supported options and sub-options is:

  1. DHCP Relay Agent (RA) Information Option [Option 82] - RFC 3046
  2. Circuit ID, RA Sub-Option [Sub Option ID - 1] - RFC 3046
  3. Remote ID, RA Sub-Option [Sub Option ID - 2] - RFC 3046
  4. Subscriber ID, RA Sub-Option [Sub Option ID - 6] - RFC 3993
  5. Server Identifier Override Option, RA Sub-Option [Sub Option ID - 11] - RFC 5107

Using DHCP policies based on the relay agent information option, you can use these fields (remote ID, circuit ID, subscriber ID) to assign IP addresses and implement constraints such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID.

If your enterprise uses a DHCP relay agent which supports option 82, this feature is for you!

Configuring Policies using Relay Agent Information and its sub-options

As mentioned earlier, the DHCP server can give customized IP addresses and configuration options using option 82 and its sub-options. Policies are the way to achieve this in the Windows Server 2012 DHCP server.

Figure 1: Configuring RA Option as Policy Condition

The policies can be created at the DHCP server level (applicable server wide) and at the DHCP scope level (applicable to the specific subnet). The IP address range and configuration options defined for these policies will then be applied to any client request containing option 82 (which is added by the DHCP relay agent).

Figure 1 shows the DHCP MMC policy wizard page for configuring a policy condition based on the relay agent information option. As seen in this figure, the DHCP server allows configuration of policies based on option 82 either as a single value or using its individual sub-options. In the former case, the option 82 present in the DHCP request packet is compared byte by byte with the policy condition value. In the latter case, the contents of option 82 in the DHCP request are parsed into sub-options and each sub-option configured in the policy condition value is matched separately. The DHCP server sends the response message to the client based on the IP address range and options of the matched policy. The values for the policy condition should be provided in hexadecimal format. Hence, if the sub-options take alphanumeric values as input, they need to be converted to the equivalent hex value, and that hex value is given as the policy condition value. Also, by default, the DHCP server echoes back the option 82 received in a DHCP request in all DHCP responses.

If you hadn't already noticed, the server identifier override sub-option is not used in the policy condition value. Relay agents use this sub-option to provide the IP address which the DHCP server should include in the Server Identifier option [DHCP Option 54] of its replies instead of the DHCP server's own IP address. By default, only the DHCP messages which are broadcast by the client pass via the relay agent. The DHCP renew messages, which are unicast by the DHCP client to the IP address of the DHCP server, do not pass via the relay agent.

By inserting the IP address of the relay agent in the server identifier field, the DHCP server ensures that all DHCP requests pass through the DHCP relay agent, including DHCP renew messages, which will now be unicast to the IP address of the DHCP relay agent. The relay agent can then add option 82 and its sub-options to all DHCP client messages before they are seen by the DHCP server. This ensures the policy is applied to both unicast and broadcast DHCP requests.
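The two matching modes described above (whole-option byte comparison versus per-sub-option matching), the hex encoding of condition values, and the server identifier override handling from the previous two paragraphs, shown as an added Python example that is not part of the original post or of the Windows DHCP server code. The sub-option codes are those listed in this post; the option 82 bytes, the interface name and the relay address 10.1.2.1 are constructed sample data.

```python
import ipaddress

# Sub-option codes listed in the post (RFC 3046, RFC 3993, RFC 5107).
CIRCUIT_ID, REMOTE_ID, SUBSCRIBER_ID, SERVER_ID_OVERRIDE = 1, 2, 6, 11

def parse_option82(data: bytes) -> dict:
    """Split an option 82 payload into {code: value}; RFC 3046 layout is
    repeated (code, length, value) triples. A truncated sub-option raises
    instead of silently matching a partial value."""
    subs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} truncated")
        subs[code] = value
        i += 2 + length
    return subs

def to_condition_hex(text: str) -> str:
    """Policy conditions are entered in hex: 'Gi1/0/7' -> '4769312f302f37'."""
    return text.encode("ascii").hex()

def matches_whole_option(data: bytes, condition_hex: str) -> bool:
    """Mode 1 from the post: the entire option 82 value compared byte by byte."""
    return data == bytes.fromhex(condition_hex)

def matches_sub_options(data: bytes, conditions: dict) -> bool:
    """Mode 2: each configured sub-option is matched separately; all must match."""
    subs = parse_option82(data)
    return all(code in subs and subs[code] == bytes.fromhex(hexval)
               for code, hexval in conditions.items())

def server_identifier(data: bytes, server_ip: str) -> str:
    """Option 54 value for the reply: the relay's override address (sub-option
    11, RFC 5107) when present and well-formed, else the server's own IP."""
    override = parse_option82(data).get(SERVER_ID_OVERRIDE)
    if override is not None and len(override) == 4:
        return str(ipaddress.IPv4Address(override))
    return server_ip

# Constructed sample: circuit ID "Gi1/0/7", a 6-byte remote ID, and a
# server-identifier override pointing at the relay agent 10.1.2.1.
SAMPLE = (bytes([CIRCUIT_ID, 7]) + b"Gi1/0/7"
          + bytes([REMOTE_ID, 6]) + bytes.fromhex("001122aabbcc")
          + bytes([SERVER_ID_OVERRIDE, 4]) + ipaddress.IPv4Address("10.1.2.1").packed)
```

A policy condition on circuit ID "Gi1/0/7" is therefore entered as 4769312f302f37, and a per-sub-option policy that also names a subscriber ID will not match a request whose relay did not insert one.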

DHCP snooping, IP Source Guard and DHCP Server Policies

DHCP Snooping and IP Source Guard are features provided by most popular network switches that can be used to secure a network by controlling traffic from untrusted clients. When DHCP snooping is enabled on the switch, the switch builds a binding database containing the IP address, MAC address, VLAN and interface to which each client is connected by "snooping" on DHCP transactions.

The snooping database can then be used on the switch to enable IP source guard and dynamic ARP inspection, which prevent IP and ARP spoofing. IP source guard consults the snooping database when a packet is received on any of the guarded interfaces and compares the packet's source address to the assigned address listed in the database. If the source address differs from the "allowed" address, the packet is assumed to be spoofed and is discarded. Dynamic ARP inspection checks the IP address in the Sender Protocol Address field of ARP packets. If that IP address is not one that DHCP snooping has recorded as being in use by a host connected to the ingress port of the ARP packet, then the ARP packet is dropped.

These scenarios are aided by the support for option 82 on the DHCP server. Even if no policies are configured for the relay agent information option, the DHCP server in Windows Server 2012 will echo the relay agent information option in its response to the client if it was present in the DHCP request message, and thus aid the switch in building the DHCP snooping database. The DHCP server also logs the relay agent information option value in the server audit log, which the administrator can use for physical tracking of each client device, since the relay agent information contains the switch port information.

Conclusion

The relay agent information option and its sub-options can be used to specify conditions in policies on the DHCP server. These policies can be used to provide customized IP addresses and options to clients based on circuit ID, remote ID, etc. In general, this feature can be used in scenarios where the DHCP relay agent is capable of appending the relay agent information option, including networks where IP source guard/DHCP snooping is deployed.

Any questions and feedback, we would be happy to hear and assist! Give it a try and we hope you find it useful.

Comments
  • Is there a way to configure a policy (or other method) to limit the number of IP addresses that will be handed out to clients with a specific value in Relay Agent Information?

    This to limit the number of addresses that can be leased to devices connected to a specific port of a switch.

  • Hi Ulrik, yes - you can configure a DHCP policy with a condition based on the relay agent information and with an IP address range. The IP address range should have the number of IP addresses that can be leased to devices connected to that switch port.

  • If I want to get the IP address subnet from the DHCP server by Option 82 information, such as port+VLAN+sysname, is that possible?

  • Hi XiuFei, you can get IP address from a specific IP pool within a subnet by creating a DHCP policy with a condition based on Option 82 information.

  • Hi guys, if possible, how would you define a policy to direct a DHCP request that was relayed by a foreign agent (ie the relay and giaddr is on network x but we want an address from subnet y) to a specific pool using the option 82 fields?

  • Can I use option 82 as an alternative for VLAN pooling? Meaning I have 1000 clients connecting through a wireless controller and I want each of these users in specific subnets.

  • Hi,

    I am working on a project that needs to support Windows DHCP server. I have a few questions:

    1) Does it support "link selection" suboption (RFC3527)?

    2) Can I specify a policy at the DHCP server level to select a scope based on a specific value in option 82?

    3) Does Windows DHCP server support multiple VRFs? considering that the same IP scope can appear on different VRFs?

    Would you let me know the answers? Thanks a lot.

    Huilong

  • Hi Huilong
    The DHCP Server does not support option 82 sub-option 5 (Link selection sub-option) or VSS sub-options for either v4 or v6 address assignments. Similarly, Windows Server does not support multiple VRFs either.
    Thanks

  • Hi, teamdhcp,

    Thanks a lot for your reply.

    Actually my use case is following: the DHCP server is on a subnet X, the clients are on a subnet Y. The DHCP server can not reach subnet Y. I have a relay agent accessing both subnet X and subnet Y. The relay agent forwards the client requests to the DHCP server. It puts its subnet X address as giaddr (so the server can send reply back) and puts its subnet Y address in the link selection sub-option. The relay agent also puts an identifier for subnet Y in the circuit ID in option 82.

    For other DHCP servers, such as dhcpd, we can either use the circuit ID or the link selection to select the right scope for subnet Y. But on windows DHCP server, I could not make it work.

    As you said, link selection is not supported by windows server. Is it possible to use the circuit ID to select scope then? How to make it work?

    Please provide suggestions/comments. Your help is highly appreciated.

    Best regards,
    Huilong

  • Some more details about how I make dhcpd work in my use case: I define a class C matching on the subnet Y identifier in the Circuit ID. I also define a "shared-network" containing both subnet X and subnet Y. For subnet Y, I specify a policy that it "allows members of class C". The dhcpd can correctly select subnet Y based on the class and the policy.

    I am wondering how I can do the same thing on Windows Server 2012? I do see that the DHCP policy can match on the circuit ID value. However, I cannot use the server level policy to select a subnet scope. I can only use the scope level policy to select an address range within the scope, but that is not what I want. What I want is to use the policy to select a scope. How can I do that?

    Best regards,
    Huilong

  • Hi Huilong
    Not sure whether there exists a precise solution to your problem but you can try creating a bigger scope and select an IP address range within that scope based on circuit ID based policy. But keep in mind that you shall be able to control the address range but not the subnet scope by doing that. Tell us if that works for you.
    Thanks

  • Hi Joseph
    To accomplish what you want you would need to have support for option 82 sub-option 5 in DHCP Server which is not supported in Windows DHCP Server.
    Thanks

  • Hi, teamdhcp,

    Thanks a lot for your suggestion.

    However, using one big scope is too restrictive, since we have subnets with quite different prefixes. It also has the issue that the returned subnet masks are not correct for the subnets: it returns the mask for the scope, not for the IP address range. I don't see how to override it in the policy.

    From another blog: http://blogs.technet.com/b/teamdhcp/archive/2009/06/12/option-based-ip-address-assignment-callout-dll.aspx , it seems windows DHCP server support callout DLL approach. Is it possible to write a callout DLL to resolve the problem? Any suggestions and comments on this approach? Where can I find the related document on how to write the callout DLL for windows DHCP server?

    Best regards,
    Huilong

  • Huilong, you can use the DHCP server callout API to write a callout dll. You can find the API reference here - http://msdn.microsoft.com/en-us/library/windows/desktop/aa363373(v=vs.85).aspx

  • Hi, teamdhcp,

    Thanks a lot for your reply.

    I am thinking of following design:

    * User defines scopes, one for each subnets, on the DHCP server.
    * Write an MMC snap-in to allow user define a map between circuit IDs and the scopes.
    * The DHCP relay uses its subnet X address in GiAddr. It also puts an ID for subnet Y (client subnet) in circuit ID.
    * Write a callout DLL that intercepts packets using DhcpNewPktHook() and DhcpPktSendHook().
    * In DhcpNewPktHook(), change the GiAddr to an address from subnet Y, so that the DHCP server will pick offer from scope Y.
    * In DhcpPktSendHook(), change the GiAddr back to the original address from subnet X, so that the DHCP server will send the response back to the relay agent through subnet X.

    Do you think the design will work? Any comments/suggestions?

    Best regards,
    Huilong
