DHCP policies based on Relay Agent Information Option (option 82), DHCP Snooping and IP Source Guard

Introduction

The DHCP server in Windows Server 2012 supports provisioning customized IP addresses and network configurations to DHCP clients using DHCP policies. Policies can be created on several criteria, one of which is the relay agent information option, commonly referred to as option 82. For a general understanding of DHCP server policies and how to configure a policy, please refer to this post. In this blog post, we discuss how to create and use DHCP policies based on the relay agent information option. We also talk about how support for option 82 in the Windows Server 2012 DHCP server aids DHCP snooping and IP source guard on the network switch.

Relay Agent Information Option - DHCP Option 82

A DHCP relay agent relays DHCP messages between DHCP clients and DHCP servers that are in different IP subnets. It lets an administrator serve several subnets from one DHCP server: a relay agent in each subnet forwards client requests to the DHCP server and the server's replies back to the clients.

The relay agent can insert additional information about the client (such as the client's network ID, the switch port to which the client is connected, a subscriber identifier and so on) into DHCP requests before forwarding them to the DHCP server. The relay agent carries this information in option 82, the relay agent information option. The DHCP server can be configured with policies that provide customized configuration to clients based on these fields inserted by the relay agent. The customized configuration a policy can deliver includes an IP address from a specific IP address range, a lease duration and a specific set of option values.

The relay agent information option (DHCP option 82) is an aggregation of sub-options. Starting with Windows Server 2012, this option and the following sub-options are supported by the Windows DHCP server:

  1. DHCP Relay Agent (RA) Information Option [Option 82] - RFC 3046
  2. Circuit ID, RA Sub-Option [Sub Option ID - 1] - RFC 3046
  3. Remote ID, RA Sub-Option [Sub Option ID - 2] - RFC 3046
  4. Subscriber ID, RA Sub-Option [Sub Option ID - 6] - RFC 3993
  5. Server Identifier Override Option, RA Sub-Option [Sub Option ID - 11] - RFC 5107

Using DHCP policies based on the relay agent information option, you can use these fields (remote ID, circuit ID, subscriber ID) to assign IP addresses and to implement constraints such as limiting the number of IP addresses that can be leased to a single remote ID or circuit ID (by giving the matching policy an IP address range of exactly that size).

If your enterprise uses DHCP relay agent which supports option 82, this feature is for you!

Configuring Policies using Relay Agent Information and its sub-options

As mentioned earlier, the DHCP server can hand out customized IP addresses and configuration options based on option 82 and its sub-options. Policies are the way to achieve this in the Windows Server 2012 DHCP server.

 
Figure 1: Configuring RA Option as Policy Condition

Policies can be created at the DHCP server level (applicable server-wide) and at the DHCP scope level (applicable to the specific subnet). The IP address range and configuration options defined in such a policy are applied to any client request whose option 82 content, inserted by the DHCP relay agent, matches the policy condition.

Figure 1 shows the DHCP MMC policy wizard page for configuring a policy condition based on the relay agent information option. As the figure shows, the DHCP server allows a policy condition to be based on option 82 either as a single value or on its individual sub-options. In the former case, the option 82 content of the DHCP request is compared byte for byte with the policy condition value, so the condition matches only if the relay agent inserts exactly those bytes (an additional or reordered sub-option breaks the match). In the latter case, the option 82 content of the request is parsed into sub-options and each sub-option configured in the policy condition is matched separately. The DHCP server then builds its response from the IP address range and options of the matched policy.

Policy condition values must be provided in hexadecimal. If a sub-option carries an alphanumeric value (for example a circuit ID such as a switch port name), convert it to its byte-wise hex representation and enter that as the condition value. By default, the DHCP server also echoes option 82 as received in the request back in every DHCP response. One caveat: option 82 is inserted by the relay agent, not by the client, so a policy keyed on it is only as trustworthy as the path between the client and the relay. RFC 3046 recommends that relay agents discard DHCP packets arriving from untrusted circuits that already contain option 82; without that protection a client can insert its own option 82 values and select the policy of its choice.
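The following PowerShell is an added example, not code from the original post, showing the hex conversion described above and a scope-level policy built on the Circuit ID sub-option with the DhcpServer module cmdlets. The scope, address range, option value and the circuit ID string `Gi1/0/12` are assumptions for illustration, and so is the `EQ,<hex>` comparator syntax for the `-CircuitId` parameter; confirm it on your server with `Get-Help Add-DhcpServerv4Policy -Parameter CircuitId`.

```powershell
# Added example (not from the original post): build the hexadecimal policy condition
# value for a circuit-ID based policy and create the policy with the DhcpServer module.
# Scope, ranges, option values and the circuit ID string are assumptions for illustration.

Import-Module DhcpServer

function ConvertTo-HexCondition {
    param([Parameter(Mandatory)][string]$Text)
    # The MMC wizard and the cmdlets take the sub-option value as hex, so an alphanumeric
    # circuit ID such as "Gi1/0/12" has to be entered byte for byte (ASCII here).
    -join ([System.Text.Encoding]::ASCII.GetBytes($Text) | ForEach-Object { $_.ToString('x2') })
}

$scope   = '10.1.20.0'                              # assumed scope
$circuit = ConvertTo-HexCondition 'Gi1/0/12'        # 4769312f302f3132

# Scope-level policy that matches on the Circuit ID sub-option (code 1) only.
# Matching a single sub-option is more robust than matching the whole option 82 value,
# which is compared byte for byte and breaks as soon as the relay adds another sub-option.
# Assumption: comparator/value syntax is "EQ,<hex>" (check Get-Help Add-DhcpServerv4Policy -Parameter CircuitId).
Add-DhcpServerv4Policy -Name 'Port-Gi1-0-12' -ScopeId $scope -Condition OR `
    -CircuitId EQ,"$circuit" `
    -LeaseDuration (New-TimeSpan -Hours 4) `
    -Description 'Devices behind switch port Gi1/0/12'

# Constrain the port to two addresses: matching clients are leased only from this range
Add-DhcpServerv4PolicyIPRange -Name 'Port-Gi1-0-12' -ScopeId $scope `
    -StartRange 10.1.20.200 -EndRange 10.1.20.201

# Policy-specific option value, e.g. a dedicated DNS server (option 6) for that port
Set-DhcpServerv4OptionValue -PolicyName 'Port-Gi1-0-12' -ScopeId $scope -OptionId 6 -Value 10.1.1.53

# Verify what the server stored for the condition
Get-DhcpServerv4Policy -ScopeId $scope -Name 'Port-Gi1-0-12' | Format-List Name, Condition, CircuitId, Enabled
```

The two-address range is what enforces the "number of addresses per switch port" constraint mentioned earlier: once both addresses are leased, a third device on that port gets nothing from this policy.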

If you hadn't already noticed, the server identifier override sub-option is not used in policy condition values. Relay agents use this sub-option to supply the IP address the DHCP server should place in the Server Identifier option [DHCP option 54] of its replies instead of the DHCP server's own IP address. By default, only the DHCP messages that the client broadcasts pass through the relay agent; the DHCP renew messages, which the client unicasts to the IP address given in the Server Identifier option, go straight to the DHCP server and bypass the relay agent.

By inserting the IP address of the relay agent in the server identifier field, the DHCP server ensures that all DHCP client messages pass through the relay agent, including renew messages, which are now unicast to the relay agent's IP address. The relay agent can then add option 82 and its sub-options to every DHCP client message before the DHCP server sees it, so the policy is applied to both unicast and broadcast DHCP requests.

DHCP snooping, IP Source Guard and DHCP Server Policies

DHCP snooping and IP source guard are features provided by most popular network switches to secure a network by controlling traffic from untrusted clients. When DHCP snooping is enabled, the switch builds a binding database containing the IP address, MAC address, VLAN and interface of each client by "snooping" on the DHCP transactions that pass through it.

The snooping database can then be used by the switch for IP source guard and dynamic ARP inspection to prevent IP and ARP spoofing. IP source guard consults the snooping database for each packet received on an untrusted interface and compares the packet's source IP address with the address bound to that interface in the database; if they differ, the packet is assumed to be spoofed and is discarded. Dynamic ARP inspection checks the IP address in the Sender Protocol Address field of ARP packets; if DHCP snooping has not recorded that address as in use by a host on the ingress port, the ARP packet is dropped.

These scenarios are aided by support for option 82 on the DHCP server. Even when no policies based on the relay agent information option are configured, the DHCP server in Windows Server 2012 echoes the relay agent information option in its response whenever it was present in the request; the switch relies on seeing the option in the reply to build the DHCP snooping binding database. The DHCP server also logs the relay agent information option value in the server audit log, which an administrator can use to physically locate each client device, since the relay agent information identifies the switch and port to which the client is connected.
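As an added example (not code from the original post), the following PowerShell does what the sub-option based policy match, the server identifier override discussion and the audit log paragraph above describe: it parses an option 82 value into its sub-options (codes 1, 2, 6 and 11 with length checks, rejecting truncated values), then runs the parser over the RelayAgentInformation column of an audit log excerpt to map each lease to a switch and port. The option 82 bytes and the audit log lines are constructed sample data, and the column names are assumed from the Windows Server 2012 DhcpSrvLog header; check them against your own log file.

```powershell
# Added example (not from the original post): parse option 82 into its RFC 3046 /
# RFC 3993 / RFC 5107 sub-options, then use the parser on the RelayAgentInformation
# column of the DHCP server audit log to map a lease back to switch and port.
# Option 82 bytes and log lines are constructed; log column names are assumed.

function ConvertTo-HexString {
    param([byte[]]$Bytes)
    if (-not $Bytes) { return '' }
    -join ($Bytes | ForEach-Object { $_.ToString('x2') })
}

function ConvertFrom-Option82 {
    param([Parameter(Mandatory)][string]$Hex)

    # Accept "0x..." or bare hex and ignore common separators
    $clean = ($Hex -replace '^0x', '') -replace '[-: ]', ''
    if ($clean.Length % 2 -ne 0) { throw "option 82: odd number of hex digits" }
    [byte[]]$bytes = for ($i = 0; $i -lt $clean.Length; $i += 2) {
        [Convert]::ToByte($clean.Substring($i, 2), 16)
    }

    $names = @{ 1 = 'Circuit ID'; 2 = 'Remote ID'; 6 = 'Subscriber ID'; 11 = 'Server ID Override' }
    $subOptions = @{}          # plain hashtable: integer keys are looked up by key, not position
    $pos = 0
    while ($pos -lt $bytes.Length) {
        # Every sub-option is code (1 byte), length (1 byte), value (length bytes)
        if ($pos + 2 -gt $bytes.Length) { throw "option 82: truncated sub-option header at offset $pos" }
        $code = [int]$bytes[$pos]
        $len  = [int]$bytes[$pos + 1]
        if ($pos + 2 + $len -gt $bytes.Length) {
            throw "option 82: sub-option $code claims $len bytes but only $($bytes.Length - $pos - 2) remain"
        }
        [byte[]]$value = if ($len -gt 0) { $bytes[($pos + 2)..($pos + 1 + $len)] } else { @() }

        $decoded = switch ($code) {
            # Circuit ID / Subscriber ID are often printable (port name, account id); show ASCII if so
            { $_ -in 1, 6 } {
                if ($value.Length -gt 0 -and -not ($value | Where-Object { $_ -lt 0x20 -or $_ -gt 0x7e })) {
                    [System.Text.Encoding]::ASCII.GetString($value)
                } else { ConvertTo-HexString $value }
            }
            # Remote ID is commonly the relay/switch MAC address
            2  { if ($value.Length -eq 6) { ($value | ForEach-Object { $_.ToString('x2') }) -join ':' } else { ConvertTo-HexString $value } }
            # Server ID override (RFC 5107) must be exactly one IPv4 address
            11 { if ($value.Length -eq 4) { $value -join '.' } else { throw "option 82: sub-option 11 must be 4 bytes, got $($value.Length)" } }
            default { ConvertTo-HexString $value }
        }

        $name = if ($names.ContainsKey($code)) { $names[$code] } else { "Sub-option $code" }
        $subOptions[$code] = [pscustomobject]@{ Code = $code; Name = $name; Hex = (ConvertTo-HexString $value); Decoded = $decoded }
        $pos += 2 + $len
    }
    return $subOptions
}

# Constructed audit-log excerpt. Event 10 = Assign, 11 = Renew. The third row is a renewal
# that reached the server by unicast, so the relay never saw it and no option 82 was logged.
$auditLog = @'
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name,TransactionID,QResult,Probationtime,CorrelationID,Dhcid,VendorClass(Hex),VendorClass(ASCII),UserClass(Hex),UserClass(ASCII),RelayAgentInformation,DnsRegError
10,08/07/14,09:12:03,Assign,10.1.20.57,pc-057.corp.example,F0DEF1AA0001,,1582398476,0,,,,,,,,01084769312F302F31320206001A2B3C4D5E0B040A010101,0
10,08/07/14,09:12:41,Assign,10.1.20.58,pc-058.corp.example,F0DEF1AA0002,,1582398511,0,,,,,,,,01084769312F302F31330206001A2B3C4D5E,0
11,08/07/14,13:12:05,Renew,10.1.20.57,pc-057.corp.example,F0DEF1AA0001,,1582399902,0,,,,,,,,,0
'@

function Get-LeasePortMapping {
    param([Parameter(Mandatory)][string]$CsvText)
    $CsvText | ConvertFrom-Csv | ForEach-Object {
        $row = $_
        $switch = $null; $port = $null
        if (-not [string]::IsNullOrWhiteSpace($row.RelayAgentInformation)) {
            $info   = ConvertFrom-Option82 $row.RelayAgentInformation
            $switch = $info[2].Decoded     # Remote ID
            $port   = $info[1].Decoded     # Circuit ID
        }
        [pscustomobject]@{ Event = $row.Description; IP = $row.'IP Address'; MAC = $row.'MAC Address'; Switch = $switch; Port = $port }
    }
}

# Decode one option 82 value: circuit ID "Gi1/0/12", remote ID 00:1a:2b:3c:4d:5e, override 10.1.1.1
$parsed = ConvertFrom-Option82 '01084769312f302f31320206001a2b3c4d5e0b040a010101'
$parsed.Values | Sort-Object Code | Format-Table Code, Name, Hex, Decoded -AutoSize

# A truncated value (length byte says 8, only 3 bytes follow) is rejected rather than misparsed
try { ConvertFrom-Option82 '0108476931' } catch { "rejected: $_" }

# Lease -> switch/port table from the audit log; the unicast renewal has no port information
Get-LeasePortMapping $auditLog | Format-Table -AutoSize
```

Sub-option 11 in the first value is what the server identifier override section above describes: the server copies 10.1.1.1 (the relay) into option 54, so the client's later renewals are unicast to the relay and arrive with option 82 attached. The third log row shows the other case, a renewal sent directly to the server, where no port information is available and a policy keyed on option 82 would not match.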

Conclusion

The relay agent information option and its sub-options can be used as conditions in DHCP server policies. These policies provide customized IP addresses and options to clients based on circuit ID, remote ID and so on. In general, this feature applies wherever the DHCP relay agent is capable of appending the relay agent information option, including networks where IP source guard and DHCP snooping are deployed.

Any questions and feedback, we would be happy to hear and assist! Give it a try and we hope you find it useful.

Team Dhcp

Comments

  • Anonymous
    January 01, 2003
    Huilong, Yes this should work. MMC snapin will need to store the configuration on the DHCP server machine in a separate file/store.
  • Anonymous
    January 01, 2003
    Huilong, you can use the DHCP server callout API to write a callout dll. You can find the API reference here -http://msdn.microsoft.com/en-us/library/windows/desktop/aa363373(v=vs.85).aspx
  • Anonymous
    January 01, 2003
    Yes Huilong. That's correct.
  • Anonymous
    January 01, 2003
    Hi Huilong
    The DHCP Server does not support option 82 sub-option 5 (Link selection sub-option) or vss sub-options for either v4 or v6 address assignments. Similarly Windows server does not support multiple VRFs too.
    Thanks
  • Anonymous
    January 01, 2003
    Hi XiuFei, you can get IP address from a specific IP pool within a subnet by creating a DHCP policy with a condition based on Option 82 information.
  • Anonymous
    January 01, 2003
    Hi Ulrik, yes - you can configure a DHCP policy with a condition based on the relay agent information and with an IP address range. The IP address range should have the number of IP addresses that can be leased to devices connected to that switch port.
  • Anonymous
    January 01, 2003
    FC, Windows DHCP server supports server override option. There is no further configuration required on the DHCP server for this. You will need to configure the DHCP relay so that it includes a server override option when it forwards the DHCP client messages. You will need to get the details of how to do that on the DHCP relay from the vendor's documentation.
  • Anonymous
    January 01, 2003
    Hi Huilong, can you please confirm that you have built the dll for 64 bit platform.
  • Anonymous
    January 01, 2003
    Hi Joseph
    To accomplish what you want you would need to have support for option 82 sub-option 5 in DHCP Server which is not supported in Windows DHCP Server.
    Thanks
  • Anonymous
    January 01, 2003
    Hi Huilong
    Not sure whether there exists a precise solution to your problem but you can try creating a bigger scope and select an IP address range within that scope based on circuit ID based policy. But keep in mind that you shall be able to control the address range but not the subnet scope by doing that. Tell us if that works for you.
    Thanks
  • Anonymous
    January 01, 2003
    Hi FC, server identifier is a field which is populated by the DHCP server in the DHCP OFFER message automatically with the IP address of the DHCP server. You do not need to set this.
    Can you elaborate on what scenario you are trying to accomplish.
  • Anonymous
    April 08, 2014
    Is there a way to configure a policy (or other method) to limit the number of IP addresses that will be handed out to clients with a specific value in Relay Agent Information?

    This to limit the number of addresses that can be leased to devices connected to a specific port of a switch.
  • Anonymous
    April 15, 2014
    If I want to get the IP address subnet from DHCP server by Option 82 information, such as port+VLAN+sysname, is that possible?
  • Anonymous
    April 15, 2014
    Hi guys, if possible, how would you define a policy to direct a DHCP request that was relayed by a foreign agent (ie the relay and giaddr is on network x but we want an address from subnet y) to a specific pool using the option 82 fields?
  • Anonymous
    July 31, 2014
    Can I use option 82 as an alternative for VLAN pooling? Meaning I have 1000 clients connecting through a wireless controller and I want each of these users in specific subnets.
  • Anonymous
    August 02, 2014
    Hi,

    I am working on a project that needs to support Windows DHCP server. I have a few questions:

    1) Does it support "link selection" suboption (RFC3527)?

    2) Can I specify policy at DHCP server level to select scope basing on a specific value in option 82?

    3) Does Windows DHCP server support multiple VRFs? considering that the same IP scope can appear on different VRFs?

    Would you let me know the answers? Thanks a lot.

    Huilong
  • Anonymous
    August 04, 2014
    Some more details about how I make dhcpd work in my use case: I define a class C matching on the subnet Y identifier in the Circuit ID. I also define a "shared-network" containing both subnet X and subnet Y. For subnet Y, I specify a policy that it "allows members of class C". The dhcpd can correctly select the subnet Y based on the class and the policy.

    I am wondering how I can do the same thing on Windows Server 2012? I do see that the DHCP policy can match on the circuit ID value. However I cannot use the server level policy to select a subnet scope. I can only use the scope level policy to select an address range within the scope, but that is not what I want. What I want is to use the policy to select a scope. How can I do that?

    Best regards,
    Huilong
  • Anonymous
    August 07, 2014
    Hi, teamdhcp,

    Thanks a lot for your suggestion.

    However using one big scope is too restrictive, while we have subnets with quite different prefixes. It also has the issue that the returned subnet masks are not correct for the subnets: it returns the mask for the scope, but not for the IP address range. I don't see how to override it in the policy.

    From another blog: http://blogs.technet.com/b/teamdhcp/archive/2009/06/12/option-based-ip-address-assignment-callout-dll.aspx , it seems windows DHCP server support callout DLL approach. Is it possible to write a callout DLL to resolve the problem? Any suggestions and comments on this approach? Where can I find the related document on how to write the callout DLL for windows DHCP server?

    Best regards,
    Huilong
  • Anonymous
    August 08, 2014
    Hi, teamdhcp,

    Thanks a lot for your reply.

    I am thinking of following design:

    * User defines scopes, one for each subnets, on the DHCP server.
    * Write an MMC snap-in to allow user define a map between circuit IDs and the scopes.
    * The DHCP relay uses its subnet X address in GiAddr. It also puts an ID for subnet Y (client subnet) in circuit ID.
    * Write a callout DLL that intercept packets using DhcpNewPktHook() and DhcpPktSendHook().
    * In DhcpNewPktHook(), change the GiAddr to an address from subnet Y, so that the DHCP server will pick offer from scope Y.
    * In DhcpPktSendHook(), change the GiAddr back to the original address from subnet X, so that the DHCP server will sends the response back to the relay agent through subnet X.

    Do you think the design will work? Any comments/suggestions?

    Best regards,
    Huilong
  • Anonymous
    August 19, 2014
    Thank you for all your responses. One last thing I want to double check before I go with the callout DLL approach: on Windows DHCP server, GIAddr is the ONLY way to select scope, there is no way to work around it (except to write a DLL as I planned), is that correct? Would you confirm this? Thanks a lot.
  • Anonymous
    August 25, 2014
    Hi,

    Thanks a lot for your confirmation.

    I am now working on the callout dll approach. However when I tried to load a testing DLL, I got following error in system log:

    The DHCP service has failed to load one or more callout DLLs. The following error occured:
    %1 is not a valid Win32 application.
    is not a valid Win32 application.
    is not a valid Win32 application.
    is not a valid Win32 application.

    The testing DLL was simply built from code in this blog: http://blogs.technet.com/b/teamdhcp/archive/2009/07/06/dhcp-server-callout-api-usage.aspx . What could be wrong?

    I am running a Windows server 2012 64-bit. I heard the callout DLL approach may not work on 64 bit OS. Is that true?

  • Anonymous
    November 14, 2014
    Hi teamdhcp,

    I need to set Server Identifier option [DHCP Option 54] on a W2012 DHCP for several scopes. Is that even possible?
    I cannot find any documentation/examples how to do this.

    Best regards,
    FC
  • Anonymous
    December 12, 2014
    Hello teamdhcp, I'm using a DHCP relay service which has one setting: the DHCP server. The clients can't get to the DHCP server directly (no route). So I'd like to try overriding the Server Identifier so clients can renew their IP quicker. Also I want to "hide" the real DHCP server.

    Best regards,
    FC
  • Anonymous
    December 17, 2014
    Hello teamdhcp, Thank you for your response.
  • Anonymous
    July 05, 2015
    We are trying to use DHCP policies, but have an issue when clients are renewing their leases. So far we have not been able to make the relay agent insert sub-option 11, and as a result the renewal request does not include option 82, and the server delivers options without the additional policy options.
    While our network guy is trying to insert this server id override option, I am looking for alternatives.

    In RFC 3046 I am noticing this:
    Note that DHCP relay agents are not required to monitor unicast DHCP
    messages sent directly between the client and server (i.e., those
    that aren't sent via a relay agent). However, some relay agents MAY
    chose to do such monitoring and add relay agent options.
    Consequently, servers SHOULD be prepared to handle relay agent
    options in unicast messages, but MUST NOT expect them to always be
    there.

    That is, server must not expect option 82 to always be there. But to me it seems as if MS DHCP does exactly this.
    Is either of the following possible:
    - To make DHCP server remember and reuse option 82 value(s) when renewing?
    - To make DHCP server force Server override with relay agents IP, if sub-option 11 is not present?

  • Anonymous
    July 06, 2015
    Hello Jan, If your policy is based on DHCP option 82 (relay agent information option), it will require that the relay agent be involved in the renew request as well, since the policies are applied based on what is present in the request message. The way to have the relay agent be in the path of the request message is inserting the server override option (id 11) specified in RFC 5107.
    Windows DHCP server does not remember/reuse option 82 values or force a server override even if sub-option 11 is not present.