Introduction to DHCP
Overview
Dynamic Host Configuration Protocol (DHCP) dynamically configures and uniformly manages the network parameters of hosts in a TCP/IP network, and allocates IP addresses to those hosts. The PICOS switch supports two basic DHCP functions: DHCP snooping and DHCP relay.
DHCP snooping is a network security feature that ensures DHCP clients obtain IP addresses only from legitimate DHCP servers and records the binding between the IP addresses and MAC addresses of DHCP clients, in order to prevent DHCP attacks on the network.
A device with DHCP snooping enabled forwards DHCP request messages from the DHCP client to the legitimate DHCP server through the trust interface, then generates a DHCP snooping binding table from the DHCP Ack message returned by the DHCP server. The DHCP snooping binding table is synchronized to the ARP inspection table, which validates ARP packets on the network to prevent ARP attacks and ARP request floods; for details about Dynamic ARP Inspection (DAI), refer to Dynamic ARP Inspection (DAI).
NOTE: If Dynamic ARP Inspection (DAI) is to be deployed on the device, DAI must be enabled from the CLI before DHCP snooping is enabled so that the two features function normally.
DHCP relay is a Layer 3 feature. When the DHCP client and DHCP server are not in the same physical subnet, DHCP relay can be deployed on the Layer 3 device located between the DHCP client and the DHCP server to forward DHCP messages, allowing IP addresses to be allocated to network hosts across different Layer 3 subnets.
DHCP Snooping and DHCP Relay Networking Applications
As shown in Figure 1, an enterprise has Department A, Department B and Department C, and the gateway server of the enterprise network serves as the DHCP server. The hosts in the three departments are not in the same subnet as the DHCP server. The enterprise wants to dynamically assign IP addresses to the hosts of all departments from the same DHCP server; the network administrator can deploy a DHCP relay agent between the hosts and the DHCP server to achieve this.
Figure 1 DHCP snooping and DHCP relay networking
Usually, the DHCP relay agent is deployed on the gateway device of the departments, while the DHCP server can be the enterprise gateway or a dedicated DHCP server.
Because DHCP request messages are broadcast within the subnet, DHCP attacks (e.g., DHCP server spoofing, denial-of-service attacks) are common on the network. To prevent attacks using DHCP messages and improve security, DHCP snooping can be deployed between the DHCP clients and the DHCP server to ensure that clients obtain IP addresses only from the legitimate DHCP server. DHCP snooping is generally deployed on devices close to the DHCP clients (e.g., Switch 1 and Switch 3).
NOTE: DHCP snooping and DHCP relay are two modules that work independently and in parallel. If both DHCP snooping and DHCP relay are enabled on one switch, DHCP messages are processed and forwarded by the two modules independently.
DHCP Option 82
Option 82 records the location information of the DHCP client; it can be configured on a DHCP relay or DHCP snooping device. For a DHCP packet received from a DHCP client, the Option 82 carried in that packet is processed according to the Option 82 policy before the packet is sent to the DHCP server.
The DHCP server can allocate IP addresses and other parameters to clients based on the Option 82 information carried in the DHCP packet, which allows more flexible address allocation schemes.
Option 82 contains two common sub-options: Circuit ID and Remote ID. Circuit ID mainly identifies the VLAN and the interface of the client; Remote ID identifies the device through which the client accessed the network, usually by the MAC address of that device.
Packet Format
Circuit ID Sub-option
Circuit ID has three types: Type 0 (value is port index), Type 1 (value is port name + VLAN ID) and Type 2 (value is port description + VLAN ID). The format of each type is described below.
- Type 0 (port index)
Circuit ID type is 0, where the index of the physical or LAG interface is used as the Circuit ID sub-option value.
When configuring DHCP snooping and DHCP relay in an MLAG topology, the MLAG Link ID and Port Index are used for the Circuit ID field with an offset, as shown in the following table:
            | MLAG Port          | Non-MLAG Port
MLAG Node 0 | 512 + MLAG Link ID | Local Port Index
MLAG Node 1 | 512 + MLAG Link ID | 1024 + Local Port Index
- Type 1 (port name)
Circuit ID type is 1, where the port name and VLAN ID make up the Circuit ID sub-option value.
- Type 2 (port description)
Circuit ID type is 2, where the port description and VLAN ID make up the Circuit ID sub-option value.
Remote ID Sub-option
Remote ID has two types: Type 0 (value is system MAC) and Type 1 (value is host name). The format of each type is described below.
- Type 0 (system MAC)
Remote ID type is 0, where system MAC is used for Remote ID sub-option.
Note that in an MLAG topology the Remote ID sub-option of DHCP Option 82 is fixed to the MLAG domain MAC address.
- Type 1 (hostname)
Remote ID type is 1, where hostname is used for Remote ID sub-option.
How to Handle Option 82?
The system handles Option 82 in the received DHCP packets according to the following rules:
- When a DHCP Discover/Request/Release/Decline/Inform message without giaddr but with Option 82 is received:
  - If Option 82 trust-all is disabled, the message is dropped.
  - If Option 82 trust-all is enabled, the message is processed according to the user-configured Option 82 policy. Four operations can be set for the Option 82 policy: Keep, Drop, Insert and Replace. The default is Keep, which means the Option 82 in the DHCP message received from the DHCP client remains unchanged and the message is forwarded.
- Any other DHCP Discover/Request/Release/Decline/Inform message (one that carries a giaddr or carries no Option 82) is accepted on receipt and processed according to the Option 82 policy.
- When a DHCP Offer/Ack/Nak message without Option 82 is received, the message is forwarded without Option 82.
- When a DHCP Offer/Ack/Nak message with Option 82 is received, Option 82 is removed before the message is forwarded.
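The rules above, modelled as an added example (not PICOS code) so the giaddr, trust-all and policy cases can be checked against sample messages. The message types and the drop/strip rules come from the text; the exact behaviour of the Drop and Insert policies when Option 82 is already present, and the placeholder Option 82 bytes, are assumptions labelled in the code.

```python
# Added example: models the Option 82 handling rules described on this page.
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE", "INFORM"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}
OPT82 = 82
PLACEHOLDER_OPT82 = b"\x01\x02\x00\x01"  # constructed stand-in for the locally built Option 82


def handle_option82(msg, policy="keep", trust_all=False, local_opt82=PLACEHOLDER_OPT82):
    """Return (action, options) for a DHCP message given as
    {"type": "DISCOVER", "giaddr": "0.0.0.0", "options": {code: bytes}}.
    action is "forward" or "drop"; options is the option set to forward."""
    mtype = msg["type"]
    options = dict(msg["options"])
    has_82 = OPT82 in options
    if mtype in SERVER_MSGS:
        # Offer/Ack/Nak: any Option 82 is stripped before forwarding.
        options.pop(OPT82, None)
        return ("forward", options)
    if mtype not in CLIENT_MSGS:
        raise ValueError(f"unknown DHCP message type {mtype}")
    if has_82 and msg["giaddr"] == "0.0.0.0" and not trust_all:
        # Client message carrying Option 82 but no giaddr: dropped unless trust-all is on.
        return ("drop", options)
    # Every other client message is processed according to the configured policy.
    if policy == "keep":
        return ("forward", options)
    if policy == "drop":
        # Assumption: Drop discards a message that already carries Option 82.
        return ("drop", options) if has_82 else ("forward", options)
    if policy == "insert":
        # Assumption: Insert only adds Option 82 when the message has none.
        if not has_82:
            options[OPT82] = local_opt82
        return ("forward", options)
    if policy == "replace":
        # Replace overwrites (or adds) Option 82 with the locally built value.
        options[OPT82] = local_opt82
        return ("forward", options)
    raise ValueError(f"unknown option82-policy {policy}")
```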
Option 82 settings are supported both on the DHCP relay agent and on the Layer 2 access device with DHCP snooping enabled. The related commands are listed below:
Set the Option 82 policy for DHCP snooping:
set protocols dhcp snooping vlan <vlan-id> option82-policy <drop | keep | insert | replace>
When option82-policy is set to “insert” or “replace”, you can use the following commands to set the format of sub-options circuit ID and remote ID:
set protocols dhcp snooping option82 circuit-id <port-index | port-name | port-description>
set protocols dhcp snooping option82 remote-id <system-mac | hostname>
Set the Option 82 policy for DHCP relay:
set protocols dhcp relay interface <vlan-interface-name> option82-policy <drop | keep | insert | replace>
When option82-policy is set to “insert” or “replace”, you can use the following commands to set the format of sub-options circuit ID and remote ID:
set protocols dhcp relay option82 circuit-id <port-index | port-name | port-description>
set protocols dhcp relay option82 remote-id <system-mac | hostname>
We can use the following table to summarize the Option 82 policy.
NOTE: DHCP snooping and DHCP relay handle Option 82 independently and in parallel, since they are two completely separate modules.
Option 82 trust-all
DHCP Discover/Request/Release/Decline/Inform packets received on the switch without giaddr but containing Option 82 are dropped by default. If the Option 82 trust-all function is enabled, however, such packets are accepted and processed.
Therefore, when configuring the Option 82 policy, consider the network topology together with the trust-all configuration, especially if there is a switch between the client and the relay agent or DHCP-snooping device that may insert Option 82. Enable DHCP Option 82 trust-all on the relay agent or DHCP-snooping device to ensure that these packets are not dropped.
For example, in the following topology, the configurations on Switch 1 and Switch 2 are:
- DHCP snooping is enabled on Switch 1, and DHCP relay is enabled on Switch 2.
- DHCP snooping trust port is configured on the physical or L2 aggregated port towards Switch 2 on Switch 1.
Figure 2 DHCP Snooping and DHCP Relay Topology
Optionally, DHCP snooping Option 82 can be enabled on Switch 1 and DHCP relay Option 82 on Switch 2. If Option 82 is inserted on Switch 1, however, DHCP relay Option 82 trust-all must be enabled on Switch 2.
Interaction with Other Protocols
MLAG
Devices in an MLAG topology support enabling the DHCP snooping or DHCP relay function on the MLAG peer devices to allocate addresses to DHCP clients.
When configuring DHCP snooping and DHCP relay in MLAG topology, pay attention to the following points:
- DHCP snooping configurations, such as the Option 82 policy and the VLANs with DHCP snooping enabled or disabled, should be configured identically on both MLAG peer devices; inconsistent configuration can cause undesirable behavior in the traffic flow.
- If the VLANs with DHCP snooping enabled or disabled are not identical on the MLAG peer devices, or the MLAG global configuration is not identical on the MLAG peer devices, the DHCP binding table entries will be cleared.
- When configuring DHCP snooping, the ports that directly or indirectly connect to the DHCP server should be configured as trust ports on every network device between the DHCP client and the server, including the MLAG peer devices.
- DHCP relay configurations should be configured identically on both MLAG peer devices.
DHCP snooping and DHCP relay in an MLAG topology have the following characteristics:
- The DHCP snooping binding table and DHCP relay table of the MLAG member ports are synchronized to the associated member ports on the MLAG peer device.
- If both the MLAG configuration consistency check and the DHCP snooping configuration consistency check pass, the MLAG system syncs the DHCP snooping binding table and DHCP relay table; if either the MLAG or the DHCP snooping configuration consistency check fails, the DHCP binding table entries will be cleared.
- The DHCP snooping binding table and DHCP relay table of single-homed ports are not synchronized to the MLAG peer device.
- When a DHCP message (especially a broadcast message) is received, it is forwarded by DHCP relay and at the same time flooded within the same VLAN.
- The MLAG flood control module processes DHCP packets like any other packets: when the MLAG member port is in the FULL state, DHCP packets received from the peer-link port are not forwarded out of the MLAG member port; when the MLAG interface state changes to AS_LOCAL, the restriction is lifted.
- The format of the DHCP Option 82 sub-options Remote ID and Circuit ID is fixed in an MLAG topology:
  - The MLAG domain MAC address is used to fill in the Remote ID field.
  - The MLAG Link ID and Port Index are used for the Circuit ID field with an offset, as shown in the following table:
            | MLAG Port          | Non-MLAG Port
MLAG Node 0 | 512 + MLAG Link ID | Local Port Index
MLAG Node 1 | 512 + MLAG Link ID | 1024 + Local Port Index
Note that, when configuring Option 82 in an MLAG environment, the Remote ID should be set to “system-mac” and the Circuit ID should be set to “port-index”.
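An added example (not PICOS code) that builds and decodes the fixed MLAG form of Option 82 described above: Circuit ID Type 0 with the port index offsets from the table, and Remote ID Type 0 carrying the MLAG domain MAC. It assumes the port index is carried as a 2-byte big-endian value, the sub-option codes are 1 (Circuit ID) and 2 (Remote ID) as in RFC 3046, and the MAC address used is a constructed sample; the decoder is the piece an operator would use to verify what a relay or snooping device inserted in a captured packet.

```python
# Added example: Option 82 encoding/decoding for the MLAG Circuit ID / Remote ID format.
import struct


def mlag_port_index(node, local_port_index, mlag_link_id=None):
    """Circuit ID index for MLAG node 0 or 1 per the offset table above.
    mlag_link_id is set for MLAG member ports and None for non-MLAG ports."""
    if node not in (0, 1):
        raise ValueError("MLAG node must be 0 or 1")
    if mlag_link_id is not None:
        return 512 + mlag_link_id  # MLAG port: same value on both nodes
    return local_port_index if node == 0 else 1024 + local_port_index


def build_option82(port_index, domain_mac):
    """Encode Option 82: code 82, length, then Circuit ID (1) and Remote ID (2) TLVs."""
    circuit_id = struct.pack("!H", port_index)  # assumption: 2-byte big-endian port index
    remote_id = bytes.fromhex(domain_mac.replace(":", ""))
    if len(remote_id) != 6:
        raise ValueError("remote ID must be a 6-byte MAC address")
    body = bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id
    return bytes([82, len(body)]) + body


def parse_option82(blob):
    """Decode an Option 82 blob into {"circuit_id": int, "remote_id": "aa:bb:cc:dd:ee:ff"}.
    Length fields are checked so a truncated or malformed option raises instead of misparsing."""
    if len(blob) < 2 or blob[0] != 82 or blob[1] != len(blob) - 2:
        raise ValueError("not a well-formed Option 82")
    out, pos = {}, 2
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated sub-option header")
        code, length = blob[pos], blob[pos + 1]
        value = blob[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        if code == 1:
            out["circuit_id"] = int.from_bytes(value, "big")
        elif code == 2:
            out["remote_id"] = ":".join(f"{b:02x}" for b in value)
        pos += 2 + length
    return out
```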
VRRP
The DHCP relay feature can be deployed in a VRRP network, allowing the VRRP Master and Backup devices to act as the DHCP relay agents.
When configuring DHCP relay in VRRP topology, pay attention to the following points:
- DHCP relay configurations, such as the DHCP server address, must be identical on both the VRRP Master and Backup devices.
- In a VRRP topology, DHCP relay only works on an L3 VLAN interface with a single IP address and a single VRID.
- A DHCP relay agent address is required in a VRRP topology, and it must be the virtual IP address of the VRRP group. The command set protocols dhcp relay interface <vlan-interface-name> relay-agent-address <agent-ipv4-address> sets the DHCP relay agent address. It is used to fill in the giaddr field, identifying the client gateway, in relayed DHCP Discover/Request/Inform/Release/Decline messages whose giaddr is zero. For DHCP messages in which the giaddr is not zero, the giaddr remains unchanged.
- Dynamic ARP Inspection (DAI) is supported in the Active-Active VRRP mode, but NOT supported in the standard VRRP mode.
Copyright © 2024 Pica8 Inc. All Rights Reserved.