
dhcp-snooping, switch doesn't insert option 82 information


Userlevel 6
Hello, colleagues!

I need to insert option 82 information into DHCP packets.
Tried bootprelay - all works fine.

Trying dhcp-snooping - the switch doesn't insert option 82 information.

My config:
enable ip-security dhcp-snooping vlan v74_Users port 16 violation-action none
enable ip-security dhcp-snooping vlan v74_Users port 20 violation-action none
enable ip-security dhcp-snooping vlan v74_Users port 21 violation-action none
enable ip-security dhcp-snooping vlan v74_Users port 26 violation-action none
enable ip-security dhcp-snooping vlan v74_Users port 27 violation-action none
configure trusted-ports 26 trust-for dhcp-server
configure ip-security dhcp-snooping information option
configure ip-security dhcp-snooping information check
configure ip-security dhcp-snooping information circuit-id vlan-information v74 vlan v74_Users
configure ip-security dhcp-snooping information circuit-id vlan-information v75 vlan v75_Users2
configure ip-security dhcp-bindings storage write-interval 1440
configure ip-security dhcp-bindings storage filename bind.txt.xsf
enable ip-security dhcp-bindings restoration

The User_Guide says:
When DHCP relay is configured in a DHCP snooping environment, the relay agent IP address should be configured as the trusted server.

“configure trusted-servers {vlan} add server [i] trust-for dhcp-server”

Should I add the IP address of the DHCP server and/or configure the Extreme switch as a trusted server? But I have "configure trusted-ports 26 trust-for dhcp-server"

Any ideas?

Thank you!

21 replies

Userlevel 3
Pardon me if I am wrong. You mean you want to insert DHCP option 82 inside the DHCP request from the endpoint devices themselves?

That is not possible. No switches can do that. The DHCP option 82 request always comes from the endpoint devices.

You can have a look at DHCP Relay info.

http://documentation.extremenetworks.com/exos/EXOS_All/Security/r_configuring-the-dhcp-relay-agent-o...
Userlevel 6
I think you have something wrong.
In this case the switch has to work as a relay agent and insert option 82 information (in my case - v74).
Also the switch can replace option 82 information.

EXOS-User-Guide said this.

Thank you!
Userlevel 3
Alexandr P wrote:

I think you have something wrong.
In this case the switch has to work as a relay agent and insert option 82 information (in my case - v74).
Also the switch can replace option 82 information.

EXOS-User-Guide said this.

Thank you!

Yes you are right.

Do note.

Note

When this feature is enabled, all DHCP traffic must be forwarded in slowpath only, which means that this feature functions only in the context of IP Security and only on interfaces where DHCP snooping is enabled in enforcement (violation-action of 'drop') mode. In other words, with DHCP snooping not configured with a violation-action of 'none' (which is pure monitoring mode).

Which means

enable ip-security dhcp-snooping vlan v74_Users port 16 violation-action drop
enable ip-security dhcp-snooping vlan v74_Users port 20 violation-action drop
enable ip-security dhcp-snooping vlan v74_Users port 21 violation-action drop
enable ip-security dhcp-snooping vlan v74_Users port 26 violation-action drop
enable ip-security dhcp-snooping vlan v74_Users port 27 violation-action drop
Userlevel 6
You are right.

But the main problem is that I can see option 82 in DHCP-Discover packets (with my information), but I can't see this information in DHCP-Request packets.

Userlevel 6
Any ideas - why is option 82 inserted in the DHCP-Discover, but not in the DHCP-Request?

Or am I missing something?

Thank you!
Userlevel 3
Hi,

all information was sent to DHCP server in Discover packet + data in option 82, why should the relay add the same information twice to the DHCP server ?

--
Jarek
Userlevel 6
Jarek wrote:

Hi,

all information was sent to DHCP server in Discover packet + data in option 82, why should the relay add the same information twice to the DHCP server ?

--
Jarek

Hi, Jarek!

I rely on the information given in the EXOS_User_Guide, which says: "The DHCP relay agent option feature inserts a piece of information, called option 82, into any DHCP request packet that is to be relayed by the switch"

I understand that after the DHCP-Discover message (with option 82) the DHCP server offers some IP address to the client.
But why then does the User_Guide say that option 82 has to be inserted in the DHCP-Request packet?

Thank you!
Userlevel 3
Jarek wrote:

Hi,

all information was sent to DHCP server in Discover packet + data in option 82, why should the relay add the same information twice to the DHCP server ?

--
Jarek

I think we should ask the person who wrote this document 🙂.

Maybe the phrase "DHCP request packet" is not the same as "DHCP Request packet".

--
Jarek
Userlevel 6
Jarek wrote:

Hi,

all information was sent to DHCP server in Discover packet + data in option 82, why should the relay add the same information twice to the DHCP server ?

--
Jarek

Maybe you are right )))
Userlevel 7
Jarek wrote:

Hi,

all information was sent to DHCP server in Discover packet + data in option 82, why should the relay add the same information twice to the DHCP server ?

--
Jarek

Thanks for pointing this one out - we'll take a look to see if the wording needs to be updated. Our documentation team has been notified.
Userlevel 6
Jarek wrote:

Hi,

all information was sent to DHCP server in Discover packet + data in option 82, why should the relay add the same information twice to the DHCP server ?

--
Jarek

Thank you, Drew!
Userlevel 7
Jarek wrote:

Hi,

all information was sent to DHCP server in Discover packet + data in option 82, why should the relay add the same information twice to the DHCP server ?

--
Jarek

Brandon Clay pointed out to me that RFC3046 states:

A DHCP relay agent adding a Relay Agent Information field SHALL add it as the last option (but before 'End Option' 255, if present) in the DHCP options field of any recognized BOOTP or DHCP packet forwarded from a client to a server.

If that's the case, then there may be something wrong in EXOS that we'd need to look at and fix. Can you please open a ticket and get this reviewed?
Userlevel 6
Jarek wrote:

Hi,

all information was sent to DHCP server in Discover packet + data in option 82, why should the relay add the same information twice to the DHCP server ?

--
Jarek

Hi, Drew!

I think EXOS works normally, if we think logically - the first packet (with the MAC address of the client) which goes from the client should be taken by the relay agent and option 82 added; this first packet is the DHCP-Discover. And then the DHCP server has to offer some IP address based on the circuit ID information, or do some other manipulation. (In this case we don't take the secure component of dhcp-snooping.)

In this case something is wrong in the documentation.

I'll open a case today and update the information with the case number.

Thank you!
Userlevel 7
Jarek wrote:

Hi,

all information was sent to DHCP server in Discover packet + data in option 82, why should the relay add the same information twice to the DHCP server ?

--
Jarek

Hi Alexandr,

I agree, logically it makes sense that this is only needed in the DHCP discover. However, after reading the RFC, it seems that this should be inserted in any packets relayed from the client.

Let us know what you hear from your case.

-Brandon
Userlevel 6
Jarek wrote:

Hi,

all information was sent to DHCP server in Discover packet + data in option 82, why should the relay add the same information twice to the DHCP server ?

--
Jarek

I agree with you, but it only says that the RFC does not give specifics.
Userlevel 3
Jarek wrote:

Hi,

all information was sent to DHCP server in Discover packet + data in option 82, why should the relay add the same information twice to the DHCP server ?

--
Jarek

Maybe we should update the RFC 🙂 ?

--
Jarek
Userlevel 6
Hi!

Case number 01150094.
After consideration and communication with TAC I'll update the information.

Thank you!
Userlevel 7
Alexandr P wrote:

Hi!

Case number 01150094.
After consideration and communication with TAC I'll update the information.

Thank you!

Hi Alexandr, Can we consider this one solved?
Userlevel 6
Alexandr P wrote:

Hi!

Case number 01150094.
After consideration and communication with TAC I'll update the information.

Thank you!

Hi, Drew!

If you mean the Hub post, then yes.
If you mean the case, then the issue is being considered; the case is still open.

Thank you!
Userlevel 7
Alexandr P wrote:

Hi!

Case number 01150094.
After consideration and communication with TAC I'll update the information.

Thank you!

Yes - I was referring to the post here on The Hub. Thanks!
Userlevel 6
Alexandr P wrote:

Hi!

Case number 01150094.
After consideration and communication with TAC I'll update the information.

Thank you!

Hi, all!

I think it was a problem with the client or with the dhcp-server.
After changing the client PC and the PC with the dhcp-server I see normal behavior - dhcp-request packets come with option 82.

Sorry for the wasted time.

Thank you!
