Technical Documentation

^New

Glossary

Portable Libraries

EX Series Search

Advanced Search |

Search Tips

Supported Platforms

EX Series

Example: Setting Up DHCP Option 82 on an EX Series Switch with No Relay Agent Between Clients and DHCP Server

You can use DHCP option 82, also known as the DHCP relay agent information option, to help protect the EX Series switch against attacks such as spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation. Option 82 provides information about the network location of a DHCP client, and the DHCP server uses this information to implement IP addresses or other parameters for the client.

This example describes how to configure DHCP option 82 on a switch with DHCP clients, DHCP server, and switch all on the same VLAN:

Requirements

This example uses the following hardware and software components:

One EX Series switch
Junos OS Release 9.3 or later for EX Series switches
A DHCP server to provide IP addresses to network devices on the switch

Before you configure DHCP option 82 on the switch, be sure you have:

Connected and configured the DHCP server.

Note: Your DHCP server must be configured to accept DHCP option 82. If it is not configured for DHCP option 82, it does not use the DHCP option 82 information in the requests sent to it when it formulates its reply messages.

Configured the employee VLAN on the switch and associated the interfaces on which the clients and the server connect to the switch with that VLAN. See Configuring VLANs for EX Series Switches (CLI Procedure).

Overview and Topology

If DHCP option 82 is enabled on the switch, then when a network device—a DHCP client—that is connected to the switch on an untrusted interface sends a DHCP request, the switch inserts information about the client's network location into the packet header of that request. The switch then sends the request to the DHCP server. The DHCP server reads the option 82 information in the packet header and uses it to implement the IP address or other parameter for the client.

DHCP option 82 is enabled on an individual VLAN or on all VLANs on the switch.

When option 82 is enabled on the switch, then this sequence of events occurs when a DHCP client sends a DHCP request:

The switch receives the request and inserts the option 82 information in the packet header.
The switch forwards the request to the DHCP server.
The server uses the DHCP option 82 information to formulate its reply and sends a response back to the switch. It does not alter the option 82 information.
The switch strips the option 82 information from the response packet.
The switch forwards the response packet to the client.

Figure 1 illustrates the topology for this example.

Figure 1: Network Topology for Configuring DHCP Option 82 on a Switch That Is on the Same VLAN as the DHCP Clients and the DHCP Server

In this example, you configure DHCP option 82 on the EX Series switch. The switch connects to the DHCP server on interface ge-0/0/8. The DHCP clients connect to the switch on interfaces ge-0/0/1, ge-0/0/2, and ge-0/0/3. The switch, server, and clients are all members of the employee VLAN.

Configuration

To configure DHCP option 82:

CLI Quick Configuration

To quickly configure DHCP option 82, copy the following commands and paste them into the switch terminal window:

set ethernet-switching-options secure-access-port
vlan employee dhcp-option82
set ethernet-switching-options secure-access-port vlan employee dhcp-option82
circuit-id prefix hostname
set ethernet-switching-options secure-access-port vlan employee dhcp-option82
circuit-id use-vlan-id
set
ethernet-switching-options secure-access-port vlan employee dhcp-option82
remote-id
set ethernet-switching-options
secure-access-port vlan employee dhcp-option82 remote-id prefix mac
set ethernet-switching-options secure-access-port
vlan employee dhcp-option82 remote-id use-string employee-switch1
 set ethernet-switching-options secure-access-port
vlan employee dhcp-option82 vendor-id

Step-by-Step Procedure

To configure DHCP option 82:

Specify DHCP option 82 for the employee VLAN:

[edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82
Configure a prefix for the circuit ID suboption (the prefix is always the hostname of the switch):

[edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 circuit-id prefix hostname
Specify that the circuit ID suboption value contains the VLAN ID rather than the VLAN name (the default):

[edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 circuit-id use-vlan-id
Specify that the remote ID suboption be included in the DHCP option 82 information:

[edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 remote-id
Configure a prefix for the remote ID suboption (here, the prefix is the MAC address of the switch):

[edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 remote-id prefix mac
Specify that the remote ID suboption value contains a character string (here, the string is employee-switch1):

[edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 remote-id use-string employee-switch1
Configure a vendor ID suboption value, and use the default value. To use the default value, do not type a character string after the vendor-id option keyword:

[edit ethernet-switching-options secure-access-port] user@switch# set vlan employee dhcp-option82 vendor-id

Results

Check the results of the configuration:

[edit ethernet-switching-options secure-access-port]
user@switch# show

vlan employee {dhcp-option82 {circuit-id {prefix hostname;use-vlan-id;}remote-id {prefix mac;use-string employee-switch1;}vendor-id;}}

Choose Country

North America

Europe

Asia Pacific