Setting Up DHCP Option 82 on the Switch with No Relay Agent Between Clients and DHCP Server (CLI Procedure)

You can use DHCP option 82, also known as the DHCP relay agent information option, to help protect the EX Series switch against attacks such as spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation. Option 82 provides information about the network location of a DHCP client, and the DHCP server uses this information to implement IP addresses or other parameters for the client.

You can configure the DHCP option 82 feature in two topologies:

• The switch, DHCP clients, and DHCP server are all on the same VLAN. The switch forwards the clients' requests to the server and forwards the server's replies to the clients. This topic describes this configuration.
• The switch functions as a relay agent when the DHCP clients or the DHCP server is connected to the switch through a Layer 3 interface. On the switch, these interfaces are configured as routed VLAN interfaces, or RVIs. The switch relays the clients' requests to the server and then forwards the server's replies to the clients. This configuration is described in Setting Up DHCP Option 82 with the Switch as a Relay Agent Between Clients and DHCP Server (CLI Procedure).

Before you configure DHCP option 82 on the switch, perform these tasks:

• Connect and configure the DHCP server.

  Note: Your DHCP server must be configured to accept DHCP option 82. If the server is not configured for DHCP option 82, the server does not use the DHCP option 82 information in the requests sent to it when it formulates its reply messages.

• Configure a VLAN on the switch and associate the interfaces on which the clients and the server connect to the switch with that VLAN.

To configure DHCP option 82:

Note: Replace values displayed in italics with values for your configuration.

1. Specify DHCP option 82 for all VLANs associated with the switch or for a specified VLAN. (You can also configure the feature for a VLAN range.)
   
   • On a specific VLAN:
     
     

     [edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82
   • On all VLANs:
     
     

     [edit ethernet-switching-options secure-access-port]
user@switch# set vlan all dhcp-option82

     
     

     The remaining steps are optional.

2. To configure a prefix for the circuit ID suboption (the prefix is always the hostname of the switch):
   
   

   [edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 circuit-id prefix hostname

   
   
3. To specify that the circuit ID suboption value contains the interface description rather than the interface name (the default):
   
   

   [edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 circuit-id use-interface-description

   
   
4. To specify that the circuit ID suboption value contains the VLAN ID rather than the VLAN name (the default):
   
   

   [edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 circuit-id use-vlan-id

   
   
5. To specify that the remote ID suboption is included in the DHCP option 82 information:
   
   

   [edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 remote-id

   
   
6. To configure a prefix for the remote ID suboption (here, the prefix is the MAC address of the switch):
   
   

   [edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 remote-id prefix mac

   
   
7. To specify that the prefix for the remote ID suboption is the hostname of the switch rather than the MAC address of the switch (the default):
   
   

   [edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 remote-id prefix hostname

   
   
8. To specify that the remote ID suboption value contains the interface description:
   
   

   [edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 remote-id use-interface-description

   
   
9. To specify that the remote ID suboption value contains a character string:
   
   

   [edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 remote-id use-stringmystring

   
   
10. To configure a vendor ID suboption and use the default value (the default value is Juniper), do not type a character string after the vendor-id option keyword:
    
    

    [edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 vendor-id

    
    
11. To specify that the vendor ID suboption value contains a character string value that you specify rather than Juniper (the default):
    
    

    [edit ethernet-switching-options secure-access-port]
user@switch# set vlan employee dhcp-option82 vendor-id mystring

    
    

To view results of the configuration steps before committing the configuration, type the show command at the user prompt.

To commit these changes to the active configuration, type the commit command at the user prompt.