Understanding DHCP Option 82 for Port Security
You can use DHCP option 82, also known as the DHCP relay agent information option, to help protect the switch against attacks such as spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation. Hosts on untrusted access interfaces on Ethernet LAN switches send requests for IP addresses in order to access the Internet. The switch forwards or relays these requests to DHCP servers, and the servers send offers for IP address leases in response. Attackers can use these messages to perpetrate address spoofing and starvation.
Option 82 provides information about the network location of a DHCP client, and the DHCP server uses this information to assign an IP address or other parameters to the client. The Juniper Networks Junos operating system (Junos OS) implementation of DHCP option 82 supports RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.
DHCP Option 82 Processing
If DHCP option 82 is enabled on the switch, then when a DHCP client that is connected to the switch on an untrusted interface sends a DHCP request, the switch inserts information about the client's network location into the packet header of that request. The switch then sends the request to the DHCP server. The DHCP server reads the option 82 information in the packet header and uses it to assign the IP address or another parameter to the client. See Suboption Components of Option 82 for details about option 82 information.
You can enable DHCP option 82 on a single VLAN or on all VLANs on the switch. You can also configure it on Layer 3 interfaces (in routed VLAN interfaces, or RVIs) when the switch is functioning as a relay agent.
When option 82 is enabled on the switch, this sequence of events occurs when a DHCP client sends a DHCP request:
- The switch receives the request and inserts the option 82 information in the packet header.
- The switch forwards or relays the request to the DHCP server.
- The server uses the DHCP option 82 information to formulate its reply and sends a response back to the switch. It does not alter the option 82 information.
- The switch strips the option 82 information from the response packet.
- The switch forwards the response packet to the client.
To use the DHCP option 82 feature, you must ensure that the DHCP server is configured to accept option 82. If it is not configured to accept option 82, then when it receives requests containing option 82 information, it does not use the information in setting parameters and it does not echo the information in its response message.
Suboption Components of Option 82
When configuring DHCP option 82, you can use the following suboptions:
circuit ID—Identifies the circuit (interface and/or VLAN) on the switch on which the request was received. The circuit ID contains the interface name and/or VLAN name, with the two elements separated by a colon—for example, xe-0/0/10:vlan1. If the request packet is received on a Layer 3 interface, the circuit ID is just the interface name—for example, xe-0/0/10.
Use the prefix option to add an optional prefix to the circuit ID. If you enable the prefix option, the hostname of the switch is used as the prefix; for example, switch1:xe-0/0/10:vlan1.
You can also specify that the interface description be used rather than the interface name and that the VLAN ID be used rather than the VLAN name.
remote ID—Identifies the host. By default, the remote ID is the MAC address of the switch. You can specify that the remote ID be the hostname of the switch, the interface description, or a character string of your choice. You can also add an optional prefix to the remote ID.
vendor ID—Identifies the vendor of the host. If you specify the vendor-id option but do not enter a value, the default value Juniper is used. To specify a value, you type a character string.
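The relay sequence above (insert on the request, server echoes unchanged, strip from the reply) and the circuit ID format from the suboption list, as an added example in Python that is not Junos OS code. It uses the RFC 3046 suboption codes for circuit ID (1) and remote ID (2); the vendor ID suboption is left out because its code is not given on this page, and the switch MAC and option bytes are constructed sample values.

```python
# Added example (not Juniper's code): the option 82 insert and strip steps a relay
# switch performs, using the RFC 3046 suboption codes cited on the page.
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE = 53                      # 1 = DHCPDISCOVER, 2 = DHCPOFFER
OPT_RELAY_AGENT = 82                   # RFC 3046 Relay Agent Information option
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2   # RFC 3046 suboptions

def circuit_id(interface, vlan=None, prefix=None):
    """'interface', or 'interface:vlan' on a Layer 2 VLAN, optionally
    prefixed with the switch hostname, as described in the suboption list."""
    parts = ([prefix] if prefix else []) + [interface] + ([vlan] if vlan else [])
    return ":".join(parts)

def iter_tlvs(data):
    """Walk a DHCP options field (or option 82 suboptions), yielding (code, value)."""
    i = 0
    while i < len(data) and data[i] != OPT_END:
        if data[i] == OPT_PAD:
            i += 1
            continue
        code, length = data[i], data[i + 1]
        yield code, bytes(data[i + 2:i + 2 + length])
        i += 2 + length

def encode_tlvs(tlvs):
    """Serialize (code, value) pairs as one-byte code, one-byte length, value."""
    return b"".join(bytes([c, len(v)]) + v for c, v in tlvs)

def relay_insert(options, circuit, remote):
    """Step 1: the switch appends option 82 (before END) to the client's request."""
    subs = encode_tlvs([(SUB_CIRCUIT_ID, circuit.encode()), (SUB_REMOTE_ID, remote)])
    return options[:-1] + encode_tlvs([(OPT_RELAY_AGENT, subs)]) + bytes([OPT_END])

def relay_strip(options):
    """Step 4: the switch removes option 82 from the server's reply to the client."""
    kept = [(c, v) for c, v in iter_tlvs(options) if c != OPT_RELAY_AGENT]
    return encode_tlvs(kept) + bytes([OPT_END])

def option82_suboptions(options):
    """Server side (step 3): read circuit ID and remote ID from a relayed request."""
    return dict(iter_tlvs(dict(iter_tlvs(options))[OPT_RELAY_AGENT]))

# Constructed sample: DHCPDISCOVER from a client on xe-0/0/10 in vlan1 behind switch1.
SWITCH_MAC = bytes.fromhex("001122334455")           # constructed remote ID (switch MAC)
CLIENT_OPTIONS = bytes([OPT_MSG_TYPE, 1, 1, OPT_END])
RELAYED = relay_insert(CLIENT_OPTIONS, circuit_id("xe-0/0/10", "vlan1", "switch1"), SWITCH_MAC)
SERVER_REPLY = bytes([OPT_MSG_TYPE, 1, 2]) + RELAYED[3:]  # OFFER echoing option 82 unchanged
TO_CLIENT = relay_strip(SERVER_REPLY)
```

A server not configured to accept option 82 would simply ignore the suboptions and omit option 82 from its reply; relay_strip then leaves such a reply unchanged apart from re-serializing it.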
Configurations That Support Option 82
You can use option 82 with the following configurations:
The DHCP client and the DHCP server are on the same VLAN. In this case the switch forwards the requests from the clients on untrusted access interfaces to the server on a trusted interface. For this configuration, you set DHCP option 82 at the [edit ethernet-switching-options secure-access-port vlan] hierarchy level.
The DHCP client or the DHCP server is connected to the switch through a Layer 3 interface and the switch is configured to relay DHCP requests. Figure 1 illustrates a scenario in which the switch acts as the relay agent; in this instance, the switch relays requests through a router to the server.
For the configuration shown in Figure 1, you set DHCP option 82 at the [edit forwarding-options helpers bootp] hierarchy level.