DHCP Relay Agent Information Option (Option 82)

 

The DHCP relay agent information option (option 82) enables you to include additional useful information in the client-originated DHCP packets that the DHCP relay forwards to a DHCP server. You can configure the option 82 support globally or for a named group of interfaces. For more information, read this topic.

Using DHCP Relay Agent Option 82 Information

Subscriber management enables you to configure the DHCP relay agent to include additional option 82 information in the DHCP packets that the relay agent receives from clients and forwards to a DHCP server. The DHCP server uses the additional information to determine the IP address to assign to the client. The server might also use the information for other purposes—for example, to determine which services to grant the client, or to provide additional security against threats such as address spoofing. The DHCP server sends its reply back to the DHCP relay agent, and the agent removes the option 82 information from the message and forwards the packet to the client.

To configure support for the DHCP relay agent information option 82, you use the relay-option-82 statement. You can configure the DHCP relay agent to include the following suboptions in the packet the relay agent sends to the DHCP server:

  • Agent Circuit ID (suboption 1)—An ASCII string that identifies the interface on which the client DHCP packet is received.

    Note

    If relay-option-82 is configured, but none of the attributes under relay-option-82 (that is, circuit-id | remote-id | server-id-override) are explicitly configured, then the default behavior is for the circuit-id (that is, suboption 1) to always be included in the option-82 value. This is true whether or not the vendor-specific attribute under relay-option-82 is configured.

  • Agent Remote ID (suboption 2)—An ASCII string assigned by the DHCP relay agent that securely identifies the client.

You can configure the option 82 support globally or for a named group of interfaces.

To restore the default behavior, in which option 82 information is not inserted into DHCP packets, you use the delete relay-option-82 statement.

Note

The DHCPv6 relay agent provides similar Agent Circuit ID and Agent Remote ID support for DHCPv6 clients. For DHCPv6, subscriber management uses DHCPv6 option 18 to include the circuit ID in the packets that the relay agent sends to a DHCPv6 server, and option 37 to include the remote ID in the packets. See DHCPv6 Relay Agent Options.

The following sections describe the option 82 operations you can configure:

Configuring Option 82 Information

You use the relay-option-82 statement to configure the DHCP relay agent to insert option 82 information in DHCP packets that the relay agent receives from clients and forwards to a DHCP server. When you configure option 82, you can include one of the suboption statements to specify the type of information you want to include in the DHCP packets. If you configure option 82 without including one of the suboption statements, the Agent Circuit ID option is included by default. Use the circuit-id statement to include the Agent Circuit ID (suboption 1) in the packets, or the remote-id statement to include the Agent Remote ID (suboption 2).

You can optionally configure the DHCP relay agent to include a prefix or the interface description as part of the suboption information. If you specify the circuit-id or remote-id statement without including any of the optional prefix, use-interface-description, use-vlan-id, include-irb-and-l2, or no-vlan-interface-name statements, the format of the Agent Circuit ID or Agent Remote ID information for Fast Ethernet (fe), Gigabit Ethernet (ge), and integrated routing and bridging (irb) interfaces is one of the following, depending on your network configuration:

  • For Fast Ethernet or Gigabit Ethernet interfaces that do not use VLANs, stacked VLANs (S-VLANs), or bridge domains:

    Note

    For remote systems, the subunit is required and is used to differentiate an interface.

  • For Fast Ethernet or Gigabit Ethernet interfaces that use VLANs:

  • For Fast Ethernet or Gigabit Ethernet interfaces that use S-VLANs:

Note

Integrated routing and bridging (IRB) provides simultaneous support for Layer 2 bridging and Layer 3 IP routing on the same interface. IRB enables you to route local packets to another routed interface or to another bridging domain that has a Layer 3 protocol configured.

The interface to bridge domain relationship might be implicit (the interface is mapped to the bridge domain by the system based on the VLAN tag) or explicit (the interface is mapped to the bridge domain by configuring it in the bridge domain definition). For the explicit case, tagging might not be relevant for the mapping.

In the case of an IRB interface, the format displays the Layer 2 interface instead of the IRB interface along with the bridge domain name. For IRB interfaces (or other pseudo devices) the default format is as follows:

  • IRB interfaces that use bridge domains but do not use VLANs or S-VLANs:

  • IRB interfaces that use VLANs:

To include the IRB interface name with the Layer 2 interface name, configure the include-irb-and-l2 statement. The format is as follows:

  • IRB interfaces that use bridge domains but do not use VLANs or S-VLANs:

  • IRB interfaces that use VLANs:

To include only the IRB interface name without the Layer 2 interface and bridge domain or VLAN, configure the no-vlan-interface-name statement. The format is as follows:

To enable insertion of option 82 information:

  1. Specify that you want to configure option 82 support.
  2. Configure the DHCP relay agent to insert the Agent Circuit ID suboption, the Agent Remote ID suboption, or both.
    • To insert the Agent Circuit ID:

    • To insert the Agent Remote ID:

    • To insert both, configure both set commands.

  3. (Optional) Configure a prefix that is used in the option 82 information in the DHCP packets.

    See Including a Prefix in DHCP Options.

  4. (Optional) Configure the DHCP relay agent to include the interface’s textual description instead of the interface identifier in the option 82 information.

    See Including a Textual Description in DHCP Options.

Overriding Option 82 Information

You can configure the DHCP relay agent to add or remove the DHCP relay agent information option (option 82) in DHCP packets.

This feature causes the DHCP relay agent to perform one of the following actions, depending on the configuration:

  • If the DHCP relay agent is configured to add option 82 information to DHCP packets, it clears the existing option 82 values from the DHCP packets and inserts the new values before forwarding the packets to the DHCP server.

  • If the DHCP relay agent is not configured to add option 82 information to DHCP packets, it clears the existing option 82 values from the packets, but does not add any new values before forwarding the packets to the DHCP server.

To override the default option 82 information in DHCP packets destined for a DHCP server:

  1. Specify that you want to configure override options.
  2. Specify that the option 82 information in DHCP packets is overwritten.
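
The following Python example is added here and is not Juniper code. It models the option 82 handling described in this topic at the byte level: reading suboptions 1 and 2, removing option 82 on the reply path, and the override behavior of clearing a received option 82 and inserting the relay's own value only when one is configured. The function names and the sample packet are assumptions; the option layout follows RFC 2132 and RFC 3046.

```python
# Added illustration, not vendor code. DHCPv4 options are code/length/value
# triples (RFC 2132); option 82 nests suboption triples in its value (RFC 3046).
OPT_PAD, OPT_RELAY_AGENT_INFO, OPT_END = 0, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2

def parse_tlvs(data, top_level):
    """Return [(code, value)]; Pad/End are single bytes at the top level only."""
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if top_level and code == OPT_PAD:
            i += 1
            continue
        if top_level and code == OPT_END:
            break
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option at offset %d" % i)
        length = data[i + 1]
        items.append((code, bytes(data[i + 2:i + 2 + length])))
        i += 2 + length
    return items

def encode_tlvs(items, top_level):
    out = bytearray()
    for code, value in items:
        # bytes() raises ValueError if a value is longer than 255 bytes.
        out += bytes([code, len(value)]) + value
    if top_level:
        out.append(OPT_END)
    return bytes(out)

def build_option82(circuit_id=None, remote_id=None):
    """Encode the option 82 value from ASCII suboption strings."""
    subs = [(code, text.encode("ascii"))
            for code, text in ((SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id))
            if text is not None]
    return encode_tlvs(subs, top_level=False)

def read_option82(options):
    """Return {suboption code: value} for the first option 82, or {} if absent."""
    for code, value in parse_tlvs(options, top_level=True):
        if code == OPT_RELAY_AGENT_INFO:
            return dict(parse_tlvs(value, top_level=False))
    return {}

def strip_option82(options):
    """Reply path: remove option 82 before the packet goes back to the client."""
    kept = [o for o in parse_tlvs(options, True) if o[0] != OPT_RELAY_AGENT_INFO]
    return encode_tlvs(kept, top_level=True)

def apply_override(options, configured_option82):
    """Forward path with the override: clear any received option 82, then
    insert the relay's own value only if one is configured (None = not)."""
    kept = parse_tlvs(strip_option82(options), top_level=True)
    if configured_option82 is not None:
        kept.append((OPT_RELAY_AGENT_INFO, configured_option82))
    return encode_tlvs(kept, top_level=True)

# Constructed sample: DHCPDISCOVER options (53 = message type, 60 = vendor
# class) arriving with an option 82 the relay did not write.
SAMPLE_OPTIONS = encode_tlvs([
    (53, b"\x01"), (60, b"stb-vendor"),
    (OPT_RELAY_AGENT_INFO, build_option82(circuit_id="client-supplied")),
], top_level=True)
```

With the override applied, the DHCP server only ever sees option 82 values written by the relay, whatever the client put in the packet.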

Including a Prefix in DHCP Options

When you configure the DHCP relay agent to include DHCP options in the packets that the relay agent sends to a DHCP server, you can specify that the relay agent add a prefix to the DHCP option. You can add a prefix to the following DHCP options:

  • DHCPv4 option 82 Agent Circuit ID (suboption 1)

  • DHCPv4 option 82 Agent Remote ID (suboption 2)

  • DHCPv6 option 18 Relay Agent Interface-ID

  • DHCPv6 option 37 Relay Agent Remote-ID

The prefix is separated from the DHCP option information by a colon (:), and it can include any combination of the host-name, logical-system-name, and routing-instance-name options. The DHCP relay agent obtains the values for the host-name, logical-system-name, and routing-instance-name as follows:

  • If you include the host-name option, the DHCP relay agent uses the hostname of the device configured with the host-name statement at the [edit system] hierarchy level.

  • If you include the logical-system-name option, the DHCP relay agent uses the logical system name configured with the logical-system statement at the [edit logical-system] hierarchy level.

  • If you include the routing-instance-name option, the DHCP relay agent uses the routing instance name configured with the routing-instance statement at the [edit routing-instances] hierarchy level or at the [edit logical-system logical-system-name routing-instances] hierarchy level.

If you include the hostname and either or both of the logical system name and the routing instance name in the prefix, the hostname is followed by a forward slash (/). If you include both the logical system name and the routing instance name in the prefix, these values are separated by a semicolon (;).

The following examples show several possible formats for the DHCP option information when you specify the prefix statement for Fast Ethernet (fe) or Gigabit Ethernet (ge) interfaces with S-VLANs.

  • If you include only the hostname in the prefix for Fast Ethernet or Gigabit Ethernet interfaces with S-VLANs:

  • If you include only the logical system name in the prefix for Fast Ethernet or Gigabit Ethernet interfaces with S-VLANs:

  • If you include only the routing instance name in the prefix for Fast Ethernet or Gigabit Ethernet interfaces with S-VLANs:

  • If you include both the hostname and the logical system name in the prefix for Fast Ethernet or Gigabit Ethernet interfaces with S-VLANs:

  • If you include both the logical system name and the routing instance name in the prefix for Fast Ethernet or Gigabit Ethernet interfaces with S-VLANs:

  • If you include the hostname, logical system name, and routing instance name in the prefix for Fast Ethernet or Gigabit Ethernet interfaces with S-VLANs:

For Fast Ethernet or Gigabit Ethernet interfaces that use VLANs but not S-VLANs, only the vlan-id value appears in the DHCP option format.
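
The prefix rules above, as an added Python example (not Juniper code). It composes the prefix from the three options and then shows, from the receiving side, that several prefix shapes do not reveal which options produced them, so anything that parses the value has to know the relay's prefix configuration. The function names and sample names are assumptions, and the interface portion is treated as an opaque string.

```python
# Added illustration of the prefix rules above. Assumes the names themselves
# contain no '/' or ';' characters; all names used in the tests are constructed.
KEYS = ("host-name", "logical-system-name", "routing-instance-name")

def build_prefix(host_name=None, logical_system_name=None, routing_instance_name=None):
    """Compose the prefix: host '/' logical-system ';' routing-instance."""
    scoped = ";".join(n for n in (logical_system_name, routing_instance_name) if n)
    if host_name and scoped:
        return host_name + "/" + scoped
    return host_name or scoped

def with_prefix(prefix, option_info):
    """Join the prefix and the DHCP option information with the ':' separator."""
    return prefix + ":" + option_info if prefix else option_info

def interpretations(prefix):
    """List every option combination that could have produced this prefix."""
    host, slash, scoped = prefix.partition("/")
    names = (scoped if slash else prefix).split(";")
    base = {"host-name": host} if slash else {}
    if len(names) == 2:
        # Two names separated by ';' can only be logical system then routing instance.
        return [{**base, KEYS[1]: names[0], KEYS[2]: names[1]}]
    # A single name could be any option that is not already accounted for.
    candidates = KEYS[1:] if slash else KEYS
    return [{**base, key: names[0]} for key in candidates]
```

A bare name matches three configurations and a `host/name` prefix matches two; only prefixes containing a semicolon are unambiguous.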

(DHCPv4) To configure a prefix with the option 82 information:

  1. Specify that you want to configure option 82 support.
  2. Configure DHCP relay agent to insert the Agent Circuit ID, the Agent Remote ID, or both.
    • To configure the Agent Circuit ID:

    • To configure the Agent Remote ID:

  3. Specify that the prefix be included in the option 82 information. In this example, the prefix includes the hostname and logical system name.
    • To include the prefix with the Agent Circuit ID:

    • To include the prefix with the Agent Remote ID:

(DHCPv6) To use a prefix with the DHCPv6 option 18 or option 37 information:

  1. Specify that you want to configure DHCPv6 relay agent support.
  2. Configure DHCPv6 relay agent to insert option 18 (Relay Agent Interface-ID), option 37 (Relay Agent Remote-ID), or both.
    • To configure option 18:

    • To configure option 37:

  3. Specify that the prefix is included in the option information. In this example, the prefix includes the hostname and logical system name.
    • To include the prefix with option 18:

    • To include the prefix with option 37:

Including a Textual Description in DHCP Options

By default, when DHCP relay agent inserts option information in the packets sent to a DHCP server, the options include the interface identifier. However, you can configure the DHCP relay agent to include the textual description that is configured for the interface instead of the interface identifier. You can use the textual description for either the logical interface or the device interface.

You can include the textual interface description in the following DHCP options:

  • DHCPv4 option 82 Agent Circuit ID (suboption 1)

  • DHCPv4 option 82 Agent Remote ID (suboption 2)

  • DHCPv6 option 18 Relay Agent Interface-ID

  • DHCPv6 option 37 Relay Agent Remote-ID

The textual description is configured separately, using the description statement at the [edit interfaces interface-name] hierarchy level. If you specify that the textual description is used and no description is configured for the interface, DHCP relay defaults to using the Layer 2 interface name.

In the case of integrated routing and bridging (IRB) interfaces, the textual description of the Layer 2 interface is used instead of the textual description of the IRB interface. If there is no description configured, the Layer 2 logical interface name is used.

Note

For IRB interfaces, the option 82 field must be able to uniquely identify the incoming interface based on either the Agent Circuit ID or Agent Remote ID. You can modify the information in the textual interface description to match the raw IFD (physical interface without a subunit) name and configure the option 82 field to use the interface description.

You can use the textual description with the following DHCP options:

  • DHCPv4 Option 82 Agent Circuit ID (suboption 1)

  • DHCPv4 Option 82 Agent Remote ID (suboption 2)

  • DHCPv6 Relay Agent Interface-ID (option 18)

  • DHCPv6 Relay Agent Remote-ID (option 37)

(DHCPv4) To configure the DHCP relay option 82 suboption to include the textual interface description:

  1. Specify that you want to configure option 82 support.
  2. Configure DHCP relay agent to insert the Agent Circuit ID, Agent Remote ID, or both.
  3. Specify that the textual description is included in the option 82 information. In this example, the option 82 information includes the description used for the device interface.

(DHCPv6) To configure the DHCPv6 option 18 or option 37 to include the textual interface description:

  1. Specify that you want to configure DHCPv6 relay agent support.
  2. Configure DHCPv6 relay agent to insert option 18 (Relay Agent Interface-ID), option 37 (Relay Agent Remote-ID), or both.
    • To configure option 18:

    • To configure option 37:

  3. Specify that the textual description is included in the option information. In the following example, the option information includes the description used for the device interface.
    • To include the textual description in option 18:

    • To include the textual description in option 37:

How DHCP Relay Agent Uses Option 82 for Auto Logout

Table 1 indicates how the DHCP relay agent determines the option 82 value used for the client auto logout feature. Depending on the configuration settings, DHCP relay agent takes the action indicated in the right column.

Table 1: DHCP Relay Agent Option 82 Value for Auto Logout

The first five columns are the DHCP relay agent configuration settings; the last column is the action taken.

| DHCP Relay Configured with Option 82 | Discover Packet Contains Option 82 | Override “trust-option-82” | Override “always-write-option-82” | giaddr in non-snooped packet | Action Taken |
|---|---|---|---|---|---|
| No | No | | | | No secondary search performed |
| No | Yes | Yes | | | Use option 82 from packet |
| No | Yes | No | | Zero | Drop packet |
| No | Yes | No | | Non-zero | Use option 82 from packet |
| Yes | No | | | | Use configured option 82 |
| Yes | Yes | No | | Zero | Drop packet |
| Yes | Yes | No | No | Non-zero | Use option 82 from packet |
| Yes | Yes | No | Yes | Non-zero | Overwrite the configured option 82 |
| Yes | Yes | Yes | No | | Use option 82 from packet |
| Yes | Yes | Yes | Yes | | Overwrite the configured option 82 |

Enable Processing of Untrusted Packets So Option 82 Information Can Be Used

By default, the DHCP relay agent treats client packets with a giaddr of 0 (zero) and option 82 information as if the packets originated at an untrusted source, and drops them without further processing. You can override this behavior and specify that the DHCP relay agent process DHCP client packets that have a giaddr of 0 (zero) and contain option 82 information.

To configure DHCP relay agent to trust option 82 information:

  1. Specify that you want to configure override options.
  2. Specify that the DHCP relay agent process DHCP client packets with a giaddr of 0 and that contain option 82 information.
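
Table 1 and the default drop behavior described above can be checked mechanically. The following Python example is added here and is not Juniper code: it transcribes the ten rows of Table 1, condenses them into a short decision function, and confirms that every combination of the five settings matches exactly one row and that the two agree. Rows that omit a setting are treated as not depending on it; the function and variable names are assumptions.

```python
from itertools import product

# Table 1 transcribed row by row; None marks a setting the row does not list.
# Columns: configured, packet_has_82, trust_option_82, always_write_option_82,
# giaddr_zero (True = giaddr of zero in the non-snooped packet).
TABLE_1 = [
    ((False, False, None,  None,  None),  "no secondary search performed"),
    ((False, True,  True,  None,  None),  "use option 82 from packet"),
    ((False, True,  False, None,  True),  "drop packet"),
    ((False, True,  False, None,  False), "use option 82 from packet"),
    ((True,  False, None,  None,  None),  "use configured option 82"),
    ((True,  True,  False, None,  True),  "drop packet"),
    ((True,  True,  False, False, False), "use option 82 from packet"),
    ((True,  True,  False, True,  False), "overwrite the configured option 82"),
    ((True,  True,  True,  False, None),  "use option 82 from packet"),
    ((True,  True,  True,  True,  None),  "overwrite the configured option 82"),
]

def table_lookup(*settings):
    """Return the actions of all rows whose listed settings match."""
    return [action for pattern, action in TABLE_1
            if all(p is None or p == s for p, s in zip(pattern, settings))]

def auto_logout_action(configured, packet_has_82, trust, always_write, giaddr_zero):
    """Condensed form of Table 1."""
    if not packet_has_82:
        return "use configured option 82" if configured else "no secondary search performed"
    if giaddr_zero and not trust:
        # Option 82 from an untrusted source (giaddr 0, no trust override).
        return "drop packet"
    if configured and always_write:
        return "overwrite the configured option 82"
    return "use option 82 from packet"

def check_table():
    """Return the setting combinations where the table is missing, ambiguous,
    or disagrees with auto_logout_action(); an empty list means none."""
    problems = []
    for combo in product([False, True], repeat=5):
        matches = table_lookup(*combo)
        if len(matches) != 1 or matches[0] != auto_logout_action(*combo):
            problems.append(combo)
    return problems
```

The condensed form makes the ordering visible: the untrusted-source check (giaddr of zero without the trust override) is evaluated before always-write-option-82 has any effect.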

DHCP Auto Logout Overview

This topic provides an introduction to the DHCP auto logout feature and includes the following sections:

Auto Logout Overview

Auto logout is supported for DHCP local server and DHCP relay agent. It improves the efficiency of DHCP IP address assignment by allowing IP addresses to be immediately released and returned to the address pool when DHCP clients are no longer using the addresses. DHCP can then assign the addresses to other clients. Without auto logout, an IP address is blocked for the entire lease period, and DHCP must wait until the address lease time expires before reusing the address.

Auto logout is particularly useful when DHCP uses long lease times for IP address assignments, and it helps avoid allocating duplicate IP addresses for a single client.

For example, you might have an environment that includes set-top boxes (STB) that are often upgraded or replaced. Each time an STB is changed, the new STB repeats the DHCP discover process to obtain client configuration information and an IP address. DHCP views the new STB as a completely new client and assigns a new IP address; the previous IP address assigned to the client (the old STB) remains blocked and unavailable until the lease expires. If auto logout is configured in this situation, DHCP recognizes that the new STB is actually the same client and then immediately releases the original IP address. DHCP relay agent acts as a proxy client for auto logout and sends a DHCP release message to the DHCP server.

How DHCP Identifies and Releases Clients

The auto logout feature requires that DHCP explicitly identify clients. By default, DHCP local server and DHCP relay agent identify clients based on MAC address or Client Identifier, and subnet. However, in some cases this type of identification might not be sufficient. For example, in the previous STB example, each STB has a different MAC address, so DHCP incorrectly assumes that an upgraded or replacement STB is a new client.

To explicitly identify clients, auto logout uses a secondary identification method when the primary identification method is unsuccessful. The primary method is considered unsuccessful if the MAC address or Client Identifier does not match that of an existing client. Subscriber management supports two secondary identification methods that you can configure:

  • Incoming interface method: DHCP views a new client connection on the interface as if it comes from the same client. DHCP deletes the existing client binding before creating a binding for the newly connected device. This method allows only one client device to connect on the interface.

    Note

    The incoming interface method differs from the overrides interface-client-limit 1 statement, which retains the existing binding and rejects the newly connected client.

  • Option 60 and option 82 method: DHCP considers two clients as different if they have the same option 60 and option 82 information, but different subnets.

DHCP local server and DHCP relay agent perform the following operations when auto logout is enabled and the secondary identification method identifies a duplicate client (that is, the Discover packet is from an existing client):

  • DHCP local server immediately releases the existing address.

  • DHCP relay agent immediately releases the existing client and then sends a DHCP release packet to the DHCP server. Sending the release packet ensures that DHCP relay and the DHCP server are synchronized.

    If the DHCP relay receives a Discover message from an existing client, the DHCP relay forwards the Discover message to the DHCP server. The DHCP relay preserves the binding if the client's existing IP address is returned by the DHCP server. This behavior is not applicable if the proxy-mode override or client-discover-match functionality is enabled.

    Note

    If the DHCP relay agent is in snoop mode, DHCP relay releases the client but does not send a release packet to the DHCP server if the discover packet is for a passive client (a client added as a result of snooped packets) or if the discover packet is a snooped packet.

Option 60 and Option 82 Requirements

DHCP local server requires that the received discover packet include both DHCP option 60 and option 82. If either option is missing, DHCP local server cannot perform the secondary identification method and auto logout is not used.

DHCP relay agent requires that the received discover packet contain DHCP option 60. DHCP relay determines the option 82 value based on the guidelines provided in DHCP Relay Agent Option 82 Value for Auto Logout.

Automatically Logging Out DHCP Clients

You can configure the extended DHCP local server and extended DHCP relay to automatically log out DHCP clients. Auto logout immediately releases an existing client when DHCP receives a discover packet from a client whose identity matches an existing client. DHCP then releases the existing client IP address without waiting for the normal lease expiration.

Note

When the existing client is released, the new client undergoes the normal authentication process. The new client might not receive the same IP address as the original client.

To configure DHCP client auto logout:

  1. Specify that you want to configure override options.
    • For DHCP local server:

    • For DHCP relay agent:

  2. Enable auto logout and specify the secondary identification method you want to use when the primary identification method is unsuccessful.
    • For example, to configure DHCP local server to use the incoming interface method:

    • For example, to configure DHCP relay agent to use the option 60 and option 82 method:

Note

If you change the auto logout configuration, existing clients continue to use the auto logout setting that was configured when they logged in. New clients use the new setting.
