Example: Setting Up DHCP Option 82

You can use DHCP option 82, also known as the DHCP relay agent information option, to help protect the switch against attacks such as spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation. Option 82 carries information about the network location of a DHCP client (for example, the switch, interface and VLAN through which the request arrived), and the DHCP server can use this information to assign IP addresses or other parameters to the client. Because the switch inserts this information itself, the server can tie its decisions to the port and VLAN a request actually arrived on rather than to fields the client supplied.
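
One way the location information can be put to use, as an added example (this is not Junos code and not part of the original page): a collector that has the circuit ID inserted by the switch can tell many client MACs on one port (the address-starvation pattern) from one MAC turning up on several ports (a moved, or spoofed, MAC). The records and thresholds below are constructed for illustration, and the hostname:interface:vlan-id layout of the circuit ID is an assumption about what the example configuration on this page produces.

```python
"""Detection keyed on the option 82 circuit ID. Added example; the records are constructed, not real logs."""
from collections import defaultdict

# Constructed sample records: seconds since start, client MAC, circuit ID as inserted by the relay
# (hostname:interface:vlan-id layout assumed).
RECORDS = [
    (0, "00:11:22:33:44:55", "employee-switch1:ge-0/0/1:100"),
    (5, "00:11:22:33:44:66", "employee-switch1:ge-0/0/2:100"),
    (30, "00:11:22:33:44:55", "employee-switch1:ge-0/0/3:100"),  # same MAC, different port
] + [
    (40 + i, f"de:ad:be:ef:00:{i:02x}", "employee-switch1:ge-0/0/7:100")  # one port, many MACs
    for i in range(8)
]


def starvation_circuits(records, window=60, max_macs=5):
    """Circuits on which more than max_macs distinct client MACs requested within `window`
    seconds: one physical port claiming many leases is the starvation signature."""
    by_circuit = defaultdict(list)
    for t, mac, circuit in sorted(records):
        by_circuit[circuit].append((t, mac))
    flagged = set()
    for circuit, events in by_circuit.items():
        for i, (t, _) in enumerate(events):
            recent = {m for (u, m) in events[: i + 1] if u >= t - window}
            if len(recent) > max_macs:
                flagged.add(circuit)
                break
    return flagged


def roaming_macs(records):
    """MACs seen behind more than one circuit ID: a real move or a forged MAC; either way worth review."""
    circuits_per_mac = defaultdict(set)
    for _, mac, circuit in records:
        circuits_per_mac[mac].add(circuit)
    return {mac for mac, circuits in circuits_per_mac.items() if len(circuits) > 1}
```

Without option 82 the server only sees the client-supplied MAC and can neither count leases per port nor notice that one MAC has changed ports; the circuit ID is what makes both checks possible.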

You can configure the DHCP option 82 feature in various topologies:

  • The switch functions as a relay agent when the DHCP clients or the DHCP server is connected to the switch through a Layer 3 interface. On the switch, these interfaces are configured as routed VLAN interfaces, or RVIs. The switch relays the clients' requests to the server and then forwards the server's replies to the clients.

    • For EX Series switches, the configuration for this topology is the same for both Enhanced Layer 2 Software (ELS) and non-ELS.

  • The switch, DHCP clients, and DHCP server are all on the same VLAN. The switch forwards the clients' requests to the server and forwards the server's replies to the clients.

  • The switching device, DHCP clients, and DHCP server are all on the same bridge domain. The switching device forwards the clients' requests to the server and forwards the server's responses to the clients. This topic describes the VLAN configuration and the bridge domain configuration.

Before you configure DHCP option 82 on the switch, make sure the DHCP server is configured to accept DHCP option 82. If the server is not configured for DHCP option 82, the server does not use the DHCP option 82 information in the requests sent to it when it formulates its reply messages.

Example: Setting Up DHCP Option 82 on a VLAN

Requirements

This example describes how to configure DHCP option 82 on a switch that acts as a relay agent and is on the same VLAN as the DHCP clients, but is on a different VLAN from the DHCP server. The example includes the following hardware and software components:

  • One EX4200-24P switch or one QFX3500 switch

  • Junos OS Release 9.3 or later for EX Series switches or Junos OS Release 12.1 or later for the QFX Series

  • A DHCP server to provide IP addresses to network devices on the switch

Overview and Topology

In this example, you configure option 82 on the switch. The switch is configured as a BOOTP relay agent (See DHCP/BOOTP Relay for Switches Overview for more information). The switch connects to the DHCP server through the routed VLAN interface (RVI), as described for QFX in Configuring IRB Interfaces on Switches and for EX Series switches in Configuring Routed VLAN Interfaces on Switches (CLI Procedure). The switch and clients are members of the employee VLAN (for details, see Configuring VLANs on Switches for the EX and QFX Series). The DHCP server is a member of the corporate VLAN.

If DHCP option 82 is enabled on the switch, then when a network device (a DHCP client) that is connected to the switch on an untrusted interface sends a DHCP request, the switch inserts information about the client's network location into the packet header of that request. The switch then sends the request (in this setting, it relays the request) to the DHCP server. The DHCP server reads the option 82 information in the packet header and uses it to assign the IP address or other parameters for the client.

When option 82 is enabled on the switch, then this sequence of events occurs when a DHCP client sends a DHCP request:

  1. The switch receives the request and inserts the option 82 information in the packet header.
  2. The switch relays the request to the DHCP server.
  3. The server uses the DHCP option 82 information to formulate its reply and sends a response back to the switch. It does not alter the option 82 information.
  4. The switch strips the option 82 information from the response packet.
  5. The switch forwards the response packet to the client.
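
The five-step sequence above, worked in Python as an added example (this is not Junos code and not from the original page). It models the relay and the server as functions over raw DHCP bytes: the hostname, interface, VLAN ID, client MAC and address pool are constructed sample values, and the hostname:interface:vlan-id layout of the circuit ID is an assumption about what the example configuration produces, not something the page states. The relay also covers the edge case the list leaves out: a request that already carries option 82 when it arrives on the untrusted port is discarded, as RFC 3046 (section 2.1.1) specifies for relay agents.

```python
"""Option 82 round trip: the relay inserts it on the request, the server echoes it, the relay strips it.
Added example, not Junos code; names, addresses and the circuit ID layout are constructed assumptions."""
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_RELAY_AGENT, OPT_PAD, OPT_END = 53, 61, 82, 0, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2  # RFC 3046 suboption codes
DISCOVER, OFFER = b"\x01", b"\x02"

def parse_tlvs(data: bytes) -> list[tuple[int, bytes]]:
    """Parse code/length/value items; PAD is skipped and END terminates (neither is a valid suboption code)."""
    out, i = [], 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        length = data[i + 1]
        out.append((code, data[i + 2:i + 2 + length]))
        i += 2 + length
    return out

def serialize_tlvs(items, end: bool) -> bytes:
    buf = bytearray()
    for code, value in items:
        if len(value) > 255:
            raise ValueError("option value too long")
        buf += bytes([code, len(value)]) + value
    return bytes(buf + bytes([OPT_END])) if end else bytes(buf)

def split_packet(pkt: bytes):
    """Return (fixed BOOTP header, parsed option list)."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    return pkt[:236], parse_tlvs(pkt[240:])

def option82_of(pkt: bytes) -> dict[int, bytes]:
    """Suboptions carried in option 82, or an empty dict if the packet has none."""
    for code, value in split_packet(pkt)[1]:
        if code == OPT_RELAY_AGENT:
            return dict(parse_tlvs(value))
    return {}

def build_discover(mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Client DHCPDISCOVER: BOOTREQUEST header (op=1, htype=1, hlen=6, broadcast flag) plus options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                         bytes(4), bytes(4), bytes(4), bytes(4), mac.ljust(16, b"\0"),
                         bytes(64), bytes(128))
    return header + MAGIC + serialize_tlvs([(OPT_MSG_TYPE, DISCOVER), (OPT_CLIENT_ID, b"\x01" + mac)], end=True)

def relay_insert(request: bytes, suboptions: bytes) -> bytes:
    """Step 1: add option 82. A request that already carries option 82 when it arrives on the
    untrusted port is discarded, as RFC 3046 section 2.1.1 requires of a relay agent."""
    header, options = split_packet(request)
    if any(code == OPT_RELAY_AGENT for code, _ in options):
        raise ValueError("option 82 already present on untrusted port; packet discarded")
    return header + MAGIC + serialize_tlvs(options + [(OPT_RELAY_AGENT, suboptions)], end=True)

def server_reply(request: bytes, pools: dict[int, str]) -> bytes:
    """Step 3: pick the address from the VLAN named in the circuit ID; echo option 82 unchanged."""
    header, options = split_packet(request)
    relay_info = next(value for code, value in options if code == OPT_RELAY_AGENT)
    vlan_id = int(dict(parse_tlvs(relay_info))[SUB_CIRCUIT_ID].decode().rsplit(":", 1)[1])
    reply = bytearray(header)
    reply[0] = 2  # BOOTREPLY
    reply[16:20] = socket.inet_aton(pools[vlan_id])  # yiaddr
    return bytes(reply) + MAGIC + serialize_tlvs([(OPT_MSG_TYPE, OFFER), (OPT_RELAY_AGENT, relay_info)], end=True)

def relay_strip(reply: bytes) -> bytes:
    """Step 4: remove option 82 before the reply is forwarded to the client."""
    header, options = split_packet(reply)
    return header + MAGIC + serialize_tlvs([o for o in options if o[0] != OPT_RELAY_AGENT], end=True)

def roundtrip() -> dict:
    """Steps 1 to 5 on constructed sample data; returns what the server and the client saw."""
    # Assumed shape of the value produced by 'circuit-id prefix hostname' with 'use-vlan-id'.
    subs = serialize_tlvs([(SUB_CIRCUIT_ID, b"employee-switch1:ge-0/0/1:100"),
                           (SUB_REMOTE_ID, b"employee-switch1")], end=False)
    relayed = relay_insert(build_discover(bytes.fromhex("001122334455")), subs)
    to_client = relay_strip(server_reply(relayed, pools={100: "10.10.100.50"}))
    seen = option82_of(relayed)
    return {"circuit_id": seen[SUB_CIRCUIT_ID].decode(), "remote_id": seen[SUB_REMOTE_ID].decode(),
            "yiaddr": socket.inet_ntoa(to_client[16:20]), "client_sees_option82": bool(option82_of(to_client))}

def rejects_forged_option82() -> bool:
    """A request that already carries option 82 (for example, forged by a client) is not relayed."""
    forged = relay_insert(build_discover(bytes(6)), b"\x01\x04fake")
    try:
        relay_insert(forged, b"")
    except ValueError:
        return True
    return False
```

Calling roundtrip() shows the server receiving the switch-inserted circuit and remote IDs, choosing the address from the pool for VLAN 100, and the client receiving an offer from which option 82 has already been removed; rejects_forged_option82() shows the discard path.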

Configuration

To configure DHCP option 82:

CLI Quick Configuration

To quickly configure DHCP option 82, copy the following commands and paste them into the switch terminal window:

set forwarding-options helpers bootp dhcp-option82
set forwarding-options helpers bootp dhcp-option82 circuit-id prefix hostname
set forwarding-options helpers bootp dhcp-option82 circuit-id use-vlan-id
set forwarding-options helpers bootp dhcp-option82 remote-id
set forwarding-options helpers bootp dhcp-option82 remote-id prefix mac
set forwarding-options helpers bootp dhcp-option82 remote-id use-string employee-switch1
set forwarding-options helpers bootp dhcp-option82 vendor-id

Step-by-Step Procedure

To configure DHCP option 82 (replace the interface names and strings shown with values for your own network):

  1. Enable DHCP option 82 on the BOOTP relay for the employee VLAN.
    • On all interfaces:

      [edit forwarding-options helpers bootp]

      user@switch# set dhcp-option82
    • On a specific interface only (here, ge-0/0/10):

      [edit forwarding-options helpers bootp]

      user@switch# set interface ge-0/0/10 dhcp-option82

      The remaining steps are optional. They show configurations for all interfaces; include the interface designation (interface ge-0/0/10) to configure any of the following options on a specific interface only:

  2. Configure a prefix for the circuit ID suboption (the prefix is always the hostname of the switch):
    [edit forwarding-options helpers bootp]

    user@switch# set dhcp-option82 circuit-id prefix hostname


  3. To specify that the circuit ID suboption value should contain the interface description rather than the interface name (the default):

    Note

    When you use the interface description rather than the interface name, the description has to be configured under the interface unit (set interfaces ge-0/0/0 unit 0 description client). If no description is configured, the interface name is used.

    [edit forwarding-options helpers bootp]

    user@switch# set dhcp-option82 circuit-id use-interface-description
  4. Specify that the circuit ID suboption value contains the VLAN ID rather than the VLAN name (the default):
    [edit forwarding-options helpers bootp]

    user@switch# set dhcp-option82 circuit-id use-vlan-id


  5. Specify that the remote ID suboption be included in the DHCP option 82 information:
    [edit forwarding-options helpers bootp]

    user@switch# set dhcp-option82 remote-id


  6. Configure a prefix for the remote ID suboption (here, the prefix is the MAC address of the switch):
    [edit forwarding-options helpers bootp]

    user@switch# set dhcp-option82 remote-id prefix mac


    • Or, to specify that the prefix for the remote ID suboption be the hostname of the switch rather than the MAC address of the switch (the default):

      [edit forwarding-options helpers bootp]

      user@switch# set dhcp-option82 remote-id prefix hostname


      To specify that the remote ID suboption value should contain the interface description:

      [edit forwarding-options helpers bootp]

      user@switch# set dhcp-option82 remote-id use-interface-description


  7. Specify that the remote ID suboption value contains a character string (here, the string is employee-switch1):
    [edit forwarding-options helpers bootp]

    user@switch# set dhcp-option82 remote-id use-string employee-switch1


  8. Configure a vendor ID suboption. To use the default value (Juniper), do not type a character string after the vendor-id keyword. Otherwise, specify a string as shown here:
    [edit forwarding-options helpers bootp]

    user@switch# set dhcp-option82 vendor-id mystring


Results

To view the results of the configuration steps before committing the configuration, enter show at the [edit forwarding-options helpers bootp] hierarchy level.

To commit these changes to the active configuration, enter commit.

To check the committed configuration, enter show forwarding-options helpers bootp at the [edit] hierarchy level and confirm that the dhcp-option82 settings you entered are present.

Configuring DHCP Option 82 on a Router with Bridge Domain

Before you configure DHCP option 82 on the switching device, perform these tasks:

  • Connect and configure the DHCP server.

    Note

    Your DHCP server must be configured to accept DHCP option 82. If the server is not configured for DHCP option 82, the server does not use the DHCP option 82 information in the requests sent to it when it formulates its reply messages.

  • Configure a bridge domain on the switching device and associate with that bridge domain the interfaces to which the clients and the server connect.

To configure DHCP option 82:

  1. Specify DHCP option 82 for the bridge domain that you configured:
    [edit bridge-domains bridge-domain-name forwarding-options dhcp-security]

    user@device# set option-82
    Note

    If you want to enable DHCP option 82 on all bridge domains, you must configure it separately for each specific bridge domain.

    The remaining steps are optional.

  2. Configure the prefix for the circuit ID suboption to include the hostname or the routing instance name for the bridge domain:
    [edit bridge-domains bridge-domain-name forwarding-options dhcp-security option-82]

    user@device# set circuit-id prefix (host-name | routing-instance-name)



  3. Specify that the circuit ID suboption value contains the interface description rather than the interface name (the default):
    [edit bridge-domains bridge-domain-name forwarding-options dhcp-security option-82]

    user@device# set circuit-id use-interface-description



  4. Specify that the circuit ID suboption value contains the VLAN ID rather than the VLAN name (the default):
    [edit bridge-domains bridge-domain-name forwarding-options dhcp-security option-82]

    user@device# set circuit-id use-vlan-id



  5. Specify that the remote ID suboption is included in the DHCP option 82 information:
    [edit bridge-domains bridge-domain-name forwarding-options dhcp-security option-82]

    user@device# set remote-id



    Note

    If you do not specify a keyword after remote-id, the default value for the remote-id suboption is the interface name.

  6. Specify that the remote ID suboption is the hostname of the switch:
    [edit bridge-domains bridge-domain-name forwarding-options dhcp-security option-82]

    user@device# set remote-id host-name



  7. Specify that the remote ID suboption value contains the interface description:
    [edit bridge-domains bridge-domain-name forwarding-options dhcp-security option-82]

    user@device# set remote-id use-interface-description



  8. Specify that the remote ID suboption value contains a character string:
    [edit bridge-domains bridge-domain-name forwarding-options dhcp-security option-82]

    user@device# set remote-id use-string mystring



  9. Configure a vendor ID suboption:
    • To use the default value (the default value is Juniper), do not type a character string after the vendor-id option keyword:

      [edit bridge-domains bridge-domain-name forwarding-options dhcp-security option-82]

      user@device# set vendor-id


    • To configure it so that the vendor ID suboption value contains a character string value that you specify rather than Juniper (the default):

      [edit bridge-domains bridge-domain-name forwarding-options dhcp-security option-82]

      user@device# set vendor-id use-string mystring