
DHCP relay agent / Option 82

DHCP relay agent / Option 82. Leo Sun, WX CSO Department, ZyXEL Communications Corp. Date: Dec 11, 2006. Agenda: DHCP Relay Agent; Relay Agent Information Option 82; DHCP snooping; Application and case study; Q&A.


Presentation Transcript


  1. DHCP relay agent / Option 82. Leo Sun, WX CSO Department, ZyXEL Communications Corp. Date: Dec 11, 2006

  2. Agenda • DHCP Relay Agent • Relay Agent information Option 82 • DHCP snooping • Application & Case study • Q&A

  3. How a DHCP lease is produced (one DHCP client and two DHCP servers, Server1 and Server2, on the same subnet)
     1. The DHCP client broadcasts a DHCPDISCOVER packet.
     2. Both DHCP servers broadcast a DHCPOFFER packet.
     3. The DHCP client broadcasts a DHCPREQUEST packet that names the offer it accepts (Server1's).
     4. DHCP Server1 broadcasts a DHCPACK packet; Server2 sees the request was not for it and withdraws its offer.

  4. DHCP relay agent

  5. DHCP Relay Agent
     • Why do we need a relay agent?
       • Clients need the DHCP server's configuration info;
       • Commonly, clients do not reside in the server's subnet;
       • Routers do not forward broadcast packets by default;
     • Solutions:
       • Put a DHCP server in every subnet;
       • Configure the router to forward DHCP broadcasts (BOOTP relay as defined in RFC 1542);
       • Configure a DHCP relay agent in the network;

  6. Why do we need a DHCP relay agent? (Figure: Subnet A holds the clients and the DHCP relay agent, Subnet B holds the DHCP server, and the two are joined by a router that is not RFC 1542 compliant. Client traffic is broadcast within Subnet A; the relay agent reaches the server by unicast.)

  7. DHCP Relay Agent working steps (Client1, Client2, Client3 and the relay agent share a subnet; the DHCP server sits behind a router that is not RFC 1542 compliant)
     1. Client1 broadcasts a DHCPDISCOVER packet.
     2. The relay agent forwards the DHCPDISCOVER message to the DHCP server as a unicast, placing its own address in the relay agent (giaddr) field so the server knows which subnet to allocate from.
     3. The server sends a DHCPOFFER message to the DHCP relay agent.
     4. The relay agent broadcasts the DHCPOFFER packet on the client subnet.
     5. Client1 broadcasts a DHCPREQUEST packet.
     6. The relay agent forwards the DHCPREQUEST message to the DHCP server.
     7. The server sends a DHCPACK message to the DHCP relay agent.
     8. The relay agent broadcasts the DHCPACK packet on the client subnet.

  8. DHCP Packet Format (cont.)
     • Seconds: time in seconds since the client began the DHCP process
     • Flags: the leftmost bit indicates that the client requires broadcast responses; all other bits must be zero (MBZ)
     • Client IP address (ciaddr): used by the client to specify the address it has already been assigned, if it has one
     • Assigned IP address (yiaddr): used by the server to specify the IP address assigned to the client
     • Next server IP address (siaddr): used by the server to specify a configuration server, if there is one

  9. DHCP Relay Option 82

  10. DHCP Relay Agent Information (Option 82)
     • The DHCP relay agent passes messages between DHCP clients and the DHCP server.
     • The Relay Agent Information Option (Option 82) is inserted by the relay agent into client-to-server messages and removed from the server's replies before they reach the client.
     • A DHCP server can use the option to provide different services (for example, different address pools) to different clients.
     • Not all DHCP server software supports this feature (IP Commander and Incognito do).
     • Defined in RFC 3046.

  11. Option 82 process (Figure: DHCP Clients, DHCP Relay Agent, Router, Internet, DHCP Server. The DHCP request leaves the client without the option; the relay agent adds Option 82 before forwarding the request to the server; the server's reply carries Option 82 back to the relay agent, which removes it before delivering the reply to the client.)

  12. Option 82 packet format
     Code   Len   Agent Information Field
     82     N     i1 i2 i3 i4 ... iN
     The Agent Information Field is a sequence of sub-options, each with its own code and length:
     SubOpt   Len   Sub-option Value
     1        N     c1 c2 c3 c4 ... cN   (Agent Circuit ID)
     2        N     r1 r2 r3 r4 ... rN   (Agent Remote ID)
     • Two sub-option codes have been assigned:
     • Sub-option 1 stands for the "Agent Circuit ID Sub-option"
     • Sub-option 2 stands for the "Agent Remote ID Sub-option"
     • Sub-option 1 is the one commonly used in the IP DSLAM environment

  13. ZyXEL implementation of DHCP Option 82 (layout of the Circuit ID sub-option value)
     SubOpt   Len   Slot ID   Port No.   VLAN ID   Extra Info
     1        N     1 byte    1 byte     2 bytes   0 - 24 bytes
     • The first four bytes (Slot ID, Port No., VLAN ID) are default values that the IES adds into the Option 82 field automatically
     • Extra Info: optional extra information
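The Option 82 layout of slides 12 and 13 and the insert/remove steps of slide 11, carried through in code. This is an added example written for this page, not ZyXEL firmware or IP Commander code: the options parsing follows RFC 2132 and RFC 3046, the Circuit ID layout follows slide 13, and the port-to-pool mapping (POOLS_BY_PORT), the sample DISCOVER options and all function names are assumptions made for the example. The relay-side check that drops a client packet already carrying Option 82 is the RFC 3046 section 2.1.1 rule for untrusted circuits; the deck does not mention it, but it is the check that stops a client from choosing its own pool by forging the option.

```python
import struct

OPT_PAD, OPT_END, OPT_RELAY_AGENT = 0, 255, 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2      # RFC 3046 sub-option codes


def zyxel_circuit_id(slot, port, vlan, extra=b""):
    """Circuit ID laid out as on slide 13: Slot ID (1 byte), Port No. (1 byte),
    VLAN ID (2 bytes), then 0-24 bytes of optional Extra Info."""
    if not (0 <= slot <= 0xFF and 0 <= port <= 0xFF and 0 <= vlan <= 0xFFFF):
        raise ValueError("slot/port/vlan out of range")
    if len(extra) > 24:
        raise ValueError("Extra Info is limited to 24 bytes")
    return struct.pack("!BBH", slot, port, vlan) + extra

def parse_zyxel_circuit_id(cid):
    if len(cid) < 4:
        raise ValueError("Circuit ID shorter than its fixed 4-byte part")
    slot, port, vlan = struct.unpack("!BBH", cid[:4])
    return {"slot": slot, "port": port, "vlan": vlan, "extra": cid[4:]}

def option82_value(circuit_id, remote_id=None):
    """Agent Information Field of slide 12: (SubOpt, Len, value) per sub-option."""
    body = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id is not None:
        body += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    if len(body) > 255:
        raise ValueError("Option 82 body does not fit a one-byte Len")
    return body

def parse_suboptions(value):
    """Agent Information Field -> {sub-option code: bytes}, rejecting truncation."""
    subs, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[i], value[i + 1]
        sub = value[i + 2:i + 2 + length]
        if len(sub) != length:
            raise ValueError("truncated sub-option %d" % code)
        subs[code] = sub
        i += 2 + length
    return subs

def parse_options(blob):
    """DHCP options field -> ordered [(code, value)]; pad (0) skipped, end (255) stops."""
    opts, i = [], 0
    while i < len(blob) and blob[i] != OPT_END:
        if blob[i] == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        code, length = blob[i], blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts.append((code, value))
        i += 2 + length
    return opts

def encode_options(opts):
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])

def relay_insert(client_opts, circuit_id):
    """Relay agent, client -> server direction (slide 11): add Option 82 as the
    last option before End. A client packet that already carries Option 82 on an
    untrusted circuit is a spoofing attempt; RFC 3046 (2.1.1) says to discard it."""
    opts = parse_options(client_opts)
    if any(code == OPT_RELAY_AGENT for code, _ in opts):
        raise ValueError("Option 82 already present in client packet: dropped")
    opts.append((OPT_RELAY_AGENT, option82_value(circuit_id)))
    return encode_options(opts)

def relay_strip(server_opts):
    """Relay agent, server -> client direction: remove Option 82 from the reply."""
    return encode_options([(c, v) for c, v in parse_options(server_opts)
                           if c != OPT_RELAY_AGENT])

# Assumed port-to-pool mapping in the spirit of slides 18 and 21 (the deck does
# not say which port maps to which pool): pool chosen by the Circuit ID's Port No.
POOLS_BY_PORT = {6: "192.168.4.50-192.168.4.100", 7: "192.168.4.150-192.168.4.200"}

def choose_pool(server_opts):
    """Server side: select the pool from the Circuit ID; no Option 82 -> no pool."""
    for code, value in parse_options(server_opts):
        if code == OPT_RELAY_AGENT:
            cid = parse_suboptions(value).get(SUBOPT_CIRCUIT_ID)
            return POOLS_BY_PORT.get(parse_zyxel_circuit_id(cid)["port"]) if cid else None
    return None

# Constructed DHCPDISCOVER options: message type (53) = DISCOVER, parameter list (55).
DISCOVER_OPTS = encode_options([(53, b"\x01"), (55, b"\x01\x03\x06")])

if __name__ == "__main__":
    at_server = relay_insert(DISCOVER_OPTS, zyxel_circuit_id(1, 6, 100))
    print(choose_pool(at_server))                    # 192.168.4.50-192.168.4.100
    print(relay_strip(at_server) == DISCOVER_OPTS)   # True
```

The server trusts the Circuit ID only because the relay agent is the last hop before it and refuses to pass a client-supplied copy; on a network where an untrusted device can reach the server directly, the server should likewise ignore Option 82 from anything but its known relay addresses.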

  14. Application & Case Study

  15. Before getting started: introduction to IP Commander (the Option 82-capable DHCP server named on slide 10)

  16. Relay Agent (1): test topology (Figure: a GS-4012F switch between the DHCP client and the DHCP server; addresses 192.168.4.1, 192.168.2.1 and 192.168.4.2; IP pools 192.168.4.100~200 and 192.168.2.100~200; no Option 82.)

  17. Relay Agent (2) (Figure: packet captures with relay off and relay on, sniffed at the client side and at the server side.)

  18. Relay Agent Information Option 82 (ES) (Figure: a GS-3012 switch between the DHCP client and the DHCP server, with DHCP relay on and Option 82 information enabled; address 192.168.4.2; IP pools 192.168.4.50~100 and 192.168.4.150~200, each bound to its own Option 82 value.)

  19. Relay Agent Information Option 82 (ES) (Figure: the Option 82 values sent for ES port 4 and ES port 6.)

  20. Relay Agent Information Option 82
     • On our switches, the relay agent must be enabled first; only then does the Relay Agent Information Option (Option 82) take effect.
     • On our DSLAM the situation is a little different: there are three modes for Option 82:
     • 1. Relay enabled, Option 82 enabled;
     • 2. Relay disabled, Option 82 enabled (the option is inserted into the bridged DHCP packets without relaying them);
     • 3. All disabled.

  21. Relay Agent Information Option 82 (DSLAM) (Figure: an IES-5k and a P660R-T1 in bridge mode between the DHCP client and the DHCP server; addresses 192.168.4.3 and 192.168.4.2; IP pools 192.168.4.50~100 and 192.168.4.150~200, with Option 82; ADSL ports 6 and 7.)

  22. Relay Agent Information Option 82 (DSLAM). Mode 1: no capture yet ("empty temporarily"). Mode 2: (Figure: the Option 82 values sent for ADSL port 6 and ADSL port 7.)

  23. DHCP Snooping

  24. DHCP Snooping
     • When DHCP snooping is enabled on a DSLAM, it monitors the DHCP conversation between the server and the clients.
     • It records the IP and MAC address pairs from the DHCPREQUEST and DHCPACK packets that pass through it.
     • The DSLAM maintains a DHCP snooping table per ADSL port.
     • Traffic from a PC with a statically configured IP address that does not exist in the snooping table is not allowed to pass.
     • Trusted static IP addresses can be added manually.

  25. CLI commands for DHCP snooping
     • Enable/disable DHCP snooping:
       "acl dhcpsnoop enable|disable <slot | slot-port>"
     • Show the DHCP snooping table:
       "show dhcp snoop <slot | slot-port>"
     • Statically add a trusted IP address:
       "acl dhcpsnoop pool set <slot-port> <ip>"

  26. DHCP Snooping Case Study

  27. DHCP snooping case: topology (Figure: an IES-5k and a P660R-T1 in bridge mode between the DHCP client and the DHCP server; addresses 192.168.4.3 and 192.168.4.2; the client obtained IP 192.168.4.50; DHCP snooping enabled on port 6.)

  28. DHCP snooping case: IP exists in the table (Figure: the DHCP snooping table listing the client's lease; a ping from the client to the server is allowed because the address is in the table.)

  29. DHCP snooping case: IP trusted (Figure: the client's IP statically set to 192.168.4.33 and added to the trusted IP table; a ping from the client to the server is allowed because the address is trusted.)

  30. DHCP snooping case: IP not secured. The client's IP is set to 192.168.4.200, which is neither in the snooping table nor in the trusted table, so its traffic is not allowed to pass.
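The table-building rule of slide 24, the trusted list of slide 25 and the three cases of slides 28-30, replayed in code. This is an added example for this page, not the IES firmware's DHCP snooping implementation: the message events, MAC addresses and port numbers are constructed; the filter matching both the IP and the MAC of a binding, ignoring a DHCPACK for which the port saw no DHCPREQUEST, and removing a binding on DHCPNAK or DHCPRELEASE are assumptions the deck does not describe.

```python
from collections import namedtuple

# Constructed DHCP messages as the DSLAM sees them: the ADSL port they belong
# to, the message type, the client MAC and the address (the requested IP in a
# REQUEST, yiaddr in an ACK, ciaddr in a RELEASE).
DhcpMsg = namedtuple("DhcpMsg", "port msg mac ip")


class DhcpSnoop:
    """Per-port snooping table of slide 24 plus the trusted list of slide 25."""

    def __init__(self, enabled_ports):
        self.enabled = set(enabled_ports)
        self.pending = {}   # (port, mac) -> ip from the REQUEST, waiting for the ACK
        self.bindings = {}  # port -> {ip: mac}, learned from REQUEST/ACK pairs
        self.trusted = {}   # port -> {ip}, equivalent of "acl dhcpsnoop pool set"

    def observe(self, m):
        """Feed one DHCP message that transits a snooping-enabled port."""
        if m.port not in self.enabled:
            return
        if m.msg == "REQUEST":
            self.pending[(m.port, m.mac)] = m.ip
        elif m.msg == "ACK":
            # Bind only when this port saw the matching REQUEST; an ACK for a
            # client that never asked through this port is not trusted.
            if self.pending.pop((m.port, m.mac), None) == m.ip:
                self.bindings.setdefault(m.port, {})[m.ip] = m.mac
        elif m.msg in ("NAK", "RELEASE"):
            self.pending.pop((m.port, m.mac), None)
            self.bindings.get(m.port, {}).pop(m.ip, None)

    def set_trusted(self, port, ip):
        """Static trusted address, as with "acl dhcpsnoop pool set <slot-port> <ip>"."""
        self.trusted.setdefault(port, set()).add(ip)

    def table(self, port):
        """What "show dhcp snoop" would list for the port: sorted (ip, mac) rows."""
        return sorted(self.bindings.get(port, {}).items())

    def allows(self, port, src_mac, src_ip):
        """Forwarding decision for an IP frame arriving on an ADSL port."""
        if port not in self.enabled:
            return True                          # snooping off: nothing is filtered
        if src_ip in self.trusted.get(port, ()):
            return True                          # slide 29: trusted static IP
        # slide 28 / slide 30: the (ip, mac) pair must be bound on this very port
        return self.bindings.get(port, {}).get(src_ip) == src_mac


def replay_case_study():
    """Slides 27-30 on port 6, plus two cases the deck does not show."""
    mac = "00:11:22:33:44:55"                     # constructed client MAC
    snoop = DhcpSnoop(enabled_ports={6, 7})
    snoop.observe(DhcpMsg(6, "REQUEST", mac, "192.168.4.50"))
    snoop.observe(DhcpMsg(6, "ACK", mac, "192.168.4.50"))
    snoop.set_trusted(6, "192.168.4.33")
    return {
        "leased_ip":      snoop.allows(6, mac, "192.168.4.50"),   # in the table
        "trusted_static": snoop.allows(6, mac, "192.168.4.33"),   # trusted
        "unknown_static": snoop.allows(6, mac, "192.168.4.200"),  # neither
        "spoofed_mac":    snoop.allows(6, "de:ad:be:ef:00:01", "192.168.4.50"),
        "other_port":     snoop.allows(7, mac, "192.168.4.50"),   # lease is port 6's
    }


if __name__ == "__main__":
    for case, allowed in replay_case_study().items():
        print("%-15s %s" % (case, "pass" if allowed else "drop"))
```

Keying the binding on the port as well as the IP/MAC pair is what stops a subscriber on one ADSL line from using an address leased to a neighbour; the trusted list is the escape hatch for devices that must keep a static address, and it is worth keeping short because nothing verifies the MAC behind a trusted IP.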

  31. Q & A
