DHCP policies based on Relay Agent Information Option (option 82), DHCP Snooping and IP Source Guard
DHCP server in Windows Server 2012 provides support for provisioning customized IP address and network configurations to DHCP clients using DHCP policies. Policies can be created based on several criteria one of which is relay agent information option - commonly referred as option 82. To get a better understanding on DHCP server policies and how to configure a policy, please refer to this post. In this blog post, we will discuss how you can create and use DHCP policies based on relay agent information option. We will also talk abut how support for option 82 in DHCP server in Windows Server 2012 aids DHCP snooping and IP source guarding on the network switch.
Relay Agent Information Option - DHCP Option 82
A DHCP relay agent relays DHCP messages between DHCP clients and DHCP servers which are in different IP subnets. A DHCP relay agent allows an administrator to have one DHCP server serve several subnets by having a DHCP relay in each subnet, relay the client requests to the DHCP server and vice versa.
The relay agent can insert additional information about the client (like client's network ID, port of the switch to which the client is connected, subscriber identifier etc.) to DHCP requests before forwarding the message to DHCP server. The relay agent inserts this additional information using option 82 - relay agent information option. The DHCP server can configured with policies to provide customized configuration to clients based on these additional fields inserted by the relay agent in the DHCP client message. The customized configuration in the policy includes giving IP from a specific IP address range, lease duration and specific set of option values.
The relay agent information option (DHCP option 82) is an aggregation of sub options. Starting from Windows Server 2012, this option and associated sub-options are supported by Windows DHCP server. The list of options and sub-options supported are :
- DHCP Relay Agent (RA) Information Option [Option 82] - RFC 3046
- Circuit ID, RA Sub-Option [Sub Option ID - 1] - RFC 3046
- Remote ID, RA Sub-Option [Remote Option ID - 2] - RFC 3046
- Subscriber ID, RA Sub-Option [Sub Option ID - 6] - RFC 3993
- Server Identifier Override Option, RA Sub-Option [Sub Option ID - 11] - RFC 5107
Using DHCP policies based on relay agent information option, you can use these fields (remote ID, circuit ID, subscriber id) to assign IP addresses and implement constraints such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID.
If your enterprise uses DHCP relay agent which supports option 82, this feature is for you!
Configuring Policies using Relay Agent Information and its sub-options
As mentioned earlier, DHCP server can give customized IP address and configuration options using option 82 and its sub-options. Policies are the way to achieve this in Windows Server 2012 DHCP server.
The policies can be created at DHCP server level (applicable server wide) and at DHCP scope level (applicable to the specific subnet). The IP address range and configuration options defined for these policies will now be applied to any client request containing option 82 (which is added by DHCP relay agent).
Figure 1 shows the DHCP MMC policy wizard page for configuring a policy condition based on relay agent information option. As seen in this figure, the DHCP server allows configuration of policies based on option 82 either as a single value or using its individual sub-options. In the former case, option 82 present in the DHCP request packets will be compared byte by byte with the policy condition value. In latter case, the contents of option 82 in the DHCP requests will be parsed for sub-options and each sub-option configured in policy condition value will be matched separately. DHCP server will send the response message to the client based on the IP address range and options of the matched policy. The values for policy condition should be provided in hexadecimal format. Hence if the sub-options take alphanumeric values as input, they need be converted to equivalent hex value and should be given as policy condition value. Also by default, the DHCP server echoes back option 82 received in DHCP request in all DHCP responses.
If you hadn't already noticed, the server identifier override sub-option is not used in policy condition value. Relay agents use this sub-option to provide IP address which should be included by the DHCP server in Server Identifier option [DHCP Option 54] instead of DHCP Server's IP address in DHCP replies. By default, only the DHCP messages which are broadcast by the client pass via the relay agent. The DHCP renew messages which are unicast by the DHCP client to the IP address of the DHCP server do not pass via the relay agent.
By inserting the IP address of the relay agent in the server identifier field, the DHCP server ensures that all DHCP requests pass through the DHCP relay agent including DHCP renew messages which will now be unicast to the IP address of the DHCP relay agent. The relay agent can now add option 82 and its sub-options to all DHCP client messages before they are seen by the DHCP server. This ensures the policy is applied for both unicast and broadcast DHCP requests.
DHCP snooping, IP Source Guard and DHCP Server Policies
DHCP Snooping and IP Source Guard are features provided by most popular network switches that can be used to secure a network by controlling traffic from untrusted clients. DHCP snooping when enabled on the switch, the switch builds a binding database containing the IP address, MAC address VLAN and interface to which the client is connected by “snooping” on DHCP transactions.
The snooping database can then be used on the switch for enabling IP source guard and dynamic ARP inspection to prevent ARP spoofing. IP source guard references the snooping database when a packet is received on any of these interfaces and compares the source address to the assigned address listed in the database. If the source address differs from the "allowed" address, the packet is assumed to be spoofed and is discarded. ARP security checks the IP address in the Source Protocol Address field of ARP packets. If that IP address is not an address that DHCP snooping has recorded as being in use by a host connected to the ingress port of the ARP, then the ARP packet is dropped.
These scenarios are aided by the support for option 82 on the DHCP server. Even if no policies are configured for relay agent information option, DHCP server in Windows Server 2012 in it’s response to the client will echo the relay agent information option if the same was present in the DHCP request message and thus aid the switch in building the DHCP snooping database. DHCP server also logs the relay agent information option value in the server audit log which can be used by the administrator for physical tracking of each client device as the relay agent information contains the switch port information.
Relay agent information option and its sub-options can be used to specify conditions in policies on DHCP server. These policies can be used to provide customized IP address and options to clients based on circuit id, remote id etc. In general, this feature can be used in scenarios where the DHCP relay agent is capable of appending relay agent information option, including the networks where IP source guarding/DHCP snooping is deployed.
Any questions and feedback, we would be happy to hear and assist! Give it a try and we hope you find it useful.
- About DHCP policies
- Step-by-step to configure DHCP policies
- Scope-level Link Layer filtering using DHCP policies
- Setting up DHCP Policies for Virtual Machines
- Set different lease durations for different device types