Hi Antonio,
I have summarized Configuring DHCP Features and IP Source Guard.
Anyone who finds a mistake in any of the concepts below, please let me know.
1) For Option 82 to operate, DHCP snooping must be activated!
2) The DHCP snooping goal is to validate the integrity of the DHCP messages
(defining: server trusted, clients untrusted), and to build the DHCP snooping
database (MAC address / IP address / binding type / VLAN number / interface information, etc.).
3) Option 82: the goal is to add information that may be useful for the DHCP
server to implement certain policies!
Remote-id (global): default is the switch MAC address.
Command: ip dhcp snooping information option format remote-id [string ASCII-string | hostname]
Circuit-id: per interface, to differentiate where the request to the relay
agent came in on.
Command: ip dhcp snooping vlan vlan information option format-type circuit-id [override] string ASCII-string
IPSG: is a per-port ACL that depends on the DHCP snooping database. Packets
that arrive with source addresses conforming to the DHCP binding database
are allowed to pass through. Packets that do not conform will be dropped.
You can extend IPSG by allowing it to depend on the source IP address as
well as the MAC address (port-security), for instance stating that hosts
must have an IP address conforming with the DHCP snooping database on one
hand, and that only 5 hosts are allowed to communicate (port-security maximum 5)
on a certain port.
Recently, the interdependency between IPSG and a DHCP environment was broken
by allowing IPSG to build a device tracking table (using ARP), thus
validating the source addresses (hosts) allowed to communicate on the
segment, and limiting them to a certain value (port-security maximum):
Switch(config)# ip device tracking
Switch(config)# interface gigabitethernet 0/3
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 1
Switch(config-if)# ip device tracking maximum 5
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# ip verify source tracking port-security
Switch(config-if)# end
In this example, device tracking is enabled with a maximum of 5 hosts that
can communicate (validated against the device tracking table). No more
than 5 hosts can communicate on the switchport.
Any help, comments, or explanations are appreciated!
Best Regards,
On Wed, Oct 28, 2009 at 12:42 PM, Antonio Saez <antonio.saez.jimenez_at_gmail.com> wrote:
> Hi Karim,
>
> In the configuration guide of the 3560, in the source guard section
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swdhcp82.html#wp1328446
>
> I cannot see the relation between source guard and MAC address filtering
> (ip verify source port-security).
>
> Thank you again
>
> *From:* karim jamali [mailto:karim.jamali_at_gmail.com]
> *Sent:* Wednesday, 28 October 2009 10:36
>
> *To:* Antonio Saez; Cisco certification
> *Subject:* Re: DHCP Option 82
>
>
>
> Hi Antonio,
>
>
> I am not sure about this. Can you just give me the context in which you
> read the relationship between option 82 and the port-security feature?
>
>
>
> Thanks
>
>
>
> Best Regards
>
> On Wed, Oct 28, 2009 at 12:30 PM, Antonio Saez <antonio.saez.jimenez_at_gmail.com> wrote:
>
> Thanks Karim,
>
>
>
> Ok, I understand this, but why is it needed for the source guard port-security
> feature?
>
>
>
> Regards
>
>
>
> *From:* karim jamali [mailto:karim.jamali_at_gmail.com]
> *Sent:* Wednesday, 28 October 2009 8:55
> *To:* Antonio Saez; Cisco certification
> *Subject:* Re: DHCP Option 82
>
>
>
> Hi,
>
>
>
> DHCP option 82 is an optional feature that allows the relay agent to insert
> circuit-specific information into a request being forwarded to a DHCP
> server. This option 82 information can be used by the DHCP server to
> implement policies (allocation of addresses based on the requesting subnet
> (giaddr) as well as the circuit-id information, e.g. the port on the switch
> on which the client resides). For instance, you can have 12 clients on a
> common VLAN, and you would like to give 6 of them addresses from a certain range
> within the pool, and the other 6 clients from another range in the pool,
> based on the circuit-id (tied to the switch interface).
>
>
>
> For instance:
>
> You can create a pool for a subnet (172.16.12.0/24), and within the pool you
> can create classes. Each class will have a range of option 82 values, which
> will match a range of circuit-ids of the client ports. Thus, for a client
> connected to a certain port, the circuit-id of that port will determine
> which class the client belongs to, and the server will thus issue the client an IP
> address from a certain range within that pool (172.16.12.1 - 172.16.12.20).
>
>
>
> So the circuit-id matches an option 82 hex value corresponding to the class,
> which in turn corresponds to a range of IP addresses within the
> subnet (pool).
>
>
>
> Sample Configuration (Cisco's Website):
>
> ! Defines the DHCP classes and relay information patterns
> ip dhcp class CLASS1
>  relay agent information
>   relay-information hex 01030a0b0c02050000000123
>   relay-information hex 01030a0b0c02*
>   relay-information hex 01030a0b0c02050000000000 bitmask 0000000000000000000000FF
> ip dhcp class CLASS2
>  relay agent information
>   relay-information hex 01040102030402020102
>   relay-information hex 01040101030402020102
> ip dhcp class CLASS3
>  relay agent information
>
> ! Associates the DHCP pool with DHCP classes
> ip dhcp pool ABC
>  network 10.0.20.0 255.255.255.0
>  class CLASS1
>   address range 10.0.20.1 10.0.20.100
>  class CLASS2
>   address range 10.0.20.101 10.0.20.200
>  class CLASS3
>   address range 10.0.20.201 10.0.20.254
>
>
>
>
>
> For more information on this topic check:
>
>
>
> http://blog.internetworkexpert.com/2009/07/22/understanding-dhcp-option-82/
>
>
>
> http://www.faqs.org/rfcs/rfc3046.html
>
>
>
> Best Regards,
>
> On Wed, Oct 28, 2009 at 10:30 AM, Antonio Saez <antonio.saez.jimenez_at_gmail.com> wrote:
>
> Hi all,
>
>
>
> I am reading the doc about DHCP option 82 and am not sure I understand it
> completely. What is it used for? Is it needed for the DHCP snooping feature?
>
> Sorry for these basic questions but do not have switches to test it.
>
>
>
> Thanks all
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>
> --
> KJ
>
>
>
>
> --
> KJ
>
--
KJ
Blogs and organic groups at http://www.ccie.net
Received on Wed Oct 28 2009 - 14:09:53 ART
This archive was generated by hypermail 2.2.0 : Sun Nov 01 2009 - 07:51:01 ART
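The quoted sample configuration matches the raw option 82 bytes against hex patterns, and Karim's summary describes what the relay agent puts into those bytes (circuit-id and remote-id). The following Python is an added example for this thread, not code from Cisco or from either poster: it encodes option 82 the way a relay agent does, decodes it into its RFC 3046 sub-options, and evaluates the three `relay-information hex` pattern forms from the quoted config (exact, trailing `*` wildcard, and bitmask) to pick the class and address range of pool ABC. The sample hex values are the ones quoted above; the bitmask semantics (mask bits set to 1 are don't-care) and CLASS3 acting as a catch-all for any request carrying option 82 are assumptions made for the example.

```python
"""Decode and classify DHCP Option 82 (RFC 3046 Relay Agent Information).

Added example for this thread, not code from Cisco or from the original
posters. It models the three 'relay-information hex' pattern forms of the
quoted sample config and the class-to-range mapping of pool ABC. The
bitmask semantics (1 bits = don't care) and the catch-all behaviour of a
class with no patterns (CLASS3) are assumptions.
"""
from typing import Dict, List, Optional, Tuple

CIRCUIT_ID = 1  # RFC 3046 sub-option 1: Agent Circuit ID
REMOTE_ID = 2   # RFC 3046 sub-option 2: Agent Remote ID


def parse_option82(data: bytes) -> Dict[int, bytes]:
    """Split the option-82 value into {sub-option code: value}.

    The value is a sequence of (code, length, value) triples. A malformed
    length is rejected rather than silently truncated: the relay agent is
    the only party the server can trust here, so a desynchronised parser
    must never be an option for anything else on the wire.
    """
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated sub-option header at offset %d" % i)
        code, length = data[i], data[i + 1]
        i += 2
        if i + length > len(data):
            raise ValueError("sub-option %d length %d overruns option" % (code, length))
        subs[code] = data[i:i + length]
        i += length
    return subs


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode the option value as the relay agent (the switch) would."""
    out = b""
    for code, val in ((CIRCUIT_ID, circuit_id), (REMOTE_ID, remote_id)):
        if len(val) > 255:
            raise ValueError("sub-option %d too long" % code)
        out += bytes([code, len(val)]) + val
    return out


def match_pattern(opt: bytes, pattern: str, bitmask: Optional[str] = None) -> bool:
    """Evaluate one 'relay-information hex' line against the raw option value.

    'HEX'            exact match on the whole option value
    'HEX*'           prefix match (trailing wildcard)
    'HEX' + bitmask  bits set to 1 in the mask are ignored (assumed; it is the
                     reading under which the sample '...000000 bitmask ...00FF'
                     accepts any value in the last byte)
    """
    if pattern.endswith("*"):
        return opt.startswith(bytes.fromhex(pattern[:-1]))
    value = bytes.fromhex(pattern)
    if bitmask is None:
        return opt == value
    mask = bytes.fromhex(bitmask)
    if len(mask) != len(value) or len(opt) != len(value):
        return False
    return all((o & ~m) == (v & ~m) for o, v, m in zip(opt, value, mask))


# Classes and pool ranges transcribed from the sample config quoted in the
# thread (constructed test data, not pulled from a live server).
CLASSES: List[Tuple[str, List[Tuple[str, Optional[str]]]]] = [
    ("CLASS1", [("01030a0b0c02050000000123", None),
                ("01030a0b0c02*", None),
                ("01030a0b0c02050000000000", "0000000000000000000000FF")]),
    ("CLASS2", [("01040102030402020102", None),
                ("01040101030402020102", None)]),
    ("CLASS3", []),  # 'relay agent information' with no patterns
]

POOL_ABC = {  # network 10.0.20.0/24, per-class address ranges
    "CLASS1": ("10.0.20.1", "10.0.20.100"),
    "CLASS2": ("10.0.20.101", "10.0.20.200"),
    "CLASS3": ("10.0.20.201", "10.0.20.254"),
}


def classify(option82: bytes) -> Optional[str]:
    """Return the first class whose patterns match, in configuration order.

    A class with an empty pattern list matches any request that carries
    option 82 at all (assumption about CLASS3). A request without option 82
    gets no class, and therefore no address from a class-restricted pool.
    """
    if not option82:
        return None
    for name, patterns in CLASSES:
        if not patterns or any(match_pattern(option82, p, m) for p, m in patterns):
            return name
    return None


def address_range(option82: bytes) -> Optional[Tuple[str, str]]:
    """Map a raw option-82 value to the address range the server would use."""
    cls = classify(option82)
    return POOL_ABC.get(cls) if cls else None


if __name__ == "__main__":
    # A switch inserting circuit-id 0a0b0c and remote-id 0000000123 (constructed).
    opt = build_option82(bytes.fromhex("0a0b0c"), bytes.fromhex("0000000123"))
    print(opt.hex(), parse_option82(opt), classify(opt), address_range(opt))
```

Pattern order matters: the wildcard `01030a0b0c02*` in CLASS1 already covers every option value that the bitmask line would accept, so when writing real classes put the most specific pattern first and check with `match_pattern` which line actually fired.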