Understanding DHCP Option 82 for Port Security on EX Series Switches

You can use DHCP option 82, also known as the DHCP relay agent information option, to help protect Juniper Networks EX Series Ethernet Switches against attacks such as spoofing (forging) of IP addresses and MAC addresses, and DHCP IP address starvation. Hosts on untrusted access interfaces of an Ethernet LAN switch send DHCP requests for IP addresses; the switch forwards or relays these requests to DHCP servers, and the servers respond with offers of IP address leases. An attacker can forge these messages to spoof addresses and gain a foothold on the network. Option 82 ties each relayed request to the switch interface and VLAN on which it arrived, so the server can base what it offers on where the request actually came from.

Option 82 carries information about the network location of a DHCP client, and the DHCP server uses this information to assign an IP address or other parameters to the client. The Juniper Networks Junos operating system (Junos OS) implementation of DHCP option 82 supports RFC 3046, DHCP Relay Agent Information Option, at http://tools.ietf.org/html/rfc3046.

DHCP Option 82 Processing

If DHCP option 82 is enabled on a VLAN, then when a network device (a DHCP client) connected to the VLAN on an untrusted interface sends a DHCP request, the switch inserts information about the client's network location into that request as option 82. The switch then sends the request to the DHCP server. The DHCP server reads the option 82 information and uses it to assign an IP address or other parameters to the client. See Suboption Components of Option 82 for details about option 82 information.

Note: On EX4300 switches, DHCP option 82 information is added to DHCP packets received on trusted interfaces as well as untrusted interfaces.

When option 82 is enabled on a VLAN, the following sequence of events occurs when a DHCP client sends a DHCP request:

  1. The switch receives the request and inserts the option 82 information in the packet header.
  2. The switch forwards (or relays) the request to the DHCP server.
  3. The server uses the DHCP option 82 information to formulate its reply and sends a response to the switch. It returns the option 82 information in the response unchanged.
  4. The switch strips the option 82 information from the response packet.
  5. The switch forwards the response packet to the client.

To use the DHCP option 82 feature, you must ensure that the DHCP server is configured to accept option 82. If it is not, then when it receives requests containing option 82 information, it does not use the information when setting parameters and it does not echo the information in its response message. In that case option 82 adds no protection: the server is what enforces the per-interface or per-VLAN policy, so check its configuration as well as the switch's.

Suboption Components of Option 82

Option 82 as implemented on an EX Series switch comprises the suboptions circuit ID, remote ID, and vendor ID. Each suboption is a type-length-value field carried inside option 82 in the options field of the DHCP packet:

  • circuit ID—Identifies the circuit (interface or VLAN) on the switch on which the request was received. The circuit ID contains the interface name or VLAN name, with the two elements separated by a colon—for example, ge-0/0/10:vlan1, where ge-0/0/10 is the interface name and vlan1 is the VLAN name. If the request packet is received on a Layer 3 interface, the circuit ID is just the interface name—for example, ge-0/0/10.

    Use the prefix option to add an optional prefix to the circuit ID. If you enable the prefix option, the hostname for the switch is used as the prefix; for example, switch1:ge-0/0/10:vlan1, where switch1 is the hostname.

    You can also specify that the interface description be used rather than the interface name or that the VLAN ID be used rather than the VLAN name.

  • remote ID—Identifies the host. See the remote-id configuration statement for details.
  • vendor ID—Identifies the vendor of the host. If you specify the vendor-id option but do not enter a value, the default value Juniper is used. To specify a value, you type a character string.
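
The following Python script is an added example, not Junos OS code and not part of this topic, that walks through the processing sequence above and the suboption descriptions with constructed data: it builds the EX Series-style circuit ID string (interface:vlan, optionally prefixed with the hostname), inserts option 82 with the circuit-ID (suboption 1) and remote-ID (suboption 2) suboptions defined in RFC 3046 into a client request, lets a stand-in server pick an address pool from the circuit ID and echo the option back unchanged, and strips the option from the reply before it reaches the client. The pool names, the remote-ID string switch1, and the handling of a request that already carries option 82 (forwarded unchanged from a trusted port, dropped from an untrusted one, as RFC 3046 section 2.1 recommends) are assumptions of the example; only the DHCPv4 options field is modelled, not the fixed header.

```python
"""Relay-agent handling of DHCP option 82 (RFC 3046), following the five
processing steps in this topic. Added example with constructed data."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2          # RFC 3046 suboption codes
DISCOVER, OFFER = b"\x01", b"\x02"

def circuit_id(interface, vlan=None, hostname=None):
    """EX Series-style circuit ID: interface[:vlan], with the switch hostname
    as an optional prefix (the 'prefix' option)."""
    parts = [interface] if vlan is None else [interface, vlan]
    if hostname is not None:
        parts.insert(0, hostname)
    return ":".join(parts)

def tlv(code, value):
    """One-byte code, one-byte length, value (DHCPv4 option/suboption format)."""
    if len(value) > 255:
        raise ValueError("value too long for a one-byte length")
    return struct.pack("BB", code, len(value)) + value

def option82_value(circuit, remote):
    """Payload of option 82: circuit-ID and remote-ID suboptions."""
    return tlv(SUB_CIRCUIT_ID, circuit.encode()) + tlv(SUB_REMOTE_ID, remote.encode())

def parse_tlvs(blob):
    """Parse a run of TLVs into an ordered list of (code, value); stops at End (255)."""
    out, i = [], 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == 0:                         # Pad option has no length byte
            i += 1
            continue
        length = blob[i + 1]
        out.append((code, blob[i + 2:i + 2 + length]))
        i += 2 + length
    return out

def parse_options(packet):
    if not packet.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    return parse_tlvs(packet[len(MAGIC_COOKIE):])

def build_options(opts):
    return MAGIC_COOKIE + b"".join(tlv(c, v) for c, v in opts) + bytes([OPT_END])

def relay_to_server(request, circuit, remote, trusted_port):
    """Steps 1-2: insert option 82 and forward. A request that already carries
    option 82 is forwarded unchanged from a trusted port and dropped (None)
    from an untrusted one, as RFC 3046 section 2.1 recommends (assumed policy)."""
    opts = parse_options(request)
    if any(code == OPT_RELAY_AGENT for code, _ in opts):
        return request if trusted_port else None
    opts.append((OPT_RELAY_AGENT, option82_value(circuit, remote)))
    return build_options(opts)

def server_reply(request, pools):
    """Step 3: a stand-in server selects an address pool by circuit ID and
    echoes option 82 back unchanged; 'pools' maps circuit ID -> pool name."""
    opts = dict(parse_options(request))
    subs = dict(parse_tlvs(opts.get(OPT_RELAY_AGENT, b"")))
    circuit = subs.get(SUB_CIRCUIT_ID, b"").decode()
    pool = pools.get(circuit, pools["default"])
    reply = [(OPT_MSG_TYPE, OFFER)]
    if OPT_RELAY_AGENT in opts:
        reply.append((OPT_RELAY_AGENT, opts[OPT_RELAY_AGENT]))
    return pool, build_options(reply)

def relay_to_client(reply):
    """Steps 4-5: strip option 82 before the reply goes back to the client."""
    kept = [(c, v) for c, v in parse_options(reply) if c != OPT_RELAY_AGENT]
    return build_options(kept)

def run_example():
    """Constructed walk-through: one client on ge-0/0/10 in vlan1, plus a
    spoofed request that arrives on an untrusted port with option 82 preset."""
    pools = {"ge-0/0/10:vlan1": "pool-vlan1", "default": "pool-default"}
    cid = circuit_id("ge-0/0/10", "vlan1")
    request = build_options([(OPT_MSG_TYPE, DISCOVER)])
    to_server = relay_to_server(request, cid, "switch1", trusted_port=False)
    pool, from_server = server_reply(to_server, pools)
    to_client = relay_to_client(from_server)
    spoofed = build_options([(OPT_MSG_TYPE, DISCOVER),
                             (OPT_RELAY_AGENT, option82_value("ge-0/0/1:vlan1", "fake"))])
    return {
        "circuit_id": cid,
        "pool": pool,
        "server_saw_82": OPT_RELAY_AGENT in dict(parse_options(to_server)),
        "client_saw_82": OPT_RELAY_AGENT in dict(parse_options(to_client)),
        "spoof_dropped": relay_to_server(spoofed, cid, "switch1", trusted_port=False) is None,
    }
```

Calling run_example() returns the circuit ID ge-0/0/10:vlan1, the pool the server chose from it, and flags showing that the server saw option 82 while the client did not, and that the spoofed request with a preset option 82 was dropped on the untrusted port.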

Configurations of the EX Series Switch That Support Option 82

Configurations of the EX Series switch that support option 82 are:

Switch, Clients and DHCP Server Are on Same VLAN

If the switch, the DHCP clients, and the DHCP server are all on the same VLAN, the switch forwards the requests from the clients on untrusted access interfaces to the server on a trusted interface. See Figure 1.

Figure 1: DHCP Clients, Switch, and DHCP Server Are All on Same VLAN


Switch Acts as a Relay Agent

The switch functions as a relay agent (extended relay server) when the DHCP clients or the DHCP server is connected to the switch through a Layer 3 interface. On the switch, these interfaces are configured as routed VLAN interfaces (RVIs). Figure 2 illustrates a scenario for the switch acting as an extended relay server; in this instance, the switch relays requests to the server.

Figure 2: Switch Acting as an Extended Relay Server


DHCPv6 Option 37

Option 37 is the DHCPv6 equivalent of DHCP option 82: it is the Remote-ID option defined in RFC 4649, which a relay agent adds so that the server can identify the point of attachment of the client. The switch appends information about the network location of the client to DHCPv6 packets sent from the client towards the server. The option 37 value consists of an enterprise ID, the VLAN ID, and the MAC address of the interface on which the switch received the request message from the client. The format of these fields is fixed, unlike option 82 suboptions, which can be configured.

DHCPv6 option 37 is enabled automatically when DHCPv6 snooping is enabled on a VLAN. This option can be disabled for a defined set of access interfaces within the VLAN by using the set vlans vlan-name forwarding-options dhcp-security group group-name overrides no-option37 command.
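
The following Python script is an added example, not Junos OS code and not part of this topic, that shows the DHCPv6 side of the same idea: a relay agent wraps a client's Solicit in a Relay-forward message (RFC 3315) and adds option 37, the Remote-ID option of RFC 4649, which carries a four-byte enterprise number followed by an opaque remote-id. The example uses Juniper's IANA private enterprise number (2636) and assumes the remote-id body is the two-byte VLAN ID followed by the six-byte MAC address of the ingress interface, in that order; this topic names those three components but not their byte layout, so the layout, the sample addresses, and the client DUID are assumptions. The add_option37 flag stands in for an access interface placed in a group with the no-option37 override.

```python
"""DHCPv6 relay agent adding option 37 (Remote-ID, RFC 4649) to a Relay-forward
message (RFC 3315). Added example with constructed data; the VLAN ID + MAC
layout of the remote-id body is an assumption, not the documented Junos encoding."""
import struct

MSG_SOLICIT, MSG_RELAY_FORW = 1, 12
OPT_CLIENTID, OPT_RELAY_MSG, OPT_REMOTE_ID = 1, 9, 37
JUNIPER_ENTERPRISE = 2636        # IANA private enterprise number of Juniper Networks
RELAY_HDR_LEN = 1 + 1 + 16 + 16  # msg-type, hop-count, link-address, peer-address

def opt6(code, value):
    """DHCPv6 option: two-byte code, two-byte length, value."""
    return struct.pack("!HH", code, len(value)) + value

def parse_opts6(blob):
    """Parse DHCPv6 options into an ordered list of (code, value)."""
    out, i = [], 0
    while i + 4 <= len(blob):
        code, length = struct.unpack("!HH", blob[i:i + 4])
        out.append((code, blob[i + 4:i + 4 + length]))
        i += 4 + length
    return out

def remote_id_value(enterprise, vlan_id, ingress_mac):
    """enterprise-number (4 bytes) followed by the remote-id; here the remote-id
    is assumed to be VLAN ID (2 bytes) + ingress interface MAC (6 bytes)."""
    if len(ingress_mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return struct.pack("!IH", enterprise, vlan_id) + ingress_mac

def client_solicit(xid, client_duid):
    """Minimal Solicit: msg-type, 3-byte transaction ID, Client Identifier option."""
    return bytes([MSG_SOLICIT]) + xid + opt6(OPT_CLIENTID, client_duid)

def relay_forward(client_msg, link_addr, peer_addr, vlan_id, ingress_mac, add_option37=True):
    """Wrap the client message in a Relay-forward (hop-count 0) and add option 37,
    unless the ingress port is in a group with the no-option37 override."""
    opts = opt6(OPT_RELAY_MSG, client_msg)
    if add_option37:
        opts += opt6(OPT_REMOTE_ID, remote_id_value(JUNIPER_ENTERPRISE, vlan_id, ingress_mac))
    return bytes([MSG_RELAY_FORW, 0]) + link_addr + peer_addr + opts

def server_view(relay_msg):
    """Decode what the server learns: the inner message type and, if present,
    the enterprise number, VLAN ID and ingress MAC carried in option 37."""
    if relay_msg[0] != MSG_RELAY_FORW:
        raise ValueError("not a Relay-forward message")
    opts = dict(parse_opts6(relay_msg[RELAY_HDR_LEN:]))
    view = {"inner_msg_type": opts[OPT_RELAY_MSG][0], "remote_id": None}
    if OPT_REMOTE_ID in opts:
        v = opts[OPT_REMOTE_ID]
        enterprise, vlan_id = struct.unpack("!IH", v[:6])
        view["remote_id"] = {"enterprise": enterprise, "vlan_id": vlan_id,
                             "mac": ":".join(f"{b:02x}" for b in v[6:12])}
    return view

def run_example():
    """Constructed sample: client on VLAN 100, relay ingress MAC 0a:1b:2c:3d:4e:5f,
    once with option 37 added and once with the no-option37 override in effect."""
    link = bytes.fromhex("20010db8000000010000000000000001")   # 2001:db8:0:1::1
    peer = bytes.fromhex("fe80000000000000021122fffe334455")   # fe80::211:22ff:fe33:4455
    ingress_mac = bytes.fromhex("0a1b2c3d4e5f")
    solicit = client_solicit(b"\x12\x34\x56", bytes.fromhex("00030001001122334455"))  # DUID-LL
    with_37 = server_view(relay_forward(solicit, link, peer, 100, ingress_mac))
    without_37 = server_view(relay_forward(solicit, link, peer, 100, ingress_mac, add_option37=False))
    return with_37, without_37
```

run_example() returns two server-side views of the same Solicit: the first carries enterprise 2636, VLAN 100 and the ingress MAC in option 37; the second, with the override in effect, still delivers the client message but gives the server no attachment information to act on.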

Modified: 2015-11-18