Appendix: DHCP management
This chapter provides information about using DHCP, including theory, supported features and configuration process overview.
DHCP principles
- RFC 2131, Dynamic Host Configuration Protocol
- RFC 3046, DHCP Relay Agent Information Option
The DHCP operation is shown in the following figure.
-
During boot-up, the client device sends a DHCP discover message to get an IP address from the DHCP Server. The message contains:
-
destination MAC address - broadcast
-
source MAC address - MAC of client device
-
client hardware address - MAC of client device
If this message passes through a DSLAM or other access node (possibly a 7210 SAS device), typically the Relay information option (Option 82) field is added, indicating shelf, slot, port, VPI, VCI and other fields, to identify the subscriber.
DHCP relay is enabled on the first IP interface in the upstream direction. Depending on the scenario, the DSLAM, BSA or the BSR will relay the discover message as a unicast packet toward the configured DHCP server. DHCP relay is configured to insert the giaddr to indicate to the DHCP server in which subnet an address should be allocated.
-
-
The DHCP server will lookup the client MAC address and Option 82 information in its database. If the client is recognized and authorized to access the network, an IP address will be assigned and a DHCP offer message returned. The BSA or BSR will relay this back to the client device.
-
It is possible that the discover reached more than one DHCP server, and therefore that more than one offer was returned. The client selects one of the offered IP addresses and confirms it needs to use this in a DHCP request message, sent as unicast to the DHCP server that offered it.
-
The DHCP server confirms that the IP address is still available, updates its database to indicate it is now in use, and replies with a DHCP ACK message back to the client. The ACK also contains the Lease Time of the IP address.
DHCP features
Using Option 82 field
Option 82, or the relay information option is specified in RFC 3046, DHCP Relay Agent Information Option, allows the router to append some information to the DHCP request that identifies where the original DHCP request arrives from.
There are two sub-options under Option 82:
-
Agent Circuit ID Sub-option (RFC 3046, section 3.1): This sub-option specifies data which must be unique to the box that is relaying the circuit.
-
Remote ID Sub-option (RFC 3046 section 3.2): This sub-option identifies the host at the other end of the circuit. This value must be globally unique.
Both sub-options are supported by the 7210 SAS and can be used separately or together.
Inserting Option 82 information is supported independently of DHCP relay.
When the circuit ID sub-option field is inserted by the 7210 SAS, it can take following values:
-
sap-id - the SAP index (only under a IES or VPRN service)
-
ifindex - the index of the IP interface (only under a IES or VPRN service)
-
ascii-tuple - an ASCII-encoded concatenated tuple, consisting of [system-name | service-id | interface-name] (for VPRN or IES) or [system-name | service-id | sap-id] (for VPLS)
-
vlan-ascii-tuple - an ASCII-encoded concatenated tuple, consisting of the ascii-tuple followed by Dot1p bits and Dot1q tags
Note that for VPRN the ifindex is unique only within a VRF. The DHCP relay function automatically prepends the VRF ID to the ifindex before relaying a DHCP Request.
When a DHCP packet is received with Option 82 information already present, the system can do one of three things. The available actions are:
-
Replace
On ingress the existing information-option is replaced with the information-option parameter configured on the 7210 SAS. On egress (toward the customer) the information-option is stripped (per the RFC).
-
Drop
The DHCP packet is dropped and a counter is incremented.
-
Keep
The existing information is kept on the packet and the router does not add any more information. On egress the information option is not stripped and is sent on to the downstream node.
In accordance with the RFC, the default behavior is to keep the existing information; except if the giaddr of the packet received is identical to a local IP address on the router, then the packet is dropped and an error incremented regardless of the configured action.
The maximum packet size for a DHCP relay packet is 1500 bytes. If adding the Option 82 information would cause the packet to exceed this size, the DHCP relay request will be forwarded without the Option 82 information. This packet size limitation exists to ensure that there will be no fragmentation on the end Ethernet segment where the DHCP server attaches.
In the downstream direction, the inserted Option 82 information should not be passed back toward the client (as per RFC 3046, DHCP Relay Agent Information Option). To enable downstream stripping of the option 82 field, DHCP snooping should be enabled on the SDP or SAP connected to the DHCP server.
Trusted and untrusted
There is a case where the relay agent could receive a request where the downstream node added Option 82 information without also adding a giaddr (giaddr of 0). In this case the default behavior is for the router to drop the DHCP request. This behavior is in line with the RFC.
The 7210 SAS supports a command trusted, which allows the router to forward the DHCP request even if it receives one with a giaddr of 0 and Option 82 information attached. This could occur with older access equipment. In this case the relay agent would modify the request's giaddr to be equal to the ingress interface. This only makes sense when the action in the information option is keep, and the service is IES or VPRN. In the case where the Option 82 information gets replaced by the relay agent, either through explicit configuration or the VPLS DHCP Relay case, the original Option 82 information is lost, and the reason for enabling the trusted option is lost.
Common configuration guidelines
Configuration guidelines for DHCP relay and snooping
The following configuration guidelines must be followed to configure DHCP relay and snooping.
-
7210 SAS devices does not support the ARP populate based on the DHCP lease, assigned to the DHCP client
-
7210 SAS devices does not maintain the DHCP lease assigned to the client
-
7210 SAS devices do not perform IP spoofing checks and MAC spoofing checks based on the DHCP parameters assigned to the client
-
MAC learning must be enabled in the VPLS service, for DHCP snooping.
-
DHCP snooping is not supported for B-SAPs in B-VPLS services and I-SAPs in I-VPLS services.
-
Ingress ACLs cannot be used to drop DHCP control packet.
-
DHCP packets received over a SDP cannot be identified and option-82 inserted by the node cannot be removed by the node, in the downstream direction. If this behavior is not needed user should not enable DHCP snooping in the VPLS service, if the DHCP server is reachable over the SDP (either spoke-SDP or mesh SDP).
Configuring Option 82 handling
Option 82, or ‟Relay Information Option” is a field in DHCP messages used to identify the subscriber. The Option 82 field can already be filled in when a DHCP message is received at the router, or it can be empty. MAC learning must be enabled in the VPLS service, for DHCP snooping. If the field is empty, the router should add identifying information (circuit ID, remote ID or both). If the field is not empty, the router can decide to replace it.
Partial BSA configuration — adding Option 82 to a VPLS
The following is a sample partial BSA configuration output with Option 82 adding on a VPLS service. Note that snooping must be enabled explicitly on a SAP.
*A:7210SAS>config>service#
----------------------------------------------
vpls 2 customer 1 create
shutdown
stp
shutdown
exit
sap 1/1/12:100 create
dhcp //Configuration example to add option 82
option
action replace
circuit-id
no remote-id
exit
no shutdown
exit
exit
no shutdown
exit
----------------------------------------------
*A:7210SAS>config>service#
Partial BSA configuration — removing Option 82 from a VPLS
The following is a sample partial BSA configuration output to remove the Option 82 on a VPLS service.
vpls 2 customer 1 create
stp
shutdown
exit
sap 1/1/14:100 create //Configuration example to remove option 82
dhcp
snoop
no shutdown
exit
exit