DHCPv4 Relay Agent Option 82

DHCP option 82 is a security feature that enables the relay agent to prevent DHCP client requests from untrusted sources. You can configure the relay agent to add option 82 information to DHCP requests from clients before forwarding the requests to the DHCP server.

Option 82 overview

Option 82 allows the DHCP server to select a sub-range in the DHCP server address pool. The DHCP server echoes the option 82 in the DHCP reply packet. The DHCP relay agent validates and removes the option 82 information, and then sends the response to the DHCP client.

Adding option 82 to DHCP client requests helps address the following security issues:
  • Allows the relay agent to identify the circuit to which to forward replies.
  • Prevents DHCP IP address exhaustion attacks. IP address exhaustion occurs when an attacker requests all available IP addresses from a DHCP server by sending requests with fake client MAC addresses.
  • Prevents permanently assigning an IP address to a particular user or modem.
  • Prevents spoofing of client identifier fields used to assign IP addresses.
  • Prevents denial of service (DoS) attacks.

Relay agent operation with Option 82 enabled

When Option 82 is enabled, the relay agent performs the following actions:

Configuration considerations

Consider the following when you configure option 82:

Option 82 sub-options

The DHCP Relay Agent Information Option is a container option for specific agent-supplied sub-options. The relay agent information option has the following format.

| Code | Len | Agent Information Field |
|------|-----|-------------------------|
| 82   | N   | i1 i2 i3 i4 ... iN      |
Note

The length N represents the total number of octets in the Agent Information Field. The Agent Information field consists of a sequence of SubOpt/Length/Value tuples for each sub-option.
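
Table 1. Agent remote ID sub-option

| Sub-option type (1 byte) | Length (1 byte) | VLAN ID (2 bytes) | MAC address (6 bytes) |
|--------------------------|-----------------|-------------------|-----------------------|
| 2                        | 8               |                   |                       |
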
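Table 2. Relay agent circuit ID sub-option

| Sub-option type (1 byte) | Length (1 byte) | VLAN ID <string> (4 bytes) | IF-description string (4 bytes) |
|--------------------------|-----------------|----------------------------|---------------------------------|
| 2                        | 68              |                            |                                 |
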
Note

The circuit ID is a combination of the VLAN-ID and the interface description string. If the interface description is not configured, the default string "Extremenetworks" is used in the circuit ID.
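
The following Python sketch is an added example, not vendor code. It splits the Option 82 container described above into its SubOpt/Length/Value tuples with strict length checks, then decodes the remote ID layout from Table 1. Network byte order for the VLAN ID, the function names, and the sample bytes are assumptions.

```python
import struct

OPT_RELAY_AGENT_INFO = 82   # option code from the format shown above
SUBOPT_REMOTE_ID = 2        # sub-option type from Table 1


def parse_option82(option: bytes) -> dict:
    """Split one Option 82 TLV into {sub-option type: value bytes}.

    Raises ValueError on any length inconsistency so the caller can drop
    the packet instead of acting on a partially parsed option.
    """
    if len(option) < 2 or option[0] != OPT_RELAY_AGENT_INFO:
        raise ValueError("not a relay agent information option")
    n = option[1]
    if n != len(option) - 2:
        raise ValueError("Len does not match Agent Information Field size")
    field, subopts, pos = option[2:], {}, 0
    while pos < n:
        if pos + 2 > n:
            raise ValueError("truncated sub-option header")
        subopt, length = field[pos], field[pos + 1]
        pos += 2
        if pos + length > n:
            raise ValueError("sub-option overruns Agent Information Field")
        subopts[subopt] = field[pos:pos + length]
        pos += length
    return subopts


def decode_remote_id(value: bytes) -> tuple:
    """Decode the Table 1 layout: 2-byte VLAN ID, then 6-byte MAC address."""
    if len(value) != 8:
        raise ValueError("remote ID must be 8 bytes")
    # Assumption: VLAN ID is carried in network (big-endian) byte order.
    (vlan,) = struct.unpack("!H", value[:2])
    return vlan, ":".join(f"{b:02x}" for b in value[2:])


# Constructed sample: remote ID for VLAN 100, MAC 00:11:22:33:44:55.
SAMPLE = bytes([82, 10, 2, 8, 0x00, 0x64, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55])

if __name__ == "__main__":
    print(decode_remote_id(parse_option82(SAMPLE)[SUBOPT_REMOTE_ID]))
```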