Solved: DHCPDISCOVER packets are

Phil Bradley · ‎11-13-2015

I use ip-helper to forward DHCP broadcasts from all of my vlans to a Microsoft 2012 dhcp server. In my CCNP switch training, i recently came across option 82 and would like to clarify its intended purpose. Is option 82 and ip-helper the same thing? I understand that 82 is inserting extra information in the DHCP broadcast frame which is what ip-helper does as well. I am implementing DHCP snooping and cisco best practice says to couple this with option 82.

Ganesh Hariharan · ‎11-13-2015

Hello Phil,

One of the main point of option 82 is to pass additional info to DHCP server telling the latter where exactly the DHCP client is, i.e. what port of what switch it is connected to.

With option 82, particular ip address can be binded to particular switch port.Also it has lots additional fileds like mac address, port identifier but most important is giaddr(gateway aandle ddress),

it is the filed given by device acting as dhcp relay(with helper address).

Hope it Helps..

-GI

Rate if it Helps

View solution in original post

Ganesh Hariharan · ‎11-13-2015

Hello Phil,

One of the main point of option 82 is to pass additional info to DHCP server telling the latter where exactly the DHCP client is, i.e. what port of what switch it is connected to.

With option 82, particular ip address can be binded to particular switch port.Also it has lots additional fileds like mac address, port identifier but most important is giaddr(gateway aandle ddress),

it is the filed given by device acting as dhcp relay(with helper address).

Hope it Helps..

-GI

Rate if it Helps

Phil Bradley · ‎11-13-2015

Hello Ganesh,

Thanks for the information. I'm using a 3750G MS as my switch/router. With ip helper does the switch actually broadcast the DHCP discover out all ports or does it filter the DORA and then create the unicast to the ip helper address? I am trying to see the point of using DHCP snooping if the multilayer switch filters the flood with ip helper. If it does then a rogue DHCP server would never see the Discover message since it would be unicast to the real DHCP server by the switch.

Thanks.

Phil Bradley · ‎11-13-2015

Ganesh,

I just used wireshark and caught a DHCP discover message getting flooded to my switchport. This tells me that IP helper does not filter the initial discover and it does go out all ports.

Thanks,

Phil

Ganesh Hariharan · ‎11-13-2015

Hello Phil,

IP Helper address is command which works by broadcasting to locate servers like TFTP servers or DHCP servers.

When you configure ip helper command that forwards several UDP protocols, like DNS and BOOTP and by default it support 8 UDP services.

Hope it Helps..

-GI

Rate if it Helps..

Phil Bradley · ‎11-14-2015

Hello Ganesh,

I do understand what ip helper-address does, but I didn't know if it actually kept the switch from forwarding the discover frame out all ports. I did see the discover frame being sent out all ports even with ip helper defined. This just confirms that a rogue dhcp server can still be inserted with ip helper when dhcp snooping is not used.

Rolf Fischer · ‎11-15-2015

Hi Phil,

my understanding is that Option 82 does not change the way a client communicates with a DHCP server and vice versa. But it changes the way how access-switches handle DHCP packets comming form a DHCP server: Even if those packets are broadcasts, the access-switch examines the Option 82 information and sends them only to the client port.

I have to admit that I never tested it myself (we disable Option 82 by company policy) but here is a great post by Peter Palúch on this subject:

Discussion 11081266 dhcp-snooping

HTH

Rolf

Peter Koltl · ‎11-15-2015

DHCPDISCOVER packets are always flooded out on all ports in the client's VLAN regardless of ip helper. IP helper address (DHCP relaying)relays the request to a server in another VLAN.

Option 82 and ip-helper