Dhiresh Yadav is a wireless expert working for Cisco's High Touch Technical Support (HTTS) team, a team that provides reactive technical support to the majority of Cisco's premium customers. In this document Dhiresh explains DHCP Option 43 and Option 60.
Configuration of option 43 and option 60 on Cisco IOS/Windows/Linux based servers.
DHCP Option 43 is used to help the LAP obtain the controller IP address from the DHCP server. When the LAP sends a DHCP request to obtain an IP address, the DHCP server may, in addition to offering it an IP address, also return one or more controller IP addresses to the LAP.
Option 60 is used to define the VCI (Vendor Class Identifier) on the DHCP server. It is the same VCI that a DHCP client includes in the initial DHCP Discover message it broadcasts in search of an IP address. DHCP clients (LAPs in this case) use Option 60 to identify themselves to the DHCP server.
When we define Option 60 in a DHCP scope in combination with Option 43, we instruct the DHCP server to return the content of Option 43 only to those clients that present the right Option 60, i.e. the VCI already configured in the DHCP scope using Option 60. When the DHCP server sees an already configured VCI in a DHCP Discover from a DHCP client, it returns the mapped vendor-specific information in its DHCP Offer to the client as DHCP Option 43. On the DHCP server, Option 43 is defined in each DHCP pool (scope) that offers IP addresses to the LAPs. The idea is not to send the content of Option 43 to clients that do not need it; the clients that do need it are identified by the VCI in Option 60.
Do we need option 60?
If you do not specify an Option 60 for a scope, the content of Option 43 is returned to any DHCP client asking for an IP address in that subnet. In general we should define it in the DHCP scope, as it makes sure that Option 43 is returned only to LAPs and not to other clients, but this also depends upon the type of DHCP server. For example, Cisco IOS based DHCP scopes allow only one Option 60 string (VCI) per scope, so you may not want to use it if you have different series of APs in the same subnet, the VCI of each AP series is different, and all of them have to be accommodated in the same scope. There is no such limitation on the Windows server, and hence the correct procedure there is to define Option 60 first.
Inside Option 43 we can have encapsulated vendor-specific sub-option codes between 0 and 255. The sub-options are all included in the DHCP Offer as type-length-value (TLV) blocks embedded within Option 43. Vendors can define these sub-options as they wish. For Cisco, we have the following Option 43 sub-option codes:
Option 102: This value is returned in ASCII. This Option 43 sub-option code is for the Cisco 1000 series access points. For example, on Cisco IOS: option 43 ascii "192.168.10.5,192.168.10.15"
Option 241: This value is returned in hex. This Option 43 sub-option code is for Cisco Aironet LAPs other than the 1000 series. For example, on Cisco IOS, to specify two controller IP addresses: option 43 hex f108c0a80a05c0a80a14 (f1 is sub-option 241, 08 is the length in bytes, followed by the two IPv4 addresses as four hex bytes each).
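To make the TLV encoding and the Option 60 gating concrete, here is an added Python example (not part of the original article) that builds the sub-option 241 value for a list of controller IPs, parses an Option 43 payload back into TLV blocks, and mirrors the scope rule that Option 43 is only offered when the client's VCI matches the scope's Option 60. The VCI strings and controller addresses used with it are constructed sample values.

```python
import ipaddress
import struct

# Sub-option code for Cisco Aironet LAPs other than the 1000 series, as in the article.
CISCO_LAP_SUBOPTION = 241


def build_option43(controllers):
    """Encode controller IPs as one Option 43 TLV: type 241, length, 4 bytes per address."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(payload) > 255:
        raise ValueError("TLV value does not fit the one-byte length field")
    return struct.pack("BB", CISCO_LAP_SUBOPTION, len(payload)) + payload


def parse_option43(raw):
    """Walk the TLV blocks inside Option 43; return {sub-option code: value bytes}.
    Rejects truncated blocks instead of silently reading past the end."""
    out = {}
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated TLV header")
        code, length = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length %d runs past end of option" % length)
        out[code] = value
        i += 2 + length
    return out


def controllers_from_option43(raw):
    """Decode the sub-option 241 value back into dotted-quad controller addresses."""
    value = parse_option43(raw).get(CISCO_LAP_SUBOPTION, b"")
    if len(value) % 4:
        raise ValueError("sub-option 241 value is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]


def offer_option43(scope_vci, client_vci, controllers):
    """Scope rule from the article: with no Option 60 on the scope every client gets
    Option 43; with one, only a client whose Option 60 matches does (None = withheld)."""
    if scope_vci is not None and client_vci != scope_vci:
        return None
    return build_option43(controllers)
```

Running build_option43 on 192.168.10.5 and 192.168.10.20 reproduces the article's hex string f108c0a80a05c0a80a14, which is a quick way to verify a hand-typed option 43 hex line before committing it to a scope.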
Detailed configuration steps for Windows/Cisco IOS/Linux servers can be found at the link below.