Principles of DHCP option 82

Source: Internet
Author: User

We have already given a basic introduction to DHCP option 82, including its basic concepts and related functions. Here, let's look at how option 82 works. When the DHCP relay agent switch supports option 82, the DHCP client obtains its IP address from the DHCP server through the DHCP relay, and the exchange still involves four stages: discovery, provision, selection, and confirmation. The DHCP exchange proceeds as follows:

1) During initialization, the DHCP client broadcasts a request packet. The request packet does not contain option 82.

2) The DHCP relay agent adds option 82 to the end of the received request message and forwards it to the DHCP server. Option 82 sub-option 1 (agent circuit ID) defaults to the interface information of the switch port the DHCP client is connected to (VLAN name and physical port name); you can also configure the circuit ID yourself. Option 82 sub-option 2 (agent remote ID) is the MAC address of the DHCP relay device.

3) After receiving the DHCP request packet forwarded by the DHCP relay device, the DHCP server allocates an IP address and other configuration to the client based on the information carried in the option and on its predefined policy. It then sends a response packet containing the DHCP configuration information and the option 82 information to the DHCP relay agent.

4) After receiving the response packet from the DHCP server, the DHCP relay agent strips option 82 from the packet and forwards the packet, with the DHCP configuration information, to the DHCP client.
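Steps 1) to 4) can be traced on the options field alone. The following is an added example, not code from the original article or from any switch vendor; it assumes the standard DHCP code/length/value option encoding, and the sample circuit ID, MAC address and pool policy are constructed values.

```python
PAD, END, OPT82 = 0, 255, 82
CIRCUIT_ID, REMOTE_ID = 1, 2          # option 82 sub-options 1 and 2

def parse_tlvs(data, top_level=True):
    """Decode code/length/value items; PAD and END exist only at top level."""
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if top_level and code == PAD:
            i += 1
            continue
        if top_level and code == END:
            break
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option at offset %d" % i)
        items.append((code, data[i + 2:i + 2 + data[i + 1]]))
        i += 2 + data[i + 1]
    return items

def build(items, end=True):
    body = b"".join(bytes([c, len(v)]) + v for c, v in items)
    return body + (bytes([END]) if end else b"")

def relay_add_option82(options, circuit_id, remote_id):
    """Step 2: append option 82 after the client's own options."""
    items = parse_tlvs(options)
    if any(c == OPT82 for c, _ in items):
        # Step 1 says client requests carry no option 82; reject one that does.
        raise ValueError("client-supplied option 82")
    sub = build([(CIRCUIT_ID, circuit_id), (REMOTE_ID, remote_id)], end=False)
    return build(items + [(OPT82, sub)])

def server_select_pool(options, policy, default):
    """Step 3: choose an address pool from the option 82 contents."""
    for code, value in parse_tlvs(options):
        if code == OPT82:
            sub = dict(parse_tlvs(value, top_level=False))
            return policy.get((sub.get(REMOTE_ID), sub.get(CIRCUIT_ID)), default)
    return default

def relay_strip_option82(options):
    """Step 4: remove option 82 before forwarding the reply to the client."""
    return build([(c, v) for c, v in parse_tlvs(options) if c != OPT82])

# Constructed sample: option 53 (message type) = 1, then END.
CLIENT_OPTS = bytes([53, 1, 1, END])
RELAY_MAC = bytes.fromhex("001122334455")   # constructed remote ID
CIRCUIT = b"Vlan10+Ethernet1/0/3"           # constructed circuit ID
POLICY = {(RELAY_MAC, CIRCUIT): "10.0.10.0/24"}  # hypothetical server policy
```

The rejection in `relay_add_option82` is a design choice of this example: if the relay passed a client-supplied option 82 through, the client could pick its own pool in step 3.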

802.1X Authentication Based on Option 82

DOT1X authentication based on DHCP option 82 is generally used in environments where users obtain addresses through DHCP. The DHCP server must support an address allocation policy based on option 82. Before obtaining an IP address, the user is in a controlled state and can only access the DHCP server. After obtaining an IP address, the user is in a secure state, and the access switch forwards the user's IP and ARP packets. Users can obtain different addresses before and after authentication. By configuring ACLs on the aggregation switch connected to the access switch, you can decide which resources users with different source addresses may reach, and so control user access permissions before and after authentication.

To let DHCP users obtain IP addresses in different network segments before and after authentication, the DCN switch uses DHCP option 82 together with DHCP snooping. Option 82 is usually attached to the DHCP packet by the DHCP relay agent. The DCN switch extends this function so that DHCP snooping can append option 82 information when it listens to DHCP packets. Before a DHCP user has authenticated, DHCP snooping fills option 82 with a default value. If the user passes authentication after successfully obtaining an address, the backend of the 802.1X authentication server sends the user's option 82 information to the switch, and the DOT1X client applies for an address again. This time DHCP snooping appends the user's authenticated option 82 information when it listens to the DHCP packets, and the DHCP server assigns the user another address based on that information. Because the user's address differs before and after authentication, you can configure source-IP-based ACLs on the aggregation switch connected to the access switch to control the user's access permissions.