Sunday 20 July 2014

How to enable DHCP Relay Option 82 on a Cisco DHCP Server?


Option 82 is defined in RFC 3046 (https://tools.ietf.org/rfc/rfc3046.txt). It is the DHCP Relay Agent Information Option, and it carries two sub-options: the Agent Circuit ID sub-option (sub-option 1) and the Agent Remote ID sub-option (sub-option 2).

How DHCP Relay works


DHCP Server -----DHCP Relay -------DHCP Client

1) The DHCP client broadcasts a DHCPDISCOVER on its LAN; the relay, which listens on that segment, receives it.

2) The relay knows the DHCP server's IP address. It increments the hops field, writes its own LAN-side (client-facing) IP address into the giaddr field (the relay agent address) and forwards the packet to the server as a unicast.

3) The server sees a non-zero giaddr, so it knows the packet came through a relay. It selects the pool whose network contains giaddr and sends the DHCPOFFER as a unicast back to the relay agent.

4) The relay forwards the DHCPOFFER to the client.

5) The DHCPREQUEST from the client and the DHCPACK from the server follow the same path.

6) The client is not aware that there is a relay in between; to the client the relay behaves like the DHCP server.

7) The relay routes between the two segments, so its two interfaces have addresses in different subnets (192.168.7.x towards the server and 10.x towards the client in the setup below).


Option 82

A server that only looks at giaddr can tell which relay forwarded a request, but not which port or circuit behind that relay the client sits on. Option 82 fills that gap: the relay inserts it into the client's request, its Agent Circuit ID sub-option identifies the interface (circuit) the request arrived on, and its Agent Remote ID sub-option identifies the relay itself. The server can then hand out addresses from a different pool or range per relay, or per circuit behind one relay, by matching the sub-option values it expects from each relay in its class definitions; those values have to be configured on the server exactly as the relay sends them. Because the server trusts this information to locate the client, only the relay may set it: a packet arriving from a client that already carries option 82 (with giaddr still zero) is a spoofing attempt and should not be forwarded unchanged. ISC dhcrelay's -m option controls how such packets are handled.

How to enable option 82 in Cisco DHCP Server

192.168.7.1 192.168.7.2 10.0.0.1
Cisco DHCP Server -----Fedora 11 Linux DHCP Relay -----Windows XP DHCP Client

In this setup we will see how we can enable option 82 in both Linux DHCP Relay agent and CISCO DHCP Server.

Linux DHCP Relay Configuration

1) Download and install the latest dhcrelay rpm; I have used isc-dhcrelay-4.2.2rc1.

2) Start dhcrelay with the command below:

dhcrelay -a -d -i eth1 -i eth2 192.168.7.1

-a makes dhcrelay append the relay agent information option (option 82) to the client packets it forwards, -d keeps it in the foreground logging to stderr, -i lists the interfaces it listens on, and 192.168.7.1 is the DHCP server. Open Wireshark, capture a forwarded DHCPDISCOVER and note down the value of option 82; that is the value the Cisco class has to match.

Cisco DHCP Server Configuration for option 82

configure terminal
ip dhcp use class

ip dhcp class relay1
  relay agent information
    relay-information hex 01060240234*

ip dhcp pool pool1
  network 10.0.0.0 255.0.0.0
  default-router 10.0.0.1
  class relay1
    address range 10.0.0.10 10.0.0.20

ip route 10.0.0.0 255.0.0.0 192.168.7.2


The hex value 01060240234* is the option 82 data seen in the DHCPDISCOVER that the relay forwards to the server (the client itself never sends option 82; the relay inserts it). It decodes as sub-option 01 (Agent Circuit ID), length 06, followed by six data bytes: dhcrelay fills the Circuit ID with the hardware address of the interface the request arrived on, so the bytes 02 40 23 4... are the start of the relay's eth2 MAC address. The trailing * makes it a prefix match, so you only need to type the part you want to pin down. The static route is needed because the server sends its unicast DHCPOFFER to giaddr (10.0.0.1), which lives behind the relay. If you have several relays in the network, add one class per relay with that relay's option 82 value, an address range for that class in the pool, and a static route to the subnet behind that relay; the server will then assign addresses from the range configured for whichever relay forwarded the request.
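The relay step and the server-side class match above, as an added Python model (not part of the original post, of ISC dhcrelay or of IOS): it builds a client DHCPDISCOVER, does what a relay agent started with -a does to it (hop count, giaddr, option 82 with a Circuit ID sub-option), and then applies an IOS-style hex prefix match to pick the address range. The client MAC, the relay's eth2 MAC (02:40:23:4a:5b:6c, chosen to fit the 01060240234* pattern), the hop limit and the packet-building helpers are assumptions; 10.0.0.1, the class name and the pattern come from the post.

```python
import socket
import struct

# Constructed sample values (not from the original post, except 10.0.0.1 and the class pattern)
CLIENT_MAC = bytes.fromhex("001122334455")   # hypothetical Windows client MAC
RELAY_MAC = bytes.fromhex("0240234a5b6c")    # hypothetical MAC of the relay's client-facing eth2
RELAY_GIADDR = "10.0.0.1"                    # relay's LAN-side address from the post's topology
MAX_HOPS = 10                                # assumed hop limit (dhcrelay sets its limit with -c)

OPT_MSG_TYPE, OPT_RELAY_AGENT = 53, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
MAGIC_COOKIE = bytes([99, 130, 83, 99])
BOOTP_HDR = 236                              # fixed BOOTP header length before the cookie


def build_discover(client_mac, xid=0x3903F326):
    """A client's broadcast DHCPDISCOVER: BOOTREQUEST, hops=0, giaddr=0.0.0.0."""
    zero4 = b"\0" * 4
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 0,                  # op, htype=Ethernet, hlen, hops
                      xid, 0, 0x8000,              # xid, secs, flags (broadcast bit)
                      zero4, zero4, zero4, zero4,  # ciaddr, yiaddr, siaddr, giaddr
                      client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 1, 255])  # type=DISCOVER, END


def parse_options(pkt):
    """{code: value} for the options after the magic cookie, honouring PAD and END."""
    if pkt[BOOTP_HDR:BOOTP_HDR + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    i, opts = BOOTP_HDR + 4, {}
    while i < len(pkt):
        code = pkt[i]
        if code == 0:            # PAD: one byte, no length
            i += 1
            continue
        if code == 255:          # END
            break
        length = pkt[i + 1]
        opts[code] = bytes(pkt[i + 2:i + 2 + length])
        i += 2 + length
    return opts


def parse_option82(value):
    """Split the option 82 value into its sub-options: {1: circuit-id, 2: remote-id}."""
    i, subs = 0, {}
    while i < len(value):
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def build_option82(circuit_id, remote_id=None):
    """Encode the RFC 3046 sub-options as TLVs; this is the option's value, not the whole option."""
    body = bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id is not None:
        body += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    return body


def relay_forward(pkt, giaddr, relay_mac):
    """Model of what the relay (dhcrelay -a) does before unicasting a client packet to the
    server: bump hops, set giaddr if it is still zero, append option 82 as the last option."""
    opts = parse_options(pkt)
    hops = pkt[3] + 1
    if hops > MAX_HOPS:
        raise ValueError("hop count exceeded, packet dropped")
    client_facing = pkt[24:28] == b"\0" * 4
    if OPT_RELAY_AGENT in opts and client_facing:
        # A client may not claim a circuit: option 82 with giaddr still zero came from the
        # client, not from a relay. Dropping it is one of the policies dhcrelay -m offers.
        raise ValueError("client-originated option 82, packet dropped")
    gi = socket.inet_aton(giaddr) if client_facing else pkt[24:28]  # only the first relay sets giaddr
    # dhcrelay uses the hardware address of the receiving interface as the Circuit ID
    opts[OPT_RELAY_AGENT] = build_option82(relay_mac)
    options = b"".join(bytes([c, len(v)]) + v for c, v in opts.items())
    return pkt[:3] + bytes([hops]) + pkt[4:24] + gi + pkt[28:BOOTP_HDR] + MAGIC_COOKIE + options + b"\xff"


def hex_pattern_match(value, pattern):
    """IOS 'relay-information hex PATTERN*' style: prefix match when the pattern ends in '*'."""
    h, p = value.hex(), pattern.lower()
    return h.startswith(p[:-1]) if p.endswith("*") else h == p


def select_address_range(opts, classes):
    """Server side (ip dhcp use class): the first class whose pattern matches option 82 wins."""
    value = opts.get(OPT_RELAY_AGENT)
    if value is None:
        return None
    for name, pattern, address_range in classes:
        if hex_pattern_match(value, pattern):
            return name, address_range
    return None


CLASSES = [("relay1", "01060240234*", ("10.0.0.10", "10.0.0.20"))]  # mirrors the IOS config above


def demo():
    relayed = relay_forward(build_discover(CLIENT_MAC), RELAY_GIADDR, RELAY_MAC)
    opts = parse_options(relayed)
    return {
        "hops": relayed[3],
        "giaddr": socket.inet_ntoa(relayed[24:28]),
        "msg_type": opts[OPT_MSG_TYPE][0],
        "option82_hex": opts[OPT_RELAY_AGENT].hex(),
        "circuit_id": parse_option82(opts[OPT_RELAY_AGENT])[SUB_CIRCUIT_ID].hex(),
        "class": select_address_range(opts, CLASSES),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The option82_hex value the model produces starts with 01060240234, i.e. the same bytes the post reads out of Wireshark, which is why the IOS pattern with its trailing * matches it; a DISCOVER that never passed through the relay carries no option 82 and falls into no class, and a client that forges option 82 is dropped at the relay before the server ever sees it.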

DHCP Client

ipconfig /release

ipconfig /renew

The client should now get 10.0.0.10, the first address of the range configured for class relay1.


On Windows Server 2012 the DHCP policies can match the whole option 82 value or its individual sub-options, Agent Circuit ID and Agent Remote ID.

Keep Learning , Keep Sharing!

Tuesday 1 July 2014

Which parameter defines the wireless client's maximum idle timeout?

Question: Once a wireless client is connected (authenticated and associated) to an access point, if no data passes between the client and the AP, after how much time will the connection be dropped, and which parameter defines that?

Answer: The parameter is the BSS Max Idle Period, defined in IEEE 802.11-2012 as follows:

The BSS Max Idle Period element contains the time period a non-AP STA can refrain from transmitting frames to the AP before the AP disassociates the STA due to inactivity.


The Max Idle Period field indicates the time period during which a STA can refrain from transmitting frames to its associated AP without being disassociated. The Max Idle Period field is a 16-bit unsigned integer. The time period is specified in units of 1000 TUs. The value of 0 is reserved. A non-AP STA is considered inactive if the AP has not received a data frame or management frame of a frame exchange sequence initiated by the STA for a time period equal to or greater than the time specified by the Max Idle Period field value.

The Idle Options field indicates the options associated with the BSS Idle capability.


The Protected Keep-Alive Required bit set to 1 indicates that the STA sends an RSN protected frame to the AP to reset the Idle Timer at the AP for the STA, as defined in 10.23.12. If the Protected Keep-Alive Required bit is 0, the STA sends either an unprotected or a protected frame to the AP to reset the Idle Timer at the AP.


The BSS Max Idle Period element is included in Association Response frames and Reassociation Response frames.


In hostapd it is set with the parameter ap_max_inactivity=300. Note the unit: ap_max_inactivity is in seconds, whereas the Max Idle Period field in the element is in units of 1000 TUs (1.024 s), so the value sent on the air is not the raw number from the config file.


# Station inactivity limit

#
# If a station does not send anything in ap_max_inactivity seconds, an
# empty data frame is sent to it in order to verify whether it is
# still in range. If this frame is not ACKed, the station will be
# disassociated and then deauthenticated. This feature is used to
# clear station table of old entries when the STAs move out of the
# range.
#
# The station can associate again with the AP if it is still in range;
# this inactivity poll is just used as a nicer way of verifying
# inactivity; i.e., client will not report broken connection because
# disassociation frame is not sent immediately without first polling
# the STA with a data frame.
# default: 300 (i.e., 5 minutes)
#ap_max_inactivity=300
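As an added example that is not from the post, from hostapd or from the standard: a Python encoder/decoder for the BSS Max Idle Period element quoted above, plus the seconds-to-units conversion an AP has to do when it turns a config value such as hostapd's ap_max_inactivity=300 into the field. Element ID 90 and the little-endian field layout are from 802.11-2012; the sample Association Response tail, its SSID, the rounding direction and the choice of half the period as a keep-alive interval are assumptions.

```python
import math
import struct

EID_SSID = 0
EID_BSS_MAX_IDLE_PERIOD = 90         # element ID in IEEE 802.11-2012
TU = 1024e-6                         # one Time Unit is 1024 microseconds
UNIT = 1000 * TU                     # the Max Idle Period field counts 1000 TUs, i.e. 1.024 s
PROTECTED_KEEPALIVE_REQUIRED = 0x01  # bit 0 of the Idle Options field


def seconds_to_units(seconds):
    """Convert an AP-side timeout in seconds (e.g. hostapd's ap_max_inactivity) to field units.
    Rounding up (an assumption, not hostapd's code) keeps the advertised period at least as
    long as the configured one; 0 is reserved and the field is 16 bits wide."""
    return min(0xFFFF, max(1, math.ceil(seconds / UNIT)))


def build_bss_max_idle_period(units, protected_keepalive):
    """Encode the element: ID 90, length 3, Max Idle Period (LE16), Idle Options (1 byte)."""
    if not 1 <= units <= 0xFFFF:
        raise ValueError("Max Idle Period 0 is reserved and the field is 16 bits")
    options = PROTECTED_KEEPALIVE_REQUIRED if protected_keepalive else 0
    return bytes([EID_BSS_MAX_IDLE_PERIOD, 3]) + struct.pack("<HB", units, options)


def parse_elements(blob):
    """Walk the tagged-parameter area of an (Re)Association Response into {eid: body}."""
    i, elems = 0, {}
    while i + 2 <= len(blob):
        eid, length = blob[i], blob[i + 1]
        elems[eid] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return elems


def decode_bss_max_idle_period(elems):
    """What a STA learns from the element: how long it may stay silent and how to keep alive."""
    body = elems.get(EID_BSS_MAX_IDLE_PERIOD)
    if body is None:
        return None                  # AP does not advertise it; only driver/vendor timeouts apply
    if len(body) != 3:
        raise ValueError("malformed BSS Max Idle Period element")
    units, options = struct.unpack("<HB", body)
    if units == 0:
        raise ValueError("reserved Max Idle Period value 0")
    period = units * UNIT
    return {
        "units": units,
        "seconds": period,
        "protected_keepalive_required": bool(options & PROTECTED_KEEPALIVE_REQUIRED),
        # Send a keep-alive well before the AP's Idle Timer expires; half the period is
        # a common, conservative choice (assumption, not mandated by the standard).
        "keepalive_interval_seconds": period / 2,
    }


# Constructed tail of an Association Response (not a real capture): an SSID element followed by
# the element an AP with a 300 s inactivity limit and protected keep-alives would include.
SAMPLE_ASSOC_RESP_IES = (bytes([EID_SSID, 4]) + b"labX"
                         + build_bss_max_idle_period(seconds_to_units(300), True))


def demo():
    return decode_bss_max_idle_period(parse_elements(SAMPLE_ASSOC_RESP_IES))


if __name__ == "__main__":
    print(demo())
```

For 300 s the field carries 293 units, which the STA reads back as about 300.03 s; the Protected Keep-Alive Required bit tells it that only an RSN-protected frame resets the AP's Idle Timer, so an unprotected null data frame would not keep the association alive.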


In the Cisco Wireless LAN Controller this setting is the User Idle Timeout.

User Idle Timeout: when a client has been idle, with no communication with its LAP (lightweight access point), for the time set as User Idle Timeout, the WLC deauthenticates it. The client then has to reauthenticate and reassociate with the WLC. The timeout covers the cases where a client disappears from its LAP without notifying it, for example because its battery died or it moved out of range.