DHCP policies based on Relay Agent Information Option (option 82), DHCP Snooping and IP Source Guard


The DHCP server in Windows Server 2012 supports provisioning customized IP address and network configurations to DHCP clients using DHCP policies. Policies can be created based on several criteria, one of which is the relay agent information option, commonly referred to as option 82. For a better understanding of DHCP server policies and how to configure a policy, please refer to this post. In this blog post, we will discuss how you can create and use DHCP policies based on the relay agent information option. We will also talk about how support for option 82 in the Windows Server 2012 DHCP server aids DHCP snooping and IP Source Guard on the network switch.

Relay Agent Information Option - DHCP Option 82

A DHCP relay agent relays DHCP messages between DHCP clients and DHCP servers that are in different IP subnets. It allows an administrator to serve several subnets from one DHCP server by placing a DHCP relay in each subnet, which relays the client requests to the DHCP server and the server responses back to the clients.

The relay agent can insert additional information about the client (such as the client's network ID, the switch port to which the client is connected, a subscriber identifier, etc.) into DHCP requests before forwarding them to the DHCP server. The relay agent inserts this additional information using option 82, the relay agent information option. The DHCP server can be configured with policies that provide customized configuration to clients based on these additional fields inserted by the relay agent in the DHCP client message. The customized configuration in a policy includes assigning an IP address from a specific IP address range, a lease duration and a specific set of option values.

The relay agent information option (DHCP option 82) is an aggregation of sub-options. Starting with Windows Server 2012, this option and the associated sub-options are supported by the Windows DHCP server. The supported options and sub-options are:

  1. DHCP Relay Agent (RA) Information Option [Option 82] - RFC 3046
  2. Circuit ID, RA Sub-Option [Sub Option ID - 1] - RFC 3046
  3. Remote ID, RA Sub-Option [Sub Option ID - 2] - RFC 3046
  4. Subscriber ID, RA Sub-Option [Sub Option ID - 6] - RFC 3993
  5. Server Identifier Override Option, RA Sub-Option [Sub Option ID - 11] - RFC 5107

Using DHCP policies based on the relay agent information option, you can use these fields (remote ID, circuit ID, subscriber ID) to assign IP addresses and implement constraints such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID.

If your enterprise uses a DHCP relay agent that supports option 82, this feature is for you!

Configuring Policies using Relay Agent Information and its sub-options

As mentioned earlier, the DHCP server can give customized IP addresses and configuration options based on option 82 and its sub-options. Policies are the way to achieve this in the Windows Server 2012 DHCP server.

Figure 1: Configuring RA Option as Policy Condition

Policies can be created at the DHCP server level (applicable server-wide) and at the DHCP scope level (applicable to the specific subnet). The IP address range and configuration options defined for such a policy are applied to any client request whose option 82 (added by the DHCP relay agent) matches the policy condition.

Figure 1 shows the DHCP MMC policy wizard page for configuring a policy condition based on the relay agent information option. As seen in the figure, the DHCP server allows policies to be based on option 82 either as a single value or on its individual sub-options. In the former case, the option 82 present in the DHCP request packet is compared byte by byte with the policy condition value. In the latter case, the contents of option 82 in the DHCP request are parsed into sub-options, and each sub-option configured in the policy condition is matched separately. The DHCP server sends the response message to the client based on the IP address range and options of the matched policy. The values for the policy condition must be provided in hexadecimal format. Hence, if a sub-option carries an alphanumeric value, it must be converted to the equivalent hex value, and that hex value is given as the policy condition value. Also, by default the DHCP server echoes back the option 82 received in the DHCP request in all DHCP responses.

As you may have noticed, the server identifier override sub-option is not used in the policy condition value. Relay agents use this sub-option to provide the IP address that the DHCP server should place in the Server Identifier option [DHCP Option 54] of its replies, instead of the DHCP server's own IP address. By default, only the DHCP messages that the client broadcasts pass through the relay agent. The DHCP renew messages that the DHCP client unicasts to the IP address of the DHCP server do not pass through the relay agent.

By inserting the IP address of the relay agent in the server identifier field, the DHCP server ensures that all DHCP requests pass through the DHCP relay agent, including DHCP renew messages, which are now unicast to the IP address of the DHCP relay agent. The relay agent can then add option 82 and its sub-options to all DHCP client messages before they are seen by the DHCP server. This ensures the policy is applied to both unicast and broadcast DHCP requests.
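The following is an added example, not code from the original post or from the Windows DHCP server. It ties together the sub-option list above, the hex-format policy condition values, and the server identifier override behaviour: it encodes an option 82 payload as (code, length, value) sub-options, parses it back, derives the hex string a policy condition would be entered as (both for the whole option and per sub-option), and shows which address ends up in option 54 when sub-option 11 is present. The circuit ID `Gi1/0/24`, the remote ID bytes and all IP addresses are constructed sample values, and the policy-match functions model the matching rules described above rather than reproduce the server's implementation.

```python
"""Added example (not from the original post): encoding and parsing the
relay agent information option (DHCP option 82, RFC 3046), deriving the
hex policy condition value from it, and applying the server identifier
override sub-option (11, RFC 5107).  All sample values are constructed."""

from __future__ import annotations

import ipaddress

OPT_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1          # RFC 3046
SUBOPT_REMOTE_ID = 2           # RFC 3046
SUBOPT_SUBSCRIBER_ID = 6       # RFC 3993
SUBOPT_SERVER_ID_OVERRIDE = 11 # RFC 5107


def encode_option82(subopts: dict[int, bytes]) -> bytes:
    """Build the option 82 payload: a sequence of (code, length, value)
    sub-options in the order given.  Returns only the payload, i.e. the
    bytes that follow the option 82 code and length in the packet."""
    out = bytearray()
    for code, value in subopts.items():
        if len(value) > 255:
            raise ValueError(f"sub-option {code} value too long")
        out += bytes([code, len(value)]) + value
    return bytes(out)


def parse_option82(payload: bytes) -> dict[int, bytes]:
    """Split an option 82 payload into its sub-options.  A truncated or
    overlong sub-option is rejected rather than silently skipped: a
    malformed relay option is better dropped than half-parsed."""
    subopts: dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} runs past end of option")
        subopts[code] = value
        i += 2 + length
    return subopts


def condition_hex(value: bytes) -> str:
    """Policy condition values are entered in hex, so an alphanumeric
    circuit ID such as b'Gi1/0/24' has to be converted first."""
    return value.hex().upper()


def whole_option_matches(payload: bytes, condition: str) -> bool:
    """'Single value' policy condition: the entire option 82 payload is
    compared byte by byte with the configured hex value."""
    return condition_hex(payload) == condition.upper()


def suboptions_match(payload: bytes, condition: dict[int, str]) -> bool:
    """Per-sub-option policy condition: every sub-option listed in the
    condition must be present in the request and equal the hex value."""
    present = parse_option82(payload)
    return all(
        code in present and condition_hex(present[code]) == want.upper()
        for code, want in condition.items()
    )


def server_identifier(payload: bytes, server_ip: str) -> str:
    """Address the server places in option 54 of its reply.  With
    sub-option 11 present, the relay's address is used instead of the
    server's own, so the client's unicast renewals go back through the
    relay and keep carrying option 82."""
    override = parse_option82(payload).get(SUBOPT_SERVER_ID_OVERRIDE)
    if override is None:
        return server_ip
    if len(override) != 4:
        raise ValueError("server identifier override must be an IPv4 address")
    return str(ipaddress.IPv4Address(override))


if __name__ == "__main__":
    # Constructed request: circuit ID from a hypothetical switch port plus
    # a 6-byte remote ID; the second request also carries sub-option 11.
    req = encode_option82({SUBOPT_CIRCUIT_ID: b"Gi1/0/24",
                           SUBOPT_REMOTE_ID: bytes.fromhex("aabbccddeeff")})
    print("condition value for circuit ID:", condition_hex(b"Gi1/0/24"))
    print("matches per-sub-option policy:",
          suboptions_match(req, {SUBOPT_CIRCUIT_ID: "4769312F302F3234"}))
    print("option 54 without override:", server_identifier(req, "10.0.0.5"))
    req2 = encode_option82({SUBOPT_CIRCUIT_ID: b"Gi1/0/24",
                            SUBOPT_SERVER_ID_OVERRIDE: bytes([192, 168, 1, 1])})
    print("option 54 with override:", server_identifier(req2, "10.0.0.5"))
```

The value printed by `condition_hex(b"Gi1/0/24")` is the string you would paste into the circuit ID field of the policy condition; the per-sub-option matcher deliberately fails when a configured sub-option is absent from the request, which is the situation the renew-without-relay discussion below runs into.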

DHCP snooping, IP Source Guard and DHCP Server Policies

DHCP snooping and IP Source Guard are features provided by most popular network switches that can be used to secure a network by controlling traffic from untrusted clients. When DHCP snooping is enabled on the switch, the switch builds a binding database containing the IP address, MAC address, VLAN and interface to which each client is connected by "snooping" on DHCP transactions.

The snooping database can then be used on the switch to enable IP Source Guard and dynamic ARP inspection, which prevents ARP spoofing. IP Source Guard consults the snooping database when a packet is received on one of the interfaces in the database and compares the packet's source address with the assigned address listed there. If the source address differs from the "allowed" address, the packet is assumed to be spoofed and is discarded. Dynamic ARP inspection checks the IP address in the Source Protocol Address field of ARP packets: if that IP address is not one that DHCP snooping has recorded as being in use by a host connected to the ingress port of the ARP packet, the ARP packet is dropped.

These scenarios are aided by the support for option 82 on the DHCP server. Even if no policies are configured for the relay agent information option, the Windows Server 2012 DHCP server echoes the relay agent information option in its response to the client whenever it was present in the DHCP request message, and thus helps the switch build the DHCP snooping database. The DHCP server also logs the relay agent information option value in the server audit log, which the administrator can use to physically track each client device, since the relay agent information contains the switch port information.
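As an added example (not code from the original post or from any switch vendor), here is a minimal model of the switch-side behaviour described in the three paragraphs above. The modelled switch tags client requests from access ports with its own port name as the circuit ID, expects the server to echo option 82 in the DHCPACK, records the resulting (VLAN, port, MAC, IP) binding, and then uses that binding table for IP Source Guard and dynamic ARP inspection decisions. Port names, MAC addresses, transaction IDs and IP addresses are all constructed sample values; the class and method names are this example's own.

```python
"""Added example (not from the original post): a small model of DHCP
snooping, IP Source Guard and dynamic ARP inspection on an access switch.
Server-facing ports are 'trusted'; everything else is untrusted and gets
server messages and unknown source addresses dropped.  Sample values
used with this class are constructed."""


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted_ports = set(trusted_ports)
        # Binding database: (vlan, port, client MAC) -> leased IP
        self.bindings = {}
        # Requests forwarded but not yet answered: xid -> (vlan, port, MAC)
        self.pending = {}

    def relay_request(self, port, vlan, xid, chaddr, client_option82=None):
        """DISCOVER/REQUEST arriving from a client.  A client on an untrusted
        port may not supply its own option 82 (it could forge the port
        information), so such a request is dropped and None is returned.
        Otherwise the request is remembered and the circuit ID the switch
        inserts into the forwarded copy (its own port name) is returned."""
        if port not in self.trusted_ports and client_option82 is not None:
            return None
        self.pending[xid] = (vlan, port, chaddr)
        return port.encode()

    def snoop_ack(self, port, xid, chaddr, yiaddr, echoed_circuit_id):
        """DHCPACK coming back from the server side.  Server messages are
        accepted only on trusted ports; an ACK on an access port indicates a
        rogue server and is dropped.  The circuit ID echoed by the server
        (option 82, sub-option 1) must agree with the port on which the
        matching request was seen; then the binding is recorded."""
        if port not in self.trusted_ports:
            return False
        request = self.pending.pop(xid, None)
        if request is None:
            return False
        vlan, client_port, mac = request
        if mac != chaddr or echoed_circuit_id != client_port.encode():
            return False
        self.bindings[(vlan, client_port, chaddr)] = yiaddr
        return True

    def ip_source_guard(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: an IP packet from an untrusted port passes only
        if its source MAC/IP pair is the binding learned for that port."""
        if port in self.trusted_ports:
            return True
        return self.bindings.get((vlan, port, src_mac)) == src_ip

    def arp_inspection(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP inspection: the sender protocol address in an ARP
        packet must be the address snooping recorded for that sender on
        the ingress port; otherwise the ARP is dropped (anti-spoofing)."""
        if port in self.trusted_ports:
            return True
        return self.bindings.get((vlan, port, sender_mac)) == sender_ip


if __name__ == "__main__":
    # Constructed scenario: uplink Gi1/0/48 faces the DHCP server, a client
    # on Gi1/0/3 obtains 192.0.2.50 and then one spoofed packet is tested.
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/48"})
    cid = sw.relay_request("Gi1/0/3", 10, 0x1234, "00:11:22:33:44:55")
    sw.snoop_ack("Gi1/0/48", 0x1234, "00:11:22:33:44:55", "192.0.2.50", cid)
    print("bindings:", sw.bindings)
    print("own address allowed:",
          sw.ip_source_guard("Gi1/0/3", 10, "00:11:22:33:44:55", "192.0.2.50"))
    print("spoofed gateway allowed:",
          sw.arp_inspection("Gi1/0/3", 10, "00:11:22:33:44:55", "192.0.2.1"))
```

The echo of option 82 matters at `snoop_ack`: without the circuit ID coming back in the DHCPACK, the switch has to fall back on its own memory of the request (`pending` here), and a client that gets an address the switch never saw granted ends up with no binding and is blocked by IP Source Guard.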


The relay agent information option and its sub-options can be used to specify conditions in policies on the DHCP server. These policies can provide customized IP addresses and options to clients based on circuit ID, remote ID, etc. In general, this feature can be used in scenarios where the DHCP relay agent is capable of appending the relay agent information option, including networks where IP Source Guard/DHCP snooping is deployed.

We would be happy to hear any questions and feedback and to assist! Give it a try; we hope you find it useful.

Team Dhcp

Comments (27)
  1. teamdhcp says:

    Huilong, yes this should work. The MMC snap-in will need to store the configuration on the DHCP server machine in a separate file/store.

  2. teamdhcp says:

    Huilong, you can use the DHCP server callout API to write a callout dll. You can find the API reference here –

  3. teamdhcp says:

    Yes Huilong. That’s correct.

  4. teamdhcp says:

    Hi Huilong
    The DHCP Server does not support option 82 sub-option 5 (link selection sub-option) or VSS sub-options for either v4 or v6 address assignments. Similarly, Windows Server does not support multiple VRFs either.

  5. teamdhcp says:

    Hi XiuFei, you can get IP address from a specific IP pool within a subnet by creating a DHCP policy with a condition based on Option 82 information.

  6. teamdhcp says:

    Hi Ulrik, yes – you can configure a DHCP policy with a condition based on the relay agent information and with an IP address range. The IP address range should have the number of IP addresses that can be leased to devices connected to that switch port.

  7. teamdhcp says:

    FC, Windows DHCP server supports server override option. There is no further configuration required on the DHCP server for this. You will need to configure the DHCP relay so that it includes a server override option when it forwards the DHCP client messages.
    You will need to get the details of how to do that on the DHCP relay from the vendor’s documentation.

  8. teamdhcp says:

    Hi Huilong, can you please confirm that you have built the DLL for the 64-bit platform.

  9. teamdhcp says:

    Hi Joseph
    To accomplish what you want you would need to have support for option 82 sub-option 5 in DHCP Server which is not supported in Windows DHCP Server.

  10. teamdhcp says:

    Hi Huilong
    Not sure whether there exists a precise solution to your problem, but you can try creating a bigger scope and selecting an IP address range within that scope based on a circuit ID based policy. But keep in mind that you will be able to control the address range but not the subnet scope by doing that. Tell us if that works for you.

  11. teamdhcp says:

    Hi FC, the server identifier is a field which is populated by the DHCP server in the DHCP OFFER message automatically with the IP address of the DHCP server. You do not need to set this.
    Can you elaborate on what scenario you are trying to accomplish?

  12. Ulrik Ivers says:

    Is there a way to configure a policy (or other method) to limit the number of IP addresses that will be handed out to clients with a specific value in Relay Agent Information?

    This to limit the number of addresses that can be leased to devices connected to a specific port of a switch.

  13. Xiufei says:

    If I want to get the IP address subnet from the DHCP server by option 82 information, such as port+VLAN+sysname, is that possible?

  14. Oldmate says:

    Hi guys, if possible, how would you define a policy to direct a DHCP request that was relayed by a foreign agent (i.e. the relay and giaddr are on network x but we want an address from subnet y) to a specific pool using the option 82 fields?

  15. joesph says:

    Can I use option 82 as an alternative to VLAN pooling? Meaning I have 1000 clients connecting through a wireless controller and I want each of these users in specific subnets.

  16. Huilong says:


    I am working on a project that needs to support Windows DHCP server. I have a few questions:

    1) Does it support "link selection" suboption (RFC3527)?

    2) Can I specify a policy at DHCP server level to select a scope based on a specific value in option 82?

    3) Does the Windows DHCP server support multiple VRFs, considering that the same IP scope can appear on different VRFs?

    Would you let me know the answers? Thanks a lot.


  17. Huilong says:

    Hi, teamdhcp,

    Thanks a lot for your reply.

    Actually my use case is the following: the DHCP server is on a subnet X, the clients are on a subnet Y. The DHCP server cannot reach subnet Y. I have a relay agent accessing both subnet X and subnet Y. The relay agent forwards the client requests to the DHCP server. It puts its subnet X address as giaddr (so the server can send the reply back) and puts its subnet Y address in the link selection sub-option. The relay agent also puts an identifier for subnet Y in the circuit ID in option 82.

    For other DHCP servers, such as dhcpd, we can either use the circuit ID or the link selection to select the right scope for subnet Y. But on windows DHCP server, I could not make it work.

    As you said, link selection is not supported by windows server. Is it possible to use the circuit ID to select scope then? How to make it work?

    Please provide suggestions/comments. Your help is highly appreciated.

    Best regards,

  18. Huilong says:

    Some more details about how I make dhcpd work in my use case: I define a class C matching on the subnet Y identifier in the Circuit ID. I also define a "shared-network" containing both subnet X and subnet Y. For subnet Y, I specify a policy that it "allows members of class C". dhcpd can correctly select subnet Y based on the class and the policy.

    I am wondering how I can do the same thing on Windows Server 2012. I do see that the DHCP policy can match on the circuit ID value. However, I cannot use the server level policy to select a subnet scope. I can only use the scope level policy to select an address range within the scope, but that is not what I want. What I want is to use the policy to select a scope. How can I do that?

    Best regards,

  19. Huilong says:

    Hi, teamdhcp,

    Thanks a lot for your suggestion.

    However, using one big scope is too restrictive, since we have subnets with quite different prefixes. It also has the issue that the returned subnet masks are not correct for the subnets: it returns the mask for the scope, not for the IP address range. I don't see how to override it in the policy.

    From another blog:
    http://blogs.technet.com/b/teamdhcp/archive/2009/06/12/option-based-ip-address-assignment-callout-dll.aspx , it seems the Windows DHCP server supports a callout DLL approach. Is it possible to write a callout DLL to resolve the problem? Any suggestions and comments on this approach? Where can I find the related documentation on how to write the callout DLL for the Windows DHCP server?

    Best regards,

  20. Huilong says:

    Hi, teamdhcp,

    Thanks a lot for your reply.

    I am thinking of following design:

    * User defines scopes, one for each subnet, on the DHCP server.
    * Write an MMC snap-in to allow the user to define a map between circuit IDs and the scopes.

    * The DHCP relay uses its subnet X address in GiAddr. It also puts an ID for subnet Y (client subnet) in circuit ID.

    * Write a callout DLL that intercepts packets using DhcpNewPktHook() and DhcpPktSendHook().

    * In DhcpNewPktHook(), change the GiAddr to an address from subnet Y, so that the DHCP server will pick offer from scope Y.

    * In DhcpPktSendHook(), change the GiAddr back to the original address from subnet X, so that the DHCP server will send the response back to the relay agent through subnet X.

    Do you think the design will work? Any comments/suggestions?

    Best regards,

  21. Huilong says:

    Thank you for all your responses. One last thing I want to double check before I go with the callout DLL approach: on Windows DHCP server, GIAddr is the ONLY way to select a scope, and there is no way to work around it (except to write a DLL as I planned), is that correct? Would you confirm this? Thanks a lot.

  22. Huilong says:


    Thanks a lot for your confirmation.

    I am now working on the callout DLL approach. However, when I tried to load a testing DLL, I got the following error in the system log:

    The DHCP service has failed to load one or more callout DLLs. The following error occured:

    %1 is not a valid Win32 application.
    is not a valid Win32 application.
    is not a valid Win32 application.
    is not a valid Win32 application.

    The testing DLL was simply built from code in this blog:
    http://blogs.technet.com/b/teamdhcp/archive/2009/07/06/dhcp-server-callout-api-usage.aspx . What could be wrong?

    I am running a Windows server 2012 64-bit. I heard the callout DLL approach may not work on 64 bit OS. Is that true?

  23. FC says:

    Hi teamdhcp,

    I need to set Server Identifier option [DHCP Option 54] on a W2012 DHCP for several scopes. Is that even possible?

    I cannot find any documentation/examples how to do this.

    Best regards,

  24. FC says:

    Hello teamdhcp, I'm using a DHCP relay service which has one setting: the DHCP server. The clients can't get to the DHCP server directly (no route). So I'd like to try overriding the Server Identifier so clients can renew their IP quicker. Also I want to "hide" the real DHCP server.

    Best regards,

  25. FC says:

    Hello teamdhcp, Thank you for your response.

  26. jan says:

    We are trying to use DHCP policies, but have an issue when clients are renewing their leases. So far we have not been able to make the relay agent insert sub-option 11, and as a result the renewal request does not include option 82, and the server delivers options without the additional policy options.
    While our network guy is trying to insert this server id override option, I am looking for alternatives.

    In RFC 3046 I am noticing this:
    Note that DHCP relay agents are not required to monitor unicast DHCP
    messages sent directly between the client and server (i.e., those
    that aren't sent via a relay agent). However, some relay agents MAY
    chose to do such monitoring and add relay agent options.
    Consequently, servers SHOULD be prepared to handle relay agent
    options in unicast messages, but MUST NOT expect them to always be

    That is, server must not expect option 82 to always be there. But to me it seems as if MS DHCP does exactly this.
    Is either of the following possible:
    – To make DHCP server remember and reuse option 82 value(s) when renewing?
    – To make DHCP server force Server override with relay agents IP, if sub-option 11 is not present?

  27. teamdhcp says:

    Hello Jan, if your policy is based on DHCP option 82 (relay agent information option), it will require that the relay agent be involved in the renew request as well, since the policies are applied based on what is present in the request message. The way to have the relay agent in the path of the request message is inserting the server override option (id 11) specified in RFC 5107.
    Windows DHCP server does not remember/reuse option 82 values or force a server override if sub-option 11 is not present.
