
3532 - Configuring DHCP option space and filter in NIOS

Scenario

The appliance you ordered, Luminous Online Temperature Regulator (LOTR), has finally arrived! You can’t wait to see its magic! However, it won’t boot up correctly on the network. Upon contacting the company, Tolkien’s Inc., they inform you that you will need to supply special DHCP options to make the appliance function properly. The special options are: option 10 Config Filename and option 15 Controller IP Address. These conflict with your existing DHCP option numbers. Additionally, you want to make sure the special vendor DHCP options are only delivered to the LOTR appliances, not any others. Please make the necessary DHCP configurations on the Grid to bring the LOTR appliances online.

Hint: You may use a DHCP option filter on the DHCP server to identify LOTR devices. Once identified, send special options to these devices only.

Estimated Completion Time

25-35 minutes

Credentials

| Description | Username | Password | URL or IP |
|---|---|---|---|
| Grid Manager UI | admin | infoblox | https://10.100.0.100/ |

Course Reference

  • 3012: DHCP Troubleshooting Methodology

  • 3018: Configuring NIOS DHCP Option Spaces and Filters

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and log in to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.


Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.


Tasks

  1. Capture DHCP information

  2. Analyze the captured traffic

  3. Create a new IPv4 option space

  4. Add the DHCP options to the network

  5. Create an IPv4 option filter

  6. Verify the client behavior


Task 1: Capture DHCP information

You need to find out what the client is sending in its DHCPDISCOVER message and find something that you can use to identify the client. Enable DHCP on the VM testing-linux, while performing traffic capture on the DHCP member ibns1.

In this lab, we are using the VM testing-linux to emulate the LOTR appliance. The VM is sending special DHCP options, as would the LOTR appliances.

Task 2: Analyze the captured traffic

Download and examine the traffic capture to locate relevant DHCP option information.

Hint: Many devices use option 60 to list their make and model.

Task 3: Create a new IPv4 option space

Since the device requires DHCP option numbers (10 and 15) that conflict with existing ones, we must create a new IPv4 option space. Create a new space named Tolkien, and create the following 2 DHCP options according to the vendor’s documentation listed in Table 3532-1:

Table 3532-1

| DHCP Code | DHCP Data Type | Name or Description |
|---|---|---|
| 10 | text | Configuration Filename |
| 15 | ip-address | Controller IP Address |

Task 4: Add the DHCP options to the network

The special appliances are located on the network 172.31.101.0/24. Please update the DHCP options setting on this network, so that it contains the new vendor options. Please use these values for this network:

  • Option 10: bootfile.cfg

  • Option 15: 10.100.52.52

Task 5: Create an IPv4 option filter

You want to make sure that no other devices receive these special vendor options. Please create a DHCP filter that would help the DHCP servers identify these LOTR devices. Although you are only placing these devices on the subnet 172.31.101.0/24 for now, you plan on adding more to other networks. Thus, you need to apply the filter as a global DHCP class, so this filtering behavior is applied on every network.

Task 6: Verify the client behavior

Test your shiny LOTR appliance to make sure it receives a DHCP lease with all the correct special options.


Solutions

Task 1 Solution: Capture DHCP information

You need to find out what the client is sending in its DHCPDISCOVER message and find something that you can use to identify the client. Enable DHCP on the VM testing-linux, while performing traffic capture on the DHCP member ibns1.

Starting the traffic capture in the GM

Switch to the VM jump-desktop.

  1. In the GM web interface, navigate to Grid→Grid Manager→Members.

  2. From the Toolbar on the right, scroll down and click Traffic Capture. This opens the Traffic Capture dialog.

  3. In the Traffic Capture dialog, click the Add (+) button and select ibns1.techblue.net from the Member Selector window.

  4. Verify that the Interface for this member is set to ALL (drop-down list).

  5. Click the Capture Control Start button to start the capture.

  6. If prompted about overwriting existing capture files, answer Yes.

  7. Leave the Traffic Capture dialog open and continue to the next step.

Enabling DHCP in the test client

Switch to the VM testing-linux.

  1. Open a Terminal window on the VM testing-linux.

  2. Use the command sudo set-network-disable (sudo password: infoblox) to disable DHCP.

  3. Use the command sudo clear-dhcp-leases to clear any previous leases.

  4. Use the command sudo set-network-dhcp to re-enable DHCP.

  5. Use the command sudo show-dhcp-lease to see the lease details. Below is an example of the output of this command:

    --- Raw DHCP Lease Information
    
    lease {
      interface "ens160";
      fixed-address 172.31.101.85;
      option subnet-mask 255.255.255.0;
      option dhcp-lease-time 43200;
      option routers 172.31.101.1;
      option dhcp-message-type 5;
      option dhcp-server-identifier 10.100.0.105;
      option domain-name-servers 8.8.8.8,9.9.9.9;
      option domain-name "techblue.net";
      renew 5 2023/08/11 01:33:38;
      rebind 5 2023/08/11 06:19:36;
      expire 5 2023/08/11 07:49:36;
    }

Stopping the traffic capture in the GM

Switch to the VM jump-desktop.

  1. Back in the Grid Manager, click the Stop button to halt traffic capture.

  2. Place a checkmark beside ibns1.techblue.net.

  3. Click the Download button.

  4. If prompted, save the file to the Downloads folder. The filename will contain the name of the member and the word tcpdump, and will have the file extension tar.gz.

While you are in the GM, you can also verify that you can see the client’s lease file under Data Management → DHCP → Leases.

Task 2 Solution: Analyze the captured traffic

Download and examine the traffic capture to locate relevant DHCP option information.

  1. On the jump-desktop, open the Downloads folder.

  2. Right-click on the packet capture file downloaded in Task 1 and choose Extract Here. This action creates a new folder in the Downloads folder.

  3. Open the newly created folder and double-click the entry traffic.cap to open it with Wireshark.

  4. In the Display Filter text field near the top, enter dhcp, and press the Enter key to apply the filter. This hides all other packets, leaving only DHCP packets.

  5. Locate the DHCPDISCOVER packet from the client. It should show the source address 10.100.0.1 (the router interface) and the destination address 10.100.0.105 (DHCP server), and the Info section should show DHCP Discover followed by the transaction ID.

  6. With the packet selected, scroll down and expand the Dynamic Host Configuration Protocol (Discover) section.

  7. Scroll down further to expand DHCP options to examine. Some common options that can be used to identify the client are: Option 12 (Host Name), Option 55 (Parameter Request List, or PRL), and Option 60 (Vendor class identifier).

  8. Expand Option 60. You can see the string IBEDU.sauron-2022_10_21 (example shown below.)

  9. Note this string down. You will use this to create a DHCP option filter later.

Task 3 Solution: Create a new IPv4 option space

Since the device requires DHCP option numbers (10 and 15) that conflict with existing ones, we must create a new IPv4 option space. Create a new space named Tolkien, and create the following 2 DHCP options according to the vendor’s documentation listed in Table 3532-1:

  1. In the GM web interface, navigate to Data Management→DHCP→Option Spaces.

  2. Click the Add drop-down button and choose IPv4 Option Space. The Add IPv4 Option Space Wizard appears.

  3. For Name, enter Tolkien.

  4. Click the Add button to create a new option (information taken from Table 3532-1):

    • Name: ConfigFile

    • Code: 10

    • Type: text

  5. Click the Add button again to create another new option:

    • Name: ControllerIP

    • Code: 15

    • Type: array of ip-address

  6. The end screen should look like this:

  7. Click Save & Close.

Task 4 Solution: Add the DHCP options to the network

The special appliances are located on the network 172.31.101.0/24. Please update the DHCP options setting on this network, so that it contains the new vendor options. Please use these values for this network:

  • Option 10: bootfile.cfg

  • Option 15: 10.100.52.52

Edit the 172.31.101.0/24 network and configure values for the newly defined custom DHCP options.

  1. Navigate to Data Management → DHCP → Networks → Networks.

  2. Select 172.31.101.0/24, and click Edit.

  3. Select the IPv4 DHCP Options tab on the left.

  4. Scroll down to the bottom to the Custom DHCP Options section.

  5. Scroll all the way to the bottom of the list to add a new Custom DHCP Option.

  6. Configure the first custom option (option 10):

    • Use the drop-down menu to select the DHCP option space Tolkien.

    • Use the drop-down menu to select ConfigFile (10) text.

    • In the text field, enter bootfile.cfg.

  7. Click the plus (+) button to add another custom option (option 15):

    • Use the drop-down menu to select the DHCP option space Tolkien.

    • Use the drop-down menu to select ControllerIP (15) array of ip-address.

    • In the text field, enter 10.100.52.52.

  8. The configuration should look like this:

  9. Click Save & Close.

  10. Don’t restart services yet; continue on to create an IPv4 option filter.

Task 5 Solution: Create an IPv4 option filter

You want to make sure that no other devices receive these special vendor options. Please create a DHCP filter that would help the DHCP servers identify these LOTR devices. Although you are only placing these devices on the subnet 172.31.101.0/24 for now, you plan on adding more to other networks. Thus, you need to apply the filter as a global DHCP class, so this filtering behavior is applied on every network.

Create an IPv4 Option Filter called Tolkien Filter. This filter will search for an Option 60 value from all clients. If a match is found, the DHCP server will return options in the standard DHCPv4 option space as well as the newly created Tolkien option space.

  1. Navigate to Data Management→DHCP→Filters.

  2. Click Add → IPv4 Option Filter. This opens the Add IPv4 Option Filter Wizard.

  3. In Step 1 of 5 of the Wizard, for the filter Name, enter Tolkien Filter.

  4. Ensure Apply this filter as a global DHCP class is checked. This will apply the filter to every incoming DHCP message.

  5. At Step 2 of 5 of the Wizard, create a rule that matches for any vendor-class-identifier string that begins with IBEDU:

    • In the drop-down menu Choose Filter, select vendor-class-identifier (60) string.

    • In the drop-down menu Choose Operator, select substring equals, set the offset to 0 and length to 5.

    • In the value field, enter IBEDU. Click Next.

  6. At Step 3 of 5 of the Wizard, in the Option Space drop-down menu, select DHCP+Tolkien.

  7. Click Save & Close.

  8. Restart services when prompted.

In Step 2 of 5 of the Add IPv4 Option Filter Wizard, we are matching just the first five letters of Option 60, IBEDU, rather than the entire string, IBEDU.sauron-2022_10_21. You can certainly match the entire string, especially if you are looking to match specific model numbers. In our example here, the rule closely resembles matching the make or product family, rather than the specific model.
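The filter rule and the option 43 payload it unlocks can be modelled in a few lines. The following Python is an added example, not Infoblox code or part of the lab; the function names and sample clients are constructed for illustration, and option 15 is treated as a single IPv4 address.

```python
import ipaddress

# Tolkien option space with the values set on 172.31.101.0/24 in Task 4.
TOLKIEN_SPACE = {10: ("text", "bootfile.cfg"), 15: ("ip-address", "10.100.52.52")}


def substring_equals(value: bytes, offset: int, length: int, expected: bytes) -> bool:
    """'substring equals' operator: compare value[offset:offset+length] to expected."""
    window = value[offset:offset + length]
    # A value shorter than offset+length can never match.
    return len(window) == length and window == expected


def tolkien_filter(options: dict) -> bool:
    """Rule from Step 2 of 5: option 60, offset 0, length 5, value IBEDU."""
    vci = options.get(60)
    return vci is not None and substring_equals(vci, 0, 5, b"IBEDU")


def encode_option_space(space: dict) -> bytes:
    """Pack sub-options as code/length/value triples (the option 43 payload)."""
    out = bytearray()
    for code, (dtype, value) in sorted(space.items()):
        if dtype == "text":
            data = value.encode("ascii")
        else:  # "ip-address"
            data = ipaddress.IPv4Address(value).packed
        if len(data) > 255:
            raise ValueError("sub-option value does not fit a one-byte length")
        out += bytes([code, len(data)]) + data
    return bytes(out)


def vendor_options_for(options: dict):
    """Return the option 43 payload for matching clients, None for everyone else."""
    return encode_option_space(TOLKIEN_SPACE) if tolkien_filter(options) else None


# Constructed client option sets (option code -> raw bytes), not taken from the capture.
CLIENTS = {
    "lotr": {60: b"IBEDU.sauron-2022_10_21"},
    "same-family": {60: b"IBEDU.other-model"},
    "other-vendor": {60: b"MSFT 5.0"},
    "no-option-60": {12: b"laptop"},
}

if __name__ == "__main__":
    for name, opts in CLIENTS.items():
        print(name, (vendor_options_for(opts) or b"").hex(":") or "standard options only")
```

Option 60 is supplied by the client, so the rule classifies devices by what they announce: both IBEDU-prefixed clients above receive the Tolkien options, which is the make-or-family matching described in the note.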

Task 6 Solution: Verify the client behavior

Test your shiny LOTR appliance to make sure it receives a DHCP lease with all the correct special options.

Switch to the VM testing-linux.

  1. Open a Terminal window on the VM testing-linux.

  2. Use the command sudo set-network-disable (sudo password: infoblox) to disable DHCP.

  3. Use the command sudo clear-dhcp-leases to clear any previous leases.

  4. Use the command sudo set-network-dhcp to re-enable DHCP.

  5. Use the command sudo show-dhcp-lease to see the lease details. You should be able to see additional vendor encapsulated options (option 43) information near the bottom like this:

    sudo show-dhcp-lease

    -- Encapsulated DHCP Options (vendor-encapsulated-options)

    Decoding part 1: a:c:62:6f:6f:74:66:69:6c:65:2e:63:66:67:f:4
    Option ID: 10
    Option length: 12
    Option value: "bootfile.cfg"

    Decoding part 2: f:4:a:64:34:34
    Option ID: 15
    Option length: 4
    Option value: "10.100.52.52"
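To check the lease independently of the show-dhcp-lease helper, the option 43 bytes can be decoded by hand. The following Python is an added example, not part of the lab; LEASE_VALUE is the full value reconstructed from the two "Decoding part" lines above, and the function names are hypothetical.

```python
import ipaddress

# Data types of the Tolkien option space from Table 3532-1 (code -> type).
TOLKIEN_TYPES = {10: "text", 15: "ip-address"}


def parse_colon_hex(text: str) -> bytes:
    """Convert 'a:c:62:...' (bytes printed without leading zeros) to raw bytes."""
    return bytes(int(part, 16) for part in text.strip().split(":"))


def decode_suboptions(payload: bytes) -> dict:
    """Walk code/length/value triples; reject truncated or overrunning entries."""
    result, pos = {}, 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError(f"truncated sub-option header at byte {pos}")
        code, length = payload[pos], payload[pos + 1]
        value = payload[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} claims {length} bytes, {len(value)} left")
        result[code] = value
        pos += 2 + length
    return result


def render(code: int, value: bytes) -> str:
    """Format a value according to the option space definition."""
    dtype = TOLKIEN_TYPES.get(code)
    if dtype == "text":
        return value.decode("ascii")
    if dtype == "ip-address" and len(value) == 4:
        return str(ipaddress.IPv4Address(value))
    return value.hex(":")  # unknown code or unexpected length: show raw bytes


def decode_lease_option_43(colon_hex: str) -> dict:
    """Decode the colon-separated hex string into {code: readable value}."""
    return {c: render(c, v) for c, v in decode_suboptions(parse_colon_hex(colon_hex)).items()}


# Reconstructed from the two "Decoding part" lines in the lab output.
LEASE_VALUE = "a:c:62:6f:6f:74:66:69:6c:65:2e:63:66:67:f:4:a:64:34:34"

if __name__ == "__main__":
    for code, text in decode_lease_option_43(LEASE_VALUE).items():
        print(f"Option ID: {code}  Option value: {text!r}")
```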
