
NIOS DNS DHCP IPAM


Option 43 is configured but not included in DHCP Offer/Ack packets

Techie
Posts: 9
13807     1

Hi All,

 

I am trying to migrate from ISC DHCP to Infoblox, and trying to replicate the configuration that issues vendor-specific Option 43 attributes to DHCP clients.

 

The relevant parts of the Infoblox DHCP config file look like this:

 

option transact-zero code 180 = ip-address; 
option transact-one code 181 = ip-address; 
option transact-two code 182 = string; 
option space Polycom;
option Polycom.UCIdentifier code 1 = string;
option Polycom.URLScheme code 2 = string;
option Polycom.WebServerFqdn code 3 = string;
option Polycom.WebServerPort code 4 = string;
option Polycom.CertProvRelPath code 5 = string;

option space PXEClient;
option PXEClient.pxediscovctl code 6 = unsigned integer 8;
option PXEClient.pxebootserver code 8 = string;
option PXEClient.pxebootmenu code 9 = string;
option PXEClient.pxemenuprompt code 10 = string;
# MAC filter "Legacy BIOS"
subnet 192.168.0.0 netmask 255.255.255.0 {
	option ntp-servers 192.168.0.100;
	default-lease-time 300;
	min-lease-time 300;
	max-lease-time 300;
	pool {
		option dhcp-parameter-request-list = null;
		infoblox-range 192.168.0.240 192.168.0.244;
		range 192.168.0.240 192.168.0.244;
		option bootfile-name "efi/x86_64/nvlnbpx64.efi";
		option tftp-server-name "10.239.32.134";
		option vendor-class-identifier 50:58:45:43:6c:69:65:6e:74;
		default-lease-time 300;
		min-lease-time 300;
		max-lease-time 300;
		# INFOBLOXMACFILTERDEBUGINFO: deny members of "Legacy BIOS";
		# INFOBLOXFINGERPRINTFILTERDEBUGINFO: 		allow 		fingerprints for "pxe test";
	}
	pool {
		option dhcp-parameter-request-list = null;
		infoblox-range 192.168.0.245 192.168.0.248;
		range 192.168.0.245 192.168.0.248;
		option dhcp-parameter-request-list 1,42,43,51,53,54,60,180,181,182,255;
		option PXEClient.pxebootserver a6:cc:01:0a:ef:20:58;
		option transact-zero 10.239.32.88;
		option PXEClient.pxediscovctl 3;
		option vendor-class-identifier 50:58:45:43:6c:69:65:6e:74;
		option transact-two 00:00:00:00;
		option PXEClient.pxemenuprompt 02:5b:46:38:5d:20:66:6f:72:20:4d:65:6e:75:20:2d:20:5a:43:4d;
		option PXEClient.pxebootmenu a6:cc:06:53:65:72:76:65:72:00:00:0a:4c:6f:63:61:6c:20:42:6f:6f:74;
		option transact-one 10.239.32.88;
		default-lease-time 300;
		min-lease-time 300;
		max-lease-time 300;
		# INFOBLOXFINGERPRINTFILTERDEBUGINFO: 		allow 		fingerprints for "pxe test";
	}
}

 

I enabled "ignore parameter request list" because otherwise some of the options were not sent to the client, as they had not been requested. I added the dhcp-parameter-request-list to try and force Infoblox to send option 43.

However, neither of these has fixed the issue; option 43 is absent from the packets when they are captured and viewed in packet capturing software.

 

Re: Option 43 is configured but not included in DHCP Offer/Ack packets

Techie
Posts: 9
13807     1

I should probably add that the client I'm using for testing is not requesting options 43, 180, 181 or 182 at the moment, but I am trying to force them regardless because I know they are required.

(I am working at home with limited testing capabilities!)

Re: Option 43 is configured but not included in DHCP Offer/Ack packets

Techie
Posts: 9
13807     1

To rule out a problem with the range/pool syntax, I created a fixed address entry for my test client. Option 43 is still not being offered by Infoblox, but all of the other options are included in the Offer and Ack packets.

 

host 192.168.0.235 {
		ib-revision 1605281799;
		dynamic;
		hardware ethernet a8:5e:45:32:6e:24;
		fixed-address 192.168.0.235;
		option PXEClient.pxediscovctl 3;
		option PXEClient.pxemenuprompt 02:5b:46:38:5d:20:66:6f:72:20:4d:65:6e:75:20:2d:20:5a:43:4d;
		option transact-zero 10.239.32.88;
		option PXEClient.pxebootmenu a6:cc:06:53:65:72:76:65:72:00:00:0a:4c:6f:63:61:6c:20:42:6f:6f:74;
		option transact-two 00:00:00:00;
		option transact-one 10.239.32.88;
		option PXEClient.pxebootserver a6:cc:01:0a:ef:20:58;
		option vendor-class-identifier 50:58:45:43:6c:69:65:6e:74;
		option host-name "windows10";
	}

(This message was rejected due to invalid HTML, I can't see what the filter has removed as invalid)

Re: Option 43 is configured but not included in DHCP Offer/Ack packets

Expert
Posts: 185
13807     1

Infoblox isn't sending option 43 because you haven't configured a client class.

You've got your option spaces set up for Polycom and PXEclient, but Infoblox doesn't know which option set to use for which clients.

Go to your DHCP grid properties, go to IPv4 DHCP options, toggle the advanced mode slider, then click on advanced. In there you need to specify what vendor class string to match on and link it to an option space; you'll probably need to specify the substring offset and length too. Here's an example:

 

[Image: ib vendor classing.jpg]

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
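
The behaviour described in the reply above, as an added example that is not part of the original thread and not Infoblox code: a server only builds option 43 when the client's option 60 matches a vendor class rule (match string, substring offset and length) that is linked to an option space, and the payload is that space's sub-options as code/length/value triples. The rule layout and function names are hypothetical; the sub-option bytes are the PXEClient values from the config posted earlier.

```python
# Added example: models option 60 matching and option 43 encapsulation.
# RULES, SPACES and all function names are hypothetical, not Infoblox identifiers.

# Sub-option values copied from the PXEClient lines in the config posted above.
SPACES = {"PXEClient": {
    6: bytes([3]),                                                  # pxediscovctl
    8: bytes.fromhex("a6cc010aef2058"),                             # pxebootserver
    9: bytes.fromhex("a6cc0653657276657200000a4c6f63616c20426f6f74"),  # pxebootmenu
    10: bytes.fromhex("025b46385d20666f72204d656e75202d205a434d"),  # pxemenuprompt
}}
# Vendor class rule: compare option60[offset:offset+length] with the match string.
RULES = [{"match": b"PXEClient", "offset": 0, "length": 9, "space": "PXEClient"}]

def select_space(option60, rules=RULES):
    """Return the option space for the client's option 60, or None."""
    for r in rules if option60 else []:
        if option60[r["offset"]:r["offset"] + r["length"]] == r["match"]:
            return r["space"]
    return None

def encode_option43(subopts):
    """Encapsulate sub-options as code/length/value triples (RFC 2132)."""
    out = bytearray()
    for code, value in sorted(subopts.items()):
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError(f"sub-option {code} cannot be encoded")
        out += bytes([code, len(value)]) + value
    if len(out) > 255:
        raise ValueError("payload does not fit in a single option 43")
    return bytes(out)

def decode_option43(payload):
    """Parse captured option 43 bytes into {code: value}; reject truncation."""
    subopts, i = {}, 0
    while i < len(payload) and payload[i] != 255:   # 255 ends the sub-options
        if payload[i] == 0:                          # 0 is padding
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError(f"truncated sub-option at offset {i}")
        length = payload[i + 1]
        subopts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return subopts

def build_option43(option60):
    """Option 43 payload the server would send, or None with no class match."""
    space = select_space(option60)
    return encode_option43(SPACES[space]) if space else None
```

Running `decode_option43` over the option 43 bytes copied out of a packet capture and comparing the result with the configured sub-options shows whether the server sent the option space that was intended.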

Re: Option 43 is configured but not included in DHCP Offer/Ack packets

Expert
Posts: 185
13808     1

Also, don't directly specify any hardcoded option 43 hex strings; that will conflict with the client classing and will override any values the classing might provide. I learnt this the hard way.

It's actually pretty flexible; you can do more complex filtering by defining IP filters. We did one that analysed the option 93 value (architecture) in the DHCP request and flipped the PXE bootfile name depending on whether the client was legacy or UEFI BIOS.

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Option 43 is configured but not included in DHCP Offer/Ack packets

New Member
Posts: 1
13808     1

Infoblox isn't sending option 43 because you haven't configured a client class.

You've got your option spaces set up for Polycom and PXEclient

Re: Option 43 is configured but not included in DHCP Offer/Ack packets

Techie
Posts: 9
13808     1

Thanks guys, I will try and test this to confirm.

Re: Option 43 is configured but not included in DHCP Offer/Ack packets

Techie
Posts: 9
13808     1

Thanks very much, guys.
Adding the Option 60 Vendor Class Identifier match has indeed enabled Option 43 to be included in the DHCP Offer packets.

Re: Option 43 is configured but not included in DHCP Offer/Ack packets

New Member
Posts: 1
13808     1

Can you please share your configuration of the option space and then for the option 60 settings?

We have Cisco APs that have the same issue of not getting the option 43 settings...
