Wednesday, January 6, 2010

Do you need DHCP Option 60?

When configuring a DHCP scope for your LWAPP access points, you can return, along with an IP address, the controller Management IP address. This is called option 43, Vendor Specific Option. It is vendor specific in the sense that, in our case, only an access point would know what to do with Controller Management IP address information.
If you have read older papers, you may also have seen the option 60, Vendor Class Identifier. Do you need it, or not?
This is what it is about: when you AP boots, it sends a DHCP discover message. This message contains, among other things, a section that identifies what kind of device is requesting that IP address:

As you can see from this packet capture, in this case the AP says "I am a Cisco AP c1250. Can I get an IP address please?"
When you define an option 60 in your DHCP scope in combination with the option 43, you say "IF client is a Cisco AP c1250, then return the Vendor Specific Option defined in option 43". In other words, the content of option 43 is returned only to those clients that present the right option 60.

When using Windows DHCP server, you do not have much of a choice. The right process is to
- first define the Vendor Class Identifier
- then for this vendor class identifier define what kind of Vendor Specific Option you want to return. In our case, the option is always "option 241: controller Management IP Address" for Aironet APs and "option 102 (also controller Management IP address" for 1000 series Airespace APs
- Last, define the value of this option 241 or 102 (that is, the controller Management Interface IP address you want to send back).
So, with Windows DHCP server, you use option 60 without any real good way to avoid it.

When using an IOS DHCP scope, you do not need to specify an option 60. You can specify only the option 43, which will be option 102 if returned in ASCII and option 241 if returned in Hex.
If you specify an option 60 for that scope, the content of option 43 is returned only to those clients that present the right option 60. If you do not specify an option 60 for that scope, the content of option 43 is returned to any DHCP client asking for an IP address in that subnet.

What is the recommended practice? Or: why do some papers describing option 43 for the IOS mention the option 60, while some (many) others don't?

Well, the answer is quite simple: in the lab, I would try to put my option 60 whenever I can...
In real life, well, option 60 is cleaner: you do not send the content of option 43 to clients that do not need it. On the other hand, you should have a infrastructure addressing space, and a client addressing space. This means that your APs should be in one subnet/VLAN (the AP VLAN on that switch), and clients should be in other subnets. This makes that only APs should be in the subnet for which you provide this option 43. So there should NOT be any client NOT needing this option 43 and still getting an IP address in that scope: all clients of that scope are supposed to be APs! This is why you find many papers without this option... not to mention the fact that this option may be cumbersome to use when you have different APs of different models in the same subnet... but the lab is of course not about what is nice and simple, but what can technically be done, right?


  1. Okay, I understand, but what if you got different types of accesspoint like a mix of 1242 and 1252.
    Do you have to create different DHCP pools for the AP's ?
    It's not possible to have multiple option 60 at the ip dhcp pool of a Cisco router.

    Keep up the good work. ;)

    Kind regards,

  2. Hey Sjostke,
    Yes, you are right, this is one of the limitations of option 60 in the IOS, only one option 60 string is accepted per scope, and this option must match exactly the vendor class (did I say that on Juniper IOS, the option 60 can be only part of the string, like "Cisco AP c12xx", allowing 1250 and 1240? Well, not on Cisco IOS... yet).
    Creating 2 pools (for the same subnet!) may not be very comfortable either, this is one of the cases where you drop the option 60, or find another way to provide the controller IP address to your APs (e.g. DHCP sends DNS server address, and you let the AP resolve CISCO-LWAPP-CONTROLLER).
    Take care


  4. And to complicate things furthermore (in the field), there's a bug in IOS 12.2(46)SE for 3750s (possibly others but I didn't try) that doesn't let you enter an option 60 containing space characters. 12.2(44) and 12.2(50) don't have this issue.

  5. Is there any DHCP options that can restrict the lease only to apply for certain devices.
    That is like:

    DHCP request - Hello I am LAP1142, can I get an IP address?
    DHCP ack - Are you a Cisco AP?... hmm, yes you are, then use this IP.
    DHCP request - Hello I am HP computer, can I get an IP address?
    DHCP ack - Are you a Cisco AP?... hmm, no you are not, then you wont get any IP, Bye!


    Any solution to this?

  6. Hi Jimi,
    On IOS DHCP server, what you want is called option 82. Unfortunately, this option is not available yet on a Windows DHCP server...

  7. Is this the reason why my upgraded aps do not get an ip address, regardless of whether i specify option 43 or not? i.e. It is because i am not specifying option 60. When i say upgraded, i mean aps running recovery image, upgrading to lwapp - very very slow to get an ip address.would anyone mind commenting to help out?

  8. which packets at client side should have vendor option 60. Shall we add option 60 at the stage of sending first discovery packets or at later stages?

  9. Hello Jerome,
    i saw you lap set up on youtube, it is simple but i liked it. Can i please, have some basic configs to create a small wireless lab ? I have 2 wlc , 2 layer 3 switches , some AP. Just needed some basic configs ( switch and wlc ) , so that my APs can associate with wlcs

  10. I got what you mean , thanks for posting .Woh I am happy to find this website through google.
