How to push static routes from the Palo Alto Networks DHCP Server

43818
Created On 09/25/18 17:15 PM - Last Modified 01/11/21 03:48 AM


Environment


  • Palo Alto Networks Firewall
  • PAN-OS >= 7.0


Resolution


DHCP Option 33 vs DHCP Option 121 vs DHCP Option 249

DHCP Option 33 is a simple option that maps a single /32 (host) destination to a next-hop router.

DHCP Options 121 and 249 share the same length and data format.

The main difference is that Windows XP and Windows Server 2003 will only work with DHCP Option 249.

 

Compatibility

All other versions of Windows (except XP and Server 2003) use both DHCP Option 121 and Option 249. If both are configured, Windows will prefer routes defined by DHCP Option 121.

Linux will accept routes learned through DHCP Option 121 and Option 249. If it does not, set option classless_static_routes in /etc/dhcpcd.conf. If both options are configured, Linux will prefer routes defined by DHCP Option 121.

Since the release of Mac OS X 10.11 (El Capitan), DHCP Option 121 is supported. Option 249 is ignored on Mac OS X.

 

Syntax

DHCP Options 33, 121, and 249 use a hexadecimal representation of decimal values.

 

DHCP Option 33

In DHCP Option 33, the syntax defines a Destination IP and a Next hop. These are represented as concatenated hexadecimal values.

 

For example, if our Destination IP is 10.0.0.1/32 and the next hop is 192.168.20.1, the resulting value will be:

0A000001C0A81401, where 0A=10, 00=0, 00=0, 01=1 defines the Destination IP, and C0=192, A8=168, 14=20, 01=1 defines the Next hop.

Multiple lines can be added defining destinations and next hops by adding them as Additional Option Values.

 

According to RFC 2132, destination 0.0.0.0 is not valid. To deploy a default route use Option 121/249.

 

DHCP Option 121/249

 

In DHCP Option 121 or 249, the syntax defines, in order:

  a. the Subnet mask in CIDR notation (prefix length),
  b. a Destination descriptor,
  c. a Next hop.

These are represented as concatenated hexadecimal values.

 

Destination descriptors are a way to ‘compact’ the Destination Subnet. Depending on the subnet mask length, the descriptor defines the number of destination octets that follow it.

 

Width of subnet mask    Number of significant octets
0                       0
1 to 8                  1
9 to 16                 2
17 to 24                3
25 to 32                4

 

Our destination subnet is 10.0.0.0/8 and the next hop is 192.168.20.1.

 

An interim value we can easily derive is 080A000000C0A81401, where 08=/8 Subnet Mask, {0A=10}, [00=0, 00=0, 00=0] defines the Destination Subnet, and C0=192, A8=168, 14=20, 01=1 defines the Next hop.

Applying the Destination Descriptor for 08 tells us that only one octet should be considered following it. From 10.0.0.0, only {0A=10} is relevant, and [00=0, 00=0, 00=0] is trimmed.

The final DHCP Option value for destination subnet 10.0.0.0/8 and next hop 192.168.20.1 is then:

 

080AC0A81401

 

Below are examples of the RFC1918 networks that have 192.168.20.1 as the next hop.

 

080AC0A81401     10/8         GW 192.168.20.1   Per the Destination Descriptor, 08=8 yields 1 significant octet, so only 0A is relevant to define the Destination Subnet.

0CAC10C0A81401   172.16/12    GW 192.168.20.1   Per the Destination Descriptor, 0C=12 yields 2 significant octets, so only AC10 is relevant to define the Destination Subnet.

10C0A8C0A81401   192.168/16   GW 192.168.20.1   Per the Destination Descriptor, 10=16 yields 2 significant octets, so only C0A8 is relevant to define the Destination Subnet.

 

A default route to 192.168.20.1 would be represented as:

 

00C0A81401       0/0          GW 192.168.20.1   Per the Destination Descriptor, 00=0 yields 0 significant octets, so 0.0.0.0 is defined as the Destination Subnet with no octets following.
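As an added worked example (not part of the original article), the following Python, using only the standard library, builds the hexadecimal strings described above for Option 33 and Option 121/249 from a route list, applying the destination-descriptor rule for any prefix length (not only the /8, /12, /16 and /0 cases shown), and decodes an Option 121/249 string back into routes while rejecting malformed or truncated input:

```python
import ipaddress


def encode_option33(routes):
    """Option 33 (RFC 2132): 4 destination octets + 4 router octets per route."""
    out = ""
    for dest, gw in routes:
        d = ipaddress.ip_network(dest, strict=False)
        if d.prefixlen != 32:
            raise ValueError("Option 33 only carries /32 destinations: %s" % dest)
        if int(d.network_address) == 0:
            raise ValueError("0.0.0.0 is an illegal Option 33 destination (RFC 2132)")
        out += d.network_address.packed.hex() + ipaddress.ip_address(gw).packed.hex()
    return out.upper()


def encode_option121(routes):
    """Option 121/249 (RFC 3442): prefix length, significant octets only, router."""
    out = bytearray()
    for dest, gw in routes:
        d = ipaddress.ip_network(dest, strict=False)
        n = (d.prefixlen + 7) // 8          # destination descriptor: 0..4 octets
        out.append(d.prefixlen)             # one byte: the subnet mask width
        out += d.network_address.packed[:n] # trimmed destination
        out += ipaddress.ip_address(gw).packed
    return out.hex().upper()


def decode_option121(hexstr):
    """Parse an Option 121/249 hex string back into (destination, next hop) pairs."""
    data = bytes.fromhex(hexstr)
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError("invalid prefix length %d" % plen)
        n = (plen + 7) // 8
        if i + 1 + n + 4 > len(data):
            raise ValueError("truncated route entry at offset %d" % i)
        dest = data[i + 1:i + 1 + n] + b"\0" * (4 - n)   # re-pad trimmed octets
        gw = data[i + 1 + n:i + 1 + n + 4]
        net = ipaddress.ip_network((ipaddress.IPv4Address(dest), plen), strict=False)
        routes.append((str(net), str(ipaddress.IPv4Address(gw))))
        i += 1 + n + 4
    return routes


if __name__ == "__main__":
    print(encode_option121([("10.0.0.0/8", "192.168.20.1"), ("0.0.0.0/0", "192.168.20.1")]))
```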

 

Configuration

1. Go to Network > DHCP > DHCP Server tab. Select the interface where your DHCP Server runs to open it.

 


 

2. On your DHCP Server configuration go to Options > Custom DHCP Options. Click on Add.

 


 

3. In the DHCP Option selection, give the Option a name. Enter the option code (33, 121, or 249) and select Option Type: Hexadecimal. Then select Add to enter your static routes in their hexadecimal notation.

 


 

4. Once you're done populating the DHCP Options your DHCP Server configuration will look like this:

 

[Screenshot: Configuring DHCP Option 33, 121 and 249]

 

5. Commit the changes. To verify that your workstation is receiving the routes, run the "ipconfig /renew" command in a command window. You can then check the list of routes on your Windows workstation with the "route PRINT" command.

[Screenshot: resulting output of the "route PRINT" command in Windows 7]

 

References

http://tools.ietf.org/html/rfc3442

http://tools.ietf.org/html/rfc2132

https://msdn.microsoft.com/en-us/library/cc227282.aspx



Additional Information


  • RFC 2132 defines DHCP Option 33: Static Route Option
  • RFC 3442 defines DHCP Option 121: Classless Static Route Option for DHCPv4
  • Microsoft introduced DHCP Option 249: Microsoft Classless Static Route Option

