Multicast and Routing Guide K/KA/KB.15.15
Table 29 Relay agent management of DHCP server response packets. (continued)
Column headings: Option 82 configuration | Response packet content | Validation disabled (the default) | Validation enabled on the relay agent
Cell text continued from the previous page (both validation columns): packet to a downstream device.
1 Drop is the recommended choice because it protects against an unauthorized client inserting its own Option 82 field
for an incoming request.
2 A routing switch with DHCP Option 82 enabled with the keep option forwards all DHCP server response packets except
those that are not valid for either Option 82 DHCP operation (compliant with RFC 3046) or DHCP operation without
Option 82 support (compliant with RFC 2131).
3 A routing switch with DHCP Option 82 enabled drops an inbound server response packet if the packet does not have
any device identified as the primary relay agent (giaddr=null; see RFC 2131).
Multinetted VLANs
On a multinetted VLAN, each interface can form an Option 82 policy boundary within that VLAN
if the routing switch is configured to use IP for the remote ID suboption. That is, if the routing switch
is configured with IP as the remote ID option and a DHCP client request packet is received on a
multinetted VLAN, the IP address used in the Option 82 field will identify the subnet on which the
packet was received instead of the IP address for the VLAN. This enables an Option 82 DHCP
server to support more narrowly defined DHCP policy boundaries instead of defining the boundaries
at the VLAN or whole routing switch levels. If the MAC address option (the default) is configured
instead, the routing switch MAC address will be used regardless of which subnet was the source
of the client request. (The MAC address is the same for all VLANs configured on the routing switch.)
All request packets from DHCP clients in the different subnets in the VLAN must be able to reach
any DHCP server identified by the IP helper addresses configured on that VLAN.
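The following added example (not taken from this guide) shows how a DHCP server or a log-analysis script could derive the policy boundary described above from the remote ID suboption. It assumes the remote ID carries a raw 4-byte IPv4 address or a raw 6-byte MAC address; the function names, subnets, addresses and circuit ID value are constructed for illustration.

```python
import ipaddress

CIRCUIT_ID, REMOTE_ID = 1, 2  # RFC 3046 suboption codes inside DHCP option 82

def parse_option82(data: bytes) -> dict:
    """Split an Option 82 payload into {code: value}, rejecting malformed TLVs."""
    subopts, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated suboption header")
        code, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("suboption length runs past end of option")
        subopts[code] = value
        i += 2 + length
    return subopts

def policy_boundary(option82: bytes, subnets: list) -> str:
    """Return the narrowest boundary a DHCP server can derive from the remote ID."""
    remote = parse_option82(option82).get(REMOTE_ID)
    if remote is None:
        raise ValueError("no remote ID suboption present")
    if len(remote) == 4:  # assumption: raw IPv4 address of the receiving interface
        addr = ipaddress.IPv4Address(remote)
        for net in subnets:
            if addr in ipaddress.IPv4Network(net):
                return "subnet " + net
        return "unknown subnet"
    if len(remote) == 6:  # assumption: raw MAC address of the routing switch
        return "switch " + ":".join(f"{b:02x}" for b in remote)
    raise ValueError("unrecognised remote ID encoding")

# Constructed sample data: one multinetted VLAN carrying two subnets.
SUBNETS = ["10.1.10.0/24", "10.1.20.0/24"]
CIRCUIT = bytes([CIRCUIT_ID, 2, 0, 5])                      # hypothetical port value
REQ_IP_A = CIRCUIT + bytes([REMOTE_ID, 4, 10, 1, 10, 1])    # received on 10.1.10.1
REQ_IP_B = CIRCUIT + bytes([REMOTE_ID, 4, 10, 1, 20, 1])    # received on 10.1.20.1
REQ_MAC = CIRCUIT + bytes([REMOTE_ID, 6, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55])

if __name__ == "__main__":
    for name, req in [("A/ip", REQ_IP_A), ("B/ip", REQ_IP_B), ("A or B/mac", REQ_MAC)]:
        print(name, "->", policy_boundary(req, SUBNETS))
```

With the IP remote ID the two requests resolve to different subnets; with the MAC remote ID both subnets collapse to the same switch-wide boundary.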