IP Routing Features
Configuring DHCP Relay
Server response validation is an option you can specify when configuring Option 82 DHCP for append, replace, or drop operation. (Refer to “Forwarding Policies” on page
With validation enabled, the relay agent applies stricter rules to variations in the Option 82 field(s) of incoming server responses to determine whether to forward the response to a downstream device or to drop the response due to invalid (or missing) Option 82 information. Table
| Response Packet Content | Option 82 Configuration | Validation Enabled on the Relay Agent | Validation Disabled (The Default) |
|---|---|---|---|
| Valid DHCP server response packet without an Option 82 field. | append, replace, or drop¹ | Drop the server response packet. | Forward server response packet to a downstream device. |
| | keep² | Forward server response packet to a downstream device. | Forward server response packet to a downstream device. |
| The server response packet carries data indicating a given routing switch is the primary relay agent for the original client request, but the associated Option 82 field in the response contains a Remote ID and Circuit ID combination that did not originate with the given relay agent. | append | Drop the server response packet. | Forward server response packet to a downstream device. |
| | replace or drop¹ | Drop the server response packet. | Drop the server response packet. |
| | keep² | Forward server response packet to a downstream device. | Forward server response packet to a downstream device. |
| The server response packet carries data indicating a given routing switch is the primary relay agent for the original client request, but the associated Option 82 field in the response contains a Remote ID that did not originate with the relay agent. | append | Drop the server response packet. | Forward server response packet to a downstream device. |
| | replace or drop¹ | Drop the server response packet. | Drop the server response packet. |
| | keep² | Forward server response packet to a downstream device. | Forward server response packet to a downstream device. |
| All other server response packets³ | append, keep², replace, or drop¹ | Forward server response packet to a downstream device. | Forward server response packet to a downstream device. |

¹ Drop is the recommended choice because it protects against an unauthorized client inserting its own Option 82 field for an incoming request.
² A routing switch with DHCP Option 82 enabled with the keep option forwards all DHCP server response packets except those that are not valid for either Option 82 DHCP operation (compliant with RFC 3046) or DHCP operation without Option 82 support (compliant with RFC 2131).
³ A routing switch with DHCP Option 82 enabled drops an inbound server response packet if the packet does not have any device identified as the primary relay agent (giaddr = null; refer to RFC 2131).
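The table and its footnotes describe a decision procedure, so the following added example models it in Python. This is illustration code written for this page, not switch firmware or any vendor code: it carries a minimal decoder for the RFC 2131 options field and the RFC 3046 Option 82 sub-options (Circuit ID = 1, Remote ID = 2), a hypothetical `RelayAgent` record holding the relay's own giaddr, Remote ID, Circuit IDs and policy, and a `decide()` function that returns the forward/drop outcome for a constructed server response. Both "mismatch" rows of the table collapse into one check because their outcomes are identical; the giaddr = null rule from footnote 3 is applied first.

```python
"""Model of the Option 82 server-response validation table (added example)."""
from dataclasses import dataclass
from typing import Optional

# DHCP option / sub-option codes (RFC 2131, RFC 3046)
OPT_RELAY_AGENT_INFO = 82
OPT_END = 255
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


@dataclass(frozen=True)
class RelayAgent:
    """Hypothetical view of one relay agent: its identity and Option 82 policy."""
    giaddr: str            # address this relay writes into giaddr of forwarded requests
    remote_id: bytes       # Remote ID this relay stamps into Option 82
    circuit_ids: frozenset # Circuit IDs that belong to this relay's ports
    policy: str            # "append", "replace", "drop" or "keep"
    validation: bool       # server response validation enabled?


def build_option82(circuit_id: Optional[bytes], remote_id: Optional[bytes]) -> bytes:
    """Build a constructed DHCP options field carrying an Option 82 (for samples)."""
    body = b""
    if circuit_id is not None:
        body += bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id is not None:
        body += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    return bytes([OPT_RELAY_AGENT_INFO, len(body)]) + body + bytes([OPT_END])


def parse_option82(options: bytes) -> Optional[dict]:
    """Return {"circuit_id", "remote_id"} from a DHCP options field, or None if absent."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == 0:              # pad option has no length byte
            i += 1
            continue
        length = options[i + 1]
        data = options[i + 2:i + 2 + length]
        i += 2 + length
        if code != OPT_RELAY_AGENT_INFO:
            continue
        subs = {"circuit_id": None, "remote_id": None}
        j = 0
        while j + 1 < len(data):   # walk the sub-option TLVs
            sub, sublen = data[j], data[j + 1]
            val = data[j + 2:j + 2 + sublen]
            j += 2 + sublen
            if sub == SUBOPT_CIRCUIT_ID:
                subs["circuit_id"] = val
            elif sub == SUBOPT_REMOTE_ID:
                subs["remote_id"] = val
        return subs
    return None


def decide(agent: RelayAgent, giaddr: str, options: bytes) -> str:
    """Apply the table to one server response: returns "forward" or "drop"."""
    # Footnote 3: no primary relay agent identified (giaddr = null) -> drop.
    if giaddr == "0.0.0.0":
        return "drop"
    o82 = parse_option82(options)
    # Row 1: valid response without an Option 82 field.
    if o82 is None:
        if agent.validation and agent.policy in ("append", "replace", "drop"):
            return "drop"
        return "forward"
    # Rows 2-3: this relay is the primary relay agent for the request, but the
    # Remote ID (or the Remote ID / Circuit ID combination) is not its own.
    if giaddr == agent.giaddr:
        remote_ok = o82["remote_id"] == agent.remote_id
        circuit_ok = o82["circuit_id"] in agent.circuit_ids
        if not (remote_ok and circuit_ok):
            if agent.policy in ("replace", "drop"):
                return "drop"                      # dropped regardless of validation
            if agent.policy == "append":
                return "drop" if agent.validation else "forward"
            return "forward"                       # keep
    # Last row: all other server responses.
    return "forward"


if __name__ == "__main__":
    # Constructed sample: relay 10.1.1.1 owns ports "p5"/"p6" and Remote ID "sw1".
    relay = RelayAgent("10.1.1.1", b"sw1", frozenset({b"p5", b"p6"}), "append", True)
    samples = [
        ("no Option 82", "10.1.1.1", bytes([OPT_END])),
        ("own IDs", "10.1.1.1", build_option82(b"p5", b"sw1")),
        ("foreign circuit", "10.1.1.1", build_option82(b"p9", b"sw1")),
        ("foreign remote", "10.1.1.1", build_option82(b"p5", b"sw2")),
        ("null giaddr", "0.0.0.0", build_option82(b"p5", b"sw1")),
    ]
    for label, giaddr, opts in samples:
        print(f"{label:16s} -> {decide(relay, giaddr, opts)}")
```

Running the block prints one verdict per constructed sample; switching `policy` to "keep" or `validation` to `False` in the `RelayAgent` record reproduces the other columns and rows of the table.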