Server response validation is an option you can specify when configuring Option 82 DHCP for
append, replace, or drop operation. See “Forwarding policies” (page 70). Enabling validation
on the routing switch can enhance protection against DHCP server responses that are either from
untrusted sources or are carrying invalid Option 82 information.
With validation enabled, the relay agent applies stricter rules to variations in the Option 82 fields
of incoming server responses to determine whether to forward the response to a downstream device
or to drop the response due to invalid (or missing) Option 82 information. Table 7 describes relay
agent management of DHCP server responses with optional validation enabled and disabled.
Table 7 Relay agent management of DHCP server response packets
Validation disabled (the
default)
Validation enabled on the
relay agent
Option 82 configurationResponse packet content
Forward server response
packet to a downstream
device.
Drop the server response
packet.
append, replace, or
drop
1
Valid DHCP server response
packet without an Option 82
field.
Forward server response
packet to a downstream
device.
Forward server response
packet to a downstream
device.
keep
2
Forward server response
packet to a downstream
device.
Drop the server response
packet.
appendThe server response packet
carries data indicating a
given routing switch is the
primary relay agent for the
Drop the server response
packet.
Drop the server response
packet.
replace or drop
1
original client request, but
the associated Option 82
field in the response contains
Forward server response
packet to a downstream
device.
Forward server response
packet to a downstream
device.
keep
2
a remote ID and circuit ID
combination that did not
originate with the given
relay agent.
Forward server response
packet to a downstream
device.
Drop the server response
packet.
appendThe server response packet
carries data indicating a
given routing switch is the
primary relay agent for the
Drop the server response
packet.
Drop the server response
packet.
replace or drop
1
original client request, but
the associated Option 82
field in the response contains
Forward server response
packet to a downstream
device.
Forward server response
packet to a downstream
device.
keep
2
a Remote ID that did not
originate with the relay
agent.
Forward server response
packet to a downstream
device.
Forward server response
packet to a downstream
device.
append, keep
2
, replace,
or drop
1
All other server response
packets
3
1
Drop is the recommended choice because it protects against an unauthorized client inserting its own Option 82 field
for an incoming request.
2
A routing switch with DHCP Option 82 enabled with the keep option forwards all DHCP server response packets except
those that are not valid for either Option 82 DHCP operation (compliant with RFC 3046) or DHCP operation without
Option 82 support (compliant with RFC 2131.)
3
A routing switch with DHCP Option 82 enabled drops an inbound server response packet if the packet does not have
any device identified as the primary relay agent (giaddr=null; see RFC 2131.)
Multinetted VLANs
On a multinetted VLAN, each interface can form an Option 82 policy boundary within that VLAN
if the routing switch is configured to use IP for the remote ID suboption. That is, if the routing switch
is configured with IP as the remote ID option and a DHCP client request packet is received on a
multinetted VLAN, the IP address used in the Option 82 field will identify the subnet on which the
packet was received instead of the IP address for the VLAN. This enables an Option 82 DHCP
72 IP Routing Features
To Next Page
Loading...
Need help?
General