Configuring DHCP relay

Overview

The Dynamic Host Configuration Protocol (DHCP) is used for configuring hosts with an IP address and other configuration parameters without user intervention. The protocol is composed of three components:

  • DHCP client

  • DHCP server

  • DHCP relay agent

The DHCP client sends broadcast request packets to the network; the DHCP servers respond with broadcast packets that offer IP parameters, such as an IP address for the client. After the client chooses the IP parameters, communication between the client and server is by unicast packets.

HP routing switches provide the DHCP relay agent to enable communication from a DHCP server to DHCP clients on subnets other than the one the server resides on. The DHCP relay agent transfers DHCP messages from DHCP clients located on a subnet without a DHCP server to other subnets. It also relays answers from DHCP servers to DHCP clients.

The DHCP relay agent is transparent to both the client and the server. Neither side is aware of the communications that pass through the DHCP relay agent. As DHCP clients broadcast requests, the DHCP relay agent receives the packets and forwards them to the DHCP server. During this process, the DHCP relay agent increases the hop count by one before forwarding the DHCP message to the server. A DHCP server includes the hop count from the DHCP request that it receives in the response that it returns to the client.

DHCP packet forwarding

The DHCP relay agent on the routing switch forwards DHCP client packets to all DHCP servers that are configured in the table administrated for each VLAN.

Unicast forwarding

The packets are forwarded using unicast forwarding if the IP address of the DHCP server is a specific host address. The DHCP relay agent sets the destination IP address of the packet to the IP address of the DHCP server and forwards the message.

Broadcast forwarding

The packets are forwarded using broadcast forwarding if the IP address of the DHCP server is a subnet address or the IP broadcast address (255.255.255.255). The DHCP relay agent sets the DHCP server IP address to the broadcast IP address, and the packet is forwarded to all VLANs with configured IP interfaces (except the source VLAN).

Prerequisites for DHCP relay operation

For the DHCP relay agent to work on the switch, you must complete the following steps:

  1. Enable DHCP relay on the routing switch (the default setting.)

  2. Ensure that a DHCP server is servicing the routing switch.

  3. Enable IP routing on the routing switch.

  4. Ensure that there is a route from the DHCP server to the routing switch and back.

  5. Configure one or more IP helper addresses for specified VLANs to forward DHCP requests to DHCP servers on other subnets.

Enabling DHCP relay

The DHCP relay function is enabled by default on an HP routing switch. However, if DHCP has been disabled, you can re-enable it by entering the following command at the global configuration level:

HP Switch(config)# dhcp-relay

To disable the DHCP relay function, enter the no form of the command:

HP Switch(config)# no dhcp-relay

DHCP Option 12

Option 12 allows you to include the hostname in the DHCP packet sent to the DHCP server. This is disabled by default. The command must be executed from the global configuration level.

Syntax:

[no] dhcp host-name-option

Sends the hostname option with DHCP packets. Use the no form of the command to not include the hostname in the packet.

The maximum size of the hostname is 32 characters.

Default: disabled

DHCP Option 12 command

HP Switch(config)# dhcp host-name-option

SNMP support

A MIB object supports enabling and disabling the DHCP Option 12 feature. It is added in the hpicfDhcpclient.mib. The hostname is retrieved from the MIB variable SYSNAME. Validity checks on the name include:

  • The name starts with a letter, ends with a letter or a digit, and can have letters, hyphens, or digits in between the first and last characters.

  • The maximum size supported for a hostname is 30 characters. If SYSNAME is more than 30 characters, then DHCP Option 12 will not be included in the packet.

  • The minimum number of characters supported for a hostname is one character. If the SYSNAME in the MIB is null, then DHCP Option 12 will not be included in the packet.

SNMP MIB definition

hpicfDhcpClientHostNameOption OBJECT-TYPE
    SYNTAX        INTEGER {enabled (1), disabled (2)}
    MAX-ACCESS    read-write
    STATUS        current
    DESCRIPTION   "This object enables/disables DHCP option 12
                  that allows for sending of the system hostname in DHCP
                  packets. By default, this object is set to be disabled.
                  Setting this flag to 'enabled' results in the inclusion
                  of system hostname in DHCP packets."
    DEFVAL        {disabled}
    ::= {hpicfDhcpClientOptions 2}

Configuring an IP helper address

To add the IP address of a DHCP server for a specified VLAN on a routing switch, enter the ip helper-address command at the VLAN configuration level as in the following example:

HP Switch(config)# vlan 1
HP Switch(vlan-1)# ip helper-address <ip-addr>

To remove the DHCP server helper address, enter the no form of the command:

HP Switch(vlan-1)# no ip helper-address <ip-addr>

Operating notes

  • You can configure up to 4000 IP helper addresses on a routing switch. The helper addresses are shared between the DHCP relay agent and UDP forwarder feature.

  • A maximum of sixteen IP helper addresses is supported in each VLAN.

Verifying the DHCP relay configuration

Viewing the DHCP relay setting

Use the show config command (or show running for the running-config file) to display the current DHCP relay setting.



NOTE: The DHCP relay and hop count increment settings appear in the show config command output only if the non-default values are configured.


Displaying startup configuration with DHCP relay disabled

HP Switch# show config
Startup configuration:
; J9726A Configuration Editor; Created on release #xx.15.xx
hostname "HP Switch"
cdp run
module 1 type J9726A
ip default-gateway 18.30.240.1
snmp-server community "public" Unrestricted
vlan 1
  name "DEFAULT_VLAN"
  untagged A1
  ip address 18.30.240.180 255.255.248.0
  no untagged A2-A24
  exit
no dhcp-relay

The no dhcp-relay line in this output is the non-default DHCP relay setting.

Viewing DHCP helper addresses

To display the list of currently configured IP Helper addresses for a specified VLAN on the switch, enter the show ip helper-address vlan command.

Syntax:

show ip helper-address [vlan <vlan-id>]

Displays the IP helper addresses of DHCP servers configured for all static VLANS in the switch or on a specified VLAN, regardless of whether the DHCP relay feature is enabled. The vlan <vlan-id> parameter specifies a VLAN ID number.

The following command lists the currently configured IP Helper addresses for VLAN 1.

Displaying IP helper addresses

HP Switch(config)# show ip helper-address vlan 1

 IP Helper Addresses

  IP Helper Address
  -----------------
  10.28.227.97
  10.29.227.53

DHCP Option 82

Option 82 is called the relay agent information option and is inserted by the DHCP relay agent when forwarding client-originated DHCP packets to a DHCP server. Servers recognizing the relay agent information option may use the information to implement IP address or other parameter assignment policies. The DHCP server echoes the option back verbatim to the relay agent in server-to-client replies, and the relay agent strips the option before forwarding the reply to the client.

The relay agent information option is organized as a single DHCP option that contains one or more suboptions that convey information known by the relay agent. The initial suboptions are defined for a relay agent that is co-located in a public circuit access unit. These include a circuit ID for the incoming circuit and a remote ID that provides a trusted identifier for the remote high-speed modem.

The routing switch can operate as a DHCP relay agent to enable communication between a client and a DHCP server on a different subnet. Without Option 82, DHCP operation modifies client IP address request packets to the extent needed to forward the packets to a DHCP server. Option 82 enhances this operation by enabling the routing switch to append an Option 82 field to such client requests. This field includes two suboptions for identifying the routing switch (by MAC address or IP address) and the routing switch port the client is using to access the network. A DHCP server with Option 82 capability can read the appended field and use this data as criteria for selecting the IP addressing it will return to the client through the usual DHCP server response packet. This operation provides several advantages over DHCP without Option 82:

  • An Option 82 DHCP server can use a relay agent's identity and client source port information to administer IP addressing policies based on client and relay agent location within the network, regardless of whether the relay agent is the client's primary relay agent or a secondary agent.

  • A routing switch operating as a primary Option 82 relay agent for DHCP clients requesting an IP address can enhance network access protection by blocking attempts to use an invalid Option 82 field to imitate an authorized client, or by blocking attempts to use response packets with missing or invalid Option 82 suboptions to imitate valid response packets from an authorized DHCP server.

  • An Option 82 relay agent can also eliminate unnecessary broadcast traffic by forwarding an Option 82 DHCP server response only to the port on which the requesting client is connected, instead of broadcasting the DHCP response to all ports on the VLAN.



NOTE: The routing switch's DHCP relay information (Option 82) feature can be used in networks where the DHCP servers are compliant with RFC 3046 Option 82 operation. DHCP servers that are not compliant with Option 82 operation ignore Option 82 fields. For information on configuring an Option 82 DHCP server, see the documentation provided with the server application.

Some client applications can append an Option 82 field to their DHCP requests; see the documentation provided for your client application.


It is not necessary for all relay agents on the path between a DHCP client and the server to support Option 82, and a relay agent without Option 82 should forward DHCP packets regardless of whether they include Option 82 fields. However, Option 82 relay agents should be positioned at the DHCP policy boundaries in a network to provide maximum support and security for the IP addressing policies configured in the server.

Option 82 server support

To apply DHCP Option 82, the routing switch must operate in conjunction with a server that supports Option 82. (DHCP servers that do not support Option 82 typically ignore Option 82 fields.) Also, the routing switch applies Option 82 functionality only to client request packets being routed to a DHCP server. DHCP relay with Option 82 does not apply to switched (non-routed) client requests.

For information on configuring policies on a server running DHCP Option 82, see the documentation provided for that application.

Example of a DHCP Option 82 application


General DHCP Option 82 requirements and operation

Requirements

DHCP Option 82 operation is configured at the global config level and requires the following:

  • IP routing enabled on the switch

  • DHCP-relay option 82 enabled (global command level)

  • Routing switch access to an Option 82 DHCP server on a different subnet than the clients requesting DHCP Option 82 support

  • One IP helper address configured on each VLAN supporting DHCP clients

General DHCP-relay operation with Option 82

Typically, the first (primary) Option 82 relay agent to receive a client's DHCP request packet appends an Option 82 field to the packet and forwards it toward the DHCP server identified by the IP helper address configured on the VLAN in which the client packet was received. Other, upstream relay agents used to forward the packet may append their own Option 82 fields, replace the Option 82 fields they find in the packet, forward the packet without adding another field, or drop the packet. (Intermediate next-hop routing switches without Option 82 capability can be used to forward—route—client request packets with Option 82 fields.) Response packets from an Option 82 server are routed back to the primary relay agent (routing switch) and include an IP addressing assignment for the requesting client and an exact copy of the Option 82 data the server received with the client request. The relay agent strips off the Option 82 data and forwards the response packet out the port indicated in the response as the Circuit ID (client access port.) Under certain validation conditions described later in this section, a relay agent detecting invalid Option 82 data in a response packet may drop the packet.

Example of DHCP Option 82 operation in a network with a non-compliant relay agent


Option 82 field content

The remote ID and circuit ID subfields comprise the Option 82 field a relay agent appends to client requests. A DHCP server configured to apply a different IP addressing policy to different areas of a network uses the values in these subfields to determine which DHCP policy to apply to a given client request.

Remote ID

Remote ID is a configurable subfield that identifies a policy area that comprises either the routing switch as a whole (by using the routing switch MAC address) or an individual VLAN configured on the routing switch (by using the IP address of the VLAN receiving the client request.)

  • Use the IP address option if the server will apply different IP addressing policies to DHCP client requests from ports in different VLANs on the same routing switch.

  • Use the Management VLAN option if a management VLAN is configured and you want all DHCP clients on the routing switch to use the same IP address. (This is useful if you are applying the same IP addressing policy to DHCP client requests from ports in different VLANs on the same routing switch.) Configuring this option means the management VLAN's IP address appears in the remote ID subfield of all DHCP requests originating with clients connected to the routing switch, regardless of the VLAN on which the requests originate.

  • Use the MAC address option if, on a given routing switch, it does not matter to the DHCP server which VLAN is the source of a client request (that is, use the MAC address option if the IP addressing policies supported by the target DHCP server do not distinguish between client requests from ports in different VLANs in the same routing switch.)

To view the MAC address for a given routing switch, execute the show system-information command in the CLI.

Using the CLI to view the switch MAC address

HP Switch(config)# show system information

Status and Counters - General System Information

System Name        : HP Switch
System Contact     :
System Location    :

MAC Age Time (sec) : 300

Time Zone          : 0
Daylight Time Rule : None


Software revision : xx.15.xx     Base MAC Addr     : 0026f1-152e10
ROM Version       : xx.15.xx     Serial Number     : CN9458Q011
Allow V1 Modules  : Yes

Up Time           : 68 mins       Memory  - Total  : 58,720,256
CPU Util (%)      : 5                       Free   : 39,500,456

IP Mgmt - Pkts Rx : 28,959        Packet  - Total  : 3022
          Pkts Tx : 1340          Buffers   Free   : 2902
                                            Lowest : 2742
                                            Missed : 0

Circuit ID

Circuit ID is a nonconfigurable subfield that identifies the port number of the physical port through which the routing switch received a given DHCP client request. You need to know this value if you want to configure an Option 82 DHCP server to use the Circuit ID to select a DHCP policy to assign to clients connected to the port. This number is the identity of the inbound port. On HP fixed-port switches, the port number used for the circuit ID is always the same as the physical port number shown on the front of the switch. On HP chassis switches, where a dedicated, sequential block of internal port numbers is reserved for each slot, regardless of whether a slot is occupied, the circuit ID for a given port is the sequential index number for that port position in the slot. (To view the index number assignments for ports in the routing switch, use the walkmib ifname command.)

For example, the Circuit ID for port 11 on an HP switch is “11”.

Using walkmib to determine the Circuit ID for a port on an HP chassis

HP Switch(config)# walkmib ifname
ifName.1 = 1
ifName.2 = 2
ifName.3 = 3
ifName.4 = 4
ifName.5 = 5
ifName.6 = 6
ifName.7 = 7
ifName.8 = 8
ifName.9 = 9
ifName.10 = 10
ifName.11 = 11
ifName.12 = 12

For example, suppose you want port 10 on a given relay agent to support no more than five DHCP clients simultaneously. You can configure the server to allow only five IP addressing assignments at any one time for the circuit ID (port) and remote ID (MAC address) corresponding to port 10 on the selected relay agent.

Similarly, if you want to define specific ranges of addresses for clients on different ports in the same VLAN, you can configure the server with the range of IP addresses allowed for each circuit ID (port) associated with the remote ID (IP address) for the selected VLAN.

Forwarding policies

DHCP Option 82 on HP switches offers four forwarding policies, with an optional validation of server responses for three of the policy types (append, replace, or drop.)

Configuration options for managing DHCP client request packets

The following entries describe, for each Option 82 configuration, how the routing switch handles a DHCP client request packet inbound to the routing switch.

Keep

  • Packet has no Option 82 field: Append an Option 82 field.

  • Packet includes an Option 82 field: If the relay agent receives a client request that already has one or more Option 82 fields, keep causes the relay agent to retain such fields and forward the request without adding another Option 82 field. But if the incoming client request does not already have any Option 82 fields, the relay agent appends an Option 82 field before forwarding the request. Some applications for keep include:

    • The DHCP server does not support multiple Option 82 packets in a client request, and there are multiple Option 82 relay agents in the path to the server.

    • The unusual case where DHCP clients in the network add their own Option 82 fields to their request packets, and you do not want any additional fields added by relay agents.

    This policy does not include the validate option (described in the next section) and allows forwarding of all server response packets arriving inbound on the routing switch (except those without a primary relay agent identifier.)

Replace

  • Packet has no Option 82 field: Append an Option 82 field.

  • Packet includes an Option 82 field: Replace replaces any existing Option 82 fields from downstream relay agents (and/or the originating client) with an Option 82 field for the current relay agent. Some applications for replace include:

    • The relay agent is located at a point in the network that is a DHCP policy boundary, and you want to replace any Option 82 fields appended by downstream devices with an Option 82 field from the relay agent at the boundary. (This eliminates downstream Option 82 fields you do not want the server to use when determining which IP addressing policy to apply to a client request.)

    • In applications where the routing switch is the primary relay agent for clients that may append their own Option 82 field, you can use replace to delete these fields if you do not want them included in client requests reaching the server.

Drop

  • Packet has no Option 82 field: Append an Option 82 field.

  • Packet includes an Option 82 field: Drop causes the routing switch to drop an inbound client request with an Option 82 field already appended. If no Option 82 fields are present, drop causes the routing switch to add an Option 82 field and forward the request. As a general guideline, configure drop on relay agents at the edge of a network, where an inbound client request with an appended Option 82 field may be unauthorized, a security risk, or for some other reason, should not be allowed.

Multiple Option 82 relay agents in a client request path

Where the client is one router hop away from the DHCP server, only the Option 82 field from the first (and only) relay agent is used to determine the policy boundary for the server response. Where there are multiple Option 82 router hops between the client and the server, you can use different configuration options on different relay agents to achieve the results you want. This includes configuring the relay agents so that the client request arrives at the server with either one Option 82 field or multiple fields. (Using multiple Option 82 fields assumes that the server supports multiple fields and is configured to assign IP addressing policies based on the content of multiple fields.)

Example configured to allow only the primary relay agent to contribute an Option 82 field


The above combination allows for detection and dropping of client requests with spurious Option 82 fields. If none are found, the drop policy on the first relay agent adds an Option 82 field, which is then kept unchanged over the next two relay agent hops ("B" and "C".) The server can then enforce an IP addressing policy based on the Option 82 field generated by the edge relay agent ("A".) In this example, the DHCP policy boundary is at relay agent 1.

Example configured to allow multiple relay agents to contribute an Option 82 field


This is an enhancement of the previous example. In this case, each hop for an accepted client request adds a new Option 82 field to the request. A DHCP server capable of using multiple Option 82 fields can be configured to use this approach to keep a more detailed control over leased IP addresses. In this example, the primary DHCP policy boundary is at relay agent "A," but more global policy boundaries can exist at relay agents "B" and "C."

Example allowing only an upstream relay agent to contribute an Option 82 field


Like the first example, above, this configuration drops client requests with spurious Option 82 fields from clients on the edge relay agent. However, in this case, only the Option 82 field from the last relay agent is retained for use by the DHCP server. In this case the DHCP policy boundary is at relay agent "C." In the previous two examples the boundary was with relay "A."

Validation of server response packets

A valid Option 82 server response to a client request packet includes a copy of the Option 82 fields the server received with the request. With validation disabled, most variations of Option 82 information are allowed, and the corresponding server response packets are forwarded.

Server response validation is an option you can specify when configuring Option 82 DHCP for append, replace, or drop operation. See Forwarding policies. Enabling validation on the routing switch can enhance protection against DHCP server responses that are either from untrusted sources or are carrying invalid Option 82 information.

With validation enabled, the relay agent applies stricter rules to variations in the Option 82 fields of incoming server responses to determine whether to forward the response to a downstream device or to drop the response due to invalid (or missing) Option 82 information. Relay agent management of DHCP server response packets describes relay agent management of DHCP server responses with optional validation enabled and disabled.

Relay agent management of DHCP server response packets

Each entry below gives the response packet content, followed by the relay agent action for each Option 82 configuration, with validation enabled on the relay agent and with validation disabled (the default).

Valid DHCP server response packet without an Option 82 field.

  • replace or drop[a]
    Validation enabled: Drop the server response packet.
    Validation disabled (the default): Forward server response packet to a downstream device.

  • keep[b]
    Validation enabled: Forward server response packet to a downstream device.
    Validation disabled (the default): Forward server response packet to a downstream device.

The server response packet carries data indicating a given routing switch is the primary relay agent for the original client request, but the associated Option 82 field in the response contains a remote ID and circuit ID combination that did not originate with the given relay agent.

  • replace or drop[a]
    Validation enabled: Drop the server response packet.
    Validation disabled (the default): Drop the server response packet.

  • keep[b]
    Validation enabled: Forward server response packet to a downstream device.
    Validation disabled (the default): Forward server response packet to a downstream device.

The server response packet carries data indicating a given routing switch is the primary relay agent for the original client request, but the associated Option 82 field in the response contains a Remote ID that did not originate with the relay agent.

  • replace or drop[a]
    Validation enabled: Drop the server response packet.
    Validation disabled (the default): Drop the server response packet.

  • keep[b]
    Validation enabled: Forward server response packet to a downstream device.
    Validation disabled (the default): Forward server response packet to a downstream device.

All other server response packets[c]

  • keep[b], replace, or drop[a]
    Validation enabled: Forward server response packet to a downstream device.
    Validation disabled (the default): Forward server response packet to a downstream device.

[a] Drop is the recommended choice because it protects against an unauthorized client inserting its own Option 82 field for an incoming request.

[b] A routing switch with DHCP Option 82 enabled with the keep option forwards all DHCP server response packets except those that are not valid for either Option 82 DHCP operation (compliant with RFC 3046) or DHCP operation without Option 82 support (compliant with RFC 2131.)

[c] A routing switch with DHCP Option 82 enabled drops an inbound server response packet if the packet does not have any device identified as the primary relay agent (giaddr=null; see RFC 2131.)
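
The client-request handling described under Forwarding policies (keep, replace, drop) and the server-response rules listed above, modeled as an added example in Python; it is not code from HP or from this guide. The RelayAgent class, its method names, the 2-byte circuit ID encoding, and the sample addresses are assumptions made for illustration, and the append policy is left out because the entries above give no row for it.

```python
import struct

PAD, RELAY_INFO, END = 0, 82, 255   # DHCP option codes (RFC 2132, RFC 3046)
CIRCUIT_ID, REMOTE_ID = 1, 2        # Option 82 suboption codes (RFC 3046)

def tlvs(raw, top_level=True):
    """Split code/length/value records; pad and end codes exist only at top level."""
    out, i = [], 0
    while i < len(raw):
        code = raw[i]
        if top_level and code == END:
            break
        if top_level and code == PAD:
            i += 1
            continue
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated option %d" % code)
        out.append((code, raw[i + 2:i + 2 + raw[i + 1]]))
        i += 2 + raw[i + 1]
    return out

def encode(records, end=True):
    body = b"".join(bytes([code, len(value)]) + value for code, value in records)
    return body + (bytes([END]) if end else b"")

class RelayAgent:
    """Hypothetical model of one Option 82 relay agent (not HP's implementation)."""

    def __init__(self, policy, validate, remote_id, giaddrs, ports):
        if policy not in ("keep", "replace", "drop"):
            raise ValueError("unsupported policy: %r" % policy)
        self.policy = policy
        self.validate = validate and policy != "keep"   # keep has no validate option
        self.remote_id = remote_id    # switch MAC or VLAN IP, as raw bytes
        self.giaddrs = set(giaddrs)   # IP addresses of this switch's VLAN interfaces
        self.ports = set(ports)       # port index numbers usable as circuit IDs

    def own_field(self, port):
        # Assumption: the circuit ID is carried as a 2-byte big-endian port index.
        return encode([(CIRCUIT_ID, struct.pack("!H", port)),
                       (REMOTE_ID, self.remote_id)], end=False)

    def origin_port(self, options):
        """Port named by an Option 82 field that this agent generated, else None."""
        for code, value in tlvs(options):
            if code != RELAY_INFO:
                continue
            subs = dict(tlvs(value, top_level=False))
            cid = subs.get(CIRCUIT_ID, b"")
            if subs.get(REMOTE_ID) == self.remote_id and len(cid) == 2:
                port = struct.unpack("!H", cid)[0]
                if port in self.ports:
                    return port
        return None

    def handle_request(self, options, in_port):
        """Client request: return the options field to forward, or None to drop."""
        records = tlvs(options)
        present = any(code == RELAY_INFO for code, _ in records)
        if present and self.policy == "drop":
            return None                    # field arrived from the client side
        if present and self.policy == "keep":
            return options                 # forward as-is
        records = [r for r in records if r[0] != RELAY_INFO]   # replace old fields
        return encode(records + [(RELAY_INFO, self.own_field(in_port))])

    def handle_response(self, giaddr, options):
        """Server response: return ("forward", egress port or None) or ("drop", why)."""
        if giaddr == "0.0.0.0":
            return ("drop", "no primary relay agent (giaddr null)")
        if giaddr not in self.giaddrs:
            return ("forward", None)       # another agent is the primary relay
        try:
            has_field = any(code == RELAY_INFO for code, _ in tlvs(options))
            port = self.origin_port(options)
        except ValueError:
            return ("drop", "malformed options")
        if self.policy == "keep" or port is not None:
            return ("forward", port)
        if not has_field:
            return ("drop", "Option 82 missing") if self.validate else ("forward", None)
        return ("drop", "Option 82 did not originate with this relay agent")

# Constructed sample data: the base MAC from the show system information output
# as remote ID, one VLAN interface address, and a 24-port switch.
MAC = bytes.fromhex("0026f1152e10")
edge = RelayAgent("drop", True, MAC, {"10.29.10.1"}, range(1, 25))
discover = bytes([53, 1, 1, END])                      # DHCPDISCOVER, no Option 82
forwarded = edge.handle_request(discover, in_port=10)  # Option 82 added for port 10
spoofed = encode([(53, b"\x01"), (RELAY_INFO, edge.own_field(3))])   # client-made field
offer = encode([(53, b"\x02"), (RELAY_INFO, edge.own_field(10))])    # server echo

if __name__ == "__main__":
    print("forwarded options:", forwarded.hex())
    print("spoofed request  :", edge.handle_request(spoofed, in_port=10))
    print("echoed response  :", edge.handle_response("10.29.10.1", offer))
```

With drop configured at the edge, the request that already carries an Option 82 field never reaches the server, and the echoed response is forwarded only to the port named in the circuit ID.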

Multinetted VLANs

On a multinetted VLAN, each interface can form an Option 82 policy boundary within that VLAN if the routing switch is configured to use IP for the remote ID suboption. That is, if the routing switch is configured with IP as the remote ID option and a DHCP client request packet is received on a multinetted VLAN, the IP address used in the Option 82 field will identify the subnet on which the packet was received instead of the IP address for the VLAN. This enables an Option 82 DHCP server to support more narrowly defined DHCP policy boundaries instead of defining the boundaries at the VLAN or whole routing switch levels. If the MAC address option (the default) is configured instead, the routing switch MAC address will be used regardless of which subnet was the source of the client request. (The MAC address is the same for all VLANs configured on the routing switch.)

All request packets from DHCP clients in the different subnets in the VLAN must be able to reach any DHCP server identified by the IP helper addresses configured on that VLAN.

Configuring Option 82

For information on Option 82, see the sections beginning with DHCP Option 82.

To configure DHCP Option 82 on a routing switch, enter the dhcp-relay option 82 command.

Syntax:

dhcp-relay option 82 <replace[validate]|drop[validate]|keep> [ip|mac|mgmt-vlan]

replace

Configures the switch to replace existing Option 82 fields in an inbound client DHCP packet with an Option 82 field for the switch.

The replacement Option 82 field includes the switch circuit ID (inbound port number*) associated with the client DHCP packet and the switch remote ID. The default switch remote ID is the MAC address of the switch on which the packet was received from the client.

To use the incoming VLAN's IP address or the Management VLAN IP address (if configured) for the remote ID instead of the switch MAC address, use the ip or mgmt-vlan option (below).

drop

Configures the routing switch to unconditionally drop any client DHCP packet received with existing Option 82 fields. This means that such packets will not be forwarded. Use this option where access to the routing switch by untrusted clients is possible.

If the routing switch receives a client DHCP packet without an Option 82 field, it adds an Option 82 field to the client and forwards the packet. The added Option 82 field includes the switch circuit ID (inbound port number*) associated with the client DHCP packet and the switch remote ID. The default switch remote ID is the MAC address of the switch on which the packet was received from the client.

To use the incoming VLAN's IP address or the Management VLAN IP address (if configured) for the remote ID instead of the switch MAC address, use the ip or mgmt-vlan option (below).

keep

For any client DHCP packet received with existing Option 82 fields, configures the routing switch to forward the packet as-is, without replacing or adding to the existing Option 82 fields.

validate

Operates when the routing switch is configured with append, replace, or drop as a forwarding policy. With validate enabled, the routing switch applies stricter rules to an incoming Option 82 server response to determine whether to forward or drop the response. For more information, see Validation of server response packets.

[ip|mac|mgmt-vlan]

Specifies the remote ID suboption that the switch uses in Option 82 fields added or appended to DHCP client packets. The type of remote ID defines DHCP policy areas in the client requests sent to the DHCP server. If a remote ID suboption is not configured, the routing switch defaults to the mac option. See Option 82 field content.

  • ip: Specifies the IP address of the VLAN on which the client DHCP packet enters the switch.

  • mac: Specifies the routing switch's MAC address. (The MAC address used is the same MAC address that is assigned to all VLANs configured on the routing switch.) This is the default setting.

  • mgmt-vlan: Specifies the IP address of the (optional) management VLAN configured on the routing switch. Requires that a management VLAN is already configured on the switch. If the management VLAN is multinetted, the primary IP address configured for the management VLAN is used for the remote ID.

If you enter the dhcp-relay option 82 command without specifying either ip or mac, the MAC address of the switch on which the packet was received from the client is configured as the remote ID. For information about the remote ID values used in the Option 82 field appended to client requests, see Option 82 field content.

Example of Option 82 configuration

In the routing switch shown below, option 82 has been configured with mgmt-vlan for the remote ID.

HP Switch(config)# dhcp-relay option 82 append mgmt-vlan

The resulting effect on DHCP operation for clients X, Y, and Z is shown in DHCP operation for the topology in Figure 13.

DHCP Option 82 when using the management VLAN as the remote ID sub-option


DHCP operation for the topology in DHCP Option 82 when using the management VLAN as the remote ID sub-option

Client   Remote ID    giaddr[*]    DHCP server
X        10.38.10.1   10.39.10.1   A only
Y        10.38.10.1   10.29.10.1   B or C
Z        10.38.10.1   10.15.10.1   B or C

Client X: If a DHCP client is in the management VLAN, its DHCP requests can go only to a DHCP server that is also in the management VLAN. Routing to other VLANs is not allowed.

Client Y: Clients outside of the management VLAN can send DHCP requests only to DHCP servers outside of the management VLAN. Routing to the management VLAN is not allowed.

[*] The IP address of the primary DHCP relay agent receiving a client request packet is automatically added to the packet, and is identified as the giaddr (gateway interface address.) This is the IP address of the VLAN on which the request packet was received from the client. For more information, see RFC 2131 and RFC 3046.

Operating notes

  • This implementation of DHCP relay with Option 82 complies with the following RFCs:

    • RFC 2131

    • RFC 3046

  • Moving a client to a different port allows the client to continue operating as long as the port is a member of the same VLAN as the port through which the client received its IP address. However, rebooting the client after it moves to a different port can alter the IP addressing policy the client receives if the DHCP server is configured to provide different policies to clients accessing the network through different ports.

  • The IP address of the primary DHCP relay agent receiving a client request packet is automatically added to the packet, and is identified as the giaddr (gateway interface address.) (That is, the giaddr is the IP address of the VLAN on which the request packet was received from the client.) For more information, see RFC 2131 and RFC 3046.

  • DHCP request packets from multiple DHCP clients on the same relay agent port will be routed to the same DHCP servers. When using 802.1X on a switch, a port's VLAN membership may be changed by a RADIUS server responding to a client authentication request. In this case the DHCP servers accessible from the port may change if the VLAN assigned by the RADIUS server has different DHCP helper addresses than the VLAN used by unauthenticated clients.

  • Where multiple DHCP servers are assigned to a VLAN, a DHCP client request cannot be directed to a specific server. Thus, where a given VLAN is configured for multiple DHCP servers, all of these servers should be configured with the same IP addressing policy.

  • Where routing switch "A" is configured to insert its MAC address as the remote ID in the Option 82 fields appended to DHCP client requests, and upstream DHCP servers use that MAC address as a policy boundary for assigning an IP addressing policy, then replacing switch "A" makes it necessary to reconfigure the upstream DHCP servers to recognize the MAC address of the replacement switch. This does not apply in the case where an upstream relay agent "A" is configured with option 82 replace, which removes the Option 82 field originally inserted by switch "A."

  • Relay agents without Option 82 can exist in the path between Option 82 relay agents and an Option 82 server. The agents without Option 82 forward client requests and server responses without any effect on Option 82 fields in the packets.

  • If the routing switch cannot add an Option 82 field to a client's DHCP request because the message size exceeds the MTU size, the request is forwarded to the DHCP server without Option 82 data and an error message is logged in the switch's Event Log.

  • Because routing is not allowed between the Management VLAN and other VLANs, a DHCP server must be available in the management VLAN if clients in the management VLAN require a DHCP server.

  • If the Management VLAN IP address configuration changes after mgmt-vlan has been configured as the remote ID suboption, the routing switch dynamically adjusts to the new IP addressing for all future DHCP requests.

  • The Management VLAN and all other VLANs on the routing switch use the same MAC address.