Alright - Still banging my head over this one...
First of all, I ran the debug like WL asked. I did not get any "packet dropped for self but not interested" responses, but to be safe I went ahead and restructured the trusted network so it has an interface of it's own (no VLAN tagging). The other networks are still on an aggregated link, seperated into multiple VLAN tagged subinterfaces.
I also doublechecked the configuration of the scopes on the DHCP server to make sure I had not fat-fingered anything. Everything there appears to be correct.
On the VLAN subinterface DHCP page, I have tried both with the 'Use DMZ Zone Interface as Source for VPN' box checked, and unchecked. I am using no VPN tunnels in this config, so which way is the correct way to set this box?
The client (in VLAN 3) is now getting an IP address from the server, but it is an address from the Trusted network! The funny thing is that when that box is checked, the packet captures on the server side have no relay agent IP's in the forwarded DHCP packets. However, when the box is unchecked, the relay agent seems to pass both a version with the relay agent IP and one without it, which seems to cause all kinds of confusion and NACK responses. Both eventually give an IP address to the client from the trusted network's scope.
I have compiled 'debug dhcp all', 'debug flow basic', and packet captures from both the client and dhcp server sides for both the checked and unchecked options. I will post them here so you can have a look, each in it's own post (checked and unchecked) to keep things clear. To me, it looks like the ISG is improperly forwarding the DHCP packets with regard to stamping the packet with it's relay agent IP, and therefore the DHCP server can't figure out what scope to use in it's offer.
Message Edited by Vorcht on 01-14-2009 09:35 AM