BeginnerNetwork Troubleshooting 7 min read

How to Troubleshoot DHCP Assignment and Relay Issues

Master DHCP troubleshooting with real Cisco CLI commands and proven diagnostic steps.

Dynamic Host Configuration Protocol (DHCP) is critical for automatic IP address assignment in modern networks. When clients fail to obtain an address, connectivity breaks and troubleshooting becomes urgent. This guide walks you through a systematic approach to diagnosing DHCP issues, from verifying client-side configuration to inspecting DHCP server logs and relay agent settings. You will use real Cisco IOS commands like 'debug ip dhcp server packet', 'show ip dhcp binding', and 'show ip dhcp conflict' to isolate problems. Whether you are preparing for the CCNA or Network+ exam, or just need a practical reference, these steps will help you resolve the most common DHCP failures quickly.

1

Verify Client-Side DHCP Configuration

Start by checking if the client is configured to obtain an IP address automatically. On Windows, run 'ipconfig /all' and look for 'DHCP Enabled: Yes'. On Linux or macOS, use 'ifconfig' or 'ip addr' to confirm the interface is set to DHCP. If the client shows a 169.254.x.x address (APIPA), it means no DHCP server responded. Ensure the network cable is connected and the interface is not disabled. On Cisco switches, verify the port is in the correct VLAN and not err-disabled with 'show interfaces status'.

Windows / Linux / Cisco IOS
ipconfig /all
ifconfig eth0 | grep inet
show interfaces status | include Fa0/1

APIPA addresses (169.254.x.x) are a clear indicator of DHCP failure — always start here.

Do not manually assign a static IP during troubleshooting unless you know the subnet; it can cause conflicts.

2

Check DHCP Server Status and Pool Exhaustion

On a Cisco router acting as DHCP server, use 'show ip dhcp binding' to see active leases. If the pool is exhausted, no new clients can get addresses. Check 'show ip dhcp pool [pool-name]' to view utilization. On Windows Server, open the DHCP console and look at the 'Address Leases' folder. If the pool is full, increase the range or reduce lease time. Also verify the server is operational with 'show ip dhcp server statistics' to see total offers and declines.

Cisco IOS
show ip dhcp binding
show ip dhcp pool MYPOOL
show ip dhcp server statistics

A sudden spike in DHCP declines often indicates duplicate IPs — check for static assignments overlapping the pool.

Never delete a DHCP binding unless you are certain the client is offline; it can cause duplicate IP conflicts.

3

Inspect DHCP Relay Agent Configuration

If the DHCP server is on a different subnet, the relay agent (usually a router or Layer 3 switch) must forward DHCP broadcasts. On Cisco IOS, verify with 'show ip interface [interface] | include helper-address'. The 'ip helper-address' command must point to the DHCP server IP. Also check that 'ip forward-protocol udp 67' is enabled globally. On a Layer 3 switch, ensure the VLAN interface has the helper address configured. Without proper relay, clients in remote subnets will never reach the server.

Cisco IOS
show running-config | include helper-address
show ip interface Vlan10 | include helper
ip helper-address 192.168.1.10

Always verify the relay agent is on the same subnet as the clients — a common misconfiguration is placing it on the server side.

Do not use 'ip helper-address' on interfaces facing the DHCP server; it can cause broadcast loops.

4

Enable DHCP Debugging on the Router

For real-time insight, enable DHCP debugging on the Cisco router. Use 'debug ip dhcp server packet' to see every DHCP discover, offer, request, and ack. This shows exactly where the process fails — e.g., if the server sends an offer but the client never sends a request, the issue is likely on the client or network path. Use 'debug ip dhcp server events' for a less verbose view. Always limit debug output to a short time to avoid CPU overload. Disable with 'undebug all'.

Cisco IOS
debug ip dhcp server packet
debug ip dhcp server events
undebug all

Pipe debug output to a log file using 'terminal monitor' and 'logging buffered' to capture evidence for later analysis.

Debug commands are CPU-intensive — never run them on a production router during peak hours.

5

Check for DHCP Snooping and Port Security Issues

On switched networks, DHCP snooping can block DHCP messages from untrusted ports. Use 'show ip dhcp snooping binding' to see valid leases and 'show ip dhcp snooping statistics' for dropped packets. If a client port is untrusted, it will drop DHCP offers. Configure the port connecting to the DHCP server as trusted with 'ip dhcp snooping trust'. Also check port security — if the MAC address limit is exceeded, the port may shut down, preventing DHCP.

Cisco IOS
show ip dhcp snooping binding
show ip dhcp snooping statistics
interface GigabitEthernet0/1
 ip dhcp snooping trust

DHCP starvation attacks can exhaust the pool — enable DHCP snooping rate limiting with 'ip dhcp snooping limit rate 10'.

Never trust a port that connects to end users — only trust uplinks to DHCP servers or other switches.

6

Verify VLAN and Subnet Consistency

Ensure the client's VLAN matches the subnet defined in the DHCP pool. On a Cisco switch, use 'show vlan brief' to confirm the port is in the correct VLAN. Then check the DHCP pool configuration with 'show run | section ip dhcp pool'. The network statement must match the VLAN's subnet. For example, if VLAN 10 uses 192.168.10.0/24, the pool must also use that network. Mismatched subnets cause clients to receive IPs from the wrong range or no response at all.

Cisco IOS
show vlan brief
show running-config | section ip dhcp pool
ip dhcp pool VLAN10_POOL
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1

Use 'show ip interface brief' to quickly verify which VLANs have IP addresses assigned — a missing SVI means no gateway.

Changing a DHCP pool network while leases are active will orphan existing clients — clear leases first.

7

Test with a Static IP and Capture Traffic

As a final step, assign a static IP to the client within the same subnet to rule out Layer 2 issues. If the client can ping the gateway and DHCP server, the problem is DHCP-specific. Use Wireshark or tcpdump to capture DHCP traffic on the client: 'tcpdump -i eth0 port 67 or port 68 -vv'. Look for DHCP discover packets leaving the client and offers returning. If offers are seen but no request, the client may be ignoring the offer due to a firewall or misconfiguration.

Linux / Bash
tcpdump -i eth0 port 67 or port 68 -vv
ping 192.168.10.1
ping 192.168.1.10

On Windows, use 'netsh trace start capture=yes' and filter for DHCP traffic — it's built-in and requires no extra tools.

Static IP testing should be temporary — revert to DHCP immediately after testing to avoid address conflicts.

Key tips

  • Always start troubleshooting from the client side — APIPA addresses are the fastest indicator of DHCP failure.

  • Use 'show ip dhcp conflict' on Cisco routers to find IPs that were offered but declined due to duplicate detection.

  • On networks with multiple DHCP servers, ensure they do not overlap pools — use 'ip dhcp excluded-address' to reserve static ranges.

  • DHCP relay requires 'ip forward-protocol udp 67' globally — without it, helper addresses will not forward broadcasts.

  • Enable DHCP logging on Windows Server via the DHCP audit log (C:\Windows\System32\dhcp) to track all transactions.

  • When using DHCP snooping, always verify the trusted port configuration — a common mistake is forgetting to trust the server port.

Frequently asked questions

What does an APIPA address (169.254.x.x) indicate?

An APIPA address means the client sent DHCP discover packets but received no response. This typically indicates the DHCP server is unreachable, the relay agent is misconfigured, or the server pool is exhausted. The client self-assigns an address in the 169.254.0.0/16 range as a fallback.

How do I fix a DHCP pool exhaustion issue?

First, check active leases with 'show ip dhcp binding' and identify unused ones. You can clear stale leases with 'clear ip dhcp binding *'. Then either increase the pool size by expanding the network range or reduce the lease time to recycle addresses faster. Also consider adding a second DHCP server for load balancing.

Why is my DHCP relay not working?

Common causes include: the 'ip helper-address' is missing on the correct VLAN interface, 'ip forward-protocol udp 67' is not enabled globally, or the relay agent is on the wrong subnet. Verify the helper address points to the DHCP server and that the relay interface is in the client's VLAN.

What is DHCP snooping and how does it affect troubleshooting?

DHCP snooping is a security feature that filters DHCP messages based on port trust levels. If a client port is untrusted, it will drop DHCP offers from the server. During troubleshooting, check 'show ip dhcp snooping statistics' for dropped packets and ensure the server-facing port is configured as trusted.

Can a firewall block DHCP traffic?

Yes, firewalls between the client and server can block UDP ports 67 and 68. Ensure these ports are allowed in both directions. On Windows Firewall, DHCP traffic is usually allowed by default, but third-party firewalls or network ACLs may need explicit rules. Use tcpdump or Wireshark to confirm packets are reaching the server.

Related glossary terms

Browse full glossary →

Practice with real exam questions

Apply what you just learned with exam-style practice questions.

Related guides