In many enterprise networks, DHCP servers are centralized for manageability, but client subnets are distributed across many VLANs. Without a DHCP relay agent, each VLAN would need its own DHCP server or a router configured as a DHCP server — an administrative nightmare. The Cisco CCNA 200-301 exam (Objective 4.3) tests your ability to configure and troubleshoot DHCP relay, ensuring that clients in remote subnets can obtain IP addresses from a central server. Understanding this feature is critical for real-world network engineering, as it directly impacts IP address allocation and network scalability.
Imagine a large university campus with multiple buildings (subnets). Each building has its own mailroom (a DHCP relay agent, typically the router interface facing that building). The central post office (DHCP server) is located in the administration building and handles all mail (IP address assignments). When a student in the Science building wants to send a letter to request a new mailbox (DHCPDISCOVER), they drop it in their local mailroom. The mailroom clerk (relay agent) knows that the Science building's return address (giaddr field) is, say, 10.1.1.0/24. The clerk cannot deliver the letter directly to the central post office because the post office is on a different street (different subnet). So the clerk writes the Science building's return address on the envelope (sets giaddr to the router's IP address on that subnet) and forwards the letter to the central post office via the campus internal mail system (unicast to the DHCP server). The central post office receives the letter, sees the return address, and knows which building the student is in. It prepares a new mailbox assignment (DHCPOFFER) and sends it back to the Science building's mailroom (unicast to the relay agent). The mailroom clerk then broadcasts the offer within the Science building so the student can claim it. This process repeats for the DHCPREQUEST and DHCPACK. The key mechanism is that the relay agent inserts its own IP address (the gateway of the client's subnet) into the DHCP packet so the server can reply appropriately, and it also forwards replies back as unicast or broadcast as needed. Without the relay agent, the student's broadcast would never leave the Science building, and the central post office would never know about the request.
What is DHCP Relay and Why Does It Exist?
DHCP (Dynamic Host Configuration Protocol) is the standard method for assigning IP addresses, subnet masks, default gateways, and other network parameters to clients. The protocol operates using four messages: DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, and DHCPACK. By default, these messages are broadcast (although DHCPOFFER and DHCPACK can be unicast). Broadcasts are typically confined to a single subnet (Layer 2 broadcast domain). This presents a problem: if you have multiple VLANs/subnets, you would either need a DHCP server in each VLAN or configure the router to act as a DHCP server for each subnet. Neither is scalable.
DHCP relay (defined in RFC 1542, updated by RFC 2131) solves this. A relay agent is a network device (usually a router or Layer 3 switch) that listens for DHCP broadcast messages on a subnet and forwards them as unicast to a configured DHCP server located on a different subnet. The relay agent also forwards the server's replies back to the client. This allows a single DHCP server to serve multiple subnets.
How DHCP Relay Works: Step-by-Step Packet Flow
1. Client sends DHCPDISCOVER (broadcast)
- Source MAC: client MAC
- Destination MAC: FF:FF:FF:FF:FF:FF
- Source IP: 0.0.0.0 (client has no IP yet)
- Destination IP: 255.255.255.255 (broadcast)
- The packet is broadcast on the local subnet.
2. Relay agent receives the broadcast on its interface
- The router (or L3 switch) has an IP address on that subnet (e.g., 192.168.1.1/24).
- The router's interface is configured with the ip helper-address <server-ip> command.
- The router intercepts the DHCP broadcast (it does NOT forward the broadcast as-is; it transforms it).
3. Relay agent creates a unicast DHCP message
- The router changes the destination IP to the DHCP server's IP (e.g., 10.10.10.5).
- The source IP becomes the router's IP address on the client's subnet (192.168.1.1).
- The router sets the giaddr (Gateway IP Address) field in the DHCP packet to 192.168.1.1 (the router's IP on that subnet). This is critical: the server uses giaddr to determine which subnet the client is in.
- The router forwards the packet as unicast to the server.
4. DHCP server receives the unicast DHCPDISCOVER
- The server sees giaddr = 192.168.1.1. It selects an IP address from the pool configured for subnet 192.168.1.0/24.
- The server creates a DHCPOFFER with:
  - Destination IP: 192.168.1.1 (the relay agent)
  - Source IP: server's IP (10.10.10.5)
  - giaddr: 192.168.1.1 (unchanged)
  - Offered IP: e.g., 192.168.1.100
  - Client MAC: client's MAC (from the original request)
- The server sends the unicast DHCPOFFER to the relay agent.
5. Relay agent receives the DHCPOFFER
- The router checks the giaddr to confirm it is for a subnet it serves.
- The router must deliver the offer to the client. Since the client has no IP yet, the router broadcasts the DHCPOFFER on the client's subnet (or unicasts it if the client already has an IP, but typically it broadcasts).
- The router sets destination MAC to broadcast (FF:FF:FF:FF:FF:FF) and destination IP to 255.255.255.255.
- The client receives the offer.
6. Client sends DHCPREQUEST (broadcast)
- The client broadcasts a DHCPREQUEST to accept the offer.
- The relay agent again intercepts, sets giaddr, and unicasts to the server.
7. Server sends DHCPACK (unicast to relay)
- The server acknowledges with a unicast to the relay agent.
- The relay agent broadcasts the DHCPACK on the client's subnet.
- The client configures its IP address.
Key Fields and Timers
giaddr: The relay agent's IP address on the client's subnet. The server uses this to select the correct IP pool. If giaddr is 0.0.0.0, the server assumes the client is on the same subnet.
hops: A counter incremented by each relay agent. Default is 0; relay sets to 1. If hops exceeds a threshold (default 4 on Cisco routers), the packet is dropped to prevent loops.
secs: Elapsed time since client started DHCP process. Not used by relay but passed through.
BootP flags: The broadcast flag (bit 0) indicates whether the client can accept unicast replies. If set to 1, the client expects broadcast replies. The relay agent must respect this flag.
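The relay and server steps above, traced on the fixed BOOTP header fields as an added example (not code from the original page). The function names, MAC address and xid are constructed for illustration, the addresses reuse the page's 192.168.1.1 example, and DHCP options are omitted.

```python
import ipaddress
import struct

# Fixed BOOTP header up to chaddr: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr (44 bytes). sname/file/options follow.
FMT = "!BBBBIHH4s4s4s4s16s"
HDR_LEN = struct.calcsize(FMT)
NAMES = ("op", "htype", "hlen", "hops", "xid", "secs", "flags",
         "ciaddr", "yiaddr", "siaddr", "giaddr", "chaddr")
BROADCAST_FLAG = 0x8000   # most significant bit of the 16-bit flags field
MAX_HOPS = 4              # drop threshold as stated in the text above
ZERO = bytes(4)


def parse(packet):
    """Return the fixed header fields of a BOOTP/DHCP message as a dict."""
    return dict(zip(NAMES, struct.unpack(FMT, packet[:HDR_LEN])))


def build_discover(mac, xid, broadcast=True, hops=0):
    """Constructed client BOOTREQUEST: all addresses 0.0.0.0, giaddr unset."""
    flags = BROADCAST_FLAG if broadcast else 0
    hdr = struct.pack(FMT, 1, 1, 6, hops, xid, 0, flags,
                      ZERO, ZERO, ZERO, ZERO, mac.ljust(16, b"\0"))
    return hdr + bytes(192)   # zeroed sname + file; options omitted


def relay_request(packet, ingress_ip):
    """Relay step 3: bump hops, stamp giaddr, return the packet to unicast.

    Returns None when the hop threshold is exceeded (packet dropped).
    """
    f = parse(packet)
    f["hops"] += 1
    if f["hops"] > MAX_HOPS:
        return None
    if f["giaddr"] == ZERO:   # only the first relay sets giaddr
        f["giaddr"] = ipaddress.IPv4Address(ingress_ip).packed
    return struct.pack(FMT, *(f[n] for n in NAMES)) + packet[HDR_LEN:]


def select_pool(packet, pools, local_net):
    """Server step 4: choose the pool whose network contains giaddr."""
    giaddr = ipaddress.IPv4Address(parse(packet)["giaddr"])
    if giaddr == ipaddress.IPv4Address("0.0.0.0"):
        return local_net      # no relay involved: client is on the server's subnet
    for net in map(ipaddress.IPv4Network, pools):
        if giaddr in net:
            return str(net)
    return None               # no pool for that subnet: no offer


def reply_delivery(packet):
    """Relay step 5: the broadcast flag decides how the reply reaches the client."""
    return "broadcast" if parse(packet)["flags"] & BROADCAST_FLAG else "unicast"


if __name__ == "__main__":
    disc = build_discover(bytes.fromhex("020000aabbcc"), xid=0x1234ABCD)
    relayed = relay_request(disc, "192.168.1.1")
    pools = ["192.168.1.0/24", "192.168.10.0/24"]
    print(select_pool(relayed, pools, "10.10.10.0/24"), reply_delivery(relayed))
```

Calling `select_pool` on the unrelayed packet returns the server's local network, which is the "giaddr is 0.0.0.0" case described under Key Fields.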
IOS CLI Configuration and Verification
Configuration is simple: on the interface facing the clients, add the ip helper-address command.
```
interface GigabitEthernet0/1
 description Link to VLAN 10 clients
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 10.10.10.5
 no shutdown
```
You can configure multiple helper addresses if you have multiple DHCP servers for redundancy.
```
interface GigabitEthernet0/1
 ip helper-address 10.10.10.5
 ip helper-address 10.10.10.6
```
To verify that relay is working:
```
show ip interface GigabitEthernet0/1
```
Look for "Helper address is 10.10.10.5" in the output.
```
show ip dhcp relay information trust-all
```
To see real-time relay activity, use:
```
debug ip dhcp server packet
debug ip dhcp relay packet
```
Important: ip helper-address forwards not only DHCP but also other UDP broadcasts like TFTP, DNS, NetBIOS, and Time services by default. If you want to restrict which UDP ports are forwarded, use ip forward-protocol commands. For CCNA, focus on DHCP only.
Interaction with Related Protocols
DHCP Snooping: A security feature that prevents rogue DHCP servers. It works on switches and can be configured to trust relay agent packets. The relay agent's giaddr is used by DHCP snooping to validate the source.
Option 82 (Relay Agent Information Option): Adds the switch port and VLAN ID to the DHCP packet. Cisco switches can insert Option 82 when acting as relay (or as a DHCP snooping feature). This helps the server assign IPs based on port location. CCNA may touch on this, but the core relay mechanism is giaddr-based.
VLANs: The relay agent is typically the router-on-a-stick or Layer 3 switch interface configured with ip helper-address per VLAN interface (SVI).
Common Pitfalls
Forgetting to configure ip helper-address on the correct interface (the one facing clients).
The relay agent must have an IP address on the client's subnet; otherwise, giaddr will be incorrect.
If the DHCP server is on a different VLAN, ensure routing between the relay agent and server is working.
The relay agent's interface must be up/up; if the interface is down, relay won't work.
If the server receives requests without a giaddr, it will assign an IP from the wrong pool or fail.
Identify the client-facing interface
Determine which router or Layer 3 switch interface is directly connected to the subnet where DHCP clients reside. This is typically a VLAN interface (SVI) on a multilayer switch or a physical interface on a router. For example, if clients are in VLAN 10 with subnet 192.168.10.0/24, the interface is VLAN 10 (SVI) with IP 192.168.10.1. Ensure the interface is configured with an IP address and is in 'up/up' state using `show ip interface brief`.
Configure ip helper-address
Enter interface configuration mode and add the `ip helper-address <dhcp-server-ip>` command. For example: `interface Vlan10` then `ip helper-address 10.10.10.5`. This command tells the router to intercept DHCP broadcasts on this interface and forward them as unicast to the specified server. You can add multiple helper addresses for redundancy. Verify with `show ip interface Vlan10` and look for 'Helper address is 10.10.10.5'.
Ensure routing to the DHCP server
The relay agent must be able to reach the DHCP server's IP address. Check the routing table with `show ip route` to confirm there is a route (directly connected or static/dynamic) to the server's subnet. If the server is on a different network, you may need to configure a default route or a specific route. Without proper routing, the unicast DHCP messages from the relay agent will never reach the server.
Configure the DHCP server with appropriate pools
On the DHCP server (could be a Cisco router or a dedicated server), create IP pools for each subnet that will use relay. For the example, create a pool for 192.168.10.0/24. The server will use the giaddr field (192.168.10.1) to select the correct pool. On a Cisco router acting as server: `ip dhcp pool VLAN10_POOL` then `network 192.168.10.0 255.255.255.0` and `default-router 192.168.10.1`. Ensure the server's interface has an IP that the relay can reach.
Test and verify DHCP relay operation
Connect a DHCP client to the client subnet (e.g., plug a PC into a switch port in VLAN 10). The client should obtain an IP address from the configured pool. Use `show ip dhcp binding` on the server to see active leases. On the relay agent, use `debug ip dhcp relay packet` to see relayed packets. Ensure the client receives an IP within the correct subnet. If not, check giaddr by enabling `debug ip dhcp server packet` on the server to see the giaddr value.
Troubleshoot common issues
If clients are not getting IPs: (1) Verify `ip helper-address` is present on the correct interface. (2) Check that the relay agent's interface IP is in the same subnet as clients. (3) Ensure the DHCP server is reachable via ping. (4) Check that the server has a pool for the subnet matching giaddr. (5) Verify that the relay agent's interface is not configured with `no ip forward-protocol udp bootps` which would disable DHCP relay. (6) If using DHCP snooping, ensure the relay agent port is trusted.
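Several of these checks can be run offline against a saved configuration. The script below is an added example, not part of the original page: the running-config excerpt is constructed, and the function names, the approved-server list and the pool list are assumptions supplied by whoever runs the audit.

```python
import ipaddress
import re

# Constructed running-config excerpt (not taken from a real device).
SAMPLE = """\
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 10.10.10.5
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 10.10.10.5
 shutdown
!
interface GigabitEthernet0/0
 description Uplink toward DHCP server
 ip address 10.10.10.1 255.255.255.0
!
"""


def parse_interfaces(config):
    """Collect IP address, helper addresses and shutdown state per interface."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(
                m.group(1), {"ip": None, "helpers": [], "shutdown": False})
        elif cur is None or not line.startswith(" "):
            cur = None                       # left the interface stanza
        elif m := re.match(r" ip address (\S+) (\S+)$", line):
            cur["ip"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r" ip helper-address (\S+)$", line):
            cur["helpers"].append(m.group(1))
        elif line.strip() == "shutdown":
            cur["shutdown"] = True
    return ifaces


def audit(config, client_ifaces, servers, pools):
    """Return (interface, finding) pairs for the client-facing interfaces.

    servers: approved DHCP server IPs; pools: subnets the server has pools for.
    """
    ifaces = parse_interfaces(config)
    pool_nets = [ipaddress.IPv4Network(p) for p in pools]
    findings = []
    for name in client_ifaces:
        i = ifaces.get(name)
        if i is None or i["ip"] is None:
            findings.append((name, "no IP address: giaddr cannot be set"))
            continue
        if i["shutdown"]:
            findings.append((name, "interface is shutdown"))
        if not i["helpers"]:
            findings.append((name, "no ip helper-address"))
        for h in i["helpers"]:
            if h not in servers:             # helper points at an unapproved server
                findings.append((name, f"unexpected helper {h}"))
        if not any(i["ip"].ip in n for n in pool_nets):
            findings.append((name, f"no server pool covers giaddr {i['ip'].ip}"))
    return findings
```

For the sample, `audit(SAMPLE, ["Vlan10", "Vlan20", "Vlan30"], {"10.10.10.5", "10.10.10.6"}, ["192.168.10.0/24", "192.168.20.0/24"])` reports the missing helper on Vlan20 and both problems on Vlan30, and nothing for Vlan10.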
In a typical enterprise campus network, you might have a collapsed core design with a pair of multilayer switches acting as the distribution layer, each serving dozens of VLANs for different departments. For example, a company with 5000 employees might have VLANs for Engineering (10.1.1.0/24), Sales (10.1.2.0/24), and HR (10.1.3.0/24). Instead of deploying a DHCP server in each VLAN, the network engineer configures ip helper-address on each VLAN interface (SVI) on the distribution switch, pointing to a central DHCP server cluster (e.g., 10.10.10.5 and 10.10.10.6). This setup allows all clients to obtain IPs from a single management point, simplifying IP address management and reducing administrative overhead.
A common scale consideration is the number of relay agents. If you have hundreds of VLANs, each with a helper address, the DHCP server must handle the load. Using DHCP failover or server clustering ensures availability. Also, the relay agent's CPU may be impacted if there are many DHCP requests per second, but modern switches handle this easily.
Another real-world scenario is in a remote branch office. A branch router connects to the corporate WAN, and clients in the branch are on a local subnet (e.g., 192.168.100.0/24). The branch router is configured with ip helper-address pointing to the corporate DHCP server at headquarters. This avoids needing a separate DHCP server at each branch. However, if the WAN link goes down, clients cannot get IPs (unless a local DHCP server is configured as backup).
Misconfiguration can cause subtle issues. For example, if the relay agent's interface IP changes (e.g., after renumbering), the giaddr will be wrong, and the server will assign IPs from the wrong pool. Also, if the ip helper-address is accidentally removed during maintenance, clients on that VLAN will stop receiving IPs. In one real case, an engineer configured ip helper-address on the wrong VLAN interface, causing clients in VLAN 10 to get IPs from VLAN 20's pool, leading to duplicate IPs and routing issues. Always verify with show ip interface and DHCP bindings.
The CCNA 200-301 exam tests DHCP relay under Objective 4.3 (Configure and verify DHCP client and relay). The exam expects you to know:
The ip helper-address command syntax and where it is applied (interface configuration mode, on the interface facing clients).
The role of the giaddr field and why it is set to the relay agent's IP address.
That the relay agent forwards DHCP broadcasts as unicast to the server.
That the server uses giaddr to select the correct IP pool.
That you can configure multiple helper addresses for redundancy.
Common wrong answers and why candidates choose them:
1. "The relay agent forwards DHCP broadcasts as broadcasts to the server." This is wrong because the relay agent converts the broadcast to a unicast. Candidates often think the server must also receive a broadcast.
2. "The relay agent sets giaddr to the client's IP address." This is wrong because the client has no IP yet. Candidates confuse the client's current IP (0.0.0.0) with the gateway.
3. "The relay agent must be configured on the server-facing interface." This is wrong; it goes on the client-facing interface. Candidates think the server needs to be told about the relay.
4. "DHCP relay is only needed if the server is on a different VLAN." While true, the exam may present a scenario where the server is on the same VLAN but different subnet (still requires relay because broadcasts don't cross subnets).
Specific values and commands:
- The command is ip helper-address <server-ip> (no default).
- The default forwarded UDP ports are 67 (DHCP), 69 (TFTP), 53 (DNS), 137 (NetBIOS name), 138 (NetBIOS datagram), and 445 (NetBIOS session).
- To see helper addresses: show ip interface [interface].
- To debug: debug ip dhcp relay packet.
Decision rule for scenario questions:
If a question describes DHCP clients in one subnet and a DHCP server in another, and asks how to enable IP address assignment, the answer is to configure ip helper-address on the router interface facing the clients. If the question mentions that clients are getting IPs from the wrong subnet, suspect that the giaddr is incorrect (e.g., the relay agent's IP is not in the client's subnet). If the question asks about forwarding only DHCP (not other UDP), the answer is to use ip forward-protocol to disable other ports.
Calculation traps: None directly, but be aware of the broadcast flag: if the flag is 0, the relay can unicast the reply; if 1, it must broadcast. The exam may test this in the context of client capabilities.
DHCP relay allows a single DHCP server to serve multiple subnets by forwarding broadcast DHCP messages as unicast.
The 'ip helper-address' command is configured on the router interface facing DHCP clients.
The relay agent sets the giaddr field to its own IP address on the client's subnet, which the server uses to select the correct IP pool.
By default, 'ip helper-address' forwards DHCP, DNS, TFTP, and NetBIOS broadcasts.
Verification uses 'show ip interface' to confirm helper address configuration.
Debugging uses 'debug ip dhcp relay packet' on the relay agent.
Multiple helper addresses can be configured for redundancy.
The relay agent must have routing reachability to the DHCP server.
These come up on the exam all the time. Here's how to tell them apart.
DHCP Relay Agent
Requires no DHCP server configuration on the router; only 'ip helper-address'.
Forwards broadcasts as unicast to a remote server.
The server must be reachable via routing.
Scalable: one server can serve many subnets.
Adds a single point of failure if the server is unreachable.
DHCP Server (on the same subnet)
Requires 'ip dhcp pool' configuration on the router.
The router directly responds to broadcasts on the subnet.
No routing dependency; server is local.
Not scalable: each subnet needs its own server or pool, though these can be on the same device.
No external dependency; fully local.
Mistake
The relay agent forwards DHCP broadcasts as broadcasts to the server.
Correct
The relay agent receives the broadcast, then creates a new unicast packet with destination IP set to the DHCP server's IP. The server never sees the original broadcast.
Candidates think that because the original is a broadcast, the relay must also broadcast it, but the relay's job is to convert to unicast.
Mistake
The giaddr field contains the client's IP address.
Correct
The giaddr contains the relay agent's IP address on the client's subnet. The client has no IP yet (0.0.0.0).
Candidates confuse 'gateway' with 'client' and think giaddr identifies the client.
Mistake
The 'ip helper-address' command is configured on the server-facing interface.
Correct
It is configured on the client-facing interface, the one that receives the DHCP broadcasts from clients.
Candidates think the helper helps the server, so it should be on the server side, but it actually helps the client by forwarding its request.
Mistake
DHCP relay is only needed when the server is on a different VLAN.
Correct
DHCP relay is needed whenever the server is on a different subnet, regardless of VLAN. Broadcasts do not cross subnet boundaries, even if on the same VLAN.
Candidates associate VLANs with subnets but forget that routers block broadcasts between subnets.
DHCP relay (ip helper-address) forwards DHCP broadcasts from clients to a remote DHCP server. The router does not assign IPs itself; it just forwards messages. A DHCP server on a router (configured with 'ip dhcp pool') actually assigns IP addresses from local pools. Relay is used when the server is elsewhere; server is used when the router itself is the server. For CCNA, know that relay is simpler and more scalable for multiple subnets.
Yes, you can configure up to 8 helper addresses on a single interface. The router will forward the DHCP request to each helper address. This provides redundancy if one server fails. The server that responds first will be used by the client. This is useful in production for high availability.
Yes, but you must ensure that the firewall allows unicast UDP traffic on port 67 (from relay to server) and port 68 (from server to relay). The relay agent's IP must be reachable. Some firewalls may inspect DHCP and drop relayed packets if they appear malformed. In practice, you may need to configure an ACL to permit DHCP traffic between the relay and server.
The giaddr (Gateway IP Address) field is a 4-byte field in the DHCP packet that the relay agent sets to its own IP address on the client's subnet. The DHCP server uses this field to determine which subnet the client belongs to, so it can assign an appropriate IP address from the correct pool. Without giaddr, the server would not know which pool to use. If giaddr is 0.0.0.0, the server assumes the client is on the same subnet.
Use 'show ip interface [interface]' to confirm the helper address is listed. Use 'debug ip dhcp relay packet' to see relayed packets in real time. On the server, use 'debug ip dhcp server packet' to see incoming requests with giaddr. Also, check that clients receive IP addresses from the correct pool using 'show ip dhcp binding' on the server.
Without the helper address, the router will not forward DHCP broadcasts. The client's DHCPDISCOVER will remain on the local subnet and never reach the server. The client will eventually time out and fail to obtain an IP address. This is a common misconfiguration on new VLAN interfaces.
No, DHCP relay as described (ip helper-address) is for IPv4 DHCP only. For IPv6, DHCPv6 uses different mechanisms, and the relay agent is configured with 'ipv6 dhcp relay destination' command. The concepts are similar, but the implementation and packet format differ. CCNA 200-301 focuses on IPv4 DHCP relay.