When clients in a remote subnet can't get an IP address from a DHCP server located in another subnet, the problem often isn't the server or the client — it's the DHCP relay agent. For the CCNA 200-301 exam (objective 4.3), you must be able to systematically troubleshoot a DHCP relay that isn't working. This skill is critical in real networks where centralized DHCP servers serve many VLANs, and a misconfigured relay can bring down an entire site's connectivity.
Imagine a large hotel where guests (DHCP clients) need to call room service (the DHCP server) to order breakfast. Each guest's room phone can only call internal extensions within the same floor (subnet). However, room service is located on a different floor and has an external phone number. To connect, guests must dial the hotel operator (the DHCP relay agent), who then forwards the call to room service. The operator listens for calls that are meant for external numbers, takes the guest's request, and re-dials the room service number, adding the guest's room number (GIADDR) so room service knows where to deliver the food. If the operator is not configured to forward calls to the correct room service number (ip helper-address missing or wrong), or if the operator's phone line is down (routing issue), guests will never get their breakfast. Also, if the operator's phone system doesn't allow calls from certain floors (access-list blocking UDP 67/68), the call is dropped. The operator must be able to hear the guest's request (broadcast forwarding enabled) and must know how to reach room service (route to DHCP server). If any step fails, guests remain hungry — and in networking terms, clients remain without an IP address.
What is DHCP Relay and Why Does It Exist?
DHCP (Dynamic Host Configuration Protocol) uses broadcasts for client-server communication. When a client boots up, it sends a DHCPDISCOVER broadcast to 255.255.255.255 (UDP port 67). By default, routers do not forward broadcasts across subnets. This means a DHCP server on a different subnet would never receive the client's request. DHCP relay (defined in RFC 1542) solves this by having a router or Layer 3 switch act as an intermediary: it receives the broadcast, converts it into a unicast, and forwards it to the configured DHCP server. The relay agent also inserts its own IP address (from the interface that received the broadcast) into the GIADDR (Gateway IP Address) field of the DHCP packet. This tells the server which subnet the client is on, so the server can allocate an IP address from the correct pool.
How DHCP Relay Works at the Packet Level
Client sends DHCPDISCOVER broadcast – The client (e.g., a PC) has no IP address yet. It sends a broadcast Ethernet frame with destination MAC ff:ff:ff:ff:ff:ff and IP destination 255.255.255.255. The source IP is 0.0.0.0. The UDP source port is 68, destination port 67.
Relay agent receives the broadcast – The router's interface in the client's VLAN receives the broadcast. Because the interface is configured with the ip helper-address command, the router knows to forward DHCP broadcasts to the specified server.
Relay agent modifies and unicasts the packet – The router changes the destination IP to the DHCP server's IP address. It sets the source IP to its own interface IP (the one that received the broadcast). It also inserts that interface IP into the GIADDR field of the DHCP packet. The UDP ports remain 67 (destination) and 68 (source). The packet is now a unicast and is routed normally to the server.
Server responds with DHCPOFFER unicast – The server sees the GIADDR and allocates an IP from the corresponding subnet pool. It sends a unicast DHCPOFFER back to the relay agent's IP (the source IP of the relayed packet). The destination UDP port is 68.
Relay agent forwards the offer to the client – The relay agent receives the unicast DHCPOFFER. It must now convert it back to a broadcast on the client's subnet. It sets the destination MAC to ff:ff:ff:ff:ff:ff and destination IP to 255.255.255.255. It also removes or adjusts the GIADDR (it may be zeroed or kept, but the client ignores it). The client receives the offer and proceeds with DHCPREQUEST/DHCPACK similarly.
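The relay and scope-selection steps above, sketched as an added example (not code from the original page or from Cisco). The function names, the client MAC and the pool names are hypothetical; the addresses reuse the page's 192.168.10.1 / 10.10.10.5 scenario.

```python
import ipaddress
import struct

# BOOTP fixed header (RFC 951/2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file = 236 bytes.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
GIADDR = 10                      # index of giaddr in the unpacked tuple
MAGIC_COOKIE = b"\x63\x82\x53\x63"
ZERO_IP = bytes(4)

def build_discover(mac: bytes, xid: int) -> bytes:
    """Constructed DHCPDISCOVER payload from a client that has no address yet."""
    header = BOOTP.pack(1, 1, 6, 0, xid, 0, 0, ZERO_IP, ZERO_IP, ZERO_IP,
                        ZERO_IP, mac, bytes(64), bytes(128))
    return header + MAGIC_COOKIE + b"\x35\x01\x01\xff"  # option 53 = DISCOVER

def relay_request(payload: bytes, iface_ip: str, helpers: list) -> list:
    """Relay step: stamp giaddr with the receiving interface IP and produce one
    unicast (src_ip, dst_ip, payload) per configured helper address."""
    fields = list(BOOTP.unpack_from(payload))
    if fields[0] != 1:           # only BOOTREQUEST (op=1) goes toward servers
        return []
    fields[3] += 1               # hops is incremented by each relay (RFC 1542)
    if fields[GIADDR] == ZERO_IP:  # the first relay sets giaddr; later ones keep it
        fields[GIADDR] = ipaddress.IPv4Address(iface_ip).packed
    relayed = BOOTP.pack(*fields) + payload[BOOTP.size:]
    return [(iface_ip, server, relayed) for server in helpers]

def select_scope(payload: bytes, scopes: dict):
    """Server side, for a relayed request: pick the pool containing giaddr."""
    giaddr = ipaddress.IPv4Address(BOOTP.unpack_from(payload)[GIADDR])
    for name, network in scopes.items():
        if giaddr in ipaddress.ip_network(network):
            return name
    return None                  # no matching scope: the server stays silent

if __name__ == "__main__":
    scopes = {"VLAN10": "192.168.10.0/24"}          # constructed server pools
    discover = build_discover(bytes.fromhex("020000aabbcc"), xid=0x1234ABCD)
    for iface in ("192.168.10.1", "192.168.20.1"):
        for src, dst, pkt in relay_request(discover, iface, ["10.10.10.5"]):
            print(f"{src} -> {dst}:67 giaddr={iface} scope={select_scope(pkt, scopes)}")
```

The second interface (192.168.20.1) relays correctly but matches no pool, which is the "helper is right, ping works, server never offers" failure described later on the page.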
Key States, Timers, and Defaults
ip helper-address: The command is applied on the interface facing the clients. You can configure multiple helper addresses on the same interface to forward to multiple servers.
Global forwarding: By default, the ip helper-address forwards UDP broadcasts for the following eight services: TFTP (69), DNS (53), Time (37), NetBIOS Name Service (137), NetBIOS Datagram Service (138), BootP/DHCP (67), TACACS (49), and IEN-116 (116). To forward only DHCP, you must disable the others using no ip forward-protocol udp <port>.
GIADDR: Must be the IP of the relay agent's interface that received the client broadcast. If the relay agent has multiple IPs on that interface (secondary IPs), the GIADDR should be the primary IP. The DHCP server uses GIADDR to select the correct scope.
Broadcast flag: The client sets a flag in the DHCP packet indicating whether it can receive unicast responses. If the flag is 0 (broadcast), the relay agent must forward the server's response as a broadcast. Most modern clients set this to 0.
IOS CLI Verification Commands
show ip interface [interface]: Check if ip helper-address is configured and if the interface is up/up.
show ip dhcp relay information: Shows relay agent information option (Option 82) status, but not commonly used in basic scenarios.
debug ip dhcp server packet: On the DHCP server, view packets being received. On the relay, debug ip packet can be CPU-intensive and should be used with care; debug ip udp is the better choice.
show ip route: Verify that the relay agent has a route to the DHCP server.
ping from relay to DHCP server: Test basic IP connectivity.
Example output for show ip interface:
Router# show ip interface GigabitEthernet0/0
GigabitEthernet0/0 is up, line protocol is up
Internet address is 192.168.1.1/24
Broadcast address is 255.255.255.255
...
Helper addresses are 10.10.10.5
...
Interaction with Related Protocols
DHCP Snooping: If DHCP snooping is enabled on a switch, it may interfere with relay. The relay agent must be a trusted port. Otherwise, DHCP packets from the relay may be dropped.
ARP: For broadcast responses, no ARP is needed. For unicast responses (if broadcast flag is 1), the relay would need the client's MAC address, which it learns from the original DHCPDISCOVER.
IP Routing: The relay agent must have a route to the DHCP server. If the server is on a directly connected network, that's fine. Otherwise, a default route or static route is needed.
Common Failure Points
Missing or incorrect ip helper-address: The command is not applied on the correct interface, or the server IP is wrong.
No route to DHCP server: The relay cannot reach the server.
DHCP server not configured for the client's subnet: The server doesn't have a scope for the subnet indicated by GIADDR.
Access-list blocking UDP 67/68: An ACL on the relay or an intermediate router drops DHCP packets.
DHCP snooping dropping packets: The relay port is not trusted.
Client's broadcast flag misinterpretation: Rarely, but if the client sets broadcast flag to 1 and the relay cannot unicast, the client won't receive the offer.
Verify Interface and IP Configuration
Start by checking the interface that should be performing relay. Use `show ip interface brief` to confirm the interface is up/up. Then use `show ip interface <interface>` to verify that the `ip helper-address` is present. If it's missing, the relay is not configured. Also check that the interface has a valid IP address; the GIADDR will be this IP. If the IP is wrong, the DHCP server will allocate addresses from the wrong subnet.
Test Basic Connectivity to DHCP Server
From the relay router, ping the DHCP server's IP address. If ping fails, there is a routing problem. Use `show ip route` to verify the route exists. If not, add a static route or ensure dynamic routing is working. Also check if any ACL on the relay or intermediate routers is blocking ICMP or UDP 67/68. Use `show access-lists` to inspect ACLs.
Check DHCP Server Configuration
On the DHCP server, verify that a scope (or pool) exists for the subnet of the relay interface. The server uses GIADDR to select the pool. For example, if GIADDR is 192.168.1.1, the server must have a pool for 192.168.1.0/24. If the pool is missing or exhausted, the server will not respond. Use `show ip dhcp pool` on Cisco IOS servers or check the server logs.
Capture and Analyze DHCP Packets
Use `debug ip udp` on the relay router (with caution) or `debug ip dhcp server packet` on the server. Look for the DHCPDISCOVER arriving at the relay and being forwarded as unicast. On the server, verify the packet's GIADDR field. If the relay forwards the packet but the server doesn't respond, the server likely doesn't have the correct scope. Also use `show ip dhcp server statistics` to see if packets are received.
Verify No ACLs or Firewalls Blocking DHCP
Check for any access-lists applied to the relay interface (inbound or outbound) that might block UDP 67/68. Use `show ip interface <interface> | include access-list`. Also check for zone-based firewalls or VRF configuration. If an ACL is present, ensure it permits UDP 67 from any to the DHCP server and UDP 68 from the server to any (or the relay). Remember that the relay sends from its own IP, not from 0.0.0.0.
Check DHCP Snooping Configuration
If DHCP snooping is enabled on the switch that connects to the relay router, the relay port must be configured as a trusted port. Use `show ip dhcp snooping` to see the status. If the port is untrusted, DHCP packets from the relay will be dropped. Configure the port as trusted with `ip dhcp snooping trust` in interface configuration mode.
Verify Broadcast Forwarding and Helper Address
Ensure the `ip helper-address` is pointing to the correct DHCP server IP. Also, by default, the router forwards DHCP broadcasts only if the interface is configured with helper address. However, if you have disabled forwarding of UDP 67 globally using `no ip forward-protocol udp 67`, the helper address will not work. Use `show ip forward-protocol` to check which UDP ports are forwarded. Ensure 67 is listed.
In a typical enterprise campus network, DHCP servers are centralized in a data center for manageability. Each access switch VLAN has clients that need IP addresses. The VLAN's SVI (Switch Virtual Interface) on the distribution switch acts as the DHCP relay. For example, VLAN 10 (192.168.10.0/24) has an SVI with IP 192.168.10.1. The ip helper-address 10.10.10.5 is configured on that SVI. The DHCP server at 10.10.10.5 has a scope for 192.168.10.0/24. This works seamlessly until a new VLAN is added and the engineer forgets to add the helper address on the new SVI. Clients in that VLAN get APIPA addresses (169.254.x.x). The fix is simple: add ip helper-address to the SVI.
Another scenario: A company acquires a smaller office and extends the network. The new site's router is configured with ip helper-address pointing to the central DHCP server, but the server's scope for the new subnet is missing. Clients receive no response. The network engineer checks the relay, sees the helper address is correct, pings the server successfully, but the server logs show no offers sent. The solution is to add the appropriate scope on the server.
A more complex issue involves DHCP snooping. A switch with DHCP snooping enabled drops DHCP packets from untrusted ports. If the relay router is connected to a port that is not trusted, the relay's unicast to the server might be dropped (though snooping typically only checks server-side ports). But more commonly, the server's response unicast to the relay might be dropped if the switch sees the relay as a DHCP server. The fix is to mark the port connecting to the relay as trusted.
Scale considerations: A single DHCP server can handle thousands of clients. The relay agent does not have significant performance impact. However, if many helper addresses are configured, the router must replicate the broadcast to each server, increasing CPU usage slightly. In large networks, multiple relay agents can forward to the same server, which must be configured with multiple scopes.
Misconfiguration: If the ip helper-address is placed on the wrong interface (e.g., the WAN interface instead of the LAN SVI), the relay will not receive client broadcasts. Also, if the relay's interface IP is not the same subnet as the clients, the GIADDR will be wrong.
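A forgotten or mispointed helper address on a new SVI can be caught before clients fall back to APIPA by auditing the configuration. The following is an added example, not part of the original page or any Cisco tooling: the sample config is constructed, the function names are hypothetical, and it assumes client-facing interfaces are the `Vlan` SVIs.

```python
import re

# Constructed running-config excerpt for illustration (not from a real device).
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 10.10.10.5
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 10.10.10.50
 ip access-group GUEST-IN in
!
interface GigabitEthernet0/1
 ip address 10.10.10.1 255.255.255.0
!
"""

def parse_interfaces(config: str) -> dict:
    """Map each interface name to the sub-commands indented beneath it."""
    interfaces, current = {}, None
    for line in config.splitlines():
        match = re.match(r"interface (\S+)", line)
        if match:
            current = interfaces.setdefault(match.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None       # "!" or a global command ends the block
    return interfaces

def audit_relay(config: str, dhcp_server: str, client_prefix: str = "Vlan") -> list:
    """Return (scope, finding) pairs for the relay failure points on this page."""
    findings = []
    if re.search(r"^no ip forward-protocol udp 67\s*$", config, re.MULTILINE):
        findings.append(("global", "UDP 67 forwarding disabled"))
    for name, cmds in parse_interfaces(config).items():
        if not name.startswith(client_prefix):
            continue             # assumption: client-facing interfaces are SVIs
        helpers = [c.split()[-1] for c in cmds if c.startswith("ip helper-address ")]
        if not any(c.startswith("ip address ") for c in cmds):
            findings.append((name, "no IP address, so no GIADDR"))
        if not helpers:
            findings.append((name, "missing ip helper-address"))
        elif dhcp_server not in helpers:
            findings.append((name, "helper address does not match DHCP server"))
        for c in cmds:
            if c.startswith("ip access-group "):
                findings.append((name, f"review ACL {c.split()[2]} for UDP 67/68"))
    return findings

if __name__ == "__main__":
    for scope, finding in audit_relay(SAMPLE_CONFIG, "10.10.10.5"):
        print(f"{scope}: {finding}")
```

The audit only reads configuration; server scopes, routing in both directions and DHCP snooping trust still have to be checked on the devices themselves.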
The CCNA 200-301 exam tests DHCP relay troubleshooting under objective 4.3 (Troubleshoot DHCP). Expect scenario-based questions where a client cannot obtain an IP address and you must identify the cause. Common trap answers include:
"The DHCP server is unreachable" – This is often true, but the question might present a scenario where the server is reachable (ping works) but the relay is missing the helper address. Candidates often jump to connectivity issues first.
"The client's NIC is faulty" – While possible, exam questions rarely include hardware failure. They focus on configuration errors.
"The DHCP server has no available IP addresses" – This is a valid cause, but the question may indicate that the pool has free addresses. The real issue could be that the server doesn't have a scope for the client's subnet (GIADDR mismatch).
"The relay agent is not configured to forward DHCP broadcasts" – This is a common correct answer. The missing ip helper-address is a classic exam scenario.
Specific values and commands to memorize:
- ip helper-address <server-ip> – must be on the interface facing clients.
- show ip interface – verify helper address presence.
- show ip route – check route to server.
- debug ip udp – use with care; exam questions often ask which command to use.
- Default forwarded UDP ports: 67, 68, 69, 53, 37, 137, 138, 49, 116.
- GIADDR is set to the relay agent's interface IP.
Decision rule for scenario questions: If a client in one VLAN gets an IP but a client in another VLAN does not, the problem is likely specific to that VLAN's relay configuration or server scope. If no clients get IPs, check the server connectivity or global relay configuration.
Elimination strategy: Always check if the question mentions a router or Layer 3 switch between client and server. If so, focus on relay configuration. If the server is on the same subnet, relay is not needed.
DHCP relay converts client broadcast to unicast and inserts GIADDR (relay interface IP) for subnet identification.
The 'ip helper-address <server-ip>' command must be configured on the interface facing DHCP clients.
By default, Cisco routers forward broadcasts for 8 UDP services including DHCP (67/68).
Use 'show ip interface' to verify helper address configuration.
The DHCP server must have a scope for the subnet indicated by GIADDR.
DHCP snooping can block relayed packets if the relay port is not trusted.
Always verify basic IP connectivity (ping) from relay to DHCP server first.
These come up on the exam all the time. Here's how to tell them apart.
DHCP Relay (ip helper-address)
Forwards DHCP broadcasts across subnets as unicast.
Configured on routers or Layer 3 switches.
Inserts GIADDR to identify client subnet.
Operates at Layer 3 (IP).
Essential for centralized DHCP servers.
DHCP Snooping
Filters DHCP messages to prevent rogue servers.
Configured on Layer 2 switches.
Builds a DHCP snooping binding table.
Operates at Layer 2 (MAC).
Security feature; can interfere with relay if not trusted.
Mistake
The relay agent must have a route to the DHCP server, but the server must also have a route back to the relay.
Correct
The server sends its response to the relay's IP address, so the server must have a route to the relay's subnet. However, the relay's route to the server is also necessary for the initial unicast. Both directions must be routable.
Candidates often forget that the response also needs routing.
Mistake
The GIADDR is set to the client's IP address after it gets one.
Correct
The GIADDR is set by the relay agent to the IP address of the interface that received the client's broadcast. It is the gateway IP for the client's subnet. The client does not have an IP at the time of the DISCOVER.
Confusion between GIADDR (gateway) and CIADDR (client IP).
Mistake
The 'ip helper-address' command must be applied to the interface connected to the DHCP server.
Correct
It must be applied to the interface that receives the client's DHCP broadcast (the interface in the client's subnet). The relay forwards the broadcast to the server via any available route.
Candidates think the helper helps the server, but it helps the client.
Mistake
DHCP relay only forwards DHCP packets.
Correct
By default, it forwards broadcasts for eight UDP services. You can disable non-DHCP forwarding with 'no ip forward-protocol udp <port>'.
Many CCNA resources focus only on DHCP, so candidates forget the other services.
On Cisco IOS, 'ip helper-address' is the command used to configure DHCP relay. There is no separate 'ip dhcp relay' command. The helper address forwards broadcasts for multiple UDP services by default. Some platforms may have 'ip dhcp relay' for specific DHCP relay features like Option 82, but for basic relay, 'ip helper-address' is standard. Exam tip: Always use 'ip helper-address' for DHCP relay.
The GIADDR (Gateway IP Address) tells the DHCP server which subnet the client is on. The server uses this to select the correct IP address pool. Without GIADDR, the server would not know which scope to allocate from, especially if the server is not on the same subnet as the client. The relay sets GIADDR to the IP of its interface that received the client broadcast.
Yes. You can configure up to 32 helper addresses per interface. The router will forward the DHCP broadcast to each configured server. This is useful for redundancy or if multiple DHCP servers serve different scopes. However, be aware that each server will receive the request, and the client may receive multiple offers.
Use the global configuration command 'no ip forward-protocol udp <port>' for each service you want to block. For example, to block TFTP, use 'no ip forward-protocol udp 69'. To block all except DHCP, you need to disable each one. Alternatively, you can use a more restrictive approach with ACLs, but the standard method is to use the forward-protocol commands.
The broadcast flag is a bit in the DHCP packet that indicates whether the client can receive unicast responses. If set to 1 (broadcast), the server (or relay) must send the response as a broadcast. If set to 0 (unicast), the response can be unicast. Most clients set this to 0, but some older or misconfigured clients set it to 1. The relay must respect this flag.
Yes, but it uses a different mechanism. For IPv6, DHCPv6 relay uses the 'ipv6 dhcp relay destination' command under interface configuration. The relay agent uses a DHCPv6 relay-forward message. The concepts are similar, but the packet format and commands differ. For CCNA, focus on IPv4 DHCP relay.
First, verify the helper address is correct and on the right interface. Then check if the DHCP server has a scope for the client subnet. Also ensure that the relay can reach the server (ping). If everything looks good, check for ACLs blocking UDP 67/68. Finally, check DHCP snooping if enabled. Use 'debug ip udp' to see if packets are being forwarded.