This chapter provides a comprehensive exploration of DHCP Relay Agent configuration, a critical topic for the CompTIA Network+ N10-009 exam (Domain 2.5: Network Implementation). Understanding how to forward DHCP broadcasts across subnets is essential for network administrators managing multi-subnet environments. Exam questions on this area typically account for 5-8% of the total, often appearing in troubleshooting and configuration scenarios.
Imagine a large company with offices in multiple cities, but all incoming mail is sent to a central headquarters (the DHCP server) in New York. An employee in the San Francisco office needs to receive a package (an IP address lease). The employee puts a delivery request (a DHCP Discover broadcast) into the local mailbox. However, the local post office in San Francisco (the DHCP relay agent) knows that the central mail processing hub is in New York. Instead of trying to deliver the request itself (which it cannot, because it's a broadcast and the server is on a different subnet), the local post office repackages the request into a special express envelope (unicast) addressed directly to the central hub. It also writes its own return address (the relay agent's IP address) on the envelope. When the central hub receives the repackaged request, it looks at the return address to know which office the request came from. The hub then prepares the package (DHCP Offer) and sends it back via express mail (unicast) to the San Francisco post office. The post office then delivers the offer to the employee's desk. This entire mechanism ensures that the employee in San Francisco can receive packages from the central hub even though they are not in the same city, and the hub knows exactly which local office to send the reply to.
What is a DHCP Relay Agent and Why Does It Exist?
A DHCP Relay Agent is a network device (typically a router or a Layer 3 switch) that forwards DHCP broadcast messages between clients and servers on different IP subnets. The fundamental problem it solves is that DHCP client messages (Discover, Request) are broadcast at Layer 2 and Layer 3. By default, routers do not forward broadcasts across subnets. Without a relay agent, a DHCP client on one subnet cannot obtain an IP address from a DHCP server located on a different subnet. This forces organizations to either place a DHCP server on every subnet (costly and inefficient) or use a relay agent to forward the messages as unicast.
How DHCP Relay Agent Works Internally – Step-by-Step Mechanism
The DHCP relay process is defined in RFC 1542 (and updated by RFC 2131). The relay agent intercepts DHCP broadcast packets and modifies them before forwarding as unicast. Here is the detailed mechanism:
1. Client Broadcasts DHCP Discover: A client on subnet A sends a DHCP Discover message to the broadcast IP address 255.255.255.255 and destination MAC FF:FF:FF:FF:FF:FF. The source IP is 0.0.0.0 because the client has no IP yet.
2. Relay Agent Interception: The router interface connected to subnet A receives the broadcast. If the router is configured with the ip helper-address command (Cisco) or equivalent, it intercepts the DHCP broadcast. The relay agent checks the destination UDP port (67 for DHCP server) and the source port (68 for DHCP client).
3. Relay Agent Modification: The relay agent performs the following modifications to the DHCP packet:
- Sets the GIADDR (Gateway IP Address) field: This is the IP address of the interface on which the broadcast was received. This field tells the DHCP server which subnet the client is on, so the server can assign an appropriate IP address from the correct scope.
- Changes the destination IP address: From 255.255.255.255 to the unicast IP address of the DHCP server (specified in the ip helper-address command).
- Changes the destination MAC address: To the MAC address of the next-hop router toward the DHCP server.
- Sets the source IP address: To the relay agent's outgoing interface IP address (the one used to reach the server).
- Sets the source MAC address: To the MAC of that outgoing interface.
- Sets the TTL (Time to Live): To a value that allows the packet to reach the server.
4. Unicast Forwarding to DHCP Server: The relay agent sends the modified DHCP Discover as a unicast IP packet to the DHCP server. The server sees the GIADDR field and knows the client's subnet.
5. Server Responds with DHCP Offer: The DHCP server creates a DHCP Offer with an IP address from the appropriate scope. It sets the destination IP to the GIADDR (the relay agent's interface IP) and sends it as unicast to the relay agent.
6. Relay Agent Forwards Offer to Client: The relay agent receives the unicast Offer, strips the server's response, and then broadcasts the DHCP Offer on the original subnet (subnet A) using the client's MAC address (from the CHADDR field). The client receives it and continues with the DORA process.
7. Subsequent DORA Steps: The same relay process repeats for DHCP Request and DHCP Acknowledgment.
Key Components, Values, Defaults, and Timers
GIADDR (Gateway IP Address): This is the most critical field. It must be set to the IP address of the relay agent's interface that received the client broadcast. If set incorrectly, the server will assign an IP from the wrong subnet.
Helper Address: The command ip helper-address <server-IP> on Cisco routers enables DHCP relay. It defaults to forwarding UDP broadcasts for ports 67 (DHCP), 69 (TFTP), 53 (DNS), 37 (Time), 49 (TACACS), and 137-138 (NetBIOS). To restrict, use ip forward-protocol udp <port> to disable unwanted ports.
DHCP Server Ports: UDP 67 (server) and UDP 68 (client). The relay agent listens on port 67 and forwards to the server on port 67.
Default TTL: The relay agent sets a TTL (usually 64 or 255) to ensure the packet reaches the server. The exact default varies by vendor.
Relay Agent Information Option (Option 82): Some relay agents add Option 82 to the packet, which includes the circuit ID (interface) and remote ID (agent identifier). This is used for DHCP snooping and IP address assignment policies.
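The payload-level changes described above (GIADDR, Option 82) and the server's scope selection, as an added Python example that is not part of the original chapter or any vendor's code. The DHCPDISCOVER is constructed inline, the circuit ID and remote ID values are made up, and untrusted_port_ok is a hypothetical helper modelling a snooping-style check on a client-facing port.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie after the 236-byte BOOTP header
GIADDR = slice(24, 28)        # byte offset of giaddr in the BOOTP header

def build_discover(chaddr, xid):
    """Constructed client DHCPDISCOVER: hops 0, giaddr 0.0.0.0, broadcast flag set."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                      bytes(4), bytes(4), bytes(4), bytes(4), chaddr, b"", b"")
    return hdr + MAGIC + bytes([53, 1, 1, 255])   # option 53 = DISCOVER, 255 = End

def walk_options(pkt):
    """Yield (code, value) for every option up to the End option."""
    i = 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:            # Pad option has no length byte
            i += 1
            continue
        length = pkt[i + 1]
        yield pkt[i], bytes(pkt[i + 2:i + 2 + length])
        i += 2 + length

def relay(pkt, rx_if_ip, circuit_id, remote_id):
    """Payload changes a relay makes before unicasting the request to the server."""
    buf = bytearray(pkt[:240])
    buf[3] += 1                                     # hops counter (RFC 1542)
    opts = b"".join(bytes([c, len(v)]) + v for c, v in walk_options(pkt))
    if buf[GIADDR] == bytes(4):                     # first relay on the path only
        buf[GIADDR] = ipaddress.IPv4Address(rx_if_ip).packed
        sub = bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id
        opts += bytes([82, len(sub)]) + sub
    return bytes(buf) + opts + b"\xff"

def select_scope(pkt, scopes):
    """Server side: pick the scope whose subnet contains giaddr."""
    gi = ipaddress.IPv4Address(bytes(pkt[GIADDR]))
    return next((s for s in scopes if gi in ipaddress.ip_network(s)), None)

def option82(pkt):
    """Return Option 82 sub-options as {sub-code: value}; empty if absent."""
    out = {}
    for code, val in walk_options(pkt):
        i = 0
        while code == 82 and i + 2 <= len(val):
            out[val[i]] = val[i + 2:i + 2 + val[i + 1]]
            i += 2 + val[i + 1]
    return out

def untrusted_port_ok(pkt):
    """Snooping-style check: a client port must not send relay-only fields."""
    return bytes(pkt[GIADDR]) == bytes(4) and not option82(pkt)
```

Calling relay(build_discover(mac, xid), "192.168.1.1", b"Gi0/0", b"relay-1") and passing the result to select_scope shows why a wrong interface address leads directly to a lease from the wrong scope.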
Configuration and Verification Commands
Cisco IOS Configuration Example:
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 10.10.10.5
This configures interface Gi0/0 (on subnet 192.168.1.0/24) to relay DHCP broadcasts to the server at 10.10.10.5.
Verification Commands:
show ip interface <interface>: Displays whether helper address is configured.
show ip dhcp relay: Shows relay statistics (Cisco specific).
debug ip dhcp server events: Monitors DHCP server activities.
debug ip packet: Use with caution; shows packets forwarded.
Linux/Unix Configuration Example (using dhcrelay):
dhcrelay -i eth0 -i eth1 10.10.10.5
This runs the relay agent on interfaces eth0 and eth1, forwarding to server 10.10.10.5.
Interaction with Related Technologies
- DHCP Snooping: A security feature that filters untrusted DHCP messages. Relay agents can work with DHCP snooping by adding Option 82. The snooping switch uses Option 82 to validate the source port and prevent rogue DHCP servers.
- VLANs: In a switched environment with VLANs, each VLAN is a separate broadcast domain. A relay agent must be configured on the SVI (Switch Virtual Interface) for each VLAN that needs DHCP services. For example:
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 10.10.10.5
- VRF (Virtual Routing and Forwarding): In MPLS or multi-tenant environments, relay agents must be configured within the correct VRF to ensure the GIADDR reflects the correct routing context.
- DHCPv6 Relay: For IPv6, the relay agent uses a different mechanism (RFC 3315). It forwards DHCPv6 messages using multicast addresses (All_DHCP_Relay_Agents_and_Servers: FF02::1:2). The configuration command is ipv6 dhcp relay destination <server-IPv6-address>.
Client Sends DHCP Discover
When a client boots up or requests a new lease, it sends a DHCP Discover broadcast packet. The source IP is 0.0.0.0, destination IP is 255.255.255.255, and source port is 68, destination port is 67. The client's MAC address is in the CHADDR field. This packet is confined to the local subnet because routers do not forward broadcasts.
Relay Agent Intercepts Broadcast
The router or Layer 3 switch with an interface on the client's subnet receives the broadcast. If the interface is configured with an IP helper address, the device intercepts the packet. The relay agent checks that the destination UDP port is 67 (DHCP server) and that it is a broadcast. It then prepares to forward the packet.
Relay Agent Modifies Packet
The relay agent changes the destination IP from 255.255.255.255 to the unicast IP of the DHCP server specified in the helper address. It sets the GIADDR field to the IP address of the interface that received the broadcast. The source IP becomes the relay agent's outgoing interface IP. The destination MAC is set to the next-hop router's MAC. The TTL is set appropriately.
Relay Agent Forwards Unicast to Server
The relay agent sends the modified DHCP Discover as a standard unicast IP packet toward the DHCP server. The packet traverses the network normally, being routed hop by hop. The server receives the packet and sees the GIADDR, which tells it the client's subnet.
Server Responds with DHCP Offer
The DHCP server selects an available IP address from the scope that matches the GIADDR subnet. It creates a DHCP Offer packet with the offered IP in the YIADDR field. The destination IP is set to the GIADDR (the relay agent's interface IP). The server sends the Offer as unicast back to the relay agent.
Relay Agent Forwards Offer to Client
The relay agent receives the unicast Offer. It then creates a new broadcast on the original client subnet. It sets the destination MAC to the client's MAC (from CHADDR) and broadcasts the Offer. The client receives it and proceeds with the next step (Request). The same relay process repeats for Request and Acknowledgment.
In enterprise networks, DHCP relay agents are ubiquitous. Consider a large university with multiple buildings, each with its own subnet (e.g., 10.1.1.0/24 for dorm A, 10.1.2.0/24 for dorm B). Instead of deploying a DHCP server in each building, a centralized DHCP server in the data center handles all leases. Each building's access switch or router is configured with ip helper-address on the VLAN interface. This simplifies management and reduces costs. However, if the relay agent is misconfigured (e.g., wrong GIADDR due to incorrect interface IP), clients may receive IP addresses from the wrong subnet, causing connectivity issues.
Another common scenario is in cloud environments. For example, in AWS, a VPC with multiple subnets uses a DHCP options set, but on-premises networks that extend to the cloud via VPN often require relay agents to forward DHCP requests from on-premises subnets to a central server. Network engineers must ensure that the relay agent's interface IP (GIADDR) matches the subnet from which the request originates. If not, the server may assign an IP from a different scope, leading to IP conflicts.
Performance considerations: A single relay agent can handle thousands of clients, but it must be robust. In high-density environments (e.g., large conference venues), multiple relay agents may be used for redundancy. The relay agent adds minimal latency (microseconds) because it only modifies packet headers. However, if the relay agent is overloaded, DHCP timeouts can occur. Monitoring with show ip dhcp relay statistics helps identify dropped packets.
Common misconfigurations: Forgetting to configure ip helper-address on all VLAN interfaces that need DHCP; setting the helper address to a non-existent server; or having ACLs that block UDP port 67/68 between relay and server. Also, if the relay agent's interface IP changes (e.g., after renumbering), the GIADDR field becomes stale, and clients on that subnet will receive wrong IPs until the configuration is updated.
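One way to catch the first two misconfigurations in a saved configuration, as an added Python example that is not part of the original chapter. The sample configuration is constructed, and APPROVED_SERVERS plus the set of client-facing interface names are assumptions the operator supplies.

```python
import re

APPROVED_SERVERS = {"10.10.10.5"}   # assumption: the site's sanctioned DHCP server(s)

# Constructed sample: Vlan20 has no helper, Vlan30 points at an unexpected address.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 10.10.10.5
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 10.10.10.50
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
"""

def parse_interfaces(config):
    """Map interface name -> {'ip': address or None, 'helpers': [addresses]}."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"ip": None, "helpers": []})
        elif cur is not None and line.startswith(" "):
            if m := re.match(r" ip address (\S+) \S+", line):
                cur["ip"] = m.group(1)
            elif m := re.match(r" ip helper-address (?:vrf \S+ |global )?(\S+)", line):
                cur["helpers"].append(m.group(1))
        else:
            cur = None   # "!" or a global command ends the interface block
    return ifaces

def audit(config, client_facing):
    """Return (interface, finding) pairs for the client-facing interfaces."""
    findings = []
    for name, info in parse_interfaces(config).items():
        if name not in client_facing:
            continue
        if not info["helpers"]:
            findings.append((name, "no ip helper-address"))
        for helper in info["helpers"]:
            if helper not in APPROVED_SERVERS:
                findings.append((name, f"helper {helper} is not an approved server"))
    return findings
```

A helper address outside the approved set deserves the same attention as a missing one, since every client broadcast on that interface is being unicast to it.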
For N10-009 objective 2.5 (Network Implementation), the exam focuses on the role of DHCP relay agents in extending DHCP services across subnets. Key points tested:
Purpose: The exam asks why a relay agent is needed (to forward broadcasts across routers). Wrong answer: 'To provide redundancy for DHCP servers.' That is incorrect; redundancy is achieved via multiple servers.
GIADDR field: Questions often ask which field in the DHCP packet tells the server the client's subnet. The answer is GIADDR. Common wrong answer: 'CHADDR' (client hardware address) – this only identifies the client MAC, not the subnet.
Configuration commands: Be able to identify the Cisco command ip helper-address <server-IP> on an interface. A trap question might show ip dhcp relay or ip forward-protocol – these are not correct. The exact command is ip helper-address.
Default forwarded ports: The exam may ask which UDP ports are forwarded by default when ip helper-address is used. Answer: 67 (DHCP), 69 (TFTP), 53 (DNS), 37 (Time), 49 (TACACS), 137-138 (NetBIOS). A common wrong answer is 'only port 67' – but the default includes several ports.
Troubleshooting: If a client cannot get an IP from a remote server, the likely cause is a missing or misconfigured relay agent. Another cause: ACL blocking UDP 67/68. The exam loves to present scenarios where the relay agent is configured but the GIADDR is wrong – e.g., the relay agent's interface IP is on a different subnet than the client's broadcast.
Option 82: The exam may touch on DHCP snooping and Option 82. Know that Option 82 is added by the relay agent and contains circuit ID and remote ID.
Edge case: If the DHCP server is on the same subnet as the client, a relay agent is unnecessary. The exam may ask: 'When is a relay agent not needed?' Answer: when the server is on the same broadcast domain.
To eliminate wrong answers, apply the mechanism: if the problem is cross-subnet, the solution must involve broadcast forwarding. If the question mentions 'broadcast not forwarded,' the answer is relay agent. If the question mentions 'wrong subnet IP assigned,' the issue is likely GIADDR misconfiguration.
DHCP relay agents forward broadcast DHCP messages (Discover, Request) as unicast to a remote server.
The GIADDR field in the DHCP packet tells the server which subnet the client is on.
Cisco command: 'ip helper-address <server-IP>' configured on the client-facing interface.
Default forwarded UDP ports: 67, 69, 53, 37, 49, 137, 138.
The relay agent does not assign IP addresses; it only forwards modified packets.
If the GIADDR is incorrect, clients may receive IPs from the wrong subnet.
DHCPv6 relay uses multicast and the command 'ipv6 dhcp relay destination'.
These come up on the exam all the time. Here's how to tell them apart.
DHCP Relay Agent
- Forwards DHCP broadcasts across subnets as unicast
- Modifies the GIADDR field
- Does not assign IP addresses
- Requires configuration on router interfaces
- Works with any DHCP server
DHCP Server
- Assigns IP addresses and lease times
- Uses GIADDR to select scope
- Does not forward broadcasts
- Centralized or distributed deployment
- Must have scopes configured
Mistake: A DHCP relay agent is the same as a DHCP server.
Correct: A relay agent only forwards packets; it does not assign IP addresses. The server assigns addresses. The relay agent modifies the GIADDR field to indicate the client's subnet.
Mistake: The relay agent changes the source IP of the client's packet.
Correct: The relay agent changes the destination IP to the server's unicast address and sets its own IP as the source. The client's original source IP (0.0.0.0) is replaced by the relay agent's outgoing interface IP.
Mistake: Configuring 'ip helper-address' on a router automatically forwards all UDP broadcasts.
Correct: By default, it forwards only specific UDP ports (67, 69, 53, 37, 49, 137, 138). Other broadcasts are not forwarded unless explicitly configured.
Mistake: The relay agent must be on the same subnet as the DHCP server.
Correct: The relay agent can be anywhere; it forwards unicast to the server. The server can be multiple hops away. The relay agent only needs to be on the client's subnet to receive the broadcast.
Mistake: DHCP relay agents are only used in IPv4 networks.
Correct: DHCPv6 relay agents exist for IPv6 (RFC 3315). They use multicast addresses and different configuration commands (e.g., 'ipv6 dhcp relay destination').
A DHCP relay agent forwards DHCP messages between client and server with minimal modification (GIADDR). A DHCP proxy acts as an intermediary that can make decisions, such as assigning IPs from a local pool or filtering requests. Proxies are less common; relay agents are standard for simple broadcast forwarding.
Yes, as long as the relay agent can reach the DHCP server via the VPN. The relay agent sends unicast packets, which can traverse VPN tunnels. Ensure that routing is correct and that firewall rules allow UDP 67/68.
Use 'show ip dhcp relay' (Cisco) to see statistics. Also, use packet captures (Wireshark) on the client subnet to see DHCP offers. On the server, check logs for requests with the correct GIADDR.
Clients on remote subnets will not receive DHCP responses. They will timeout and may use Automatic Private IP Addressing (APIPA) (169.254.x.x). The client will keep sending Discover broadcasts every few seconds until a lease is obtained.
Yes, a router can be configured as both. For example, it can serve DHCP on one interface and relay on another. However, this is uncommon because it complicates troubleshooting.
Option 82 is the Relay Agent Information Option. It contains the circuit ID (interface) and remote ID (agent identifier). It is used by DHCP snooping to validate the source port and prevent rogue DHCP servers. It is added by the relay agent.
Yes, the relay agent must have an interface (or SVI) in the same VLAN/subnet to receive the client's broadcast. The relay agent's IP on that interface becomes the GIADDR.