Computer NetworksDHCP

Dynamic Host Configuration Protocol (DHCP)

LevelIntermediate

Duration60 mins

TopicDHCP

5 / 5

DHCP Relay

Bridging the Broadcast Barrier

DHCP faces a fundamental networking constraint: broadcast traffic doesn't cross routers. A client's DHCP Discover, sent to 255.255.255.255, reaches every device on the local network segment but goes no further. Without intervention, this means every subnet would need its own DHCP server.

For a small office with three subnets, this might mean three DHCP servers. For an enterprise campus with hundreds of VLANs, it would mean hundreds of servers—an administrative nightmare. For a multi-site enterprise, the complexity becomes unmanageable.

DHCP relay agents solve this problem elegantly. A relay agent intercepts broadcast DHCP messages on the local subnet, encapsulates them in unicast packets, and forwards them to DHCP servers on remote subnets. The server's response follows the reverse path. From the client's perspective, DHCP works exactly as if the server were local.

This page examines relay agent operation in detail: the forwarding logic, addressing mechanics, Option 82 enrichment, enterprise deployment patterns, and troubleshooting techniques.

What You Will Learn

By the end of this page, you will understand how DHCP relay agents enable centralized DHCP across routed networks, the technical details of message forwarding, how Option 82 provides client location information, and best practices for enterprise relay deployments.

The Broadcast Problem

To understand why relay agents are necessary, we must understand the broadcast constraint that DHCP operates under.

Why DHCP Uses Broadcast:

DHCP clients have a bootstrap problem: they need to communicate with a server to get configuration, but they have no configuration until they communicate with the server. The solution is broadcast:

Layer 2 Broadcast: Client sends Ethernet frame to FF:FF:FF:FF:FF:FF
Layer 3 Broadcast: Client addresses IP packet to 255.255.255.255
Source Address: Client uses 0.0.0.0 (no address yet)

Every device on the local subnet receives the broadcast. DHCP servers process it; other devices ignore it.

The Router Barrier:

Routers, by design, do not forward broadcast traffic:

Each broadcast domain (subnet) has its own broadcast address
Forwarding broadcasts would flood the entire network
Broadcasts are meant for local consumption only

Converting Mermaid diagram...

Without Relay: One Server Per Subnet

Absent relay functionality, every routed subnet requires a local DHCP server. For a network with 50 VLANs:

50 DHCP servers or services
50 scope configurations
50 points of management
50 potential failure points

This doesn't scale. Enterprise networks need centralized DHCP with one or few servers managing all subnets. Relay agents make this possible.

Historical Note: BOOTP Relay

DHCP relay functionality originated in BOOTP (RFC 951/1542). The 'BOOTP relay agent' terminology persists in many implementations. DHCP relay is fully backward compatible with BOOTP relay—the same mechanism works for both protocols.

Relay Agent Operation

A DHCP relay agent is a network device (typically a router or Layer 3 switch) that intercepts broadcast DHCP messages and unicasts them to configured DHCP servers. The relay agent acts as an intermediary, making the DHCP exchange appear local to both client and server.

Forward Path (Client → Server):

Receive Broadcast: Relay receives DHCP Discover/Request on local interface
Check giaddr: If giaddr is 0, this is a new message (not already relayed)
Set giaddr: Relay sets giaddr to its IP address on the receiving interface
Increment hops: Relay increments the hops field
Unicast Forward: Relay sends packet to configured DHCP server IP(s)

Key Insight: giaddr

The giaddr (Gateway IP Address) field is the critical information the server needs:

Tells server which subnet the client is on
Server uses giaddr to select the correct scope
Server sends response back to relay at giaddr
Relay knows which local interface to use for delivery

DHCP Message Fields Modified by Relay
Field	Before Relay	After Relay	Purpose
giaddr	0.0.0.0	Relay's local IP (e.g., 192.168.1.1)	Identifies client subnet for scope selection
hops	0	1 (or current + 1)	Counts relay hops; prevents loops
IP Source	0.0.0.0	Relay's IP	Enables return routing
IP Dest	255.255.255.255	Server's IP	Unicast to specific server
UDP Source	68	67	Relay uses server port
UDP Dest	67	67	Server port unchanged

Return Path (Server → Client):

Server Processing: Server sees giaddr ≠ 0, so client is remote
Scope Selection: Server uses giaddr to identify client's subnet and select scope
Unicast Response: Server sends response to giaddr (the relay)
Relay Receives: Response arrives at relay's IP address, port 67
Client Delivery: Relay broadcasts (or unicasts) to client on local subnet

Broadcast vs Unicast Delivery:

How does the relay deliver to a client that doesn't have an IP?

Broadcast: Most common—relay broadcasts on local subnet, client accepts based on xid
Unicast to MAC: Some relays unicast directly to client's MAC from chaddr
Depends on flags: If BROADCAST flag is set, relay must broadcast

Converting Mermaid diagram...

Server Scope Selection with Relay

When a DHCP server receives a relayed request, it must determine which address pool to use. The giaddr field is the key to this selection.

Scope Selection Algorithm:

Check giaddr: If giaddr is non-zero, client is remote
Match giaddr to scope: Find scope that contains giaddr in its subnet
Select address: Allocate from the matching scope
Apply scope options: Use scope-specific DNS, gateway, etc.

Example:

Server has three scopes configured:

Scope	Subnet	Range	Gateway
Scope-1	192.168.1.0/24	192.168.1.100-200	192.168.1.1
Scope-2	192.168.2.0/24	192.168.2.100-200	192.168.2.1
Scope-3	192.168.3.0/24	192.168.3.100-200	192.168.3.1

Request arrives with giaddr = 192.168.2.1:

Server matches 192.168.2.1 to Scope-2
Allocates address from 192.168.2.100-200 range
Gateway option returns 192.168.2.1

The Relay IS the Gateway:

Note that giaddr typically equals the default gateway for the client's subnet. This is by design—the router serving as relay agent is usually the same router serving as default gateway.

Scope Configuration Must Match Network

The DHCP server must have a scope configured for every subnet it serves via relay. If giaddr doesn't match any configured scope, the server cannot allocate an address and the client receives no response. Always verify scope-to-relay alignment when deploying.

Multiple Relay Hops:

In some network designs, DHCP messages may traverse multiple relay agents:

Client → Relay1 (access layer) → Relay2 (distribution layer) → Server

Hop Counting:

Each relay increments the hops field
Servers may reject requests exceeding a hop threshold (default often 4)
Prevents infinite loops if misconfigured
giaddr remains unchanged after first relay (identifies originating subnet)

Secondary Relay Forwarding:

If a relay receives a message with giaddr already set, it forwards without modification
Original giaddr preserved so server identifies correct subnet
Rarely needed but supported for complex topologies

Option 82: Relay Agent Information

Option 82 is a powerful extension that allows relay agents to insert additional information about the client's physical network location. This enables sophisticated policies based on where a client connects, not just who the client is.

Option 82 Structure:

Option 82 contains sub-options, with two being most common:

Sub-Option	Name	Content	Purpose
1	Circuit ID	Port/VLAN identifier	Specific switch port where client connected
2	Remote ID	Switch identifier	Which switch the client connected to

Example Circuit ID:

Option 82, Sub-option 1 (Circuit ID):
  Switch: access-sw-floor3
  Port: Gi0/15
  VLAN: 100

Example Remote ID:

Option 82, Sub-option 2 (Remote ID):
  MAC: 00:1A:2B:3C:4D:5E
  Name: access-sw-floor3.corp.example.com

Option 82 Use Cases

•Location-Based Addressing — Assign addresses based on physical port: devices on floor 3 get 192.168.3.x, floor 4 gets 192.168.4.x, regardless of VLAN
•Port Security — Limit each port to one DHCP address; detect MAC spoofing or unauthorized hubs
•Asset Tracking — Log which switch port granted which IP at what time for compliance and security auditing
•Policy Assignment — Apply different lease times, DNS, or bandwidth policies based on connection location
•Troubleshooting — Identify exactly where a problematic device connects without tracing cables
•Multi-Tenant Isolation — In shared infrastructure, use circuit ID to map tenants to address pools

Option 82 Processing:

At the Relay Agent (Insert):

Relay receives DHCP message from client
Relay adds Option 82 with local port/switch information
Relay forwards to server with Option 82 included

At the Server (Process):

Server receives message with Option 82
Server can use Option 82 for policy decisions:
- Scope selection
- Address reservation
- Logging and auditing
Server includes Option 82 in response (for relay processing)

At the Relay Agent (Strip):

Relay receives server response
Relay may remove Option 82 before delivering to client
Client receives clean DHCP message

Note: The client never sees Option 82—it's a relay-to-server mechanism.

DHCP Snooping and Option 82

Many Layer 2 switches support 'DHCP snooping' which inserts Option 82 even though the switch isn't a Layer 3 relay agent. The switch adds circuit ID (port) and remote ID (switch), then lets the frame continue toward the actual relay or server. This provides location information without requiring every access switch to relay.

Relay Configuration Patterns

Relay agent configuration varies by platform, but the core requirements are consistent: interface selection and server destination.

Basic Relay Configuration:

relay_config_examples.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
# Cisco IOS Router
# Configure on each interface (SVI/VLAN) where clients exist
 
interface Vlan100
  ip address 192.168.1.1 255.255.255.0
  ip helper-address 192.168.10.5           ! Primary DHCP server
  ip helper-address 192.168.10.6           ! Secondary DHCP server
 
interface Vlan200
  ip address 192.168.2.1 255.255.255.0
  ip helper-address 192.168.10.5
  ip helper-address 192.168.10.6
 
# 'ip helper-address' forwards UDP broadcasts for multiple protocols
# including DHCP (67, 68), TFTP (69), DNS (53), etc.
 
# To limit to DHCP only:
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
# (leaves DHCP active)
 
-----------------------------------------------------------
 
# Linux (using dhcrelay from ISC DHCP)
# Start relay daemon specifying interfaces and servers
 
dhcrelay -i eth0 -i eth1 192.168.10.5 192.168.10.6
 
# -i eth0: Listen for broadcasts on eth0
# -i eth1: Listen for broadcasts on eth1
# 192.168.10.5 192.168.10.6: Forward to these servers
 
# For systemd service, configure /etc/default/isc-dhcp-relay:
SERVERS="192.168.10.5 192.168.10.6"
INTERFACES="eth0 eth1"
OPTIONS=""
 
-----------------------------------------------------------
 
# Windows Server (RRAS DHCP Relay Agent)
# Configure via Routing and Remote Access console:
# 1. Install DHCP Relay Agent under IP Routing
# 2. Add interfaces where relay should listen
# 3. Configure server addresses in relay properties
 
# PowerShell (Windows Server 2016+):
Add-RemoteAccessRADIUS -ComputerName "dhcp-server.corp.local"
# (Note: Windows typically uses full DHCP server role rather than relay)

Multiple Server Configuration:

For redundancy, configure relay to forward to multiple DHCP servers:

ip helper-address 192.168.10.5   ! Primary
ip helper-address 192.168.10.6   ! Secondary

Behavior:

Relay forwards client requests to BOTH servers
Both servers may respond with OFFER
Client accepts one offer (typically first received)
Non-selected server releases the offered address

Server Ordering: Most relay implementations forward to all configured servers simultaneously. The 'primary/secondary' distinction is conceptual—whichever responds first usually wins. For deterministic failover, use DHCP failover protocol between servers instead.

Helper Address Scope

Cisco's 'ip helper-address' forwards multiple UDP broadcast types by default (DHCP, TFTP, DNS, TACACS, etc.). Verify this is desired behavior. In high-security environments, explicitly disable forwarding for unwanted services or use Kea/ISC DHCP relay which only handles DHCP.

Enterprise Deployment Architecture

Enterprise networks require careful DHCP architecture design. The relay agent model enables centralized management while accommodating complex, hierarchical network topologies.

Common Enterprise Patterns:

Centralized DHCP (Single Location):

All DHCP servers in one data center; all remote subnets use relay.

       [Data Center]
    ┌─────────────────┐
    │  DHCP Server 1  │──┐
    │  DHCP Server 2  │──┼── Failover pair
    └─────────────────┘  │
            │            │
            └────────────┘
                 │
    ┌────────────┴────────────┐
    │         WAN/MPLS        │
    └────────────┬────────────┘
         ┌───────┼───────┐
         │       │       │
    [Site A] [Site B] [Site C]
    Relay    Relay    Relay

Advantages:

Single management point
Consistent policies
Simplified backup/recovery
Centralized logging

Disadvantages:

WAN dependency for DHCP
Latency for remote sites
WAN failure = no new addresses

Mitigation: Long lease durations at remote sites ensure existing devices continue operating during WAN outages. Only new devices or expired leases are affected.

Troubleshooting DHCP Relay

DHCP relay issues can be subtle because problems may occur at the client, relay, network path, or server. Systematic troubleshooting requires understanding the complete flow.

Common Relay Problems:

DHCP Relay Troubleshooting Checklist

•Relay not configured — Verify 'ip helper-address' (or equivalent) is configured on the correct interface (the SVI/VLAN interface where clients reside)
•Wrong helper address — Server IP incorrect or unreachable; verify with ping from relay to server
•Firewall blocking — UDP 67/68 blocked between relay and server; check ACLs and firewall rules
•No matching scope — Server has no scope for the subnet indicated by giaddr; verify scope configuration
•Return path issues — Server response can't reach relay; verify routing from server back to relay's giaddr
•Option 82 policy rejection — Server configured to require Option 82 but relay not inserting it; align configurations
•ARP issues — Relay can't deliver to client; verify relay can ARP for client's MAC on local subnet

Diagnostic Approach:

Verify Client → Relay: Capture on relay; confirm DISCOVER is received
- Check relay interface is DHCP snooping trusted (if enabled)
- Verify relay service is running
Verify Relay → Server: Capture on server (or path); confirm relayed request arrives
- Check giaddr is set correctly
- Verify UDP 67 reaches server
Verify Server Processing: Check server logs for scope selection
- Does giaddr match a configured scope?
- Are addresses available in the pool?
Verify Server → Relay: Capture on relay; confirm server response arrives
- Server sends to giaddr
- Check routing and firewalls on return path
Verify Relay → Client: Capture on client subnet; confirm OFFER/ACK delivered
- Relay broadcasts or unicasts to client
- Client accepts response (matching xid)

relay_debug_commands.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# Cisco IOS - Debug DHCP relay
debug ip dhcp server packet
debug ip dhcp server events
show ip dhcp relay information
show ip helper-address
 
# View relay statistics
show ip dhcp server statistics
 
# Verify interface has helper configured
show running-config interface vlan100
 
# Linux - Check dhcrelay service
systemctl status isc-dhcp-relay
journalctl -u isc-dhcp-relay -f    # Follow logs
 
# Packet capture at relay (Linux)
tcpdump -i eth0 port 67 or port 68 -nn -v
 
# Windows - DHCP Relay Agent
# Use Event Viewer > Applications and Services Logs > Microsoft > Windows > DHCP-Server
 
# Wireshark filter for relayed traffic
dhcp && bootp.gi != 0.0.0.0    # Shows only relayed messages

The giaddr Test

In packet captures, the presence of a non-zero giaddr instantly tells you the message was relayed. If DISCOVER has giaddr=0, it hasn't been relayed (yet). If OFFER has giaddr non-zero, it was in response to a relayed request. Use giaddr to quickly identify relay-involved conversations.

Summary: DHCP Relay Mastered

We've comprehensively examined DHCP relay agents—the mechanism that enables centralized DHCP across routed networks. Let's consolidate the key takeaways:

Key Takeaways

•Broadcast doesn't cross routers — DHCP's use of broadcast creates a boundary problem that relay agents solve by converting broadcast to unicast.
•giaddr identifies the client subnet — The relay sets giaddr to its local interface IP, enabling the server to select the correct scope for the remote client.
•Relay modifies specific fields — giaddr, hops, and IP/UDP headers change; chaddr, xid, and options remain unchanged through relay.
•Option 82 adds location information — Circuit ID and Remote ID sub-options enable policies based on physical connection point.
•Configure relay on L3 interfaces — The 'ip helper-address' (or equivalent) command is applied to VLAN interfaces, not physical ports.
•Enterprise patterns vary — Centralized, distributed, or hierarchical relay architectures suit different availability and management requirements.
•Troubleshoot methodically — Follow the message path: client→relay→server→relay→client, capturing at each point to isolate failures.

Module Complete:

You've now mastered DHCP comprehensively—from the dynamic addressing concepts through the DORA process, message structures, lease management, and relay agent operation. This knowledge prepares you to design, deploy, and troubleshoot DHCP infrastructure in networks of any scale.

Module Complete

Congratulations! You've completed the DHCP module. You now possess expert-level understanding of the Dynamic Host Configuration Protocol—the invisible infrastructure that makes network connectivity automatic and scalable. These skills are essential for network administration, Systems engineering, and troubleshooting connectivity issues in any IP network.

5 / 5

Loading learning content...

Computer NetworksDHCP

Dynamic Host Configuration Protocol (DHCP)

LevelIntermediate

Duration60 mins

TopicDHCP

5 / 5

DHCP Relay

Bridging the Broadcast Barrier

This page examines relay agent operation in detail: the forwarding logic, addressing mechanics, Option 82 enrichment, enterprise deployment patterns, and troubleshooting techniques.

What You Will Learn

The Broadcast Problem

To understand why relay agents are necessary, we must understand the broadcast constraint that DHCP operates under.

Why DHCP Uses Broadcast:

DHCP clients have a bootstrap problem: they need to communicate with a server to get configuration, but they have no configuration until they communicate with the server. The solution is broadcast:

Layer 2 Broadcast: Client sends Ethernet frame to FF:FF:FF:FF:FF:FF
Layer 3 Broadcast: Client addresses IP packet to 255.255.255.255
Source Address: Client uses 0.0.0.0 (no address yet)

Every device on the local subnet receives the broadcast. DHCP servers process it; other devices ignore it.

The Router Barrier:

Routers, by design, do not forward broadcast traffic:

Each broadcast domain (subnet) has its own broadcast address
Forwarding broadcasts would flood the entire network
Broadcasts are meant for local consumption only

Converting Mermaid diagram...

Without Relay: One Server Per Subnet

Absent relay functionality, every routed subnet requires a local DHCP server. For a network with 50 VLANs:

50 DHCP servers or services
50 scope configurations
50 points of management
50 potential failure points

This doesn't scale. Enterprise networks need centralized DHCP with one or few servers managing all subnets. Relay agents make this possible.

Historical Note: BOOTP Relay

Relay Agent Operation

Forward Path (Client → Server):

Receive Broadcast: Relay receives DHCP Discover/Request on local interface
Check giaddr: If giaddr is 0, this is a new message (not already relayed)
Set giaddr: Relay sets giaddr to its IP address on the receiving interface
Increment hops: Relay increments the hops field
Unicast Forward: Relay sends packet to configured DHCP server IP(s)

Key Insight: giaddr

The giaddr (Gateway IP Address) field is the critical information the server needs:

Tells server which subnet the client is on
Server uses giaddr to select the correct scope
Server sends response back to relay at giaddr
Relay knows which local interface to use for delivery

DHCP Message Fields Modified by Relay
Field	Before Relay	After Relay	Purpose
giaddr	0.0.0.0	Relay's local IP (e.g., 192.168.1.1)	Identifies client subnet for scope selection
hops	0	1 (or current + 1)	Counts relay hops; prevents loops
IP Source	0.0.0.0	Relay's IP	Enables return routing
IP Dest	255.255.255.255	Server's IP	Unicast to specific server
UDP Source	68	67	Relay uses server port
UDP Dest	67	67	Server port unchanged

Return Path (Server → Client):

Server Processing: Server sees giaddr ≠ 0, so client is remote
Scope Selection: Server uses giaddr to identify client's subnet and select scope
Unicast Response: Server sends response to giaddr (the relay)
Relay Receives: Response arrives at relay's IP address, port 67
Client Delivery: Relay broadcasts (or unicasts) to client on local subnet

Broadcast vs Unicast Delivery:

How does the relay deliver to a client that doesn't have an IP?

Broadcast: Most common—relay broadcasts on local subnet, client accepts based on xid
Unicast to MAC: Some relays unicast directly to client's MAC from chaddr
Depends on flags: If BROADCAST flag is set, relay must broadcast

Converting Mermaid diagram...

Server Scope Selection with Relay

When a DHCP server receives a relayed request, it must determine which address pool to use. The giaddr field is the key to this selection.

Scope Selection Algorithm:

Check giaddr: If giaddr is non-zero, client is remote
Match giaddr to scope: Find scope that contains giaddr in its subnet
Select address: Allocate from the matching scope
Apply scope options: Use scope-specific DNS, gateway, etc.

Example:

Server has three scopes configured:

Scope	Subnet	Range	Gateway
Scope-1	192.168.1.0/24	192.168.1.100-200	192.168.1.1
Scope-2	192.168.2.0/24	192.168.2.100-200	192.168.2.1
Scope-3	192.168.3.0/24	192.168.3.100-200	192.168.3.1

Request arrives with giaddr = 192.168.2.1:

Server matches 192.168.2.1 to Scope-2
Allocates address from 192.168.2.100-200 range
Gateway option returns 192.168.2.1

The Relay IS the Gateway:

Note that giaddr typically equals the default gateway for the client's subnet. This is by design—the router serving as relay agent is usually the same router serving as default gateway.

Scope Configuration Must Match Network

Multiple Relay Hops:

In some network designs, DHCP messages may traverse multiple relay agents:

Client → Relay1 (access layer) → Relay2 (distribution layer) → Server

Hop Counting:

Each relay increments the hops field
Servers may reject requests exceeding a hop threshold (default often 4)
Prevents infinite loops if misconfigured
giaddr remains unchanged after first relay (identifies originating subnet)

Secondary Relay Forwarding:

If a relay receives a message with giaddr already set, it forwards without modification
Original giaddr preserved so server identifies correct subnet
Rarely needed but supported for complex topologies

Option 82: Relay Agent Information

Option 82 Structure:

Option 82 contains sub-options, with two being most common:

Sub-Option	Name	Content	Purpose
1	Circuit ID	Port/VLAN identifier	Specific switch port where client connected
2	Remote ID	Switch identifier	Which switch the client connected to

Example Circuit ID:

Option 82, Sub-option 1 (Circuit ID):
  Switch: access-sw-floor3
  Port: Gi0/15
  VLAN: 100

Example Remote ID:

Option 82, Sub-option 2 (Remote ID):
  MAC: 00:1A:2B:3C:4D:5E
  Name: access-sw-floor3.corp.example.com

Option 82 Use Cases

•Location-Based Addressing — Assign addresses based on physical port: devices on floor 3 get 192.168.3.x, floor 4 gets 192.168.4.x, regardless of VLAN
•Port Security — Limit each port to one DHCP address; detect MAC spoofing or unauthorized hubs
•Asset Tracking — Log which switch port granted which IP at what time for compliance and security auditing
•Policy Assignment — Apply different lease times, DNS, or bandwidth policies based on connection location
•Troubleshooting — Identify exactly where a problematic device connects without tracing cables
•Multi-Tenant Isolation — In shared infrastructure, use circuit ID to map tenants to address pools

Option 82 Processing:

At the Relay Agent (Insert):

Relay receives DHCP message from client
Relay adds Option 82 with local port/switch information
Relay forwards to server with Option 82 included

At the Server (Process):

Server receives message with Option 82
Server can use Option 82 for policy decisions:
- Scope selection
- Address reservation
- Logging and auditing
Server includes Option 82 in response (for relay processing)

At the Relay Agent (Strip):

Relay receives server response
Relay may remove Option 82 before delivering to client
Client receives clean DHCP message

Note: The client never sees Option 82—it's a relay-to-server mechanism.

DHCP Snooping and Option 82

Relay Configuration Patterns

Relay agent configuration varies by platform, but the core requirements are consistent: interface selection and server destination.

Basic Relay Configuration:

relay_config_examples.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
# Cisco IOS Router
# Configure on each interface (SVI/VLAN) where clients exist
 
interface Vlan100
  ip address 192.168.1.1 255.255.255.0
  ip helper-address 192.168.10.5           ! Primary DHCP server
  ip helper-address 192.168.10.6           ! Secondary DHCP server
 
interface Vlan200
  ip address 192.168.2.1 255.255.255.0
  ip helper-address 192.168.10.5
  ip helper-address 192.168.10.6
 
# 'ip helper-address' forwards UDP broadcasts for multiple protocols
# including DHCP (67, 68), TFTP (69), DNS (53), etc.
 
# To limit to DHCP only:
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
# (leaves DHCP active)
 
-----------------------------------------------------------
 
# Linux (using dhcrelay from ISC DHCP)
# Start relay daemon specifying interfaces and servers
 
dhcrelay -i eth0 -i eth1 192.168.10.5 192.168.10.6
 
# -i eth0: Listen for broadcasts on eth0
# -i eth1: Listen for broadcasts on eth1
# 192.168.10.5 192.168.10.6: Forward to these servers
 
# For systemd service, configure /etc/default/isc-dhcp-relay:
SERVERS="192.168.10.5 192.168.10.6"
INTERFACES="eth0 eth1"
OPTIONS=""
 
-----------------------------------------------------------
 
# Windows Server (RRAS DHCP Relay Agent)
# Configure via Routing and Remote Access console:
# 1. Install DHCP Relay Agent under IP Routing
# 2. Add interfaces where relay should listen
# 3. Configure server addresses in relay properties
 
# PowerShell (Windows Server 2016+):
Add-RemoteAccessRADIUS -ComputerName "dhcp-server.corp.local"
# (Note: Windows typically uses full DHCP server role rather than relay)

Multiple Server Configuration:

For redundancy, configure relay to forward to multiple DHCP servers:

ip helper-address 192.168.10.5   ! Primary
ip helper-address 192.168.10.6   ! Secondary

Behavior:

Relay forwards client requests to BOTH servers
Both servers may respond with OFFER
Client accepts one offer (typically first received)
Non-selected server releases the offered address

Helper Address Scope

Enterprise Deployment Architecture

Enterprise networks require careful DHCP architecture design. The relay agent model enables centralized management while accommodating complex, hierarchical network topologies.

Common Enterprise Patterns:

Centralized DHCP (Single Location):

All DHCP servers in one data center; all remote subnets use relay.

       [Data Center]
    ┌─────────────────┐
    │  DHCP Server 1  │──┐
    │  DHCP Server 2  │──┼── Failover pair
    └─────────────────┘  │
            │            │
            └────────────┘
                 │
    ┌────────────┴────────────┐
    │         WAN/MPLS        │
    └────────────┬────────────┘
         ┌───────┼───────┐
         │       │       │
    [Site A] [Site B] [Site C]
    Relay    Relay    Relay

Advantages:

Single management point
Consistent policies
Simplified backup/recovery
Centralized logging

Disadvantages:

WAN dependency for DHCP
Latency for remote sites
WAN failure = no new addresses

Mitigation: Long lease durations at remote sites ensure existing devices continue operating during WAN outages. Only new devices or expired leases are affected.

Troubleshooting DHCP Relay

DHCP relay issues can be subtle because problems may occur at the client, relay, network path, or server. Systematic troubleshooting requires understanding the complete flow.

Common Relay Problems:

DHCP Relay Troubleshooting Checklist

•Relay not configured — Verify 'ip helper-address' (or equivalent) is configured on the correct interface (the SVI/VLAN interface where clients reside)
•Wrong helper address — Server IP incorrect or unreachable; verify with ping from relay to server
•Firewall blocking — UDP 67/68 blocked between relay and server; check ACLs and firewall rules
•No matching scope — Server has no scope for the subnet indicated by giaddr; verify scope configuration
•Return path issues — Server response can't reach relay; verify routing from server back to relay's giaddr
•Option 82 policy rejection — Server configured to require Option 82 but relay not inserting it; align configurations
•ARP issues — Relay can't deliver to client; verify relay can ARP for client's MAC on local subnet

Diagnostic Approach:

Verify Client → Relay: Capture on relay; confirm DISCOVER is received
- Check relay interface is DHCP snooping trusted (if enabled)
- Verify relay service is running
Verify Relay → Server: Capture on server (or path); confirm relayed request arrives
- Check giaddr is set correctly
- Verify UDP 67 reaches server
Verify Server Processing: Check server logs for scope selection
- Does giaddr match a configured scope?
- Are addresses available in the pool?
Verify Server → Relay: Capture on relay; confirm server response arrives
- Server sends to giaddr
- Check routing and firewalls on return path
Verify Relay → Client: Capture on client subnet; confirm OFFER/ACK delivered
- Relay broadcasts or unicasts to client
- Client accepts response (matching xid)

relay_debug_commands.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# Cisco IOS - Debug DHCP relay
debug ip dhcp server packet
debug ip dhcp server events
show ip dhcp relay information
show ip helper-address
 
# View relay statistics
show ip dhcp server statistics
 
# Verify interface has helper configured
show running-config interface vlan100
 
# Linux - Check dhcrelay service
systemctl status isc-dhcp-relay
journalctl -u isc-dhcp-relay -f    # Follow logs
 
# Packet capture at relay (Linux)
tcpdump -i eth0 port 67 or port 68 -nn -v
 
# Windows - DHCP Relay Agent
# Use Event Viewer > Applications and Services Logs > Microsoft > Windows > DHCP-Server
 
# Wireshark filter for relayed traffic
dhcp && bootp.gi != 0.0.0.0    # Shows only relayed messages

The giaddr Test

Summary: DHCP Relay Mastered

We've comprehensively examined DHCP relay agents—the mechanism that enables centralized DHCP across routed networks. Let's consolidate the key takeaways:

Key Takeaways

•Broadcast doesn't cross routers — DHCP's use of broadcast creates a boundary problem that relay agents solve by converting broadcast to unicast.
•giaddr identifies the client subnet — The relay sets giaddr to its local interface IP, enabling the server to select the correct scope for the remote client.
•Relay modifies specific fields — giaddr, hops, and IP/UDP headers change; chaddr, xid, and options remain unchanged through relay.
•Option 82 adds location information — Circuit ID and Remote ID sub-options enable policies based on physical connection point.
•Configure relay on L3 interfaces — The 'ip helper-address' (or equivalent) command is applied to VLAN interfaces, not physical ports.
•Enterprise patterns vary — Centralized, distributed, or hierarchical relay architectures suit different availability and management requirements.
•Troubleshoot methodically — Follow the message path: client→relay→server→relay→client, capturing at each point to isolate failures.

Module Complete:

Module Complete

5 / 5