Cisco IOS DHCP Relay Agent

Hello Boris,
the first thing I can think of is to enable the dhcp service using “service dhcp”.

  • “service dhcp” is enabled by default
  • “ip helper-address” needs dhcp service to be enabled in order to function

Hello Boris

In addition to what @fugazz mentioned, some other things that may cause a DHCP relay agent to fail include:

  1. There must be a route from the IP address of the interface to the DHCP server
  2. The interface must be up and must be configured with an IP address
  3. The ip helper-address address configured must be that of an active DHCP server

I hope this has been helpful!

Laz


Thank you very much.

Hello Laz

Both explanations have been helpful. Thanks a lot.


Is there a specific reason why a router forwards the offer and acknowledgement messages from the server as a broadcast?

Hello Marit

All of the communication that takes place between the DHCP relay and the DHCP host occurs based on the regular DHCP process as described in this lesson:

Based on this lesson, and on how DHCP functions, both the OFFER and the ACK messages of DHCP are broadcast using the 255.255.255.255 IP address. However, it is true that at least the MAC address of the requesting host is known by both the server and the relay agent after the initial DISCOVERY packet is sent. The reasons why both the OFFER and the ACK are broadcast rather than unicast are further explained in this post:

I hope this has been helpful!

Laz


Thanks, Laz, I missed that post.

Hi,

I am practicing the same scenario as you have explained, but instead I have configured a subinterface on the router connecting to the LAN, and I do not see machines in the LAN fetching an IP from the DHCP server. I have configured the helper IP under 0.10, and for this testing I have a switch now between Router & switch, and the port between switch & router is a trunk on the switch end, and on the router encapsulation is enabled.
Also, I am able to reach 12.2 from the router where DHCP is defined.

Regards
shaan

Hello Shaan

Based on your description of your topology, the setup should work correctly. I’m assuming that your subinterface of Fa0/0.10 is on VLAN 10. Based on your description, I’ve prepared the following diagram:

When troubleshooting, test the following:

  1. Make sure that the correct VLAN is configured on the trunk interface of the switch, as well as on the subinterface of the router
  2. Test the subinterface and trunk configuration by statically assigning an IP address to the PC, such as 192.168.12.55 255.255.255.0 and attempt to ping the Fa0/0.10 interface. If it is not successful, then there is a problem with the switch/trunk/router configuration.
  3. If the above test is successful, then you should check the relay agent configuration for correctness, and the operation of the DHCP server.

If you need some additional information about the configuration of subinterfaces, take a look at the following lesson:

I hope this has been helpful!

Laz


Thank you Laz, I tested and it's working.

Regards
shaan


Hi Rene,
Suppose Host A, B & C are connected with Router (R1) on 3 different interfaces. R1 is working as a relay agent. R1 is connected with 3 different DHCP servers (D1, D2 & D3) to provide IP addresses to Host A, B & C. I mean A will get an IP from D1, B will get one from D2 & C will get one from D3. I will configure 3 ip helper addresses in R1. Is this scenario feasible? If yes, then how will R1 map the broadcasts to the helper addresses accordingly?

Maybe by configuring a single server with 3 different pools and using a single ip-helper in R1, we can solve it. Or using VLANs, we can solve the problem. But my question is, is the said scenario feasible? If yes, then how?
Thanks in advance.

Hello Anjan

Yes it is feasible because the IP helper address is configured on each interface. You would configure it like so:

  • Interface GE0/1 on which Host A is connected will have an IP helper address of 10.10.10.10
  • Interface GE0/2 on which Host B is connected will have an IP helper address of 10.10.20.10
  • Interface GE0/3 on which Host C is connected will have an IP helper address of 10.10.30.10

So each host, which belongs to a different subnet, will send their DHCP request, and the interface of the router to which it is attached will forward that request to the appropriate DHCP server.

Now this is not a very scalable solution, as it would require a different physical device for each DHCP server (or at least a different VM if you go virtual). Ideally, your suggestion would be the best, to create a single DHCP server, use the same server as the IP helper address, and simply have 3 different pools. This would solve it because the DHCP request from Host A will include the IP address and subnet mask of the interface on which the helper address is configured, and this subnet will inform the DHCP server from which pool to offer addresses. Introducing VLANs would not make a difference in the DHCP scenario.

I hope this has been helpful!

Laz
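
Added example, not part of the thread and not Cisco or DHCP server code: a Python sketch of the single-server design discussed above, showing the relay stamping its ingress interface address into the giaddr field and the server matching that address against its scopes. The scope names, client subnets and interface addresses are constructed for the example.

```python
import ipaddress

HOPS, GIADDR = 3, slice(24, 28)   # offsets in the fixed BOOTP header (RFC 2131)

# Constructed for this example: client subnets behind GE0/1-3 and the
# scope names on one central server; none of these come from the thread.
SCOPES = {"POOL_A": "192.168.1.0/24",
          "POOL_B": "192.168.2.0/24",
          "POOL_C": "192.168.3.0/24"}

def client_discover():
    """Minimal constructed BOOTREQUEST as the client broadcasts it (giaddr 0)."""
    pkt = bytearray(240)
    pkt[0] = 1                          # op = BOOTREQUEST
    pkt[236:240] = b"\x63\x82\x53\x63"  # DHCP magic cookie
    return bytes(pkt)

def relay(pkt, ingress_ip):
    """Relay-agent step (RFC 1542): bump hops, stamp giaddr if still unset."""
    out = bytearray(pkt)
    out[HOPS] += 1
    if out[GIADDR] == bytes(4):         # only the first relay sets giaddr
        out[GIADDR] = ipaddress.IPv4Address(ingress_ip).packed
    return bytes(out)

def select_scope(pkt, scopes=SCOPES):
    """Server side: pick the scope whose subnet contains giaddr."""
    giaddr = ipaddress.IPv4Address(bytes(pkt[GIADDR]))
    if giaddr.is_unspecified:
        return None   # not relayed: a real server uses its own receiving subnet
    for name, net in scopes.items():
        if giaddr in ipaddress.ip_network(net):
            return name
    return None

if __name__ == "__main__":
    for ip in ("192.168.1.1", "192.168.2.1", "192.168.3.1"):
        print(ip, "->", select_scope(relay(client_discover(), ip)))
```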

Hi Laz,
I understand that R1 relays DHCP messages as unicast, but I did not understand why the DHCP server also replies in unicast mode once it is in the same broadcast domain. I thought the DHCP server would send DHCP messages the broadcast way.
Can you please help me with this doubt? Thank you

Victor Hugo

Hello Victor

If the DHCP server is in the same network segment/broadcast domain as the client, then once the server receives the DHCPDISCOVER, it knows the MAC address of the client. This is because the MAC address of the client is used as the source MAC address in the Ethernet header of the DHCPDISCOVER message. Since the DHCP server knows the Layer 2 address of the client, there is no need to send a multicast DHCPOFFER message to the client. It can send a unicast DHCPOFFER message using the MAC address of the client as the destination address. In this case, it doesn’t matter what is found in the IP address fields of the IP header, since this communication is functioning at Layer 2, and such connectivity is achievable within the same network segment.

I hope this has been helpful!

Laz

Hi, I’m trying to figure out an issue with a network I’ve been building. DHCP relay isn’t working.

The VLAN which the helper address is enabled on is at a remote site. I can see from the debug that the DHCP request is being forwarded as a unicast message toward the DHCP server.

The DHCP server is located on a core switch elsewhere, and has DHCP snooping enabled on the interface where the DHCP server is.

The interface which the unicast DHCP messages will reach the remote site through does not have DHCP snooping trust set on it.

This particular core switch is not under my control, and before I contact HQ and ask them I have this question-

Does DHCP snooping trust need to be enabled even on an interface that will be sending/receiving unicast (DHCP Relay) messages?

Thanks in advance.
Charles.

Hello Charles

When a port on a switch is configured as untrusted, then in order for any DHCP packets to be received and processed by that port, they must go through a process called packet validation. This essentially means it examines to see if a packet should be dropped or not. According to this Cisco documentation, one of the validation criteria is the following:

If an untrusted port receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0, it will be dropped unless that packet includes option 82 information

Now the issue gets a bit more complicated due to that pesky DHCP option 82. Option 82 was originally created in order to provide the DHCP relay agent the ability to identify itself and the client that sent the original unmodified DHCP message. But because option 82 is not always understood by all devices, it is often disabled on the switches.

So to answer your question, you should either have option 82 functioning correctly or disable it on the switch, and ensure that the port is trusted.

Your original question sounds concise and simple, but unfortunately, the answer is somewhat complex. You can find more info on these topics at the following links:

I hope this has been helpful!

Laz
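
Added example, not part of the thread and not Cisco's implementation: a Python check that pulls the two fields the rule quoted above depends on (giaddr and option 82) out of a DHCP packet and applies only that rule as the post states it. The packets, MAC addresses, xid and option 82 contents are constructed for the example.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"      # DHCP magic cookie (RFC 2131)
RELAY_INFO = 82                  # relay agent information option (RFC 3046)
# Constructed option 82: sub-option 1 (circuit ID) and 2 (remote ID).
OPT82 = (b"\x52\x0e" b"\x01\x04\x00\x0a\x00\x01"
         b"\x02\x06\x02\x00\x00\x00\x00\x02")

def build(giaddr="0.0.0.0", options=b""):
    """Constructed DHCPDISCOVER for the demo; MAC and xid are made up."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6,
                      int(giaddr != "0.0.0.0"), 0xC0FFEE, 0, 0x8000,
                      bytes(4), bytes(4), bytes(4),
                      ipaddress.IPv4Address(giaddr).packed,
                      bytes.fromhex("020000000001").ljust(16, b"\0"))
    return hdr + bytes(192) + MAGIC + b"\x35\x01\x01" + options + b"\xff"

def tlvs(buf):
    """Parse code/length/value triples; stops at END (255), skips PAD (0)."""
    out, i = {}, 0
    while i < len(buf) and buf[i] != 255:
        if buf[i] == 0:
            i += 1
            continue
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated option")
        out[buf[i]] = buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]
    return out

def relay_fields(pkt):
    """Extract giaddr and the option 82 sub-options (None if absent)."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts = tlvs(pkt[240:])
    sub = tlvs(opts[RELAY_INFO]) if RELAY_INFO in opts else None
    return {"giaddr": str(ipaddress.IPv4Address(pkt[24:28])), "option82": sub}

def quoted_rule_verdict(pkt):
    """Only the rule as quoted in the post; real switches run more checks."""
    info = relay_fields(pkt)
    if info["giaddr"] != "0.0.0.0" and info["option82"] is None:
        return "drop"
    return "forward"
```

Running relay_fields over packets captured on the untrusted port shows whether giaddr is set and whether option 82 survived the path, which is what to bring to whoever administers the snooping switch.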

Hello Rene;

I found a small error in the DHCP Relay Agent course.
On Router 1, when show ip interface FastEthernet 0/0 is typed, the IP address of this interface must be 192.168.12.2, but 192.168.12.1 is mentioned. Maybe a typing error.
I say that because in the picture the interface Fa0/0 of router R1 has the IP address 192.168.12.2.


Hello Daoud

Yes, you are correct, thanks for pointing that out. I will let @ReneMolenaar know to make the change.

Thanks again!

Laz

Hi Rene / Team,

One quick query from my practical experience

In my company, I have an SVI with a DHCP relay agent configured. In addition to this, I have the QIP tool for IP address management.
For the sake of understanding, I am giving a dummy subnet with VLAN:

SVI Vlan 100
IP Address - 1.1.1.0/24

I have 3 Queries:

Case 1:

What would be the case if SVI 100 is configured with 1.1.1.0/24 and the subnet is configured as 1.1.1.0/23 in QIP Tool for respective DHCP Servers… Will the clients get IP Address? If so, what range of IPs would they get?

Case 2:
What would be the case if SVI 100 is configured with 1.1.1.0/24 and the subnet is configured as 1.1.1.0/25 in QIP Tool for respective DHCP Servers… Will the clients get IP Address? If so, what range of IPs would they get?

Case 3: I have multiple DHCP Relay Address configured… Which Relay Agent address would be used first by the SVI to reach the DHCP Server or all Servers would be reached at the same time via broadcast?

Please explain all 3 cases. Thanks

Hello Shankar

In your scenario, the SVI VLAN 100 is the interface that is configured as the relay agent, correct? In other words, the SVI VLAN 100 is on the same broadcast domain as the DHCP clients sending out their requests. In such a case, the SVI VLAN 100 will also necessarily function as the default gateway of the specific subnet, and will thus be responsible for routing all packets destined outside of the local subnet.

Now having said that, it is necessary to make sure that the subnet mask of this interface matches the subnet mask of the DHCP server, or in your case the QIP tool. If it doesn’t, then the subnet mask given to the DHCP client may cause connectivity issues.

In case 1, the DHCP client may be given an address such as 1.1.0.25/23 for example. This however is not on the same subnet as the default gateway SVI VLAN 100, at least from the point of view of the SVI. Therefore there will be connectivity issues when attempting to reach outside of the local subnet.

In case 2, you have a similar problem, but it may not be perceived. In this case, the client would get an IP address somewhere in the range of 1.1.1.0 to 1.1.1.127. This would give it communication with the default gateway without any problems. The problem will arise when the host wants to communicate with other hosts on the subnet with addresses like 1.1.1.135. In such a case, traffic would be sent to the default gateway, since from the point of view of the host, this is outside of its subnet. The default gateway would receive this and simply drop it since it perceives the destination as being on the same subnet.

In both cases 1 and 2, the operation will function, but there will be problems with connectivity.

For case 3, it is indeed possible to configure multiple IP helper addresses. According to Cisco, DHCPDISCOVER messages are sent to all the helper addresses configured on an interface. The client will obtain IP addressing information from whichever DHCP server responds first. It’s a similar situation to having two DHCP servers on the same subnet. It’s not ideal, as this can increase DHCP traffic on a network, but it is doable.

I hope this has been helpful!

Laz
