DHCP clients need to use UDP broadcasts to send their initial DHCPDISCOVER messages because the clients do not have information about the network to which they are attached. If the client is on a network segment that does not include a server, UDP broadcasts are not usually forwarded because most routers are configured to not forward broadcast traffic. When the DHCP client broadcasts a DHCPDISCOVER message, the relay agent sends the broadcast message toward the server, which may create Address Resolution Protocol (ARP) entries due to unnecessary ARP checks performed by the client after receiving the ACK message. If there are two entries in the ARP table, one times out after the ARP timeout. You can remedy this situation by configuring the interface of your router that is receiving the broadcasts to forward certain classes of broadcasts to a helper address. You can use more than one helper address per interface.

When a router forwards these address assignment/parameter requests, it acts as a DHCP relay agent. The Cisco router implementation of the DHCP relay agent is provided through the ip helper-address interface configuration command.

In the figure below, the DHCP client broadcasts a request for an IP address and additional configuration parameters on its local LAN. Router B, acting as a DHCP relay agent, picks up the broadcast and generates a new DHCP message to send out on another interface. As part of this DHCP message, the relay agent inserts the IP address of the interface containing the ip helper-address command into the gateway IP address (giaddr) field of the DHCP packet. This IP address enables the DHCP server to determine which subnet should receive the packet. The DHCP relay agent sends the local broadcast, through IP unicast, to the DHCP server address 172.16.1.2 that is specified by the ip helper-address interface configuration command.

Figure 1

Forwarding UDP Broadcasts to a DHCP Server Using a Helper Address

Perform this task to configure the DHCP relay agent to forward packets to a DHCP server.

Automatic DHCP address allocation is typically based on an IP address, which may be either the gateway IP address (giaddr field of the DHCP packet) or the incoming interface IP address. In some networks, additional information may be required to further determine the IP addresses that need to be allocated. By using the relay agent information option (option 82), the Cisco IOS relay agent can include additional information about itself when forwarding client-originated DHCP packets to a DHCP server. Cisco software supports this functionality by using the ip dhcp relay information option command. The relay agent will automatically add the circuit identifier suboption and the remote ID suboption to the relay agent information option and forward them to the DHCP server.

The DHCP server can use this information to assign IP addresses, perform access control, and set quality of service (QoS) and security policies (or other parameter-assignment policies) for each subscriber of a service provider network.

The figure below shows how the relay agent information option is inserted into the DHCP packet as follows:

1. The DHCP client generates a DHCP request and broadcasts it on the network.
2. The DHCP relay agent intercepts the broadcast DHCP request packet and inserts the relay agent information option (option 82) into the packet. The relay agent information option contains related suboptions.
3. The DHCP relay agent unicasts the DHCP packet to the DHCP server.
4. The DHCP server receives the packet, uses the suboptions to assign IP addresses and other configuration parameters to the packet, and forwards the packet back to the client.
5. The suboption fields are stripped off of the packet by the relay agent while forwarding the packet to the client.

Figure 2

Operation of the Relay Agent Information Option

A DHCP relay agent may receive a message from another DHCP relay agent that already contains relay information. By default, the relay information from the previous relay agent is replaced. If this behavior is not suitable for your network, you can use the ip dhcp relay information policy {drop | keep | replace} global configuration command to change it.

To ensure the correct operation of the reforwarding policy, disable the relay agent information check by using the no ip dhcp relay information check global configuration command.

The interface configuration allows a Cisco router to reach subscribers with different DHCP option 82 requirements on different interfaces.

Perform this task to enable an ISP to add a unique identifier to the subscriber identifier suboption of the relay agent information option. The unique identifier enables an ISP to identify a subscriber, assign specific actions to that subscriber (for example, assignment of the host IP address, subnet mask, and domain name system [DNS]), and trigger accounting.

Before the introduction of the subscriber identifier suboption, if a subscriber moved from one Network Access Server to another, each ISP had to be informed of the change and all ISPs had to reconfigure the DHCP settings for the affected customers at the same time. Even if the service was not changed, every move involved administrative changes in the ISP environment. With the introduction of the subscriber identifier suboption, if a subscriber moves from one Network Access Server to another, there is no need for a change in the configuration on the DHCP server or the ISPs.

DHCP relay class support for client identification allows the Cisco relay agent to forward client-generated DHCP messages to different DHCP servers based on the content of the following four options:

• Option 60: vendor class identifier
• Option 77: user class
• Option 124: vendor-identifying vendor class
• Option 125: vendor-identifying vendor-specific information

Each option identifies the type of client that is sending the DHCP message.

Relay pools provide a method to define DHCP pools that are not used for address allocation. These relay pools can specify that DHCP messages from clients on a specific subnet should be forwarded to a specific DHCP server. These relay pools can be configured with relay classes inside the pool that help determine the forwarding behavior.

For example, after receiving the option in a DHCP DISCOVER message, the relay agent will match and identify the relay class from the relay pool and then direct the DHCP DISCOVER message to the DHCP server associated with that identified relay class.

In an example application, a Cisco router acting as a DHCP relay agent receives DHCP requests from two VoIP services (H.323 and the Session Initiation Protocol [SIP]). The requesting devices are identified by option 60.

Both VoIP services have a different back-office infrastructure, so they cannot be serviced by the same DHCP server. Requests for H.323 devices must be forwarded to the H.323 server, and requests from SIP devices must be forwarded to the SIP server. The solution is to configure the relay agent with relay classes that are configured to match option 60 values sent by the client devices. Based on the option value, the relay agent will match and identify the relay class, and forward the DHCP DISCOVER message to the DHCP server associated with the identified relay class.

The Cisco IOS DHCP server examines the relay classes that are applicable to a pool and then uses the exact match class regardless of the configuration order. If the exact match is not found, the DHCP server uses the first default match found.

DHCP relay support for Multiprotocol Label Switching (MPLS) VPNs enables a network administrator to conserve address space by allowing overlapping addresses. The relay agent can support multiple clients on different VPNs, and many of these clients from different VPNs can share the same IP address.

Configuring VPNs involves an adjustment to the usual DHCP host IP address designation. VPNs use private address spaces that might not be unique across the Internet.

In some environments, a relay agent resides in a network element that also has access to one or more MPLS VPNs. A DHCP server that provides service to DHCP clients on those different VPNs must locate the VPN in which each client resides. The network element that contains the relay agent typically captures the VPN association of the DHCP client and includes this information in the relay agent information option of the DHCP packet.

DHCP relay support for MPLS VPNs allows the relay agent to forward this necessary VPN-related information to the DHCP server using the following three suboptions of the DHCP relay agent information option:

• VPN identifier
• Subnet selection
• Server identifier override

The VPN identifier suboption is used by the relay agent to inform the DHCP server about the VPN for every DHCP request that the relay agent passes on to the DHCP server; the VPN identifier suboption is also used to properly forward any DHCP reply that the DHCP server sends back to the relay agent. The VPN identifier suboption contains the VPN ID configured on the incoming interface to which the client is connected. If you configure the VPN routing and forwarding (VRF) name but not the VPN ID, the VRF name is used as the VPN identifier suboption. If the interface is in the global routing space, VPN suboptions are not added.

The subnet selection suboption allows the separation of the subnet, where the client resides, from the IP address used to communicate with the relay agent. In typical DHCP processing, the gateway address specifies both the subnet on which a DHCP client resides and the IP address that the server can use to communicate with the relay agent. Situations exist where the relay agent needs to specify the subnet on which a DHCP client resides that is different from the IP address that the server can use to communicate with the relay agent. The subnet selection suboption is included in the relay agent information option and passed on to the DHCP server. The gateway address is changed to the outgoing interface of the relay agent toward the DHCP server. The DHCP server uses this gateway address to send reply packets back to the relay agent.

The server identifier override suboption value is copied in the reply packet from the DHCP server instead of the normal server ID address. The server identifier override suboption contains the incoming interface IP address, which is the IP address on the relay agent that is accessible from the client. Using this information, the DHCP client sends all renew and release packets to the relay agent. The relay agent adds all the VPN suboptions to the packets and forwards the packets to the original DHCP server.

After adding these suboptions to the DHCP relay agent information option, the gateway address is changed to the outgoing interface of the relay agent toward the DHCP server. When the packets are returned from the DHCP server, the relay agent removes the relay agent information options from the packets and forwards the packets to the DHCP client on the correct VPN.

The figure below shows a VPN scenario where the DHCP relay agent and DHCP server can recognize the VPN within which each client resides. DHCP client 1 is part of VPN green, and DHCP client 2 is part of VPN red, and both have the same private IP address 192.168.1.0/24. Because the clients have the same IP address, the DHCP relay agent and DHCP server use the VPN identifier, subnet selection, and server identifier override suboptions of the relay agent information option to distinguish the correct VPN of the client.

Figure 3

VPN DHCP Configuration

When two relay agents are relaying messages between the DHCP client and the DHCP server, the relay agent closer to the server, by default, replaces the first option 82 information with its own option 82. The remote ID and circuit ID information from the first relay agent is lost. In some deployment scenarios, it is necessary to maintain the initial option 82 from the first relay agent, in addition to the option 82 from the second relay agent, for example, in a situation where an Intelligent Services Gateway (ISG) acting as a second relay agent is connected to a Layer 2 device. The Layer 2 device connects to the household and identifies the household with its own option 82.

The DHCP Relay Option 82 Encapsulation feature allows the second relay agent to encapsulate option 82 information in a received message from the first relay agent if the second relay agent is configured to add its own option 82 information. This configuration allows the DHCP server to use option 82 information from both relay agents. The DHCP server can use the VPN information from the second relay agent, along with the option 82 information from the first relay agent, to send correct address assignments and other configuration parameters for the client devices based on the VRF, option 60, and encapsulated option 82. The reply message from the DHCP server to the DHCP client traverses the same path as the request messages through the two relay agents to the DHCP client.

The figure below shows the processing that occurs on the two relay agents and the DHCP server when this feature is configured:

1. The DHCP client generates a DHCP message (including option 60) and broadcasts it on the network.
2. The first DHCP relay agent intercepts the broadcast DHCP request packet and inserts its own option 82 in the packet.
3. The relay agent automatically adds the circuit ID suboption and the remote ID suboption to option 82 and forwards them to the second relay agent.
4. The second relay agent encapsulates the first relay agent's option 82 and inserts its own option 82.
5. The gateway IP address (giaddr) is set to the incoming interface on the second relay agent and the original giaddr from the first relay agent is encapsulated.
6. The second DHCP relay agent unicasts the DHCP packet to the DHCP server.
7. The DHCP server receives the packet and uses the VPN suboption information from the second relay agent, along with the option 82 information from the first relay agent, to assign IP addresses and other configuration parameters and forwards the packet back to the second relay agent.
8. When the second relay agent receives the reply message from the server, it restores the encapsulated option 82 and prior giaddr from the first relay agent. The reply message is then sent to the prior giaddr.
9. The first relay agent strips option 82 off from the packet before forwarding the packet to the client.

Figure 4

Processing DHCP Relay Agent Information Option Encapsulation Support

You only need to configure helper addresses on the interface where the UDP broadcasts that you want to forward to the DHCP server are being received. You only need to configure the ip dhcp smart-relay command if you have secondary addresses on that interface and you want the router to step through each IP network when forwarding DHCP requests. If smart relay agent forwarding is not configured, all requests are forwarded using the primary IP address on the interface.

If the ip dhcp smart-relay command is configured, the relay agent counts the number of times that the client retries sending a request to the DHCP server when there is no DHCPOFFER message from the DHCP server. After three retries, the relay agent sets the gateway address to the secondary address. If the DHCP server still does not respond after three more retries, then the next secondary address is used as the gateway address.

This functionality is useful when the DHCP server cannot be configured to use secondary pools.

Some features that are not standardized will use the private Cisco relay agent suboption numbers. After the features are standardized, the relay agent suboptions are assigned the Internet Assigned Numbers Authority (IANA) numbers. Cisco software supports both private and IANA numbers for these suboptions.

Perform this task to configure the DHCP client to use private or IANA standard relay agent suboption numbers.

The show ip route dhcp command is useful to help troubleshoot issues with the DHCP relay agent that adds routes to clients from unnumbered interfaces. This command displays all routes added to the routing table by the DHCP server and the relay agent.

The following example shows how to enable the DHCP server, the relay agent, and the insertion and removal of the DHCP relay information option (option 82). Note that the Cisco IOS DHCP server is enabled by default. In this example, the DHCP server is disabled:

! Reenables the DHCP server.
service dhcp
ip dhcp relay information option
!
interface ethernet0/0
 ip address 192.168.100.1 255.255.255.0
 ip helper-address 10.55.11.3

The following example shows that for subscribers who are being serviced by the same aggregation router, the relay agent information option for ATM subscribers must be processed differently from that for Ethernet digital subscribers. For ATM subscribers, the relay agent information option is configured to be removed from the packet by the relay agent before forwarding the packet to the client. For Ethernet subscribers, the connected device provides the relay agent information option, and the option is configured to remain in the packet and be forwarded to the client.

ip dhcp relay information trust-all
interface Loopback0
 ip address 10.16.0.1 255.255.255.0
!
interface ATM3/0
 no ip address
!
interface ATM3/0.1
 ip helper-address 10.16.1.2
 ip unnumbered loopback0
 ip dhcp relay information option-insert
!
interface Loopback1
 ip address 10.18.0.1 255.255.255.0
!
interface Ethernet4
 no ip address
!
interface Ethernet4/0.1
 encapsulation dot1q 123
 ip unnumbered loopback1
 ip helper-address 10.18.1.2
 ip dhcp relay information policy-action keep

The following example shows how to add a unique identifier to the subscriber-identifier suboption of the relay agent information option:

ip dhcp relay information option
!
interface Loopback0 
 ip address 10.1.1.129 255.255.255.192 
!
interface ATM4/0 
 no ip address 
!
interface ATM4/0.1 point-to-point
 ip helper-address 10.16.1.2
 ip unnumbered Loopback0
 ip dhcp relay information option subscriber-id newperson123
 atm route-bridged ip
 pvc 88/800
 encapsulation aal5snap

In the following example, DHCP messages are received from DHCP clients on subnet 10.2.2.0. The relay agent will match and identify the relay class from the relay pool and forward the DHCP message to the appropriate DHCP server identified by the relay target command.

!
ip dhcp class H323
 option 60 hex 010203
!
ip dhcp class SIP
 option 60 hex 040506
! 
! The following is the relay pool:
ip dhcp pool pool1
 relay source 10.2.2.0 255.255.255.0
 class H323
  relay target 192.168.2.1
  relay target 192.168.3.1
!
 class SIP
  relay target 192.168.4.1

In the following example, the DHCP relay agent receives a DHCP request on Ethernet interface 0/1 and sends the request to the DHCP server located at IP helper address 10.44.23.7, which is associated with the VRF named vrf1:

ip dhcp relay information option vpn
!
interface ethernet 0/1
 ip helper-address vrf vrf1 10.44.23.7
!

In the following example, DHCP relay agent 1 is configured globally to insert the relay agent information option into the DHCP packet. DHCP relay agent 2 is configured to add its own relay agent information option, including the VPN information, and to encapsulate the relay agent information option received from DHCP relay agent 1. The DHCP server receives the relay agent information options from both the relay agents, uses this information to assign IP addresses and other configuration parameters, and forwards them back to the client.

DHCP Relay Agent 1

ip dhcp relay information option 

DHCP Relay Agent 2

ip dhcp relay information option
ip dhcp relay information option vpn
ip dhcp relay information option encapsulation

In the following example, the router will forward the DHCP broadcast received on Ethernet interface 0/0 to the DHCP server (10.55.11.3), by inserting 192.168.100.1 in the giaddr field of the DHCP packet. If the DHCP server has a scope or pool configured for the 192.168.100.0/24 network, the server will respond; otherwise, it will not respond.

Because the ip dhcp smart-relay global configuration command is configured, if the router sends three requests using 192.168.100.1 in the giaddr field and does not get a response, the router will move on and start using 172.16.31.254 in the giaddr field instead. Without the smart relay functionality, the router uses only 192.168.100.1 in the giaddr field.

ip dhcp smart-relay
!
interface ethernet0/0
 ip address 192.168.100.1 255.255.255.0
 ip address 172.16.31.254 255.255.255.0
 ip helper-address 10.55.11.3
!