Dynamic Host Configuration Protocol (DHCP) lets a client device automatically obtain the addressing, service, and configuration information it needs to operate on a given network. To start the exchange, the client first sends out a broadcast packet called a DHCP Discover, illustrated below:
DHCP Discovers are restricted to a broadcast domain and cannot be routed. This does not mean a DHCP server is needed on every subnet, however: a DHCP relay agent (also known as IP helper) can forward these DHCP Discover packets by unicast to an appropriate DHCP server in a different broadcast domain.
In the following example, there are two VLANs behind a Layer 3 networking device, which limits the broadcast domain. Because the client resides on VLAN 20 and is configured for the 192.168.0.0/24 address space, its DHCP Discover packets cannot traverse the routing hop to the DHCP server on VLAN 10, which is configured for the 10.0.0.0/24 address space:
If the routing device in the example above is configured to act as a DHCP relay between VLAN 10 and VLAN 20, however, the client's DHCP Discover can reach the DHCP server.
The Cisco Meraki MX security appliance supports DHCP relay configured on a per-subnet basis. An MX in the example network above would have the following configuration:
Note: The MX must have VLANs enabled in order to relay DHCP to another server.
Note: The DHCP server configured must be in a subnet configured on the MX, including directly connected VLANs, static routes, and subnets participating in AutoVPN. DHCP servers sitting behind a third-party VPN peer are not supported.
Note: If multiple relay servers are configured, the MX will forward DHCP requests to them all simultaneously.
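The following is an added example and not Meraki code; it models, per RFC 2131 section 4.1, what a relay agent does to a client's broadcast DHCP Discover before unicasting it to the server in the other broadcast domain, and why that matters on the server side: the relay stamps its own interface address into the `giaddr` field, and the server uses `giaddr` to choose the scope for the client's subnet and to know where to send the reply. It also implements, as a plain reachability check, the rule in the note above that the relay target must lie inside a subnet the MX knows. The addresses (client MAC `00:11:22:33:44:55`, relay interface `192.168.0.1`, DHCP server `10.0.0.5`) and the hop threshold are constructed for the example.

```python
"""Added example (not Meraki code): DHCP relay agent behaviour per RFC 2131 section 4.1.

A client on VLAN 20 (192.168.0.0/24) broadcasts a DHCP Discover; the relay on
192.168.0.1 fills giaddr and unicasts it to the server 10.0.0.5 on VLAN 10.
All addresses and the sample packet are constructed for illustration.
"""
import ipaddress
import struct

# BOOTP/DHCP fixed header (RFC 2131 section 2): op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128), then the
# 4-byte DHCP magic cookie. 240 bytes precede the options.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s4s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)          # 240
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_END = 53, 255
BOOTREQUEST, DHCP_DISCOVER = 1, 1
ZERO_IP = b"\x00" * 4
HOP_THRESHOLD = 4   # constructed value; RFC 1542 relays discard requests above a configured hop limit


def build_discover(xid: int, mac: bytes) -> bytes:
    """Constructed sample: the broadcast DHCP Discover a client emits (giaddr = 0.0.0.0)."""
    header = struct.pack(
        BOOTP_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,   # flags 0x8000: client wants a broadcast reply
        ZERO_IP, ZERO_IP, ZERO_IP, ZERO_IP,
        mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128, MAGIC_COOKIE)
    options = bytes([OPT_MSG_TYPE, 1, DHCP_DISCOVER, OPT_END])
    return header + options


def parse(pkt: bytes) -> dict:
    """Decode the header fields a relay and a server act on, plus option 53 (message type)."""
    (op, _htype, hlen, hops, xid, _secs, flags, _ci, _yi, _si, giaddr,
     chaddr, _sname, _file, cookie) = struct.unpack(BOOTP_FMT, pkt[:BOOTP_LEN])
    if cookie != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad magic cookie)")
    opts, i = {}, BOOTP_LEN
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                     # pad option carries no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "hops": hops, "xid": xid, "broadcast": bool(flags & 0x8000),
        "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "chaddr": chaddr[:hlen].hex(":"),
        "msg_type": opts.get(OPT_MSG_TYPE, b"\x00")[0],
    }


def relay(pkt: bytes, relay_if_ip: str) -> bytes:
    """Relay agent step: increment hops and, if giaddr is still zero, set it to the
    address of the interface the broadcast arrived on. giaddr tells the server which
    subnet the client sits on and where to unicast the reply."""
    fields = list(struct.unpack(BOOTP_FMT, pkt[:BOOTP_LEN]))
    if fields[0] != BOOTREQUEST:
        raise ValueError("only client requests are relayed this way")
    if fields[3] >= HOP_THRESHOLD:
        raise ValueError("hop threshold exceeded; dropped to stop relay loops")
    fields[3] += 1
    if fields[10] == ZERO_IP:                # only the first relay on the path fills giaddr
        fields[10] = ipaddress.IPv4Address(relay_if_ip).packed
    return struct.pack(BOOTP_FMT, *fields) + pkt[BOOTP_LEN:]


def unicast_endpoints(relayed: bytes, server_ip: str) -> tuple:
    """UDP endpoints of the forwarded datagram: sourced from giaddr, sent to the server on port 67."""
    return (parse(relayed)["giaddr"], 67, server_ip, 67)


def select_scope(pkt: bytes, scopes: list, receiving_if_ip: str) -> str:
    """Server side: choose the scope containing giaddr when the request was relayed,
    otherwise the scope of the interface the broadcast arrived on."""
    giaddr = parse(pkt)["giaddr"]
    key = ipaddress.ip_address(receiving_if_ip if giaddr == "0.0.0.0" else giaddr)
    for scope in scopes:
        if key in ipaddress.ip_network(scope):
            return scope
    raise LookupError(f"no scope for {key}")


def relay_target_allowed(server_ip: str, known_subnets: list) -> bool:
    """Reachability check from the note above: the relay target must be inside a subnet
    the relay knows (directly connected VLAN, static route or AutoVPN subnet)."""
    ip = ipaddress.ip_address(server_ip)
    return any(ip in ipaddress.ip_network(s) for s in known_subnets)


if __name__ == "__main__":
    scopes = ["10.0.0.0/24", "192.168.0.0/24"]
    discover = build_discover(0x1234, bytes.fromhex("001122334455"))
    relayed = relay(discover, "192.168.0.1")
    print("client broadcast:", parse(discover))
    print("after relay:    ", parse(relayed))
    print("datagram:       ", unicast_endpoints(relayed, "10.0.0.5"))
    print("scope chosen:   ", select_scope(relayed, scopes, "10.0.0.5"))
    print("target allowed: ", relay_target_allowed("10.0.0.5", scopes))
```

Run without the relay step and `select_scope` picks `10.0.0.0/24`, the server's own subnet, which is exactly the wrong answer for a VLAN 20 client; with `giaddr` filled in it picks `192.168.0.0/24`. When troubleshooting with a packet capture, the `giaddr` and hops fields of the request arriving at the server are the first things to confirm.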
To enable DHCP relay:
- Navigate to Security & SD-WAN > Configure > DHCP.
- Locate the subnet in the list that should have DHCP relay enabled.
- For Client addressing, change the drop-down menu to Relay DHCP to another server.
- In the DHCP server IP box that appears, enter the IP address of the DHCP server that should serve this subnet.
- At the bottom of the page, click Save Changes.
Note: The MX always uses the subnet of the highest VLAN as the source subnet when it sends the relayed request to the DHCP server. If that VLAN is not shared across the VPN, the request is dropped because it is not permitted through the tunnel.
See Configuring DHCP services on the MX Security Appliance and Using Packet Capture to Troubleshoot Client-side DHCP Issues for more information about DHCP.