Aug 3




The Host in the network should get its IP address from a DHCP server.

Relay is the default router for the Host, but doesn’t have a DHCP service running. It will pass any DHCP requests from it’ f1/0 interface to the DHCP server that has DHCP pools configured on it, using the “ip helper-addres” command.

Between the DHCP router and the Relay router there is a public network, but behind Relay, there is a private network (Host is part of that network).  Relay will use NAT with overload (PAT) to service the private network.

Relay uses DHCP as it’s default route to the Internet, but DHCP doesn’t know about the private network in which Host is in (private networks shoudn’t be permitted to be accessed from the Internet).



ip dhcp pool DHCP_POOL

interface FastEthernet0/0
ip address


interface FastEthernet0/0
ip address
ip nat outside

interface FastEthernet1/0
ip address
ip helper-address
ip nat inside

ip nat inside source list NAT_HOSTS interface FastEthernet0/0 overload

ip access-list standard NAT_HOSTS


interface FastEthernet1/0
ip address dhcp


Relay will receive a DHCP request (broadcast) on F1/0 interface. Because of the “ip helper-address“, Relay will transform the request from broadcast to unicast and send it to the DHCP router. The  DHCP request will reach the router, it will assign  an IP from the pool, but the reply will never reach Host.


Using “debug ip dhcp server events“, “debug ip dhcp server packet” and “debug ip packet“, we can find out the problem.

The first thing that could come to mind is the fapt that if Relay receives a packet on F1/0 interface ( it will send an unicast message with the source IP address of that interface and a destination address of the ip-helper server. This is not true. The relayed request is considered to be generated by the local router (Relay). This means that the source IP address of the relayed request is that of the outgoing interface to the DHCP Server. Here is the debug ip packet output:

*Mar  1 02:33:23.127: IP: tableid=0, s= (FastEthernet0/0), d=200.0.0. 1 (FastEthernet0/0), routed via RIB

If  the source address of the IP packet does not have an IP address from the network, how does the DHCP Server know from witch pool to give out a free address. The answer is a field in the DHCP protocol, called GIADDR (Gateway IP Address). The value of this field will be the IP address of the interface in the private network.

The problem is that after the DHCP server chooses an IP from the pool, it will reply to the unicast request, with another unicast packet that has the destination IP the GIADDR, not the source address of the request. The output from debug ip dhcp server events:

*Mar  1 03:13:33.719: DHCPD: DHCPDISCOVER received from client 0063.6973.636f.2d 63.6330.322e.3035.6230.2e30.3031.302d.4661.312f.30 through relay
*Mar  1 03:13:33.731: DHCPD: Sending DHCPOFFER to client 0063.6973.636f.2d63.6330.322e.3035.6230.2e30.3031.302d.4661.312f.30 (
*Mar  1 03:13:33.731: DHCPD: unicasting BOOTREPLY for client cc02.05b0.0010 to relay

The DHCP router doesn’t know about the network because that is a private network behind a NAT.

A solution to the situation is to add a static route on the DHCP router to the private network. But this would ruin the purpose of NAT. A better solution is to avoid the scenario by design (still, the situation could come up in lab environments and you should now know why it behaves the way it does)

One Response to “DHCP Relay Server and NAT Case Study”

  1. 3rett Says:

    Thanks alot buddy. This is exactly what I was looking for. I’m assuming one way to effectively forward DHCP relay through NAT/PAT would be a VPN. So that’s what I’ll look into next……….

Leave a Reply