Configure the DHCP Relay Agent

You can configure a DHCP relay agent to forward DHCP requests received on an interface to one or more DHCP servers. DHCP clients use UDP broadcasts to send their initial DHCPDISCOVER messages because they do not have information about the network to which they are attached. If the client is on a network segment that does not include a server, those UDP broadcasts normally never reach one, because the threat defense device does not forward broadcast traffic.

You can remedy this situation by configuring the interface of the threat defense device that is receiving the broadcasts to forward DHCP requests to a DHCP server on another interface.

Note

DHCP Relay is not supported in transparent firewall mode.

Procedure


Step 1

Choose Devices > Device Management, and edit the threat defense device.

Step 2

Select DHCP > DHCP Relay.

Step 3

In the IPv4 Relay Timeout and IPv6 Relay Timeout fields, enter the amount of time in seconds that the threat defense device waits to time out the DHCP relay agent. Valid values range from 1 to 3600 seconds. The default value is 60 seconds.

The timeout is for address negotiation through the local DHCP Relay agent.

Step 4

(Optional) Check Trust All Information to set all client interfaces as trusted.

You can configure interfaces as trusted interfaces to preserve DHCP Option 82. DHCP Option 82 is used by downstream switches and routers for DHCP snooping and IP Source Guard. Normally, if the threat defense DHCP relay agent receives a DHCP packet with Option 82 already set, but the giaddr field (the DHCP relay agent address, which a relay agent sets before it forwards the packet to the server) is set to 0, the threat defense device drops that packet by default. You can preserve Option 82 and forward the packet by identifying the interface as a trusted interface.

Step 5

On DHCP Relay Agent, click Add, and configure the following options:

  • Interface—The interface connected to the DHCP clients.

  • Enable IPv4 Relay—Enables IPv4 DHCP Relay for this interface.

  • Set Route—(For IPv4) Changes the default gateway address in the DHCP message from the server to that of the threat defense device interface that is closest to the DHCP client, which relayed the original DHCP request. This action allows the client to set its default route to point to the threat defense device even if the DHCP server specifies a different router. If there is no default router option in the packet, the threat defense device adds one containing the interface address.

  • Enable IPv6 Relay—Enables IPv6 DHCP Relay for this interface.

Step 6

Click OK to save the DHCP relay agent changes.

Step 7

On DHCP Servers, click Add, and configure the following options:

Add the IPv4 and IPv6 server addresses as separate entries, even if they belong to the same server.

  • Server—The IP address of the DHCP server. Choose an IP address from the drop-down list. To add a new one, see Creating Network Objects.

  • Interface—The interface to which the specified DHCP server is attached. The DHCP Relay agent and the DHCP server cannot be configured on the same interface.

Step 8

Click OK to save the DHCP server changes.

Step 9

Click Save on the DHCP page to save your changes.
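
The Option 82 rule from Step 4, as an added example that is not part of the original procedure or the product's own code: it parses a raw DHCP payload and reports whether the packet matches the default drop condition (Option 82 present, giaddr 0, ingress interface not trusted). The function names and the sample packet are constructed for illustration, and packets outside that one rule are simply reported as not matching.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 marker that precedes the options field
OPT_PAD, OPT_RELAY_INFO, OPT_END = 0, 82, 255


def parse_dhcp(packet: bytes):
    """Return (giaddr, options) for a raw BOOTP/DHCP payload (UDP data only)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    giaddr = socket.inet_ntoa(packet[24:28])   # relay agent address field
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:                    # single byte, no length field
            i += 1
            continue
        if i + 2 > len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return giaddr, options


def dropped_by_option82_rule(packet: bytes, ingress_trusted: bool) -> bool:
    """True when the packet matches the default drop condition in Step 4."""
    giaddr, options = parse_dhcp(packet)
    has_opt82 = OPT_RELAY_INFO in options
    # Only the rule stated on this page is modelled; other cases return False.
    return has_opt82 and giaddr == "0.0.0.0" and not ingress_trusted


def build_sample(giaddr: str, with_option82: bool) -> bytes:
    """Constructed DHCPDISCOVER used only as sample input."""
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234ABCD, 0, 0x8000)
    header += socket.inet_aton("0.0.0.0") * 3 + socket.inet_aton(giaddr)
    header += bytes.fromhex("020000000001").ljust(16, b"\x00") + bytes(192)
    opts = b"\x35\x01\x01"                     # option 53: DHCPDISCOVER
    if with_option82:
        circuit_id = b"\x01\x04Gi07"           # sub-option 1 (circuit ID), constructed value
        opts += bytes([OPT_RELAY_INFO, len(circuit_id)]) + circuit_id
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])
```

Running the check over DHCP payloads captured on a client-facing interface shows whether a downstream switch is inserting Option 82, and therefore whether that interface needs to be trusted for its requests to be relayed.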