Configuring DHCP on Routers and Switches
1. What Is DHCP and Why Configure It?
DHCP (Dynamic Host Configuration Protocol) is an application-layer protocol (UDP ports 67/68) that automatically assigns IP addresses and network configuration parameters to devices when they connect to a network. Without DHCP, every device would require manual IP configuration — an impractical burden in any network beyond a handful of hosts. For a full conceptual overview see DHCP Overview and Common Port Numbers for port details.
A DHCP server provides clients with:
- IP address — from a configured pool
- Subnet mask — defines the local network
- Default gateway — the router's IP for inter-network traffic
- DNS server(s) — for hostname resolution
- Lease time — how long the address is valid before renewal
- Optional: NTP server, WINS server, domain name, TFTP server (for IP phones/APs)
| Environment | DHCP Role | Typical Setup |
|---|---|---|
| SOHO / Small network | Router acts as DHCP server | Single pool for one subnet |
| Enterprise LAN | Central server (Windows/Linux) or Layer 3 switch | Multiple pools; relay agents on each VLAN SVI |
| Multi-VLAN campus | Layer 3 switch relays per VLAN to central server | ip helper-address on each SVI |
Related pages: How DHCP Works (DORA) | ARP & arp -a | VLANs | DHCP Snooping & DAI
2. The DORA Process — How DHCP Works
Before configuring DHCP, understanding the DORA exchange is essential. Every IP lease begins with these four messages:
```
Client                                DHCP Server
│                                               │
│── DHCP DISCOVER (broadcast) ─────────────────▶│
│   Src: 0.0.0.0:68  Dst: 255.255.255.255:67    │
│   "I need an IP address — anyone there?"      │
│                                               │
│◀── DHCP OFFER (broadcast or unicast) ─────────│
│   "Here is 192.168.1.15 for you, valid 7 days"│
│                                               │
│── DHCP REQUEST (broadcast) ──────────────────▶│
│   "I accept 192.168.1.15 from this server"    │
│   (broadcast so other servers know)           │
│                                               │
│◀── DHCP ACK (broadcast or unicast) ───────────│
│   "Confirmed — 192.168.1.15 is yours"         │
│   Includes: mask, gateway, DNS, lease time    │
│                                               │
Client configures 192.168.1.15/24, GW 192.168.1.1
```
ip helper-address (DHCP relay) is needed when the server is on a different
subnet.
3. Configuring a Cisco Router as a DHCP Server
Cisco IOS has a built-in DHCP server. Configuring it requires defining a pool (the range of addresses to assign), excluding any static addresses, and setting pool options.
Key Commands Explained
| Command | Location | Purpose |
|---|---|---|
| ip dhcp excluded-address | Global config | Reserve IPs that DHCP must never assign (routers, servers, printers) |
| ip dhcp pool <name> | Global config | Create a named DHCP pool and enter dhcp-config mode |
| network | DHCP pool config | Define the subnet this pool serves |
| default-router | DHCP pool config | Set the default gateway sent to clients (Option 3) |
| dns-server | DHCP pool config | Set DNS server IP(s) sent to clients (Option 6) |
| lease | DHCP pool config | Set lease duration in days (or infinite for no expiry) |
| domain-name | DHCP pool config | Set the DNS domain sent to clients (Option 15) |
| service dhcp | Global config | Enable the DHCP service (on by default; use if previously disabled) |
Complete DHCP Server Configuration
See the full step-by-step walkthrough in the DHCP Server Configuration Lab.
```
Router> enable
Router# configure terminal

! ── Step 1: Exclude static addresses BEFORE creating the pool ────────────
! Always do this first — prevents DHCP assigning your gateway/server IPs
Router(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.9
!                                        ↑           ↑
!                                  Start of          End of excluded range
!                                  excluded range    (gateway + reserved hosts)

! ── Step 2: Create the DHCP pool ─────────────────────────────────────────
Router(config)# ip dhcp pool LAN_POOL
Router(dhcp-config)# network 192.168.1.0 255.255.255.0   ! Subnet this pool serves
Router(dhcp-config)# default-router 192.168.1.1          ! Gateway (Option 3)
Router(dhcp-config)# dns-server 8.8.8.8 8.8.4.4          ! Primary + secondary DNS (Opt 6)
Router(dhcp-config)# domain-name company.local           ! DNS domain (Option 15)
Router(dhcp-config)# lease 7                             ! Lease = 7 days
Router(dhcp-config)# exit

! ── Step 3: Ensure DHCP service is running ───────────────────────────────
Router(config)# service dhcp

! ── Step 4: Save configuration ───────────────────────────────────────────
Router(config)# end
Router# write memory
```
Always configure ip dhcp excluded-address before creating the pool. Cisco IOS processes the excluded list at pool creation time. If you exclude addresses after creating the pool, those addresses may already have been assigned to clients from a previous DHCP request.
Verify the DHCP Server
```
! View all current DHCP leases (IP, MAC, expiry, client ID)
Router# show ip dhcp binding
IP address       Client-ID/            Lease expiration         Type
                 Hardware address
192.168.1.10     0100.1a2b.3c4d.5e     Mar 22 2025 10:14 AM     Automatic
192.168.1.11     0100.2233.4455.66     Mar 22 2025 11:02 AM     Automatic

! View pool utilisation and statistics
Router# show ip dhcp pool
Pool LAN_POOL :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 2
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                 Leased addresses
 192.168.1.12         192.168.1.1 - 192.168.1.254      2

! View any IP conflicts detected
Router# show ip dhcp conflict

! Enable real-time debugging for DHCP events (lab use only)
Router# debug ip dhcp server events
```
4. DHCP Static Reservations (Manual Bindings)
A static binding (also called a manual binding or reservation) ties a specific MAC address to a specific IP address. The DHCP server always assigns that IP to the device with that MAC — useful for servers, printers, and IP phones that need a predictable address without fully manual configuration.
```
! Static binding — always give 192.168.1.200 to the device with MAC 001a.2b3c.4d5e
Router(config)# ip dhcp pool PRINTER_RESERVATION
Router(dhcp-config)# host 192.168.1.200 255.255.255.0    ! Specific IP for this device
Router(dhcp-config)# hardware-address 001a.2b3c.4d5e     ! Client's MAC address
Router(dhcp-config)# client-name Printer-HR              ! Optional hostname label
Router(dhcp-config)# default-router 192.168.1.1
Router(dhcp-config)# exit
```
Static bindings use the host command instead of network. The host command specifies a /32 host address, not a subnet. The reserved IP should also be in the ip dhcp excluded-address range to prevent the dynamic pool from accidentally assigning it before the bound device requests it.
5. DHCP Relay — ip helper-address
DHCP broadcasts cannot cross router or Layer 3 boundaries. When clients are on a
different subnet from the DHCP server, a DHCP relay agent forwards the client's
broadcast to the server as a unicast — and relays the server's response back. In Cisco
IOS, this is configured with ip helper-address.
How ip helper-address Works
```
Client (192.168.10.x)       Router (Relay Agent)        DHCP Server (10.0.0.5)
│                           │                           │
│── DHCP DISCOVER ─────────▶│                           │
│   (broadcast)             │                           │
│                           │── DHCP DISCOVER ─────────▶│
│                           │   (unicast to 10.0.0.5)   │
│                           │   giaddr = 192.168.10.1   │
│                           │   (gateway interface IP)  │
│                           │                           │
│                           │◀── DHCP OFFER ────────────│
│                           │   (offer for .10.x subnet)│
│◀── DHCP OFFER ────────────│                           │
│                           │                           │
│── DHCP REQUEST ──────────▶│── DHCP REQUEST ──────────▶│
│◀── DHCP ACK ──────────────│◀── DHCP ACK ──────────────│
│                           │                           │
Client gets IP from         Router uses giaddr so DHCP server
correct subnet pool         knows which pool to use
```
The relay agent inserts its interface IP into the giaddr field of the DHCP packet. The DHCP server uses this address to identify which subnet the client is on and selects the matching pool. Without giaddr, the server wouldn't know which pool to use.
Configuring ip helper-address on a Router
See the full relay lab: DHCP Relay Agent (ip helper-address) Lab.
```
! Client subnet: 192.168.10.0/24, DHCP server: 10.0.0.5
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip address 192.168.10.1 255.255.255.0
Router(config-if)# ip helper-address 10.0.0.5    ! Forward DHCP to this server
Router(config-if)# no shutdown
```
Configuring ip helper-address on a Layer 3 Switch SVI
```
! Each VLAN SVI that has clients needs its own ip helper-address
Switch(config)# ip routing                       ! Enable Layer 3 routing

Switch(config)# interface Vlan10
Switch(config-if)# ip address 192.168.10.1 255.255.255.0
Switch(config-if)# ip helper-address 10.0.0.5    ! Relay VLAN 10 DHCP to server
Switch(config-if)# no shutdown

Switch(config)# interface Vlan20
Switch(config-if)# ip address 192.168.20.1 255.255.255.0
Switch(config-if)# ip helper-address 10.0.0.5    ! Same server serves VLAN 20 too
Switch(config-if)# no shutdown
```
You can configure multiple ip helper-address entries on a single interface — the relay agent forwards the DHCP request to all of them. Useful for redundant DHCP servers:
```
Router(config-if)# ip helper-address 10.0.0.5    ! Primary DHCP server
Router(config-if)# ip helper-address 10.0.0.6    ! Secondary/redundant DHCP server
```
Verify DHCP Relay
```
! Confirm ip helper-address is applied on the interface
Switch# show ip interface Vlan10
Vlan10 is up, line protocol is up
  Internet address is 192.168.10.1/24
  Helper address is 10.0.0.5          ← Relay is configured

! Debug relay activity (use with caution in production)
Switch# debug ip dhcp relay
```
6. Multi-VLAN DHCP — Multiple Pools on One Server
In enterprise environments, a single DHCP server (or a router) commonly serves multiple
VLANs simultaneously using separate pools — one per subnet. The DHCP server uses the
giaddr field from relayed requests to match the correct pool.
Scenario: Three VLANs, One Router/Server
```
VLAN 10 (HR)     192.168.10.0/24  →  Pool HR_POOL
VLAN 20 (IT)     192.168.20.0/24  →  Pool IT_POOL
VLAN 30 (Guest)  192.168.30.0/24  →  Pool GUEST_POOL

Layer 3 Switch SVIs relay each VLAN's DHCP requests to Router/Server
```
DHCP Server Configuration (on a Router or Layer 3 Switch)
```
! ── Exclude gateway and static-use addresses from each pool ───────────────
ip dhcp excluded-address 192.168.10.1 192.168.10.9     ! HR — gateway + servers
ip dhcp excluded-address 192.168.20.1 192.168.20.19    ! IT — gateway + servers
ip dhcp excluded-address 192.168.30.1 192.168.30.9     ! Guest — gateway only

! ── HR VLAN Pool ──────────────────────────────────────────────────────────
ip dhcp pool HR_POOL
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 10.0.0.53
 domain-name hr.company.local
 lease 1

! ── IT VLAN Pool ──────────────────────────────────────────────────────────
ip dhcp pool IT_POOL
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 10.0.0.53
 domain-name it.company.local
 lease 3

! ── Guest VLAN Pool (short lease, public DNS) ────────────────────────────
ip dhcp pool GUEST_POOL
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1
 dns-server 8.8.8.8
 lease 0 4                                              ! 0 days 4 hours — short guest lease
```
Layer 3 Switch Relay Configuration
```
! On the Layer 3 switch — one ip helper-address per VLAN SVI
Switch(config)# interface Vlan10
Switch(config-if)# ip address 192.168.10.1 255.255.255.0
Switch(config-if)# ip helper-address 10.0.0.5

Switch(config)# interface Vlan20
Switch(config-if)# ip address 192.168.20.1 255.255.255.0
Switch(config-if)# ip helper-address 10.0.0.5

Switch(config)# interface Vlan30
Switch(config-if)# ip address 192.168.30.1 255.255.255.0
Switch(config-if)# ip helper-address 10.0.0.5
```
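A pre-deployment check for two rules from the sections above: every default-router must sit inside an excluded range, and every relaying SVI address (the giaddr the server will see) must fall inside some pool. This is an added example, not Cisco tooling or code from the original page; the parser, the function names and the sample config (with two deliberate mistakes) are constructed, and it assumes the server and relay configuration are concatenated into one text.

```python
import ipaddress

# Constructed sample with two deliberate mistakes for the audit to find.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 192.168.10.1 192.168.10.9
ip dhcp excluded-address 192.168.30.2 192.168.30.9
ip dhcp pool HR_POOL
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
ip dhcp pool GUEST_POOL
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 10.0.0.5
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip helper-address 10.0.0.5
"""

def parse(config):
    """Return (excluded ranges, pools, relay interfaces) from IOS-style text."""
    excluded, pools, relays, ctx = [], {}, {}, None
    for raw in config.splitlines():
        words = raw.split("!")[0].split()      # drop trailing "!" comments
        if words[:3] == ["ip", "dhcp", "excluded-address"]:
            lo = ipaddress.ip_address(words[3])
            hi = ipaddress.ip_address(words[4]) if len(words) > 4 else lo
            excluded.append((lo, hi))
        elif words[:3] == ["ip", "dhcp", "pool"]:
            ctx = pools.setdefault(words[3], {})
        elif words[:1] == ["interface"]:
            ctx = relays.setdefault(words[1], {})
        elif ctx is None:
            continue
        elif words[:1] == ["network"]:
            ctx["network"] = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif words[:1] == ["default-router"]:
            ctx["gateway"] = ipaddress.ip_address(words[1])
        elif words[:2] == ["ip", "address"]:
            ctx["giaddr"] = ipaddress.ip_address(words[2])
        elif words[:2] == ["ip", "helper-address"]:
            ctx["helper"] = words[2]
    return excluded, pools, relays

def audit(config):
    """Return sorted findings; an empty list means every check passed."""
    excluded, pools, relays = parse(config)
    nets = [p["network"] for p in pools.values() if "network" in p]
    findings = []
    for name, pool in pools.items():
        gw = pool.get("gateway")
        # The gateway is a static address, so it must sit in an excluded range.
        if gw is not None and not any(lo <= gw <= hi for lo, hi in excluded):
            findings.append(f"{name}: default-router {gw} is not excluded")
    for ifname, intf in relays.items():
        giaddr = intf.get("giaddr")
        # The server selects the pool whose network contains giaddr.
        if "helper" in intf and giaddr is not None and not any(giaddr in n for n in nets):
            findings.append(f"{ifname}: no pool matches giaddr {giaddr}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

On the sample, the audit reports the Guest gateway left outside the exclusion range and the VLAN 20 relay whose giaddr matches no pool.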
7. DHCP on a Layer 3 Switch (as Server)
A Layer 3 switch running ip routing can act as a DHCP server for connected
VLANs directly — without needing a separate DHCP server device. This is common in small
to medium enterprise designs where the distribution switch serves as both the inter-VLAN
router and DHCP server. See
Inter-VLAN Routing (Layer 3 Switch)
for how SVIs are set up to enable this.
```
! Layer 3 switch serving multiple VLANs directly (no external DHCP server needed)
Switch(config)# ip routing                       ! Required for Layer 3 functions

! Exclude static addresses
Switch(config)# ip dhcp excluded-address 192.168.10.1 192.168.10.9
Switch(config)# ip dhcp excluded-address 192.168.20.1 192.168.20.19

! Define pools
Switch(config)# ip dhcp pool VLAN10_POOL
Switch(dhcp-config)# network 192.168.10.0 255.255.255.0
Switch(dhcp-config)# default-router 192.168.10.1
Switch(dhcp-config)# dns-server 8.8.8.8
Switch(dhcp-config)# lease 1

Switch(config)# ip dhcp pool VLAN20_POOL
Switch(dhcp-config)# network 192.168.20.0 255.255.255.0
Switch(dhcp-config)# default-router 192.168.20.1
Switch(dhcp-config)# dns-server 8.8.8.8
Switch(dhcp-config)# lease 1

! SVIs — switch answers DHCP for directly attached VLANs (no relay needed)
Switch(config)# interface Vlan10
Switch(config-if)# ip address 192.168.10.1 255.255.255.0
Switch(config-if)# no shutdown

Switch(config)# interface Vlan20
Switch(config-if)# ip address 192.168.20.1 255.255.255.0
Switch(config-if)# no shutdown

Switch(config)# end
Switch# write memory
```
A Layer 2 switch can only configure ip helper-address on its management VLAN interface. A Layer 3 switch has full routing capability and can act as both a DHCP server and relay agent.
8. DHCP Snooping — Security Against Rogue DHCP Servers
DHCP Snooping is a Layer 2 security feature on Cisco switches that prevents rogue (unauthorised) DHCP servers from responding to client requests. Without it, any device connected to the switch could act as a DHCP server — directing clients to a malicious gateway (man-in-the-middle attack).
How DHCP Snooping Works
- Ports are classified as trusted (connected to legitimate DHCP servers or uplinks) or untrusted (connected to end clients).
- DHCP Offer and DHCP Ack messages arriving on untrusted ports are silently dropped — clients on those ports cannot receive IP addresses from rogue servers.
- Valid DHCP exchanges on trusted ports are recorded in the DHCP Snooping Binding Table — used by DAI (Dynamic ARP Inspection) for ARP validation.
```
! Enable DHCP Snooping globally
Switch(config)# ip dhcp snooping

! Enable on specific VLANs
Switch(config)# ip dhcp snooping vlan 10,20,30

! Mark uplink/trunk ports as trusted (DHCP server is upstream)
Switch(config)# interface GigabitEthernet0/24    ! Uplink to router/DHCP server
Switch(config-if)# ip dhcp snooping trust
! All other ports default to untrusted — rogue DHCP blocked

! Optional: limit DHCP message rate on untrusted ports (anti-DoS)
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip dhcp snooping limit rate 10    ! Max 10 DHCP packets/sec

! Verify DHCP Snooping
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
```
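A model of the snooping decision described above, as an added example (not switch firmware or code from the original page): it reads option 53 from a DHCP payload, drops server messages that arrive on untrusted ports, and records a binding when an ACK on a trusted port answers a client REQUEST. The class, port names and packets are constructed; treating NAK as a server message and tracking the client port by MAC alone are simplifying assumptions.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # marks the start of the DHCP options
OFFER, REQUEST, ACK, NAK = 2, 3, 5, 6   # option 53 message-type values
SERVER_TYPES = {OFFER, ACK, NAK}        # messages only a DHCP server sends

def build_dhcp(msg_type, mac, yiaddr="0.0.0.0"):
    """Build a minimal BOOTP/DHCP payload (constructed test input)."""
    op = 2 if msg_type in SERVER_TYPES else 1
    pkt = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234ABCD, 0, 0)
    pkt += bytes(4) + ipaddress.ip_address(yiaddr).packed + bytes(8)
    pkt += bytes.fromhex(mac).ljust(16, b"\0") + bytes(192)   # chaddr, sname, file
    return pkt + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])

def parse_dhcp(payload):
    """Return (message type, client MAC, yiaddr), or None if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    mac = payload[28:34].hex()
    yiaddr = str(ipaddress.ip_address(payload[16:20]))
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                             # pad has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                                 # truncated option
        if code == 53 and length == 1:
            return value[0], mac, yiaddr
        i += 2 + length
    return None

class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}     # client MAC -> port its REQUEST arrived on
        self.bindings = {}    # client MAC -> (leased IP, client port)

    def receive(self, port, payload):
        """Return 'forward' or 'drop' for a DHCP payload seen on a port."""
        parsed = parse_dhcp(payload)
        if parsed is None:
            return "drop"     # assumption: unparseable DHCP is not forwarded
        msg, mac, yiaddr = parsed
        if msg in SERVER_TYPES:
            if port not in self.trusted:
                return "drop"                 # server reply from a client port
            if msg == ACK and mac in self.pending:
                self.bindings[mac] = (yiaddr, self.pending.pop(mac))
        elif msg == REQUEST:
            self.pending[mac] = port
        return "forward"

def demo():
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"})
    mac = "001a2b3c4d5e"
    results = [
        sw.receive("Gi0/1", build_dhcp(REQUEST, mac)),
        sw.receive("Gi0/2", build_dhcp(ACK, mac, "192.168.1.66")),    # rogue
        sw.receive("Gi0/24", build_dhcp(ACK, mac, "192.168.1.15")),   # uplink
    ]
    return results, sw.bindings
```

Only the ACK from the trusted uplink creates a binding, which is the table DAI later validates ARP against.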
9. Complete Verification Command Reference
| Command | What It Shows | When to Use |
|---|---|---|
| show ip dhcp binding | All active DHCP leases: IP, client MAC, expiry, type | Verify clients received addresses; confirm a specific host's lease |
| show ip dhcp pool | Pool names, utilisation, address range, lease statistics | Check pool utilisation; detect if pool is near exhaustion |
| show ip dhcp conflict | Addresses that triggered IP conflict detection | Diagnose IP conflicts; entries here are withdrawn from the pool |
| show ip dhcp server statistics | DHCP message counters (Discover, Offer, Request, Ack, NAK) | Diagnose DORA issues; see if DHCP requests are arriving/responses sent |
| show ip interface <int> | Helper address configured on the interface | Confirm relay is configured and pointing to correct server |
| show running-config \| section dhcp | All DHCP configuration in the running config | Quick overview of all pools, exclusions, and service dhcp status |
| show ip dhcp snooping binding | DHCP Snooping binding table: IP, MAC, VLAN, interface, expiry | Verify snooping is working; used by DAI for ARP validation |
| debug ip dhcp server events | Real-time DHCP server event log | Lab troubleshooting — watch DORA in real time; stop with undebug all |
| debug ip dhcp relay | Real-time DHCP relay events (forwarding/receiving) | Confirm relay is forwarding correctly to the DHCP server |
10. Troubleshooting DHCP Issues
For a guided step-by-step troubleshooting walkthrough, see Troubleshooting DHCP Clients Lab.
| Symptom | Likely Cause | Diagnostic & Fix |
|---|---|---|
| Clients get 169.254.x.x (APIPA) address | No DHCP response received — server unreachable, or pool exhausted | Check show ip dhcp pool for exhaustion; verify ip helper-address is configured and server is reachable; check show ip dhcp server statistics for Ack/NAK counts |
| Clients getting wrong subnet/gateway | Wrong pool matched (giaddr issue) or rogue DHCP server responding | Verify ip helper-address points to the correct server; enable DHCP Snooping to block rogue servers; check pool default-router value |
| IP address conflicts reported by clients | Static IPs not excluded; DHCP assigning addresses already in use | Add missing addresses to ip dhcp excluded-address; run show ip dhcp conflict and clear ip dhcp conflict * |
| Pool exhausted — no more IPs available | Lease time too long; stale leases not releasing; pool too small | Shorten lease time; clear ip dhcp binding * (carefully — forces all clients to re-request); extend pool range or add subnet |
| DHCP relay not working (clients on different VLAN get no IP) | Missing or wrong ip helper-address; routing between relay and server is broken; firewall blocking UDP 67/68 | Check show ip interface <SVI> for helper address; ping DHCP server from relay router; check firewall rules on path |
| DHCP works initially then stops | Pool leases not being released; snooping binding table full; interface went down | Check show ip dhcp pool utilisation; verify show interfaces for SVI status; check snooping config |
| Specific client never gets correct IP (gets a different pool's address) | VLAN tagging issue — client traffic reaching wrong SVI; relay pointing to wrong server | Verify access port VLAN assignment; check ip helper-address on correct SVI; trace with debug ip dhcp server events |
DHCP Conflict Resolution
```
! View all detected IP conflicts
Router# show ip dhcp conflict
IP address       Detection method    Detection time         VRF
192.168.1.25     Ping                Mar 20 2025 14:23      default
! Addresses in the conflict table are WITHHELD from the pool until cleared

! Clear all conflicts (re-adds them to the assignable pool)
Router# clear ip dhcp conflict *

! Clear a single conflict entry
Router# clear ip dhcp conflict 192.168.1.25

! Clear all dynamic bindings (forces all clients to re-request)
Router# clear ip dhcp binding *
```
11. DHCP on Layer 2 vs Layer 3 Switches — Key Differences
| Capability | Layer 2 Switch | Layer 3 Switch |
|---|---|---|
| Acts as DHCP server | ❌ No — cannot run DHCP server | ✅ Yes — full DHCP server with ip routing enabled |
| DHCP relay (ip helper-address) | Limited — only on the management VLAN interface, not per-VLAN | ✅ Yes — on each SVI independently |
| DHCP Snooping | ✅ Yes — Layer 2 feature available on managed switches | ✅ Yes |
| Inter-VLAN routing | ❌ No | ✅ Yes — can route between VLANs and serve each one directly |
| Suitable for | Access layer switches that pass DHCP traffic through to uplink | Distribution layer switches that are the DHCP server or relay for campus |
12. Common Misconceptions
- "ip helper-address must be configured on every switch in the path."
  Only the interface where clients connect needs ip helper-address — typically the SVI on the Layer 3 distribution switch or the router interface facing the client subnet. Intermediate Layer 2 switches just pass the traffic through transparently.
- "DHCP excluded-address removes addresses from the pool."
  ip dhcp excluded-address does not change the pool's network range. The pool still covers the full subnet. The exclusion list is a separate list that DHCP checks before assigning — matching addresses are skipped. You must exclude your gateway, servers, and any static devices before running the DHCP server.
- "Clearing DHCP bindings immediately fixes IP exhaustion issues."
  Clearing bindings (clear ip dhcp binding *) removes all lease records and forces all clients to re-request IPs. This is disruptive — every connected device briefly loses its IP. Use it only in maintenance windows and only when necessary. The underlying cause (short lease time, too-small pool, stale clients) must still be addressed.
- "A Layer 2 switch cannot participate in DHCP at all."
  A Layer 2 switch cannot be a DHCP server, but it is still part of the DHCP path — it transparently forwards DHCP broadcast frames between clients and the relay or server. DHCP Snooping is also a Layer 2 feature available on managed Layer 2 switches.
13. Key Points & Exam Tips
- DHCP uses UDP port 67 (server) and UDP port 68 (client). Always broadcast-based initially (client has no IP yet).
- DORA = Discover → Offer → Request → Ack — the four DHCP messages.
- Always configure ip dhcp excluded-address before the pool — excludes gateway, servers, and statically assigned hosts.
- ip dhcp pool defines the subnet, gateway, DNS, and lease time. network sets the subnet; default-router sets the gateway.
- ip helper-address converts DHCP broadcasts to unicast for forwarding to a remote DHCP server — required whenever the server is on a different subnet.
- The relay agent inserts its interface IP into the giaddr field — the DHCP server uses this to select the matching pool.
- show ip dhcp binding — active leases. show ip dhcp pool — utilisation. show ip dhcp conflict — conflicted addresses.
- DHCP Snooping blocks rogue DHCP servers by dropping DHCP Offer/Ack on untrusted ports. Requires explicit trust on uplink ports.
- A Layer 2 switch cannot run a DHCP server. A Layer 3 switch with ip routing can.
- Static bindings use separate pools with host (not network) and hardware-address — always gives the same IP to one MAC.