In a branch office environment, it is often desirable to backhaul DHCP requests to a centralized DHCP server. DHCP requests are initially sent to a broadcast address and therefore are not typically forwarded through a router or other layer 3 device. Many realize that it is possible to overcome this challenge by configuring a helper address on a router. However, fewer realize this can be done on the ASA firewall as well.
The ASA calls this “dhcprelay”. Assuming the centralized DHCP server is 10.2.2.2, the following compares “dhcprelay” configuration on the ASA to the “ip helper-address” configuration on an IOS device.
ASA DHCP Relay Configuration
    ! DHCP server is located outside at 10.2.2.2
    ! inside interface has DHCP clients
    ASA(config)# dhcprelay server 10.2.2.2 outside
    ASA(config)# dhcprelay enable inside
IOS Helper Address Configuration (Router Equivalent Example)
    ! Interface Fa0/0 has DHCP clients
    ! DHCP server is at 10.2.2.2
    interface FastEthernet0/0
     ip helper-address 10.2.2.2
As can be seen here, it is possible to centralize the DHCP configuration in a branch office environment. This is true with both IOS and ASA environments. The other thing that many don’t realize is that this will work through a VPN tunnel as well. All that is necessary is that the inside interface range and the DHCP server IP address be included in the crypto ACL. This usually requires no special configuration.