Cisco 'ip helper-address' and Windows DHCP Servers
Thu, August 15, 2013 at 7:25
generalnetworkerror in best current practice, dhcp, routing, windows

All ip helper-address lines configured in your VLAN take the DHCP broadcast from the client, add the router’s (gateway) address into the UDP packet, then unicasts to the DHCP servers. [I’m sure the packet rewrite is only done once, then a copy sent to each DHCP server.] All the listed servers configured receive the DHCPDiscover packet by the router relay.

The redundancy of your DHCP servers not only depends on your OS, but the specific version! For Windows, your options range from a true split-scope in Windows 2008 R2 to active-failover redundancy in Windows 2012. For not-so-robust DHCP servers (e.g., Windows 2003), you can manually configure a split-scope. Common recommendation is the 80/20 rule with 80% of the leases configured on what you (and you alone) consider your primary DHCP server and 20% on the secondary. Exclusions get added to each DHCP server as they have overlapping scopes.

As I’m neither a fan of overlapping scopes in Windows 2003 as the *exclusions* tend to get hidden from view nor a fan of the 80/20 rule, I prefer to simply split the subnet in half in a pair of DHCP servers.  A /24 block for client leases becomes two /25 blocks. They key is the subnet mask in the scope is still a /24 [ mask].  Your start and end IP addresses in the range configured in the scope follows the /25. Now I do recommend some exclusions for network devices like VLAN interface IP addr’s and HSRP as well as some for static devices (e.g. printers) in the same subnet. So I exclude the first 16 (0-15) addresses — the zero (subnet) address wouldn’t be used anyway, of course — and exclude the top 16 (240-255) — 255 broadcast, of course. You can actually get away with not configuring the exclusion by simply starting and ending the IP address appropriately.

The basic scope information in a manually configured 50/50 split-scope (2x/25=/24) is similar to:

DHCP Primary
Scope-lower:, start, end, no exclusions
DHCP Secondary
Scope-upper:, start, end, no exclusions

Configure identical scopes (2x/24) with appropriate exclusions if you prefer this method:

DHCP Primary
Scope-full:, start, end, exclusions 1-15, 128-254
DHCP Secondary
Scope-full:, start, end, exclusions 1-127, 240-254

As there is an ever so slight delay with the duplicate DHCPDiscover packets that get unicast to each ip helper-address, all else being equal, the first DHCP server listed will usually be the first to respond with a DHCPOffer, and the address most likely chosen by the client when it makes its DHCPRequest — no guarantee though. So place your primary DHCP server first in your SVI (router)  for the VLAN. A client typically receives multiple DHCPOffers and decides on the best which is usually the first one received. The lease assignment completes only after the client sends a DHCPRequest back to the server — in case the server changed its mind about the lease or is no longer reachable or some-other-unforseen-event — and the server sends a final DHCPACK.

interface vlan 123
desc svi for vl123 dhcp relay example
ip address
ip helper-address ! Primary DHCP server
ip helper-address ! Secondary DHCP server

Between your data and voice VLANs, you may want to alternate what you consider the primary DHCP server for a given VLAN. I do this to help spread the lease load out a bit.


If a DHCP server’s scope is full, it won’t reply with a DHCPOffer, so the *offer* would come from another DHCP server, assuming it’s not also full. Keep in mind when troubleshooting that a Windows client will remember the IP they had leased last and attempt to get that again. Also keep in mind any reservations you do should be done on both servers and accounted in any ACLs or other policies you have such as in firewalls.

See Understanding and Troubleshooting DHCP in Catalyst Switch or Enterprise Networks for detailed explanation and sniffer traces of the DHCP relay process.

Originally posted as an answer on by the author and updated here.


Article originally appeared on general network error (
See website for complete article licensing information.