
do you need an interface configured on the switch in the vlan for dhcp relay

Occasional Contributor


I'm using an HP1920 (or 5120, 5500 or 5800 if you like).

I assume you need to configure an interface and ip on the switch in the vlan where you want to relay dhcp?

Example :

interface Vlan-interface24
ip address
dhcp select relay
dhcp relay server-select 1

interface Vlan-interface204
ip address

The interface in vlan 204 is used for layer 3 routing.  Vlan 24 thus stops at this switch.  Without ip address this dhcp relay does not work?

Reason behind this is I want to route all traffic in vlan 24 to a Checkpoint firewall and prefer to keep dhcp relay on the switch (we use a Windows dhcp server).  Now if I want to achieve this, my firewall will have for example address  This is the gateway for the dhcp server offer.  But a smart person could replace that gateway on his pc by, and thus bypass the firewall.


Or is it possible to write an ACL to only allow DHCP traffic on that IP

Ian Vaughan
Honored Contributor

Re: do you need an interface configured on the switch in the vlan for dhcp relay


Yes you need a Layer3 interface with an IP on it to do DHCP relay / IP helper as what you are doing really is turning the DHCP broadcast on the vlan into a directed unicast to travel over the routed interfaces to a specific server somewhere else on the network.

Does the firewall not offer any IP helper / DHCP relay? That way you wouldn't need any L3 on VLAN 24 and you could have it purely as L2.

Yes you could write an ACL that would only allow the L3 from vlan24 on the switch to access solely the dhcp server as a destination and deny all others so that it couldn't be used as a backdoor into the rest of the network.

On 5510 and 5800 you could do something creative with vpn-instances if you were so inclined but, thinking about it, you would have to relocate your DHCP-server so maybe not.

Let us know how you get on.





Hope that helps - please click "Thumbs up" for Kudos if it does
## ---------------------------------------------------------------------------##
Which is the only cheese that is made backwards?
Tweets: @2techie4me
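
The ACL idea discussed in this thread, modelled as an added example (not part of the original posts and not switch configuration): a first-match rule list for traffic entering the switch's VLAN 24 Layer 3 interface that permits only DHCP and denies everything else, checked against constructed packets. All addresses and names are assumptions taken from documentation ranges, because the thread gives none.

```python
import ipaddress
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str                      # "udp", "tcp", "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None

class Rule(NamedTuple):
    action: str                     # "permit" or "deny"
    proto: str                      # protocol name, or "ip" for any
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dport: Optional[int] = None

DHCP_SERVER = "198.51.100.10"       # constructed placeholder address

# Inbound policy on the VLAN 24 L3 interface: DHCP only, then deny all.
ACL_VLAN24_IN = [
    Rule("permit", "udp", "255.255.255.255/32", 68, 67),  # client broadcast
    Rule("permit", "udp", f"{DHCP_SERVER}/32", 68, 67),   # unicast to server
    Rule("deny", "ip"),                                   # no routing via switch
]

def evaluate(acl, pkt):
    """Return the action of the first matching rule (implicit deny)."""
    dst = ipaddress.ip_address(pkt.dst)
    for rule in acl:
        if rule.proto not in ("ip", pkt.proto):
            continue
        if dst not in ipaddress.ip_network(rule.dst):
            continue
        if rule.sport is not None and rule.sport != pkt.sport:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action
    return "deny"

# Constructed test traffic from a VLAN 24 client (192.0.2.50).
SAMPLES = {
    "dhcp_discover": Packet("0.0.0.0", "255.255.255.255", "udp", 68, 67),
    "dhcp_renew": Packet("192.0.2.50", DHCP_SERVER, "udp", 68, 67),
    "bypass_https": Packet("192.0.2.50", "203.0.113.80", "tcp", 50000, 443),
    "server_dns": Packet("192.0.2.50", DHCP_SERVER, "udp", 50001, 53),
}

def audit(acl=ACL_VLAN24_IN):
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}
```

The `bypass_https` sample stands for a client that has pointed its default gateway at the switch instead of the firewall; the final deny rule is what stops it from being routed.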