View Categories

SecureSchool: DHCP Relay Agent

5 min read

Table of Contents

DHCP Relay Agent #

Overview #

SecureSchool supports DHCP Relay Agent mode, which allows the appliance to forward DHCP broadcast requests
from client networks to an external DHCP server.

In this mode, SecureSchool does not assign IP addresses itself. Instead, it listens for DHCP requests on
selected interfaces or VLANs and relays those requests to a specified DHCP server elsewhere on the network (for example,
a Windows Server, router, or core switch).

When to Use DHCP Relay Agent #

Use DHCP Relay Agent when:

  • DHCP services are provided by an external device.
  • SecureSchool is positioned inline between client networks and the DHCP server (e.g., clients on VLANs behind the
    Inside interface, with the DHCP server on the Outside interface or another internal segment).
  • Multiple VLANs or interfaces need to obtain DHCP leases from a centralized server.
  • You want to avoid managing DHCP scopes directly on SecureSchool.
Do not use this mode if:

SecureSchool will be acting as the DHCP server.

DHCP Services Modes #

SecureSchool supports three DHCP operation modes:

  • Disabled — SecureSchool does not participate in DHCP traffic.
  • DHCP Server — SecureSchool assigns IP addresses directly to clients.
  • DHCP Relay Agent — SecureSchool forwards DHCP requests to an external DHCP server.

This article applies specifically to DHCP Relay Agent mode.

Configuring DHCP Relay Agent #

Step 1: Enable DHCP Relay Agent Mode #

  1. Navigate to Setup → DHCP Services
  2. Select DHCP Relay Agent
  3. Click Save Changes
Note:

Once enabled, additional relay configuration options become available.

Step 2: Configure the DHCP Relay Server IP #

Enter the IP address of the external DHCP server that will assign IP addresses to clients.

  • This must be a reachable IP address from SecureSchool.
  • The server must have DHCP scopes configured for all relayed networks.
Note:

SecureSchool supports a single relay destination IP.

Step 3: Select DHCP Relay Interfaces #

Choose the interfaces and/or VLANs on which SecureSchool should listen for and forward DHCP requests.
Only selected interfaces will participate in DHCP relay.

Important:

Do not select the interface facing the DHCP server itself, as this can create unnecessary relay loops.

Typical selections may include:

  • Inside (LAN) interface
  • Student VLANs
  • Staff VLANs
  • Guest VLANs

Step 4: Save Configuration #

After entering the DHCP server IP and selecting relay interfaces, click Save Changes.
Changes take effect immediately.

DHCP Scope Requirements #

The external DHCP server must meet the following requirements:

  • A valid DHCP scope exists for each relayed subnet.
  • Correct subnet mask and IP range are defined.
  • Correct default gateway is assigned for each network (typically the SecureSchool interface IP on that subnet).
  • DNS server options are properly configured.
Reminder:

SecureSchool does not create, modify, or manage DHCP scopes in relay mode.

Network and Firewall Considerations #

  • UDP ports 67 and 68 must be permitted between SecureSchool and the DHCP server (in both directions).
  • Routing must exist between SecureSchool and the DHCP server for all relayed networks.
  • The external DHCP server must be able to route back to the client subnets (often via SecureSchool as the default gateway for those subnets).
  • Only one DHCP server should respond per subnet to avoid address conflicts.

Verifying DHCP Relay Operation #

To verify proper operation:

  1. Renew a client’s DHCP lease (e.g., Windows ipconfig /renew or Linux dhclient).
  2. Confirm the client receives:
    • An IP address from the correct subnet
    • The correct default gateway
    • The correct DNS servers
  3. Check DHCP leases on the external DHCP server.

Troubleshooting Tips #

Clients do not receive an IP address #

  • Verify the DHCP Relay Server IP is correct and reachable.
  • Confirm the correct interfaces/VLANs are selected for relay.
  • Ensure DHCP scopes exist on the external server for the client subnets.

Clients receive an incorrect IP range #

  • Confirm subnet and VLAN mappings match the external server’s scope configuration.
  • Verify scope configuration on the DHCP server.

Intermittent DHCP issues #

  • Check for multiple active DHCP servers on the same network.
  • Verify firewall rules, routing, and UDP 67/68 permeability.

DHCP requests not reaching the server #

  • Use packet captures to confirm relayed packets arrive with the correct giaddr (gateway IP address) set to
    SecureSchool’s interface IP on the client subnet.

Summary #

DHCP Relay Agent mode allows SecureSchool to integrate cleanly into networks with centralized DHCP infrastructure.
By forwarding DHCP requests from selected interfaces to an external server, SecureSchool supports flexible network
designs without duplicating DHCP services.

Need Help? #

If you have questions or would like help confirming relay settings, routing, or DHCP scope requirements,
contact K12USA Support.

SecureSchool
What are your Feelings

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

SOCIAL NETWORKS

CONTACT US

Phone: 1-877-225-0100 (toll-free) or 732-929-1485

Fax: 732-359-1522

Email: support@K12USA.com

Mail:

K12USA.com

24 Highland Bend

Island Heights, NJ 08732

JOIN OUR MAILING LIST

K12USA.com ©1999-2026