This article describes the behavior of the ScreenOS firewall when it acts as a DHCP relay. It also explains the DHCP relay concept, the relay flow on the ScreenOS firewall, and certain important ScreenOS features that are related to DHCP relay.
DHCP Relay Agent:
- A DHCP relay agent relays Dynamic Host Configuration Protocol (DHCP) messages between DHCP clients and DHCP servers on different IP networks.
- When acting as a DHCP relay agent, the security device forwards DHCP requests and assignments between DHCP clients, which are directly attached to one interface and one or more DHCP servers that are accessible via another interface.
- The client sends the DHCP request.
- The firewall receives it and, because it is configured for DHCP relay, treats the request as self traffic, which the firewall handles differently from flow (through) traffic.
- Because it is self traffic, the firewall uses the default VR to perform the route lookup to reach the DHCP server. The IP address of the interface selected by that route becomes the source IP address of the relayed DHCP packet, and the firewall relays the packet with this new source IP address to the DHCP server.
- The DHCP server sends its DHCP response to the relay source IP address, and the firewall forwards it to the client.
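The relay steps above, modelled as an added Python example (not ScreenOS code or text from the original article): the request is stamped with the relay interface IP (giaddr) and sent toward the server, and a reply is forwarded to the client only if its giaddr matches that interface. The interface IP, server IP, client MAC and transaction IDs are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample values (assumptions for this example, not from the article).
RELAY_IF_IP = "10.1.1.1"          # IP of the client-facing interface used as relay source
DHCP_SERVER_IP = "192.168.50.10"  # one of up to three servers a relay may be given
CLIENT_MAC = bytes.fromhex("001122334455")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed header, 236 bytes

def build_bootp(op, xid, mac, yiaddr="0.0.0.0", giaddr="0.0.0.0", hops=0, flags=0):
    """Build the fixed BOOTP/DHCP header plus the magic cookie (no options)."""
    zero = IPv4Address("0.0.0.0").packed
    hdr = struct.pack(BOOTP_FMT, op, 1, 6, hops, xid, 0, flags,
                      zero, IPv4Address(yiaddr).packed, zero, IPv4Address(giaddr).packed,
                      mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    return hdr + MAGIC_COOKIE

def parse_bootp(pkt):
    f = struct.unpack(BOOTP_FMT, pkt[:236])
    return {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
            "yiaddr": str(IPv4Address(f[8])), "giaddr": str(IPv4Address(f[10])),
            "chaddr": f[11][:6]}

def relay_to_server(pkt):
    """Client -> server: stamp giaddr with the relay interface IP (if no earlier
    relay did), bump hops, and unicast the packet to the configured server."""
    p = parse_bootp(pkt)
    if p["op"] != BOOTREQUEST or p["hops"] >= 16:   # RFC 1542: stop relay loops
        return None
    out = bytearray(pkt)
    out[3] = p["hops"] + 1                           # hops field is byte 3
    if p["giaddr"] == "0.0.0.0":
        out[24:28] = IPv4Address(RELAY_IF_IP).packed  # giaddr sits at bytes 24..27
    return {"src": RELAY_IF_IP, "dst": DHCP_SERVER_IP, "pkt": bytes(out)}

def relay_to_client(pkt):
    """Server -> client: accept only replies addressed to this relay's giaddr;
    anything else (including a stray or spoofed reply) is dropped."""
    p = parse_bootp(pkt)
    if p["op"] != BOOTREPLY or p["giaddr"] != RELAY_IF_IP:
        return None
    # RFC 2131 4.1: broadcast when the client set the broadcast flag, else unicast to yiaddr
    dst = "255.255.255.255" if p["flags"] & 0x8000 else p["yiaddr"]
    return {"src": RELAY_IF_IP, "dst": dst, "pkt": pkt}

if __name__ == "__main__":
    req = relay_to_server(build_bootp(BOOTREQUEST, 0x1234, CLIENT_MAC))
    print("to server:", req["dst"], parse_bootp(req["pkt"]))
```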
Important points about DHCP relay agent on ScreenOS:
- The clients and servers can be in either the same security zone or separate security zones.
- A DHCP relay agent can be configured on one or more physical or VLAN interfaces on a security device.
- The DHCP relay agent and the DHCP server or client functions cannot be configured on the same interface.
- When the security device functions as a DHCP relay agent, its interfaces must be in route mode or otherwise operate as Layer 3 interfaces.
- Up to three DHCP servers for each DHCP relay agent can be configured.
- ScreenOS supports the DHCP relay in different VSYSs and for VLAN-tagged sub interfaces.