DHCP Explained — DORA, Scopes, and the ip helper-address Relay (CCNA Tutorial)
Free CCNA-level DHCP tutorial for US networking learners. The DORA exchange step by step, why every message is a broadcast, the Cisco IOS server config, ip helper-address relay across subnets, and the show commands that prove leases are landing.
Every device you’ve ever plugged into a network — laptop, phone, printer, the badge reader by the door — booted up with no IP address and somehow got one within a second. That’s DHCP. It runs everywhere, it’s about 10% of the CCNA, and it breaks in exactly three predictable ways.
So this tutorial does two things: makes the DORA exchange click so the theory questions are free points, then walks the config and the one command that trips up every routed network — ip helper-address. This is the CCNA-scoped version; for the full options table, lease timing (T1/T2), DHCPv6, and the debug workflow, see the complete DHCP library topic.
The one-line idea
A device that just powered on has no IP, so it can’t send normal (unicast) traffic — there’s no source address to put in the packet. Its only move is to shout to the whole local network:
“Hello? Anyone? I need an IP.”
A DHCP server hears the shout and hands back an address, mask, gateway, and DNS. That’s the entire job. Everything else is detail.
DORA — the four messages
The handshake has four steps, and the mnemonic DORA is all you need to remember the order:
D — DISCOVER client → broadcast: "I have MAC aa:bb:cc:11:22:33. I need an IP."
O — OFFER server → broadcast: "Here's 10.0.0.45/24, gateway .1, DNS 8.8.8.8, lease 1 day."
R — REQUEST client → broadcast: "I'll take 10.0.0.45, offered by server .1."
A — ACK server → broadcast: "Confirmed. It's yours until the lease expires."
| # | Message | From | To | UDP ports |
|---|---|---|---|---|
| 1 | Discover | Client (0.0.0.0) | Broadcast 255.255.255.255 | 68 → 67 |
| 2 | Offer | Server | Broadcast | 67 → 68 |
| 3 | Request | Client | Broadcast | 68 → 67 |
| 4 | Ack | Server | Broadcast | 67 → 68 |
Two exam facts hide in that table:
- All four are broadcasts. The client has no IP yet (Discover, Request), and the Request is broadcast on purpose so any losing DHCP servers see it and release the address they had tentatively held.
- UDP 67 = server, UDP 68 = client. Memorize the pair. A surprising number of questions hinge on knowing the server listens on 67.
The config — a router as a DHCP server
A branch router or Layer-3 switch can be the DHCP server itself. Three pieces: exclude the addresses you don’t want handed out, define the pool, point clients at a gateway and DNS.
! 1. Reserve the addresses the pool must NOT give away
R1(config)# ip dhcp excluded-address 10.0.0.1 10.0.0.10
! 2. Define the scope
R1(config)# ip dhcp pool USERS
R1(dhcp-config)# network 10.0.0.0 255.255.255.0
R1(dhcp-config)# default-router 10.0.0.1
R1(dhcp-config)# dns-server 8.8.8.8 1.1.1.1
R1(dhcp-config)# lease 1
The single most common rookie mistake lives in line 1. Always exclude the gateway (and any static servers/printers). Skip it and the pool will happily lease out 10.0.0.1 — the router’s own IP — and now two devices fight over the same address. If subnetting still slows you down here, read Subnetting in your head first; DHCP scopes are obvious once CIDR is automatic.
Prove it works with the one command you’ll use every day on the job:
R1# show ip dhcp binding
IP address Client-ID/Hardware address Lease expiration Type
10.0.0.11 0100.5056.b3.22.45 Jun 11 2026 09:14 AM Automatic
10.0.0.12 0100.5056.b3.91.07 Jun 11 2026 09:15 AM Automatic
If you see leases, DORA completed. If the table is empty, the client never got an Offer — and 90% of the time, that’s the next section.
The line everyone forgets: ip helper-address
Here’s the catch that defines real networks: routers don’t forward broadcasts. DORA is all broadcasts. So the moment your DHCP server sits on a different subnet from the client — which is the normal enterprise setup — the Discover hits the router and dies right there.
The symptom is unmistakable: the client self-assigns a 169.254.x.x address (APIPA). That number means “I asked for DHCP and got total silence.”
The fix is one command on the client-facing interface, pointing at the server:
R1(config)# interface Vlan10
R1(config-if)# ip helper-address 10.99.0.5
Now the router stops dropping the broadcast and instead relays it as a unicast to the server, stamping the request with its own interface IP (the giaddr field) so the server knows which scope to lease from. The Offer comes back through the router to the client. One line, and DHCP crosses the Layer-3 boundary.
The rule: every client subnet whose DHCP server lives elsewhere needs its own
ip helper-address. Add a new VLAN, forget the helper, and only that VLAN fails to get IPs while every other VLAN works fine — the classic “new VLAN, no DHCP” ticket. For the deeper relay mechanics and Option 82, see DHCP Relay.
The 3 ways DHCP actually breaks
Almost every “I’m not getting an IP” ticket is one of these:
169.254.x.xon the client → no server reachable. Different subnet? Addip helper-address. Same subnet? Check the switch port / VLAN.- A duplicate-IP conflict → you forgot
ip dhcp excluded-addressfor the gateway or a static device. Exclude it, thenclear ip dhcp conflict *. - A rogue DHCP server → someone plugged in a home router and it’s handing out a bogus gateway, silently MITM-ing the VLAN. The defense is DHCP Snooping: trust only the uplink toward the real server, drop server-side messages everywhere else. That’s its own topic — see DHCP Snooping.
Knowing those three failure modes cold is worth more on the exam and the job than memorizing every option number.
Put it on real gear
Reading about DORA gets you halfway. Watching a lease land — then breaking it on purpose and fixing it — is what makes it stick:
- DHCP hands-on lab — build the server scope, set a PC to DHCP, watch the binding table fill, then move a client to another subnet, watch it fail with APIPA, and fix it with
ip helper-address. The “aha” is seeing the169.254address flip to a real lease the instant you add the helper.
Do it once and the relay command will never leave your head.
What’s next
- DHCP — full library topic — the complete reference: every option number, T1/T2 lease renewal, DHCPv6, and an 8-scenario debug workflow.
- DHCP Relay —
ip helper-addressin depth, plus Option 82. - NAT & PAT explained — the other half of IP Services, and the other guaranteed exam points.
DORA is four messages and the helper is one command — but tying them together until they’re reflex is exactly the kind of “make it automatic” repetition we drill on live gear in the 1:1 CCNA program. First session is free.
Get posts like this by email.
One short, opinionated tutorial per week. Unsubscribe in one click.
We respect your inbox. One email per week, max. Unsubscribe any time.