For consistency, align the VLAN subinterface numbers with the physical interface numbers they serve. For example, interface vlan.1 serves DHCP for the network attached to ethernet1/1. This allows you to associate them with each other faster and troubleshoot issues more easily later.

When production IP address space is used for the VLAN interfaces, giving them IP addresses with 32-bit netmasks will conserve address space. You can use addresses from a single network (for example, 1.1.1.0/24) for all the VLAN interfaces. Because these interfaces exist solely to serve DHCP to a local network, the addresses assigned to the VLAN interfaces don’t need to be routable in the rest of the enterprise. Operationally, this means that the same network space and addresses can be used for VLAN interfaces on all firewalls in the enterprise.

When configuring this solution for multiple interfaces, the routing configuration changes slightly. On the default (production) virtual router, you can configure a network route to the VLAN interfaces instead of a collection of host routes. In the figure below all of the VLAN interfaces have addresses that can be summarized using a 1.1.1.0/24 route.

On the DHCP virtual router, add network routes for each network for which a VLAN interface serves DHCP and set the default (production) virtual router as the next hop. Adding network rather than host routes for the DHCP relay agents allows the probe feature on the DHCP servers to function.