[nsp] Strange problem ip helper on hybride Cat6500

[Jeroen Vos]

Hello,

We have a strange problem with the command ip helper-address.

Situation:

DHCP client --> Cat6500  --> Cat6500 --> DHCP server
Hybride mode, IOS 12.1(20)E2 CatOS 7.6.5 ( redundant supervisor2 MSFC2)

This is a standard configuration for all interfaces, except the ip
addressen.
interface Vlan10
 description *** Hosting netwerk ***
 ip address 10.10.10.253 255.255.255.0 alt ip address 10.10.10.254
255.255.255.0
 ip access-group net10-in in
 ip access-group net10-uit out
 ip helper-address 10.10.10.37
 no ip redirects
 no ip unreachables
 load-interval 30
 no cdp enable
 standby 10 ip 10.10.10.1 alt standby 10 ip 10.10.10.1
 standby 10 priority 120 alt standby 10 priority 110

ip access-group net10-in in
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps log


We have configured about 20 Vlan's with the same ip helper-address on
the same CAT6500 and all these vlan's behave normal, except vlan10. The
question is why ?

With situation we have tested:

- A DHCP request is send to the server. The DHCP server accepts the
request, and send a reply. The reply does not reach the client. After
removing the ACLs', nothing happend.
- Placed the DHCP-server in the same subnet, it works.
- Placed the DHCP-server in a different subnet, on the same Cat6500, it
works.
- Placed the DHCP-server in a different subnet, on a different Cat6500,
it failed. No ACL's between the Cat6500's. 

A little problem is also, that we don't know a way to log the return
traffic, because; 
- Logging in ACL's (IOS) don't work. Maybe because the ip
helper-address-table? is first used and then the ACL becomes active.
- Traffic between the MSFC(layer3) and supervisor(Layer2) is not visible
with a sniffer, or something like that. There has to be a translation
between the layers.

Maybe, someone can point me to a new direction for these problems.


Greetings.
-- 
Jeroen Vos