[nsp] Strange problem ip helper on hybride Cat6500

Konstantin Barinov sbr at infonet.ee
Wed Apr 14 11:23:34 EDT 2004


ip access-group net10-uit out

Guess there must be "net10-out"? :)



br
--
Konstantin Barinov
INFONET AS, Tallinn, Estonia

Wednesday, April 14, 2004, 5:17:27 PM, you wrote:

JV> Hello,

JV> We have a strange problem with the command ip helper-address.

JV> Situation:

DHCP client -->> Cat6500  --> Cat6500 --> DHCP server
JV> Hybride mode, IOS 12.1(20)E2 CatOS 7.6.5 ( redundant supervisor2 MSFC2)

JV> This is a standard configuration for all interfaces, except the ip
JV> addressen.
JV> interface Vlan10
JV>  description *** Hosting netwerk ***
JV>  ip address 10.10.10.253 255.255.255.0 alt ip address 10.10.10.254
JV> 255.255.255.0
JV>  ip access-group net10-in in
JV>  ip access-group net10-uit out
JV>  ip helper-address 10.10.10.37
JV>  no ip redirects
JV>  no ip unreachables
JV>  load-interval 30
JV>  no cdp enable
JV>  standby 10 ip 10.10.10.1 alt standby 10 ip 10.10.10.1
JV>  standby 10 priority 120 alt standby 10 priority 110

JV> ip access-group net10-in in
JV>  permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps log


JV> We have configured about 20 Vlan's with the same ip helper-address on
JV> the same CAT6500 and all these vlan's behave normal, except vlan10. The
JV> question is why ?

JV> With situation we have tested:

JV> - A DHCP request is send to the server. The DHCP server accepts the
JV> request, and send a reply. The reply does not reach the client. After
JV> removing the ACLs', nothing happend.
JV> - Placed the DHCP-server in the same subnet, it works.
JV> - Placed the DHCP-server in a different subnet, on the same Cat6500, it
JV> works.
JV> - Placed the DHCP-server in a different subnet, on a different Cat6500,
JV> it failed. No ACL's between the Cat6500's. 

JV> A little problem is also, that we don't know a way to log the return
JV> traffic, because; 
JV> - Logging in ACL's (IOS) don't work. Maybe because the ip
JV> helper-address-table? is first used and then the ACL becomes active.
JV> - Traffic between the MSFC(layer3) and supervisor(Layer2) is not visible
JV> with a sniffer, or something like that. There has to be a translation
JV> between the layers.

JV> Maybe, someone can point me to a new direction for these problems.


JV> Greetings.



More information about the cisco-nsp mailing list