[nsp] Strange problem ip helper on hybride Cat6500
Jeroen Vos
Jeroen.Vos at omroep.nl
Wed Apr 14 11:29:41 EDT 2004
net10-uit is just a name of the ACL.
'uit' is Dutch for the word 'out'. We use this naming convention for
every ACL.
Greetings.
--
Jeroen Vos
-----Original Message-----
From: Konstantin Barinov [mailto:sbr at infonet.ee]
Sent: Wednesday, April 14, 2004 5:24 PM
To: Jeroen Vos
CC: cisco-nsp at puck.nether.net
Subject: Re: [nsp] Strange problem ip helper on hybride Cat6500
ip access-group net10-uit out
Guess there must be "net10-out"? :)
br
--
Konstantin Barinov
INFONET AS, Tallinn, Estonia
Wednesday, April 14, 2004, 5:17:27 PM, you wrote:
JV> Hello,
JV> We have a strange problem with the command ip helper-address.
JV> Situation:
JV> DHCP client -->> Cat6500 --> Cat6500 --> DHCP server
JV> Hybrid mode, IOS 12.1(20)E2 CatOS 7.6.5 (redundant supervisor2 MSFC2)
JV> This is a standard configuration for all interfaces, except the IP
JV> addresses.
JV> interface Vlan10
JV> description *** Hosting netwerk ***
JV> ip address 10.10.10.253 255.255.255.0 alt ip address 10.10.10.254 255.255.255.0
JV> ip access-group net10-in in
JV> ip access-group net10-uit out
JV> ip helper-address 10.10.10.37
JV> no ip redirects
JV> no ip unreachables
JV> load-interval 30
JV> no cdp enable
JV> standby 10 ip 10.10.10.1 alt standby 10 ip 10.10.10.1
JV> standby 10 priority 120 alt standby 10 priority 110
JV> ip access-group net10-in in
JV> permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps log
JV> We have configured about 20 VLANs with the same ip helper-address on
JV> the same Cat6500 and all these VLANs behave normally, except vlan10. The
JV> question is why?
JV> With this situation we have tested:
JV> - A DHCP request is sent to the server. The DHCP server accepts the
JV> request, and sends a reply. The reply does not reach the client. After
JV> removing the ACLs, nothing happened.
JV> - Placed the DHCP-server in the same subnet, it works.
JV> - Placed the DHCP-server in a different subnet, on the same Cat6500, it
JV> works.
JV> - Placed the DHCP-server in a different subnet, on a different Cat6500,
JV> it failed. No ACLs between the Cat6500s.
JV> A little problem is also that we don't know a way to log the return
JV> traffic, because:
JV> - Logging in ACLs (IOS) doesn't work. Maybe because the ip
JV> helper-address-table? is first used and then the ACL becomes active.
JV> - Traffic between the MSFC (layer 3) and supervisor (layer 2) is not visible
JV> with a sniffer, or something like that. There has to be a translation
JV> between the layers.
JV> Maybe someone can point me to a new direction for these problems.
JV> Greetings.
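An added example, not part of the original thread or any poster's code: a small parser for the BOOTP/DHCP header that, run over a UDP payload captured at the DHCP server, shows the relay address (giaddr) and the address a server will send its reply to under RFC 2131. The sample packets are constructed, and using 10.10.10.253 (the Vlan10 address quoted above) as the giaddr the relay inserts is an assumption.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie (RFC 2131)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def build_sample(giaddr: str) -> bytes:
    """Constructed DHCPDISCOVER; a non-zero giaddr marks it as relayed."""
    hops = 0 if giaddr == "0.0.0.0" else 1
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, hops, 0x1234ABCD, 0, 0x8000)
    addrs = bytes(12) + socket.inet_aton(giaddr)     # ciaddr, yiaddr, siaddr, giaddr
    chaddr = bytes.fromhex("02000000000a") + bytes(10)
    return hdr + addrs + chaddr + bytes(192) + MAGIC + bytes([53, 1, 1, 255])

def parse_bootp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and DHCP option 53 from a UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    ci, yi, si, gi = (socket.inet_ntoa(payload[o:o + 4]) for o in (12, 16, 20, 24))
    msg = {"op": op, "hops": hops, "xid": xid, "broadcast": bool(flags & 0x8000),
           "ciaddr": ci, "yiaddr": yi, "siaddr": si, "giaddr": gi,
           "chaddr": payload[28:28 + min(hlen, 16)].hex(":"), "type": None}
    i = 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                          # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload): break              # truncated option
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            msg["type"] = MSG_TYPES.get(payload[i + 2], str(payload[i + 2]))
        i += 2 + length
    return msg

def server_reply_target(msg: dict) -> tuple:
    """Destination a server uses for its reply (RFC 2131 section 4.1)."""
    if msg["giaddr"] != "0.0.0.0":
        return (msg["giaddr"], 67)                   # back to the relay agent
    if msg["ciaddr"] != "0.0.0.0":
        return (msg["ciaddr"], 68)
    if msg["broadcast"]:
        return ("255.255.255.255", 68)
    return ("unicast to yiaddr/chaddr", 68)

if __name__ == "__main__":
    for g in ("10.10.10.253", "0.0.0.0"):
        m = parse_bootp(build_sample(g))
        print(m["type"], "giaddr", m["giaddr"], "-> reply to", server_reply_target(m))
```

For a relayed request the reply is addressed to giaddr on UDP port 67, so routing and any filtering between the server and that address is the return path to examine.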