[nsp] Strange problem ip helper on hybride Cat6500

Church, Chuck cchurch at wamnetgov.com
Wed Apr 14 11:54:59 EDT 2004


That inbound ACL isn't going to allow HSRP hellos, causing both to go
active.  Could that be the issue, if not on this interface, maybe on the
one the DHCP server is located? 


Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Wam!Net Government Services - Design & Implementation Team
13665 Dulles Technology Dr. Ste 250
Herndon, VA 20171
Office: 703-480-2569
Cell: 703-819-3495
cchurch at wamnetgov.com
PGP key:
http://pgp.mit.edu:11371/pks/lookup?op=index&search=cchurch%40wamnetgov.com
-----Original Message-----
From: Jeroen Vos [mailto:Jeroen.Vos at omroep.nl] 
Sent: Wednesday, April 14, 2004 11:30 AM
To: Konstantin Barinov
Cc: cisco-nsp at puck.nether.net
Subject: RE: [nsp] Strange problem ip helper on hybride Cat6500

net10-uit is just a name of the ACL. 
'uit' is Dutch for the word 'out'. We use this naming convention for
every ACL.


Greetings.
--
Jeroen Vos 





-----Original Message-----
From: Konstantin Barinov [mailto:sbr at infonet.ee]
Sent: Wednesday, April 14, 2004 5:24 PM
To: Jeroen Vos
CC: cisco-nsp at puck.nether.net
Subject: Re: [nsp] Strange problem ip helper on hybride Cat6500



ip access-group net10-uit out

Guess there must be "net10-out"? :)



br
--
Konstantin Barinov
INFONET AS, Tallinn, Estonia

Wednesday, April 14, 2004, 5:17:27 PM, you wrote:

JV> Hello,

JV> We have a strange problem with the command ip helper-address.

JV> Situation:

JV> DHCP client -->> Cat6500  --> Cat6500 --> DHCP server
JV> Hybrid mode, IOS 12.1(20)E2 CatOS 7.6.5 ( redundant supervisor2 MSFC2)

JV> This is a standard configuration for all interfaces, except the IP
JV> addresses.
JV> interface Vlan10
JV>  description *** Hosting netwerk ***
JV>  ip address 10.10.10.253 255.255.255.0 alt ip address 10.10.10.254 255.255.255.0
JV>  ip access-group net10-in in
JV>  ip access-group net10-uit out
JV>  ip helper-address 10.10.10.37
JV>  no ip redirects
JV>  no ip unreachables
JV>  load-interval 30
JV>  no cdp enable
JV>  standby 10 ip 10.10.10.1 alt standby 10 ip 10.10.10.1
JV>  standby 10 priority 120 alt standby 10 priority 110

JV> ip access-group net10-in in
JV>  permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps log


JV> We have configured about 20 VLANs with the same ip helper-address on
JV> the same CAT6500 and all these VLANs behave normally, except vlan10. The
JV> question is why?

JV> With this situation we have tested:

JV> - A DHCP request is sent to the server. The DHCP server accepts the
JV> request, and sends a reply. The reply does not reach the client. After
JV> removing the ACLs, nothing happened.
JV> - Placed the DHCP-server in the same subnet, it works.
JV> - Placed the DHCP-server in a different subnet, on the same Cat6500, it
JV> works.
JV> - Placed the DHCP-server in a different subnet, on a different Cat6500,
JV> it failed. No ACLs between the Cat6500s.

JV> A little problem is also that we don't know a way to log the return
JV> traffic, because:
JV> - Logging in ACLs (IOS) doesn't work. Maybe because the ip
JV> helper-address-table? is first used and then the ACL becomes active.
JV> - Traffic between the MSFC (layer 3) and supervisor (layer 2) is not visible
JV> with a sniffer, or something like that. There has to be a translation
JV> between the layers.

JV> Maybe, someone can point me to a new direction for these problems.


JV> Greetings.
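
Added example, not part of the original thread or any poster's code: a small first-match ACL evaluator that checks the point made in the top reply, that an inbound ACL holding only the DHCP permit quoted above drops HSRP hellos at the implicit deny. Assumptions: net10-in consists of just the one quoted entry, HSRP is version 1 (UDP port 1985 to 224.0.0.2), and the names `Packet`, `Ace`, `evaluate`, `audit` and the amended ACL are hypothetical.

```python
import ipaddress
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class Ace(NamedTuple):
    action: str              # "permit" or "deny"
    proto: str
    src: str                 # CIDR form; a /32 is an IOS "host" match
    sport: Optional[int]     # None means any port
    dst: str
    dport: Optional[int]

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(ace.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(ace.dst)
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport))

def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# The single net10-in entry quoted in the thread (assumed to be the whole ACL).
NET10_IN = [Ace("permit", "udp", "0.0.0.0/32", 68, "255.255.255.255/32", 67)]
# Hypothetical amended ACL: also permit HSRPv1 hellos from both Vlan10 addresses.
NET10_IN_HSRP = NET10_IN + [
    Ace("permit", "udp", "10.10.10.253/32", 1985, "224.0.0.2/32", 1985),
    Ace("permit", "udp", "10.10.10.254/32", 1985, "224.0.0.2/32", 1985),
]

# Constructed sample packets arriving inbound on Vlan10.
SAMPLES = {
    "dhcp_discover": Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "hsrp_hello": Packet("udp", "10.10.10.254", 1985, "224.0.0.2", 1985),
}

def audit(acl) -> dict:
    """Return the permit/deny verdict for each constructed sample packet."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    print("as quoted:", audit(NET10_IN), "| with HSRP:", audit(NET10_IN_HSRP))
```

With hellos denied, neither router hears its peer, which is the both-active condition the reply describes.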

