[nsp] Strange problem ip helper on hybride Cat6500

Sarkis Karagozian skaragozian at verio.net
Wed Apr 14 21:52:27 EDT 2004


I found this Cisco document, "Transit Access Control Lists: Filtering at Your
Edge", which includes these lines:
!--- The deny statement below should not be configured
!--- on Dynamic Host Configuration Protocol (DHCP) relays.

access-list 110 deny ip host 0.0.0.0 any

For the complete Cisco document, go to:

http://www.cisco.com/en/US/partner/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml#app1

Hope this helps.



NTT/VERIO Data Center Engineer
Sarkis Karagozian
Skaragozian at verio.net
707 Wilshire Blvd. #490
Los Angeles, Ca 90017
Ofc. 213 489-2916, Cell. 213 272-9196

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Sam Munzani
Sent: Wednesday, April 14, 2004 1:37 PM
To: Jeroen Vos; cisco-nsp at puck.nether.net
Subject: Re: [nsp] Strange problem ip helper on hybride Cat6500

If you pay more attention to the config, interface VLAN 10 and the
helper-address are on the same interface. That means clients hit the DHCP
server directly (the broadcast gets answered by the DHCP server directly since
both are on the same subnet) and do not need to go through the helper-address
command.

Am I missing anything here?

Sam Munzani


> Hello,
>
> We have a strange problem with the command ip helper-address.
>
> Situation:
>
> DHCP client --> Cat6500  --> Cat6500 --> DHCP server
> Hybrid mode, IOS 12.1(20)E2 CatOS 7.6.5 ( redundant supervisor2 MSFC2)
>
> This is a standard configuration for all interfaces, except the IP
> addresses.
> interface Vlan10
>  description *** Hosting netwerk ***
>  ip address 10.10.10.253 255.255.255.0 alt ip address 10.10.10.254 255.255.255.0
>  ip access-group net10-in in
>  ip access-group net10-uit out
>  ip helper-address 10.10.10.37
>  no ip redirects
>  no ip unreachables
>  load-interval 30
>  no cdp enable
>  standby 10 ip 10.10.10.1 alt standby 10 ip 10.10.10.1
>  standby 10 priority 120 alt standby 10 priority 110
>
> ip access-group net10-in in
>  permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps log
>
>
> We have configured about 20 VLANs with the same ip helper-address on
> the same Cat6500 and all these VLANs behave normally, except Vlan10. The
> question is why?
>
> In this situation we have tested:
>
> - A DHCP request is sent to the server. The DHCP server accepts the
> request, and sends a reply. The reply does not reach the client. After
> removing the ACLs, nothing happened.
> - Placed the DHCP server in the same subnet, it works.
> - Placed the DHCP server in a different subnet, on the same Cat6500, it
> works.
> - Placed the DHCP server in a different subnet, on a different Cat6500,
> it failed. No ACLs between the Cat6500s.
>
> A small problem is also that we don't know a way to log the return
> traffic, because:
> - Logging in ACLs (IOS) doesn't work. Maybe because the ip
> helper-address table(?) is used first and then the ACL becomes active.
> - Traffic between the MSFC (layer 3) and supervisor (layer 2) is not visible
> with a sniffer, or something like that. There has to be a translation
> between the layers.
>
> Maybe someone can point me in a new direction for these problems.
>
>
> Greetings.
> --
> Jeroen Vos
>
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
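
The check below is an added example, not part of the original thread or the Cisco document: it walks an IOS configuration and reports what the inbound ACL on each interface with an `ip helper-address` does to a client DHCPDISCOVER (source 0.0.0.0), which is the case the quoted deny line warns about. The function names, the parser and interface Vlan20 are constructed for illustration; only the `any` / `host` address forms and `eq` ports are modelled.

```python
import re

# DHCPDISCOVER from a client with no address yet: proto, src, sport, dst, dport
DISCOVER = ("udp", "0.0.0.0", {"68", "bootpc"}, "255.255.255.255", {"67", "bootps"})

def _field(tok, addr, ports):
    """Consume 'any' or 'host A', then an optional 'eq PORT'; (matched, rest)."""
    ok, n = (True, 1) if tok[:1] == ["any"] else (tok[:2] == ["host", addr], 2)
    if tok[n:n + 1] == ["eq"]:
        ok, n = ok and tok[n + 1] in ports, n + 2
    return ok, tok[n:]

def first_match(entries, pkt):
    """Action of the first entry matching pkt; an ACL ends in an implicit deny."""
    proto, src, sport, dst, dport = pkt
    for action, acl_proto, *tok in map(str.split, entries):
        src_ok, tok = _field(tok, src, sport)
        dst_ok, tok = _field(tok, dst, dport)
        if acl_proto in ("ip", proto) and src_ok and dst_ok:
            return action
    return "deny"

def relay_acl_verdicts(config):
    """DISCOVER verdict per interface with a helper address and an inbound ACL."""
    acls, ifaces, body = {}, {}, []
    for line in config.splitlines():
        if m := re.match(r"access-list (\d+) (.+)", line):
            acls.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"(interface|ip access-list extended) (\S+)", line):
            body = (ifaces if m[1] == "interface" else acls).setdefault(m[2], [])
        elif line.startswith(" "):
            body.append(line.strip())
    out = {}
    for name, cfg in ifaces.items():
        grp = re.search(r"^ip access-group (\S+) in$", "\n".join(cfg), re.M)
        if grp and grp[1] in acls and any(c.startswith("ip helper-address ") for c in cfg):
            out[name] = first_match(acls[grp[1]], DISCOVER)
    return out

# Constructed sample: Vlan10 as in the thread, Vlan20 with the Cisco document's deny.
CONFIG = """\
interface Vlan10
 ip access-group net10-in in
 ip helper-address 10.10.10.37
interface Vlan20
 ip access-group 110 in
 ip helper-address 10.10.10.37
ip access-list extended net10-in
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps log
access-list 110 deny ip host 0.0.0.0 any"""
```

Calling `relay_acl_verdicts(CONFIG)` maps each relay interface to `permit` or `deny`; a `deny` means client broadcasts are dropped before the helper address can forward them.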
