Re: "ip verify unicast reverse-path" and DHCP

jniessen · ‎05-29-2003

Has anyone else run into problems when trying to implement "ip verify unicast reverse-path" and using "ip helper-address" for reaching a centralized DHCP server?

When "ip verify" is enabled on the interface workstations can no longer get DHCP addresses. When debugging DHCP on the router it shows a DHCP request but never a reply. Also I see the following error because I am logging the deny's for "ip verify"

%SEC-6-IPACCESSLOGP: list 199 denied udp 169.254.223.34 (unresolved) (0) -> 255.255.255.255(0), 3 packets

The workstations are Windows NT and 2K.

It looks like windows uses the 169.254.xx.xx address to send the DHCP packets instead of 0.0.0.0.

Thanks

dgower · ‎05-29-2003

the 169.254.x.x address is the address which MS workstations will assign to themselves if they cannot get an IP address. What is the scope of your IP addresses on your DHCP server?

jniessen · ‎05-29-2003

I do not believe it is a scope problem. The "ip helper-address" feature works without "ip verify unicast....." turned on. It breaks after that feature is activated. I tried permitting UDP port 68 and 67 for "ip verify...." but it did not seem to help.

t.baranski · ‎05-29-2003

I've never used RFP, but I'd guess you need a route to 169.254.x.x before RPF will allow these packets through.

jasyoung · ‎05-29-2003

There are some versions of IOS, especially in 12.0 mainline, where there are bugs that cause this not to work. CSCdk80591 is one, I think there may be others, because I know for a fact I had at least one 12.0 rev above 12.0(3.5) affected. Try upgrading to the latest IOS in your train - there are GD releases available in both 12.0 and 12.1 mainline.