Re: Ip Directed broadcast and ip helper

Joris Deprouw · ‎02-27-2014

Hi All,

What would happen if you configure an SVI eg VLAN 10 with an ip helper and then configure a VLAN 11 without ip helper, but with a physical dhcp server attached in that vlan. You then configure ip directed broadcast on both SVI's.

interface Vlan10

ip address 10.0.0.253 255.255.255.0

ip helper-address 192.168.1.1

no ip redirects

ip directed-broadcast

end

interface Vlan11

ip address 172.16.1.1 255.255.255.0

no ip redirects

ip directed-broadcast

end

Would it be possible that a dhcp request of a device in vlan 10 is picked up by the dhcp server in vlan 11 and that you get ip adresses assigned in vlan 10 from the range of vlan 11?

Thanks,

Best Regards,

Joris

Peter Paluch · ‎02-27-2014

Hi Joris,

The ip directed-broadcast has no meaning in your setup because DHCP does not communicate using directed broadcasts (i.e. packets addressed to the specific broadcast address of a particular IP subnet). DHCP either uses link-local broadcast of 255.255.255.255 or unicast communication, neither of which is influenced by the ip directed-broadcast. What this command does is actually allowing an outside device send a packet to the broadcast address of a particular network. Without this command, such packets would be dropped. However, as DHCP does not make use of directed broadcasts, this command would have no effect.

Would it be possible that a dhcp request of a device in vlan 10 is  picked up by the dhcp server in vlan 11 and that you get ip adresses  assigned in vlan 10 from the range of vlan 11?

A DHCP request in VLAN 10 will be forwarded only to the DHCP servers specified in the ip helper-address commands. Now, your example contains twice the same IP address 192.168.1.1. That was probably not intentional. In any case, once a DHCP server receives a relayed packet from a client, it will choose the appropriate pool to serve the client using the IP address of the DHCP relay agent that will be recorded in the relayed packet - in this case, 10.0.0.253. Using this information, a DHCP server is always able to exactly identify the network from which the request originated, and choose the correct pool. If clients in VLAN 10 are receiving wrong IP addresses then most probably, the DHCP server is misconfigured or misbehaving.

Best regards,

Peter

Mr JP · ‎03-29-2024

Hey @Peter Paluch, i think you almost answered my dilema. Im also testing a few things on a Packet tracer lab and would like to know, how can I make a device obtain an IP address via DHCP when the pool is hosted on a different router?

Example I want PC3 to belong in VLAN 30 and thus have a 192.168.30.xx IP address. PC3 is connected to SW1 which is connected to Router 1. R1 host the dhcp pool for vlan 10 and 20 but the DHCP pool for vlan 30 is actually hosted on R2.

I know DHCP relies on broadcast messages, which - by default - stay within the same broadcast domain but even the use of IP helper doesnt seem to work for me. In simulation mode, i can see R2 receiving the ICMP packet from PC3 but then drops it.

Any pointers would be appreaciated.

Thanks.

Giuseppe Larosa · ‎03-29-2024

Hello @Mr JP ,

in your case under the L3 interface that serves VLAN 30 IP subnet you need

ip helper-address <R2-IP-address >

so that DHCP broadcast messages are converted to unicast packets with destination <R2-IP-address > in the packet the gia field will contain the IP address that received the original broadcast request and this provides the right context to the remote server.

Hope to help

Giuseppe

Mr JP · ‎03-30-2024

I did use IP helper. R2 receives the packet but then drops it. When checking simulation mode:

- the destination is correct 192.168.30.254 (Which is the ip address of SVI for VLAN 30, default router for the vlan 30 pool, located on R2)

- But there's a source IP on the packet too and i'm not sure if that should be the case. The IP listed as the source is 10.10.10.1. Which is the Serial end point on R1 connecting the two routers. and therefore the dhcp reason for dropping the packet is "No address pool for 10.10.10.1"

Now that i think about it, i wonder if theres a way to configure some sort of policy MAC address table, if the MAC address is in that table, you'll get an IP regardless of the source IP the request is coming from.

Peter Paluch · ‎03-31-2024

Hello @Mr JP ,

May I ask you to share your Packet Tracer topology file? I believe it will be easier to understand your topology by looking into it. Reading through your description, I am seeing some conflicting facts but perhaps instead of swamping you with clarification questions, the simplest way would be to check your actual setup.

Thank you!

Best regards,
Peter

Mr JP · ‎03-31-2024

Sure, have a gander

Peter Paluch · ‎04-01-2024

Hello @Mr JP ,

Thank you!

I've checked your PT as you shared it. In its current configuration, R1 holds DHCP pools for VLANs 10, 20, and 30 which are directly connected so there is no IP helper required, and indeed, PC in VLAN30 on the Switch1 was reliably receiving an IP address from the DHCP server currently running on R1.

But you mentioned that you intended to have the DHCP pool for the IP subnet used in VLAN30 (192.168.30.0/24) on R2.

So what I did to test was:

I copied & pasted the DHCP pool for 192.168.30.0/24 (Pvlan30) from R1 to R2 letter-perfect, and I removed it from R1.
I configured a loopback interface on R2 (2.2.2.2/32) and advertised it in OSPF process 1 area 1.
I configured "ip helper-address 2.2.2.2" on R1's GigabitEthernet0/0.30

This configuration is working perfectly - as expected.

So now I don't understand what is the problem you encountered. Your Packet Tracer topology as shared by you is already working, and migrating the 192.168.30.0/24 DHCP pool from R1 to R2 while taking the necessary precautions also works perfectly well.

Hence I am confused since I don't see any problem here. Can you share a PT topology that reproduces and showcases the problem? Your current topology does not.

Thanks!

Best regards,
Peter

Mr JP · ‎04-01-2024

Good afternoon Peter,

Yes I think there has been a misunderstanding. I left some notes in PT to
explain what I was trying to test. You see in the zone where PCs for Vlan
10,20,30 are connected? Well I’ve added a PC which belongs to Vlan 50. That
Pc is connected to access sw1 (access port has been set to Vlan 50), which
itself is connected to R1 but the DHCP pool for Vlan 50 is located on R2.
I’ve even circled the elements I had issues with in colour. Sorry for the
confusion.

Pc 10,20,30 have no issues obtaining their IP address as they are directly
behind the router which host their DHCP server. (R1)

Mr JP · ‎04-13-2024

Hi Peter,

I managed to make the concept of my topology work how i wanted it to work in the end. The key was to use extra modules on the routers to add switching abilities and not use the serial connection or default gig port to connect the routers together.

Now devices connected to ports set to access VLAN 20 on Switch #1 can obtain their IP address from the vlan20 dhcp pool located on R2 even though Switch #1 isnt directly connected to that R2.

The experiment works both ways too. If i set a port to access VLAN 10 on Switch #2, the device connected on that port is able to obtain an IP address from VLAN10 DHCP pool located on R1 router.

Note: My next step is to add a 3rd router and switch, create couple more vlans and see if im able to make devices obtain IP adresses from the correct router depending on the port vlan access.

Jay Ocampo · ‎02-27-2014

Hi Joris,

To interpret it...

Broadcast received on Vlan 10 SVI will be forwarded as unicast to the ip helper Ip address as listed and should be able to reach the DHCP server. I don't see any issues if you put ip directed-broadcast in vlan 11 as this is unicast traffic coming from vlan 10. (ip helper IP should be on same segment with vlan 11.. )

Better disable ip directed-broadcast on that vlan which could cause DOS attacks.. unless otherwise you use Wake on Lan functionality..

Best...