
IP Helper address implementation

jmb09
Level 1

Hello,

Until now, my network was on a single VLAN, VLAN 1.
I recently segmented the network into several VLANs.
I created a management VLAN (VLAN X) for my switches (10 C2960X), and I put my servers in VLAN Y, and kept my workstations in VLAN 1.
In my switches, VLAN 1 no longer has an IP address and is shutting down.

My problem is that my DHCP server is now in VLAN Y, and IP addresses are no longer being distributed to workstations.
So I configured the IP helper in the switches, but it's not working. I wonder if this could be due to VLAN 1 being shut down?

Do you have any ideas or advice?
 

marce1000
Hall of Fame

 

  - Use another VLAN for the workstations too (VLAN1 should be reserved for network management protocols),
    then on the SVI for that vlan define the helper-address pointing to the DHCP server.

  M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

jmb09
Level 1

Hello, thanks ....

I had to do it one day, our security services advise us not to use VLAN 1 ....

On the other hand I don't understand "SVI", sorry, my English is too poor!

 

Thanks

 

Hello,

You need to configure the IP helper address at the default GW interface of the devices. So, if you need devices in VLAN V you need to configure a Default Gateway they can use and configure the helper address there.

 

Additionally, the device you configure the helper address on needs to be able to reach that IP address either through a routing protocol or static routes. The server will also need a route back to that network it's giving an IP address to.

 

-David

jmb09
Level 1

Hello,

 

First, thanks. Did you mean that I should configure it in the vlan interface config and not just in conf t?

I had several VLANs; only one has an IP and a GW: the management VLAN ... and this VLAN is not accessible to others.

Maybe I should post one of my configs?

 

 

Thanks a lot,

 

Yes it would be helpful if you did post the config.

Here are a few points that I hope will be helpful:

- if you have several vlans and have devices connected in the vlans, then each vlan should have its own vlan interface (SVI stands for Switch Virtual Interface) and each SVI should have an IP address in a unique subnet.

- the DHCP server should have a unique address pool for each of the subnets used on the switch vlan interfaces.

- the vlan interface for each vlan should have a helper-address configured which points to the DHCP server.

HTH

Rick

jmb09
Level 1

Hello,

 

Thanks, it's night here, so tomorrow I will recover a config from one switch and I will post it .... we will understand each other better!

 

Thanks a lot !

 

mafzal
Level 1

DHCP won't work if VLAN 1 has no active SVI with an IP helper, because the switch needs an interface in the VLAN to receive and relay broadcast DHCP packets.

Enable VLAN 1 temporarily or migrate clients to a new VLAN with a proper Layer 3 interface and IP helper configuration.

 

jmb09
Level 1

Good morning everybody !!!

Thanks for all the answers. I think my problem comes from VLAN 1 being off. As I suggested last night, I post one of my switch configs below; I removed the port configuration (file is too long), and I removed my passwords ....

For IPs I kept:

X.X.X.X for my management VLAN, Y.Y.Y.Y for my servers VLAN, and my workstations are always in VLAN 1!

That's done :

 


!
! Last configuration change at 01:00:49 GMT Mon Jan 2 2006
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service unsupported-transceiver
no service dhcp
!
hostname C2960-04
!
boot-start-marker
boot-end-marker
!
enable secret 5 something
!
username admin secret 5 something
no aaa new-model
clock timezone GMT 1 0
clock summer-time FR recurring last Sun Mar 2:00 last Sun Oct 2:00
switch 1 provision ws-c2960s-48fps-l
!
!
ip dhcp snooping vlan 1-100
no ip dhcp snooping information option
ip dhcp snooping
no ip domain-lookup
ip domain-name lsm.cnrs.fr
ip name-server Y.Y.Y.10
ip name-server Y.Y.Y.13
login on-failure log
login on-success log
!
!
!
!
!
!
!
!
archive
path tftp://Y.Y.Y.7/ip4/$h-$t
write-memory
dot1x system-auth-control
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
no errdisable detect cause gbic-invalid
errdisable recovery cause storm-control
!
!
!
!
vlan internal allocation policy ascending
!
lldp run
!
!
!
!
!
!
!
!
!
!

!
interface Vlan1
no ip address
ip helper-address Y.Y.Y.2
shutdown
!
interface Vlan99
ip address X.X.X.X 255.255.255.0
no ip route-cache
!
ip default-gateway X.X.X.254
no ip http server
no ip http secure-server
!
ip ssh logging events
ip ssh version 2
!
logging trap debugging
logging origin-id string C2960-04
logging host Y.Y.Y.6 transport udp port 49168
!
snmp-server community SETE RO
snmp-server host Y.Y.Y.9 v2c
!
line con 0
exec-timeout 60 0
login local
line vty 0 4
password 7 something
login local
transport input ssh
line vty 5 15
password 7 something
login local
transport input ssh
!
end

 

 

Actually my DHCP server is on VLAN 1, else my workstations don't get an IP address; I would like to move these DHCP servers to VLAN Y.

 

Thanks

 

Thank you for posting the switch configuration. It does provide some clarification. I (and I believe others as well) have been assuming in this discussion that your switch was operating as a layer 3 switch, which allows it to provide routing for traffic for several vlans/subnets. The posted config shows clearly that the switch is operating as a layer 2 switch.

For multiple vlans/multiple subnets to work there must be a layer 3 device to provide inter vlan routing, and all of the various vlans need a connection to that layer 3 device, and that device needs to have a vlan interface in each of those vlans. Depending on where the DHCP server is this may be enough. Or it may be that the layer 3 device will need to configure ip helper-address for the various vlans to forward DHCP requests to the server. 

HTH

Rick
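
The reasons given in this thread for the relay not working can be checked mechanically. The following is an added example, not part of the original thread or of any Cisco tool: a small Python audit that reads the relay-relevant lines of the posted configuration (embedded here as a constructed sample) and reports each precondition for `ip helper-address` that is not met. The function names, and the heuristic of treating a missing `ip routing` line as layer 2 operation, are assumptions of this example.

```python
import re

# Constructed sample: the relay-relevant lines of the switch config posted above.
SAMPLE = """\
no service dhcp
ip dhcp snooping
!
interface Vlan1
 no ip address
 ip helper-address Y.Y.Y.2
 shutdown
!
interface Vlan99
 ip address X.X.X.X 255.255.255.0
!
ip default-gateway X.X.X.254
"""

def parse_svis(config):
    """Return {svi_name: [sub-commands]} for every 'interface VlanN' stanza."""
    svis, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (Vlan\d+)$", line, re.I)
        if m:
            current = svis.setdefault(m.group(1), [])
        elif line == "!" or re.match(r"interface ", line, re.I):
            current = None  # end of stanza, or a non-SVI interface begins
        elif current is not None and line:
            current.append(line)
    return svis

def audit_relay(config):
    """List reasons why 'ip helper-address' cannot relay DHCP on this device."""
    findings = []
    glob = [l.strip() for l in config.splitlines()]
    if "no service dhcp" in glob:
        findings.append("global: 'no service dhcp' disables the DHCP relay agent")
    if "ip routing" not in glob:  # assumption: absence means layer 2 operation
        findings.append("global: no 'ip routing', device acts as a layer 2 switch")
    for name, cmds in parse_svis(config).items():
        if not any(c.startswith("ip helper-address") for c in cmds):
            continue
        if "shutdown" in cmds:
            findings.append(f"{name}: helper configured but SVI is shutdown")
        if not any(re.match(r"ip address \S+ \S+", c) for c in cmds):
            findings.append(f"{name}: helper configured but SVI has no IP address")
    return findings
```

Calling `audit_relay(SAMPLE)` returns four findings for the posted switch; a layer 3 device with `ip routing` and an active, addressed SVI carrying the helper returns an empty list.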

jmb09
Level 1

Hello,

 

Thanks,

Effectively I'm not a great specialist of networks and protocols and I begin to be too old for all these new technologies ...

All my switches are the same, just the number of ports changes, and my network core is a C-3850.

I don't take care about what you said concerning layer, it seems evident ... So I surely need to configure my firewall routers for that and not continue with ip-helper ...

Thanks a lot !

 

jmb09
Level 1

Hello !

 

Since I read your answer I've been thinking. I took a look at my network again and I note that I have some C2960X switches, some C2960-S and one C3850.
As you said, the S are layer 2, the others are layer 3, and suddenly I had another question:
If my workstations are connected to a layer 2 switch, the layer 2 switch connects to a layer 3 switch, and the server is also on a layer 3, could ip-helper run?

Thanks
 

If we knew more about your network environment we could give you better advice. Since we do not have much detail about your network let me suggest in a very general way how it might work. Some switches are layer 2 only, while some other switches can be configured to operate as layer 2 only or could be configured to operate as layer 3. In your network there are some layer 2 switches, and now those switches have more than one vlan (which means that there would be more than one IP subnet, since each vlan would have its own IP subnet). The layer 2 switch would connect to a layer 3 on an interface configured as a trunk and carrying all of the vlans from the layer 2 switch. The layer 3 device would act as the default gateway for the vlans of the layer 2 switch. If the DHCP was configured on that layer 3 device then it could supply IP addresses to the various vlans. If the DHCP were configured on some other device then you would want to configure ip helper-address on the vlan interfaces pointing to where the DHCP server is.

HTH

Rick

jmb09
Level 1

Hello,

 

Sorry, it's always me; your remarks about layers make me think a lot, and as I'm not a network specialist, I'm looking for ....

So I found this thread on the forum:

https://community.cisco.com/t5/switching/does-ip-helper-address-work-on-a-layer-2-switch-2950/td-p/1816526

So I am also thinking about a plan to renew all my switches; they begin to be old now. I should have a talk with my chief!!!

 

Thanks

 

jmb09
Level 1

Hello,

 

Thank you for your explanation, I begin to understand better ....

Our central switch is a C3850, we create VLANs on it (actually about 10 VLANs); on this 3850 we have our two firewalls, which manage our network.

Other switches are in other buildings, linked to the C3850 by fiber and EtherChannel (2 or 3 links). In each building we have 3-4 switches linked to each other by 2 RJ45 EtherChannel.

Generally our 3850 is connected to a C2960X (layer 2+3), and the C2960S (layer 2) are connected to the C2960X, except in one building ....

I will discuss it next week with my chief. I'm thinking about making a renewal plan for all our equipment; I observed that they run but begin to be old now, and with the new security context maybe we will be blocked rapidly!!

 

Thanks a lot for all ...