
IP Helper-address

fbabashahi
Beginner

Hi, I have two 3750 switches that are stacked. I have two VLANs: VLAN 1 (for clients) and VLAN 161 (for servers). I use ip helper-address for the relay agent. Clients get an IP without any problem, but the broadcast is also sent to other interfaces.

 

Does it work right (I don't think so)?

Why is that?

How can I prevent this from happening?

 

interface Vlan1
 description Clients
 ip address 192.168.3.100 255.255.252.0
 ip helper-address 172.16.1.1
 ip helper-address 172.16.1.2

Accepted Solutions

Hello @fbabashahi ,

>> so to other interfaces in VLAN1 is normal?

Yes, it is. The DHCP request is generated as a frame with an Ethernet broadcast destination, and for this reason it reaches every port in VLAN1. The SVI interface, interface vlan1, is just one of these hosts, and it will perform the change to the DHCP servers as configured with ip helper-address.

 

>> Is there any way to prevent it (because if someone runs DHCP the clients will get IP)?

Not directly, as a broadcast frame is flooded to all ports in a VLAN (also called a broadcast domain for this reason).

However, enabling a feature like DHCP snooping and setting all access ports as untrusted will prevent rogue unwanted DHCP servers from disturbing your network.

The answer is: look for DHCP snooping.

Hint: an untrusted port for DHCP snooping will drop messages coming from a DHCP server and allow only messages generated by a client. This is the reason why DHCP snooping can be effective in blocking unwanted DHCP servers.

You need to trust uplink ports if they are L2 trunks, and you need to trust ports to WLC wireless controllers, as the WLC makes some minor changes in the DHCP request that are not accepted by DHCP snooping.

 

Hope to help

Giuseppe
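
The untrusted-port rule from the hint above, as an added example that is not part of the original thread and not Cisco's implementation: a simplified Python model that parses a DHCP payload and decides whether a snooping switch would forward or drop it. The function names, the constructed sample packets, the handling of unparseable payloads and the extra check for a non-zero relay address (giaddr) on untrusted ports are assumptions of this sketch.

```python
import struct

# DHCP message types (option 53, RFC 2132) that only a server sends.
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options


def build_dhcp(op, msg_type, giaddr="0.0.0.0"):
    """Construct a minimal BOOTP/DHCP payload (sample data for this example)."""
    gi = bytes(int(x) for x in giaddr.split("."))
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234ABCD, 0, 0x8000)
    fixed += bytes(12) + gi          # ciaddr, yiaddr, siaddr, then giaddr
    fixed += bytes(16 + 64 + 128)    # chaddr, sname, file
    return fixed + MAGIC + bytes([53, 1, msg_type, 255])


def parse(payload):
    """Return (message type, giaddr) from a DHCP payload, or raise ValueError."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    giaddr = ".".join(str(b) for b in payload[24:28])
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                             # 0 = pad, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            return payload[i + 2], giaddr
        i += 2 + length
    raise ValueError("no DHCP message type option")


def snoop(port_trusted, payload):
    """Decide what this model of a snooping switch does with a received payload."""
    if port_trusted:
        return "forward"             # trusted ports (uplinks, server side) pass
    try:
        msg_type, giaddr = parse(payload)
    except ValueError:
        return "drop: unparseable"   # choice made for this model
    if msg_type in SERVER_TYPES:
        return "drop: server " + SERVER_TYPES[msg_type] + " on untrusted port"
    if giaddr != "0.0.0.0":
        return "drop: relayed request on untrusted port"
    return "forward"
```

A client DISCOVER on an access port is forwarded, while an OFFER arriving on the same untrusted port is dropped, which is what stops a rogue server plugged into VLAN 1 from answering clients.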

 
