IP Helper-address

fbabashahi

Hi, I have two 3750 switches that are stacked. I have two VLANs: VLAN 1 (for clients) and VLAN 161 (for servers). I use IP helper-address as the relay agent; clients get IP addresses without any problem, but the broadcast is also sent to other interfaces.

 

Does it work right? (I don't think so.)

Why is that?

How do I prevent this from happening?

 

interface Vlan1
 description Clients
 ip address 192.168.3.100 255.255.252.0
 ip helper-address 172.16.1.1
 ip helper-address 172.16.1.2


3 Replies

Giuseppe Larosa
Hall of Fame

Hello @fbabashahi ,

>> but the broadcast also send to other interfaces

To other interfaces in VLAN 1 this is normal, and you don't need to worry about it.

 

Do you mean to interfaces in VLANs different from VLAN 1 and VLAN 161?

If so, you have an issue.

First of all, the ip helper-address converts broadcasts of some protocols into packets with a unicast destination that can be routed. In your case one packet is sent to server1 172.16.1.1 and another copy of the same packet is sent to server2 172.16.1.2.

 

If you see the broadcast DHCP request originated by clients in VLAN 1 received as a broadcast on interfaces belonging to another VLAN X, this means that somewhere VLAN 1 and this other VLAN X are joined, for example by connecting two access ports, one in VLAN 1 and the other in VLAN X, to each other with a LAN cable.

Look in your switches and search in the log messages for CDP messages related to VLAN mismatch or native VLAN mismatch.

 

If you find the unwanted link between VLAN 1 and VLAN X, the suggestion is to shut it down.

 

Finally, if you see the broadcast DHCP request originated by a client in VLAN 1 in all VLANs defined on the switch, I'm afraid that this is more likely a SW bug, as it is not probable that there are jumpers between VLAN 1 and every other VLAN.

 

Hope to help

Giuseppe

 

 

Hi @Giuseppe Larosa, thank you so much. So to other interfaces in VLAN 1 is normal?

Is there any way to prevent it (because if someone runs DHCP the clients will get IPs)?


 

Hello @fbabashahi ,

>> so to other interfaces in VLAN1 is normal ? 

Yes, it is. The DHCP request is generated as a frame with an Ethernet broadcast destination, and for this reason it reaches every port in VLAN 1. The SVI interface vlan1 is just one of these hosts, and it will forward the request to the DHCP servers configured with ip helper-address.

 

>> Is there any way to prevent it (because if someone run DHCP the clients will get IP) ?

Not directly, as a broadcast frame is flooded to all ports in a VLAN (also called a broadcast domain for this reason).

However, enabling a feature like DHCP snooping and setting all access ports as untrusted will prevent rogue, unwanted DHCP servers from disturbing your network.

The answer is to look for DHCP snooping.

Hint: an untrusted port for DHCP snooping will drop messages coming from a DHCP server and allow only messages generated by a client. This is the reason why DHCP snooping can be effective in blocking unwanted DHCP servers.

You need to trust uplink ports if they are L2 trunks, and you need to trust ports to WLC wireless controllers, as the WLC makes some minor change in the DHCP request that is not accepted by DHCP snooping.

 

Hope to help

Giuseppe
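A DHCP snooping baseline for the stacked 3750 described in this thread, added here as an example and not part of the original post. The interface numbers, and which ports are the trunk uplink and the WLC link, are assumptions to be adjusted to the real topology; the relay (interface Vlan1 with its helper addresses) lives on the same stack, so no extra trust is needed for it.

```ios
! Added example (not from the original post): DHCP snooping on the 3750 stack.
! Interface names and the uplink/WLC port positions are assumptions.
!
! 1. Enable snooping globally and for the client and server VLANs.
ip dhcp snooping
ip dhcp snooping vlan 1,161
!
! 2. Client access ports stay untrusted (the default): DHCP server replies
!    (OFFER/ACK) arriving on them are dropped, client messages still pass.
!    The rate limit bounds how many DHCP packets per second one port may send.
interface range GigabitEthernet1/0/1 - 46
 description Clients
 switchport mode access
 switchport access vlan 1
 ip dhcp snooping limit rate 15
!
! 3. Trust only the ports where legitimate server/relay traffic enters:
!    the L2 trunk uplink and the link to the wireless controller.
interface GigabitEthernet1/0/48
 description Uplink trunk (assumed position)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet2/0/48
 description To WLC (assumed position)
 ip dhcp snooping trust
!
! Verify: trusted ports, rate limits and the client bindings learned so far.
! show ip dhcp snooping
! show ip dhcp snooping binding
```

A port that exceeds its rate limit is placed in err-disabled state, so a client port that goes down right after a rogue server starts answering is itself a useful signal to check in the logs.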

 
