07-23-2009 10:06 AM - edited 03-06-2019 06:55 AM
I have a router that I have added IP helper addresses to for DHCP use. It is up and working, but I ran into a snag in the process that I have yet to figure out. Originally I had planned on adding the helper addresses to the existing 172.16.21.1/24 range (gig 0/1.2) and segmenting the DHCP scope to retain some static IPs that were still in the range. For a reason I have yet to identify, with the helper addresses applied to gig 0/1.2 the router would not pass DHCP requests upstream through the tunnel. I then added the range 172.16.27.1/24 (gig 0/1.4) to the router, added permits to the PIX as needed, and configured IP helper addresses pointing to our DHCP servers, and it worked.
The tunnel terminates into a Cisco PIX firewall.
Any ideas as to why DHCP requests would not be passed on gig 0/1.2?
The config below is from the live running config. It doesn't show it now, but I did have the helper addresses on gig 0/1.2 prior to creation of gig 0/1.4.
Are there any common causes that would prevent IP helper addresses from working?
ip subnet-zero
!
ip cef
!
crypto keyring AAAA vrf dn
 local-address GigabitEthernet0/0
 pre-shared-key address XXXXXXXXXX key XXXXXXXXX
 pre-shared-key hostname XXXXXXXXXXX key XXXXXXXXXX
!
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp profile AAAA
 vrf dn
 keyring AAAA
 self-identity address
 match identity host XXXXXXXX dn
 match identity address 204.61.1.36 255.255.255.255 dn
!
!
crypto ipsec transform-set AAAA esp-3des esp-md5-hmac
!
crypto map AAAA-map 10 ipsec-isakmp
 set peer 204.61.1.36
 set transform-set AAAA
 set isakmp-profile AAAA
 match address 120
!
interface Tunnel0
 ip address 10.13.2.1 255.255.0.0
 no ip redirects
 ip nhrp map 10.13.0.1 164.58.245.58
 ip nhrp map multicast 164.58.245.58
 ip nhrp network-id 507813
 ip nhrp holdtime 300
 ip nhrp nhs 10.13.0.1
 no ip route-cache cef
 no ip split-horizon eigrp 13
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key XXXXXXXXXX
 tunnel vrf dn
!
interface Loopback0
 ip address 10.14.2.1 255.255.255.255
 h323-gateway voip bind srcaddr 10.14.2.1
!
interface GigabitEthernet0/0
 ip vrf forwarding dn
 ip address NNN.NNN.NNN.NNN 255.255.255.252
 no ip redirects
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 crypto map AAAA-map
!
interface GigabitEthernet0/1
 description Internal LAN
 no ip address
 no ip redirects
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1.2
 description Data Network
 encapsulation dot1Q 2
 ip vrf forwarding dn
 ip address 172.16.21.1 255.255.255.0
 no snmp trap link-status
!
interface GigabitEthernet0/1.3
 description IP Phones
 encapsulation dot1Q 3
 ip address 10.80.2.1 255.255.255.0
 no snmp trap link-status
!
interface GigabitEthernet0/1.4
 description Data Network for DHCP
 encapsulation dot1Q 27
 ip vrf forwarding dn
 ip address 172.16.27.1 255.255.255.0
 ip helper-address 10.100.0.10
 ip helper-address 10.100.0.11
 ip helper-address 10.100.0.12
 no snmp trap link-status
!
router eigrp 13
 network 10.13.0.0 0.0.255.255
 network 10.14.2.1 0.0.0.0
 network 10.80.2.0 0.0.0.255
 no auto-summary
 neighbor 10.13.0.1 Tunnel0
!
ip classless
ip route vrf dn 0.0.0.0 0.0.0.0 NNN.NNN.NNN.NNN
!
ip nat inside source list 2 interface GigabitEthernet0/0 vrf dn overload
!
access-list 120 permit ip 172.16.21.0 0.0.0.255 any
access-list 120 permit ip 172.16.27.0 0.0.0.255 any
07-26-2009 01:12 PM
Hi,
Looks weird indeed. What you could try is to reapply the helper-address on Gi0/1.2, generate a DHCP request on both VLANs and trace the packets generated by the router. A debug ip packets detailed associated with an ACL could help.
You can also try to catch the packets behind the FW, closer to the DHCP server.
HTH
Laurent.
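The trace suggested in the reply above could be set up as follows. This is an added example, not part of the original posts; ACL number 199 is an assumption (any unused extended ACL number works), and the interface and helper addresses are taken from the posted config.

```ios
! --- Configuration mode: ACL that matches only DHCP/BOOTP traffic, so the
! --- debug output (and CPU load) is limited to the packets of interest.
! --- ACL 199 is an assumed free number, not from the original config.
configure terminal
 access-list 199 permit udp any any eq bootps
 access-list 199 permit udp any any eq bootpc
!
! --- Re-apply the helpers on the sub-interface that failed (values from the post).
 interface GigabitEthernet0/1.2
  ip helper-address 10.100.0.10
  ip helper-address 10.100.0.11
  ip helper-address 10.100.0.12
 end
!
! --- Exec mode: confirm the helpers are active on the interface.
show ip interface GigabitEthernet0/1.2
!
! --- Show debug output on a VTY session, then trace packets matching ACL 199.
terminal monitor
debug ip packet 199 detail
!
! --- Generate a DHCP request from a client on VLAN 2 and on VLAN 27, compare
! --- the two traces (source address, outgoing interface, any "unroutable" or
! --- "encapsulation failed" result), then switch debugging off again.
undebug all
```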
07-26-2009 02:13 PM
Does the DHCP server have a route back to the client network?