ip helper-address <DHCP IP Address>

sriram_pp
Level 1

Hi, I am planning to restructure my network. We have approximately 2000 PCs and 100 servers. All are in a Class B network. We now plan to segment the network. As per the plan, the servers will have one subnet and the desktops will be spread across 40 subnets. We are using 6509 & 6009 L3 switches for the server segment and, for the desktops, CAT 4006-17 Nos, CAT4003-5 Nos, CAT5505-1 No, CAT-2950-3 Nos & CAT-2910-2 Nos.

Using a single DHCP server (without a DHCP relay agent), we plan to use IP HELPER-ADDRESS <DHCP IP address> on the L3 switch for all the VLANs. Please advise: will this command handle it without any problem?

Or please suggest the best way to do the network segmentation more securely.

Regds/Sri

5 Replies

ralfvd
Level 1

As far as DHCP is concerned, this should be enough. But beware, there may be other applications relying on certain subnets or netmasks.

Hi, let me know in detail. I don't have any experience in this area. I am looking for a network segmentation article (precautionary steps before and after network segmentation). If you have anything, please let me know.

Regds/Sriram

Hi,

On all the VLAN interfaces where the DHCP server doesn't reside you must configure

interface Vlan
 description Client VLAN
 ip helper-address

When a client now sends a DHCP request, the router forwards this request to the ip helper-address.

Because the router also puts in its own interface IP address as source IP, the packet finds its way back.

DHCP uses UDP ports 67 and 68. With the command ip helper-address, there are also some other ports which are opened for UDP. To close these ports you configure (global command)

no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs

On your DHCP server you have to configure a scope for each IP subnet.

If your DHCP server is located in the server VLAN, do NOT configure a helper-address there.

For the migration I would suggest using two different IP subnets. Imagine all your clients are now in VLAN2 10.2.0.0/16. If you have this IP subnet on your router you can't add a new VLAN with 10.2.1.0/24, because this overlaps.

So make the new VLANs with 10.3.1.0/24, 10.3.2.0/24, ... and move the clients to the new VLANs by changing the VLAN of the port where the PC is connected. When you then reboot the PC it should get a new IP from the DHCP server and everything should be fine.

Bye

Jo
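An added example, not part of the original thread: a small Python audit of a router config for the three points in the reply above (a relay on every client VLAN, no helper on the VLAN that holds the DHCP server, and the extra forwarded UDP broadcasts closed). The function name, the sample config and its VLAN numbers and addresses are constructed for illustration.

```python
import ipaddress
import re

# UDP services the reply above lists as forwarded alongside DHCP once a helper is set.
DEFAULT_FORWARDED = {"tftp", "nameserver", "domain", "time",
                     "netbios-ns", "netbios-dgm", "tacacs"}

# Constructed sample running-config (VLAN numbers and addresses are made up).
SAMPLE = """\
interface Vlan10
 description Server VLAN
 ip address 10.3.0.1 255.255.255.0
 ip helper-address 10.3.0.10
!
interface Vlan31
 description Client VLAN
 ip address 10.3.1.1 255.255.255.0
 ip helper-address 10.3.0.10
!
interface Vlan32
 description Client VLAN
 ip address 10.3.2.1 255.255.255.0
!
no ip forward-protocol udp tftp
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
"""

def audit_helpers(config):
    """Report relay coverage and which extra UDP broadcasts are still forwarded."""
    nets, helpers, disabled, iface = {}, {}, set(), None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"no ip forward-protocol udp (\S+)", line):
            disabled.add(m.group(1))
        elif not line.startswith(" "):
            iface = None  # "!" or any other global line ends the interface block
        elif iface and (m := re.match(r" +ip address (\S+) (\S+)$", line)):
            nets[iface] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif iface and (m := re.match(r" +ip helper-address (\S+)$", line)):
            helpers.setdefault(iface, []).append(ipaddress.ip_address(m[1]))
    servers = {h for hs in helpers.values() for h in hs}
    # Interfaces whose own subnet contains a helper target, i.e. the server VLAN.
    local = {i for i, n in nets.items() if any(s in n for s in servers)}
    return {
        "helper_on_server_vlan": sorted(i for i in helpers if i in local),
        "missing_helper": sorted(i for i in nets if i not in helpers and i not in local),
        "still_forwarded": sorted(DEFAULT_FORWARDED - disabled) if helpers else [],
    }
```

Run against a saved copy of the running-config; any name left in `still_forwarded` is a broadcast service the helper address is still relaying to the DHCP server.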

ricky.morgan
Level 1

One other issue you will see is that you will have to set all your user ports on your switches to run portfast. If you don't, you will find that sometimes the station will get an IP number and sometimes it will not. When we set portfast on all our switch ports with users, the problem goes away. Hope this will help. And the ip-helper command works fine. I have about 40 networks running on a 6509 and one DHCP server and it works great.

Sorry for the noob question here, but could someone post the exact command. I have been trying to get this to work with a 1722 but have had no luck. Also do you have to type something other than config t to access this command? And do you have to write mem to save the changes?