Ip helper-address concern..
Hi,
Is it advisable to use two ip helper-address in my network? And if possible, how will I set it up?
Thanks.
John
I will take a different tack in answering your question than Arvind did. I will start by saying that whether it is advisable or not depends on your local situation and what set of requirements you are trying to achieve. Arvind's response is based on the assumption that you are forwarding to 2 DHCP servers (which may or may not be the case). I worked, at one time, with a customer who was very concerned about providing redundancy and eliminating single points of failure. They deployed 2 DHCP servers serving addresses for each subnet in their network. In that situation having 2 helper-address configured is possible AND desirable. (Arvind is correct that there is some additional overhead in having 2 DHCP servers for a subnet - but there is a trade-off of overhead and the advantage of eliminating single points of failure. Where would your organization be in balancing those aspects?)
And there is the situation to consider where the 2 helper-address may not be both for DHCP. Perhaps you have an environment where some devices send requests for TFTP to the local broadcast but the TFTP server is not on the local subnet. In that case you might have a helper-address for the DHCP server and another helper-address for the TFTP server. So you might have this configured:
! helper for the DHCP
ip helper-address 172.16.1.51
! helper for TFTP
ip helper-address 172.16.2.45
So - is it possible to have 2 helper-address configured? Certainly it is. Is it desirable to have 2 helper-address configured? That depends on your local situation.
HTH
Rick
Similar Messages
-
PXE across subnets using IP Helper Address
For 10 years I have been trying to get my network engineers to add an IP Helper address of our SCCM PXE Server in order to provide an Enterprise PXE service for our campus (Large University). And every year they keep telling me they won’t do it due to security concerns. I’m not exactly sure what they mean or what they are afraid of but I am looking for others who have been in this same situation and have been able to accomplish what has been a never ending exercise in futility for me. I am looking for a white paper or a case study that I can use to help build my case and hope that someday I can convince our engineers that the world won't come to an end by adding IP Helper addresses...
"they won’t do it due to security concerns. I’m not exactly sure what they mean or what they are afraid of.."
You need to get to the bottom of their specific concerns....
PXE involves the use of TFTP (to download the NBP + boot.sdi + boot.wim).
TFTP is neither robust/resilient nor particularly secure.
But I'm guessing that the concern must surely be more related to the payload/content (i.e. what is within the boot image itself) that might be the worry?
The boot image (potentially) contains licensed products (not directly a security concern), and certificates, accounts, passwords, scripts ?
If you have the F8 debug feature enabled in your boot image, it could be used to "live boot" a computer, access the filesystem on that computer, and basically provide uncontrolled access to the files/documents/data on that computer (assuming that your computers are not using any form of disk encryption).
For this last reason, F8-debug should not remain enabled for "normal" operation.
In our organisation, we mitigate that risk with disk encryption. We also don't distribute boot media nor full media - PXE is the only way we deploy OS (well, outside of the datacentre, that is).
Our networking team were initially concerned about PXE - but not from the security aspect, more from the capacity/bandwidth perspective. So we worked with them to plan/design/place the boot servers, and the DP's placement.
Don
-
Hi,
I just centralized our dhcp server to HQ server, and zdm pxe boot stopped working.
HQ dhcp server is oes2 sp3 on sles10sp3.
zdm7 is on oes2 sp3 and sles 10 sp3
HQ dhcp is on site A
and zdm imaging server is on site B (WAN)
Where I have configured ip-helper address for dhcp server on the router at site B.
setup before centralized dhcp.
zdm worked as dhcp server and proxydhcp for the site B, where in the novell-proxydhcp.conf was edited to contain LocalDHCPFlag = 1.
Question: Do I also add the ip-helper address of the proxydhcp server (HQ proxydhcp, which is the zdm imaging server for HQ) in the router, or do I configure the router differently?
Hope I get a reply quick.
Pilutak
-
Hi All,
Does ip helper-address work with 2 ip ranges in a VLAN in a catalyst 3750?
ip forward-protocol udp 6112
int vlan 1
ip address 192.168.0.1 255.255.255.0
int vlan 2
ip helper-address 192.168.0.100
ip address 192.168.1.100 255.255.255.0
ip address 192.168.2.100 255.255.255.0 secondary
Normally, you need an "IP-Helper" command in the interface that is away from the resource you are trying to reach.
The broadcast request is received and if there's an IP-Helper established on that interface, the broadcast is passed toward that resource as a unicast ... so that it can pass through any other intermediate routers along the way.
Since you set that interface up as a "secondary," I believe it will work, since that interface is going to receive the broadcast request from either LAN (primary or secondary).
What I'm trying to figure out is why you are multi-netting ... it generally complicates things and is usually only used to accommodate transition from "the old address scheme" to "the new address scheme."
Are you short on ports?
Good Luck
Scott
Are you just short on ports? -
How to see if an ip helper-address is configured on a VLAN
Hi - I'm not exactly new to networking but this question will likely say otherwise :)
I'm trying to figure out the command to show the running-config of a VLAN. The goal is to see if an ip helper-address has been configured on a VLAN.
This is both for a Cisco 6509 and Nexus 5k.
I simply don't know all the commands for VLANs so I can't get this info presented to me.
Thank You in advance
Thanks for the prompt reply! Still no bueno though.
On the 6509 I get the following:
6509#show ip interface vlan xxx
^
% Invalid input detected at '^' marker.
On the Nexus 5K I can't complete the command, stops down at show ip interface with the following listed as ? after interface:
5K# show ip interface ?
<CR>
> Redirect it to a file
>> Redirect it to a file in append mode
A.B.C.D Display interface for local IP address
brief Display summary of IP interface status and configuration
ethernet Ethernet IEEE 802.3z
loopback Loopback interface
mgmt Management interface
operational Display only interfaces that are administratively enabled
port-channel Port Channel interface
vrf Display per-VRF information
| Pipe command output to filter -
Ship to party search help address not display
Hi,
Using 'Edit internal address' we added one plant address, and the address no. was also generated. The plant has several addresses.
But when we create a shopping cart and try to select the ship-to address from the search help, the address is not displayed in the list.
We even tried adding this address in the attributes as the delivery address, but the address is still not displayed in the ship-to party search help.
If anyone has faced this problem, let us know how to proceed.
Thanks in advance,
prasad.
It is strange.
Whatever you have defaulted as the ship-to address has to come.
Did you maintain it at position level and make sure that you have really inherited it?
FM bbp_read_attributes
Execute it for your user and make sure that you have inherited the ship-to address.
When you created the ship-to address, did you check this box: Ship-to Address in Use Address as:
muthu -
Hi Everyone,
WLC has IP 10.10.10.5
AP has IP 10.10.10.6
AP is connected to switch which has say vlan 10 IP 192.168.50.2
AP manager interface has IP 192.168.50.1
User is getting IP from ASA which has pool in subnet 192.168.50.x
Do I need to config the ip helper command under the switch vlan 10?
Regards
Mahesh
But WLC has interface called Wireless_visitor that has IP in the subnet 192.168.50.x.
We want wireless user to have 192.168.50.x.
Interface Wireless_visitor is dynamic interface with IP 192.168.50.1.
Switch has vlan that also has IP in subnet 192.168.50.x.
Uhhhh ... Your Wireless_Visitor dynamic interface has the same IP address subnet as your switch? I don't think this is going to work well. Your switch, ideally, should have the same management IP address as the WLC management IP address.
Your Dynamic Interface should have an IP Helper address in the configuration. -
Helper Address on a ONLY Layer 2 aware Switch
Hi,
Been scratching my head for a while now. I don't know why a switch even has the "ip helper-address" command. Doesn't it need routing to accomplish this kind of a task?
I have a switch with 2 SVI's, fair enough, one for Vlan 10 and the other for Vlan 20,
Vlan 10 = 192.168.10.0/24
Vlan 20 = 192.168.20.0/24
I have a DHCP server on vlan 10, with the IP address 192.168.10.1. Now it has scopes for vlan 20 as well. I go into vlan 20 and do this:
# interface vlan 20
# ip address 192.168.20.1 255.255.255.0
# ip helper-address 192.168.10.1
Now this should work, right? But it doesn't! (I've seen in Wireshark that it doesn't even forward the DISCOVER message on to SVI 10's Vlan 10 ports.) But it does work when we configure a DEFAULT GATEWAY for the switch and the DHCP server is in a REMOTE location where the switch does not have an interface directly connected! What is this? It's like blowing my mind! Please elaborate.
If this is a Layer 2 only switch then I cannot see how a helper address would work.
The SVI's you have created are going to be for management, they cannot be the Default Gateways of the Vlans IF the switch is Layer 2 only.
When your clients send out a DHCPDISCOVER message, that frame will hit the SVI address because it's a 'host' on that same vlan that the client is on.
If this were a Layer 3 SVI (i.e. on a Layer 3 switch) then it would forward that frame to the helper address configured. In order for the Layer 3 switch to forward the frame, it needs to do a lookup in its routing table for the destination subnet.
This is a layer 2 switch, it has no routing table so will be unable to forward the DHCPDISCOVER message to the helper address.
See here (Peters post) for an explanation of why the Layer 2 switch can act as a DHCP relay if the DHCP server is on a remote subnet:
https://supportforums.cisco.com/discussion/11385901/does-ip-helper-address-work-layer-2-switch-2950 -
Ip helper-address with two dhcp server
I have two dhcp servers running on vlan1, which are serving our workstations on vlan2. 10.10.10.51 is our primary and 10.10.10.52 is our secondary server.
My question is:
- Which server would my workstation get the dhcp from?
- If the primary server is down, could I reach the second dhcp server? And if the primary server comes back online, which server would be serving our dhcp client?
interface Vlan1
ip address 10.10.10.1 255.255.255.0
no ip redirects
ip directed-broadcast
interface Vlan2
ip address 10.10.20.1 255.255.255.0
ip helper-address 10.10.10.51
ip helper-address 10.10.10.52
no ip redirects
ip directed-broadcast
Hi,
I don't agree.
AFAIK, using two ip helper-address entries in a router config will cause the dhcp request to be sent to BOTH dhcp servers.
So both the primary and secondary dhcp server will send a dhcp offer to the workstation. The workstation will choose one of the offers and confirm it to the server.
So the ip helper-address command will not help you to choose whether a dhcp server is primary or secondary.
You can either use different dynamic address pools on the primary and secondary dhcp server (and the same static entries) or arrange some kind of dhcp server failover:
See
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_DHCP_imp_ClusteringSupport.htm
There is also RFC 2131 describing DHCP Failover Protocol.
Regards,
Milan -
I have learned that by default the ip helper-address will forward the following 8 udp ports:
UDP Port   Common Name
69         TFTP
67         BOOTP Client
68         BOOTP Server
37         Time Protocol
49         TACACS
53         DNS
137        NetBios
138        NetBios Datagram
But when I check in cisco SG300-28, only port 37, 42, 49, 53, 137 and 138 are in the forwarded list. Does it mean we cannot use ip helper-address to relay DHCP request? Please advise
Hi Blue, you cannot. The DHCP relay function is designed for that. Therefore it is reserved for that function of the switch.
-Tom
-
Best Practice for ip helper-address
I have 2 dhcp servers on same subnet 192.168.1.0
I'm trying to setup my SVI
Gateway 192.168.6.1
How should the ip helper-address be setup?
ip helper-address 192.168.1.0
or
ip helper-address 192.168.1.1 <- dhcp 1
ip helper-address 192.168.1.2 <- dhcp 2
2 Dhcp servers setup each to handle half the scope of a given subnet.
Sparky
Generally I believe that the best practice for this is to use two helper address statements. This will send two unicast packets, one to each server. The other alternative is to send a directed broadcast (which would actually be ip helper-address 192.168.1.255). To do this you would also have to be sure that ip directed-broadcast was enabled on the router interface connecting to the 192.168.1.0 subnet. Many people regard ip directed-broadcast as a security vulnerability and do not want it enabled. If your environment is comfortable with enabling this function then both alternatives would work. The advantage of the directed broadcast is that it transmits one packet rather than transmitting two packets. If it were me I would use two helper address statements.
HTH
Rick -
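Added example (not from any of the posts above): a Python audit of a saved running-config that lists the `ip helper-address` targets per interface and flags the directed-broadcast alternative discussed in the reply above, where a helper points at a subnet broadcast and depends on `ip directed-broadcast`. The config text is constructed, the function names are illustrative, and only plain `ip helper-address <address>` lines are parsed (no `vrf` or `global` forms).

```python
import ipaddress
import re

# Constructed sample in IOS running-config style; addresses are illustrative.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ip directed-broadcast
!
interface Vlan6
 ip address 192.168.6.1 255.255.255.0
 ip helper-address 192.168.1.1
 ip helper-address 192.168.1.2
!
interface Vlan7
 ip address 192.168.7.1 255.255.255.0
 ip address 192.168.9.1 255.255.255.0 secondary
 ip helper-address 192.168.1.255
"""

def parse_interfaces(config):
    """Map interface name -> connected networks, helper targets, directed-broadcast flag."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], {
                "networks": [], "helpers": [], "directed_broadcast": False})
        elif current is None or not raw.startswith(" "):
            current = None  # "!" or a global command ends the interface block
        elif m := re.fullmatch(r"ip address (\S+) (\S+)( secondary)?", line):
            current["networks"].append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
        elif m := re.fullmatch(r"ip helper-address (\S+)", line):
            current["helpers"].append(ipaddress.ip_address(m[1]))
        elif line.startswith("ip directed-broadcast"):
            current["directed_broadcast"] = True
    return interfaces

def audit(config):
    """Return (interface, finding) pairs for directed-broadcast exposure."""
    interfaces = parse_interfaces(config)
    findings = []
    for name, info in interfaces.items():
        if info["directed_broadcast"]:
            findings.append((name, "ip directed-broadcast is enabled"))
        for helper in info["helpers"]:
            for egress, other in interfaces.items():
                for net in other["networks"]:
                    # /31 and /32 have no usable broadcast address, so skip them
                    if net.prefixlen < 31 and helper == net.broadcast_address:
                        state = "enabled" if other["directed_broadcast"] else "disabled"
                        findings.append((name, f"helper {helper} is the broadcast of "
                                         f"{net} on {egress}; directed-broadcast {state}"))
    return findings

if __name__ == "__main__":
    for name, info in parse_interfaces(SAMPLE_CONFIG).items():
        print(name, "helpers:", [str(h) for h in info["helpers"]])
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

A helper that targets a subnet broadcast while the egress interface reports directed-broadcast as disabled is a relay path that will not deliver, which is worth catching before clients start failing to get leases.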
Hi
Everyone I have a doubt about the configuration for the helper address on ASR9000, mainly I try to configure the helper address in this way:
configure
interface type number
ipv4 helper-address vrf vrf_name address
However it doesn't work.
What is the correct way to apply a helper address on my ASR9000 ???
Regards !!!!
Hi,
Correct configuration is:
dhcp ipv4
 profile DHCP-HELP relay
  helper-address vrf <VRF> <IP address>
 interface <interface> relay profile DHCP-HELP
Florian -
Need a bit of guidance with ip helper-address on a L3 switch
Hi All,
Happy New Year!
Could someone be kind enough to have a look at a PT file for me and tell me where I am going wrong, please?
It's a practice one for a college assignment I am working on, for which I have to submit an original network, and then suggest some possible improvements. My first PT file consists of 3 LANs, all using L2 switches configured with VLANs and routing on a stick, with ip helper-address pointing to a DHCP server on one of the LANs. That all works fine.
Now I am trying to create a test network that uses a L3 switch that has VLANs. I want the end user devices to obtain addressing from a DHCP server on a separate network. I have configured the VLANs, given them IP addresses, entered the ip helper-address, the link between the switch and router has had the "no switchport" command executed on the switch, I have given the connected port on the switch a relevant IP address to the router interface it is connected to, and both router and switch have OSPF configured with network statements, but DHCP requests are failing.
In simulation mode the packets are reaching the DHCP server but are not returning, and I'm a little confused as to what I have done wrong.
Attached is the PT file, please bear in mind this is just a test PT file that I have been practicing with before creating the final PT file for submission.
Any advice would be greatly appreciated.
Kind regards
Jon
Hello Haihua,
Thank you very much for that, I do feel a little stupid now..., I completely forgot about the DG on the server.
Thanks again.
Jon -
PXE Boot/Ip helper address for staging OS-es
Hi,
In our production environment there is already a PXE-server SCCM 2007. Now, we're setting up an SCCM 2012-server which we would like to test staging/OS-deployment also.
Is it safe to say we need to add the ip of the SCCM 2012 "066 Boot Server Host Name" to stage. Note: on switches (Cisco) this is ip helper address, correct?
Please clarify.
NOTE: is there an option to make it work WITHOUT needing a new VLAN?
J.
Jan Hoedt
DHCP options and IP helper addresses have the same end goal but are completely different things.
IP Helpers automatically forward broadcast requests to a destination system thus "bridging" subnets for services like DHCP and PXE.
DHCP scope options directly instruct the NIC to boot from a specific PXE server.
So, yes, it is possible to manipulate where a client PXE boots from, but it takes an integral understanding of how PXE works, of how IP Helpers work, and of how NICs initiate a PXE boot when either IP Helpers or DHCP scope options are in place (and thus DHCP also). Because *none* of this really has anything to do with ConfigMgr or even Microsoft itself, there really is no Microsoft guidance except that IP Helpers are preferred and are the Microsoft supported solution. A great starting reference is at http://en.wikipedia.org/wiki/Preboot_Execution_Environment
Jason | http://blog.configmgrftw.com
Is there any official Microsoft documentation that outlines why IP Helpers are preferred over scope options? -
CCP doesn't show ip helper-address
I am running CCP 2.1 on both a Vista and Server 2008 machine. I am connected to an 1841 router. If I telnet into router, and show run, it says I have an ip helper-address. If I open CCP and view that same interface, it doesn't show an ip helper-address. If I then click OK, it wants to send a command to the router to remove the ip helper-address. Any ideas would be appreciated.
Hi Joe,
Please pickup the latest CCP version (v2.5 posted on 29th June 2011). Let me know if the problem is resolved. CCP supports configuration of single helper address. If multiple addresses are configured, then they are read in, but shall not be editable.
Thanks,
Chaitra