IP helper with ACL on SVI
Just another short post about IP helpers:
It took me last week a few minutes to figure out why my new configured IP helpers were not working.
The starting config was like:
interface Vlan6 description Voice VLAN ip address 192.168.1.251 255.255.255.0 ip access-group Voice in ip helper-address 192.168.15.1 ip helper-address 192.168.15.3 no ip redirects no ip unreachables standby 6 ip 192.168.1.254 standby 6 timers 1 2 standby 6 priority 110 standby 6 preempt
ip access-list extended Voice permit ip host 192.168.1.9 192.168.254.0 0.0.0.255 permit ip host 192.168.1.2 192.168.254.0 0.0.0.255 permit ip 192.168.1.0 0.0.0.255 192.168.15.0 0.0.0.255 permit ip any host 220.127.116.11
At this point, clients in Vlan 6 are not receiving a IP address from the DHCP server.
As we all know, a DHCP request starts with a broadcast on IP 255.255.255.255. These packets are being blocked by the incoming ACL at this moment! You can check this with debugging the ACL. The problem is clear: we have to edit the ACL.
Adding the following ACL rule, will allow these DHCP request packets to get to the IP helper address:
permit udp any host 255.255.255.255 eq bootps
Problem solved 🙂