Cisco IOS: IP Helper Address Command

Original link: http://www.ciscopress.com/articles/article.asp?p=330807&seqNum=9

Helper Addresses

This section describes how networks and routers use helper addresses to forward broadcasts to another server or router on another network, along with some of the purposes of helper addresses and the scenarios in which to use them.

Using Helper Addresses

DHCP is not the only critical service that uses broadcasts. Cisco routers and other devices might use broadcasts to locate TFTP servers. Some clients might need to broadcast to locate a TACACS security server. In a complex hierarchical network, clients might not reside on the same subnet as key servers. Such remote clients broadcast to locate these servers, but routers, by default, do not forward client broadcasts beyond their subnet. Some clients are unable to make a connection without services such as DHCP. For this reason, the administrator must provide DHCP and DNS servers on all subnets or use the Cisco IOS software helper address feature. Running services such as DHCP or DNS on several computers creates overhead and administrative problems, so the first option is not very appealing. When possible, administrators use the ip helper-address command to relay broadcast requests for these key User Datagram Protocol (UDP) services.

By using the ip helper-address command, a router can be configured to accept a broadcast request for a UDP service and then forward it as a unicast to a specific IP address, as shown in Figure 2-21. Alternatively, the router can forward these requests as directed broadcasts to a specific network or subnetwork.

Figure 2-21 Helper Addresses

Configuring IP Helper Addresses

To configure the helper address, identify the router interface that will receive the broadcasts for UDP services. In interface configuration mode, use the ip helper-address command to define the address to which UDP broadcasts for services should be forwarded.

By default, the ip helper-address command forwards the eight UDP services listed in Table 2-10.

Table 2-10 Default Forward UDP Services

Service                     Port
Time                        37
TACACS                      49
DNS                         53
BOOTP/DHCP Server           67
BOOTP/DHCP Client           68
TFTP                        69
NetBIOS name service        137
NetBIOS datagram service    138

What if Company XYZ needs to forward requests for a service not on this list? The Cisco IOS software provides the global configuration command ip forward-protocol to allow an administrator to forward any UDP port in addition to the default eight. To forward UDP on port 517, use the global configuration command ip forward-protocol udp 517. This command is used not only to add a UDP port to the default eight, but also to subtract an unwanted service from the default group. When forwarding DHCP, TFTP, and DNS without forwarding Time, TACACS, and NetBIOS, the Cisco IOS software requires that the router be configured according to the syntax shown in Example 2-5.

Example 2-5 Forwarding UDP Services

RTA(config-if)#ip helper-address 192.168.1.254
RTA(config-if)#exit
RTA(config)#ip forward-protocol udp 517
RTA(config)#no ip forward-protocol udp 37
RTA(config)#no ip forward-protocol udp 49
RTA(config)#no ip forward-protocol udp 137
RTA(config)#no ip forward-protocol udp 138

IP Helper Address Example

Consider the complex sample helper address configuration shown in Figure 2-22. You want Host A to automatically obtain its IP configuration from the DHCP server at 172.24.1.9. Because RTA will not forward the Host A DHCPDISCOVER broadcast, RTA must be configured to help Host A.

Figure 2-22 IP Helper Address Example

To configure RTA e0, the interface that receives the Host A broadcasts, to relay DHCP broadcasts as a unicast to the DHCP server, use the following commands:

RTA(config)#interface e0
RTA(config-if)#ip helper-address 172.24.1.9

With this simple configuration, Host A broadcasts that use any of the eight default UDP ports are relayed to the DHCP server’s IP address. However, what if Host A also needs to use the services of the NetBIOS server at 172.24.1.5? As configured, RTA forwards NetBIOS broadcasts from Host A to the DHCP server. Moreover, if Host A sends a broadcast TFTP packet, RTA also forwards this to the DHCP server at 172.24.1.9. What is needed in this example is a helper address configuration that relays broadcasts to all servers on the segment. The following commands configure a directed broadcast to the IP subnet that is being used as a server farm:

RTA(config)#interface e0
RTA(config-if)#ip helper-address 172.24.1.255

Configuring a directed broadcast to the server segment, 172.24.1.255, is more efficient than entering the IP address of every server that could potentially respond to the Host A UDP broadcasts.

Finally, some devices on the Host A segment need to broadcast to the TACACS server, which does not reside in the server farm. To make this work, add the command ip helper-address 172.16.1.2 to the RTA e0 configuration.

Verify the correct helper configuration with the show ip interface command, as shown in Example 2-6.

Example 2-6 Verifying IP Helper Address Configuration

RTA#show ip interface e0
Ethernet0 is up, line protocol is up
  Internet address is 10.1.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper addresses are 172.24.1.255
             172.16.1.2
  Directed broadcast forwarding is disabled
  <output omitted>

Notice that the RTA interface e3 in Example 2-7, which connects to the server farm, is not configured with helper addresses. However, the output shows that for this interface, directed broadcast forwarding is disabled. This means that the router does not convert the logical broadcast 172.24.1.255 into a physical broadcast with a Layer 2 address of FF-FF-FF-FF-FF-FF.

Example 2-7 Verifying Directed Broadcast Forwarding

RTA#show ip interface e3
Ethernet3 is up, line protocol is up
  Internet address is 172.24.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper addresses is not set
  Directed broadcast forwarding is disabled
  <output omitted>

To allow all the nodes in the server farm to receive the broadcasts at Layer 2, configure e3 to forward directed broadcasts with the following commands:

RTA(config)#interface e3
RTA(config-if)#ip directed-broadcast
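
The following Python script is an added example, not part of the original article. It audits a router configuration for the two settings this section changes: the effective set of relayed UDP ports after the ip forward-protocol commands, and whether each helper address that targets a connected subnet's broadcast address has ip directed-broadcast on the outgoing interface. The function name audit, the SAMPLE_CONFIG text, and the assumed running-config layout (interface blocks with "ip address <addr> <mask>" lines) are constructed for illustration.

```python
import ipaddress
import re

# The eight UDP ports relayed by default with ip helper-address (Table 2-10).
DEFAULT_PORTS = {37, 49, 53, 67, 68, 69, 137, 138}

# Constructed sample: RTA's commands gathered into one config (port 49 kept for TACACS).
SAMPLE_CONFIG = """\
ip forward-protocol udp 517
no ip forward-protocol udp 37
no ip forward-protocol udp 137
no ip forward-protocol udp 138
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip helper-address 172.24.1.255
 ip helper-address 172.16.1.2
interface Ethernet3
 ip address 172.24.1.1 255.255.255.0
 ip directed-broadcast
"""

def audit(config):
    """Return (relayed UDP ports, [(in_if, helper, out_if, directed_enabled)])."""
    ports, ifaces, cur = set(DEFAULT_PORTS), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"(no )?ip forward-protocol udp (\d+)", line):
            (ports.discard if m[1] else ports.add)(int(m[2]))
        elif line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1],
                                    {"net": None, "helpers": [], "directed": False})
        elif cur is None:
            continue
        elif m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.fullmatch(r"ip helper-address (\S+)", line):
            cur["helpers"].append(ipaddress.ip_address(m[1]))
        elif line == "ip directed-broadcast":
            cur["directed"] = True
    # A helper equal to a connected subnet's broadcast address reaches the hosts
    # there only if that outgoing interface has ip directed-broadcast.
    findings = [(name, str(h), out_name, out["directed"])
                for name, ifc in ifaces.items() for h in ifc["helpers"]
                for out_name, out in ifaces.items()
                if out["net"] and h == out["net"].broadcast_address]
    return sorted(ports), findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Because directed broadcast forwarding is disabled by default, as the show ip interface output above reports, a finding whose last field is False marks a helper whose relayed packets will not reach the server farm at Layer 2.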

Lab 2.10.3 Using DHCP and IP Helper Addresses

In this lab, configure a Cisco router to act as a DHCP server for clients on two separate subnets, and use the IP helper address feature to forward DHCP requests from a remote subnet.