In L3 routed networks, it’s very common to see the command ip helper-address x.x.x.x on the configuration of the SVI interfaces. In the 99% of the cases the command is in place only to allow equipment sitting in some VLAN to obtain IP address from a DHCP server sitting on a completely different VLAN.

As all know, DHCP request packets are sent in broadcast, so as a router/l3 device will drop broadcasts by default and we need broadcast traffic going back and forward through the network for DHCP services to work.

Point is that command ip helper-address behavior is to forward more protocols not only DHCP. By default this command will allow the following protocols through the router:

  • Port 37 - Time
  • Port 49 - TACACS
  • Port 53 - DNS
  • Port 67 - BOOTP/DHCP Server
  • Port 68 - BOOTP/DHCP Client
  • Port 69 - TFTP
  • Port 137 - NetBIOS Name Service
  • Port 138 - NetBIOS Datagram Service

So we need to be so careful because maybe we are allowing to go through something more that desired traffic.

By the way, recall that we can still allow more protocols with the help of the ip forward-protocol command:

R1(config)# ip forward-protocol ?
nd Sun's Network Disk protocol
sdns Network Security Protocol
spanning-tree Use transparent bridging to flood UDP broadcasts
turbo-flood Fast flooding of UDP broadcasts
udp Packets to a specific UDP port