Why this step exists
Right now:
- DHCP server = HO-R1
- Clients = directly connected via ROAS
- DHCP works without relay
But this is NOT how real networks usually work.
CCNA expects you to understand why DHCP breaks and how ip helper-address fixes it.
🧠 The CORE problem (must understand)
DHCP is a broadcast
- DHCP Discover = broadcast
- Routers DO NOT forward broadcasts by default
So:
A DHCP server on another router will NOT work unless we relay the request.
🔹 Real-world scenario (CCNA favourite)
Imagine later we move DHCP to:
- A server VLAN
- Or a data centre
- Or another router
Clients will then fail to get IPs unless we configure DHCP relay.
That relay is:
ip helper-address
🔹 What ip helper-address actually does
On a router interface:
- Listens for broadcasts (DHCP, DNS, etc.)
- Converts them to unicast
- Forwards them to the DHCP server
🔑 CCNA GOLD RULE (remember this)
ip helper-address is configured on the client-facing interface, not on the server.
🔹 STEP 29.1 — Simulate a real network (IMPORTANT)
We will pretend DHCP is on another device.
We already have:
- VLAN gateways on HO-R1
So we add helper-address to the subinterfaces
(even though DHCP is local — this is for learning).
🔹 STEP 29.2 — Configure helper-address (learning config)
On HO-R1:
VLAN 10
interface gigabitEthernet0/0.10
ip helper-address 10.10.10.1
VLAN 20
interface gigabitEthernet0/0.20
ip helper-address 10.10.20.1
VLAN 30
interface gigabitEthernet0/0.30
ip helper-address 10.10.30.1
⚠️ In real life, these IPs would be the DHCP server’s IP, not the gateway.
🔹 STEP 29.3 — Verify conceptually (no need to test now)
Key things you must know for CCNA:
- Why DHCP needs relay
- Where helper-address goes
- What problem it solves
🧠 Exam-style explanation (very important)
If you see this in CCNA:
“PCs in VLAN 10 cannot get IP addresses from a DHCP server in another network.”
Correct answer:
➡ Configure ip helper-address on the VLAN 10 gateway interface.
🚫 Common CCNA traps
❌ Putting helper-address on the DHCP server
❌ Putting it on the switch
❌ Thinking DHCP crosses routers automatically
One sentence to lock it in
DHCP broadcasts don’t cross routers, so ip helper-address converts them to unicast.
✅ Where we are now in CCNA coverage
Covered:
- VLANs
- Trunks
- ROAS
- DHCP
- DHCP relay
Next high-value CCNA topic:
STEP 29 — Standard ACLs (CCNA Core Topic)
We’ll do this cleanly, slowly, and correctly.
🔹 What a Standard ACL does (very important)
A standard ACL:
- Filters traffic ONLY by SOURCE IP
- Cannot check destination, protocol, or port
- Is simple but limited
📌 CCNA rule:
Standard ACLs are placed CLOSE TO THE DESTINATION.
🔹 Our first ACL goal (simple + realistic)
Scenario
We want:
- ❌ VLAN 10 (Users) to access VLAN 20 (Servers)
- ✅ VLAN 10 to access everything else
This is a classic CCNA exam scenario.
🔹 Network recap (so you don’t guess)
| VLAN | Subnet |
|---|---|
| VLAN 10 (Users) | 10.10.10.0 /24 |
| VLAN 20 (Servers) | 10.10.20.0 /24 |
| VLAN 30 (Wi-Fi) | 10.10.30.0 /24 |
🔹 Where should the ACL go? (KEY THINKING)
- We are blocking access TO servers
- So we place the ACL:
➡ On the VLAN 20 gateway
➡ Outbound direction
Why?
- Traffic from VLAN 10 is checked as the router sends it out of the VLAN 20 subinterface, before entering VLAN 20
- An inbound ACL on that subinterface would only see traffic coming FROM VLAN 20, so the deny for 10.10.10.0 would never match
✅ STEP 29.1 — Create the Standard ACL
On HO-R1:
enable
configure terminal
access-list 10 deny 10.10.10.0 0.0.0.255
access-list 10 permit any
🔎 Meaning:
- Deny traffic from VLAN 10
- Permit everyone else (VERY IMPORTANT)
🚨 CCNA TRAP (remember this)
ACLs have an implicit deny at the end.
If you forget permit any → everything breaks.
✅ STEP 29.2 — Apply the ACL (CORRECT PLACE)
Apply it OUTBOUND on VLAN 20 subinterface:
interface gigabitEthernet0/0.20
ip access-group 10 out
end
write memory
🔹 STEP 29.3 — Test (THIS IS IMPORTANT)
From VLAN 10 PC:
ping 10.10.20.10 ❌ should FAIL
From VLAN 10 PC:
ping 10.10.30.10 ✅ should WORK
From VLAN 30:
ping 10.10.20.10 ✅ should WORK
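How the ACL 10 lines from STEP 29.1 are matched against a packet's source address, as an added Python example (not part of the original lab and not Cisco's code). It models only the source-address decision: wildcard matching, first match wins, implicit deny. The function names, the NO_PERMIT and WRONG_ORDER variants and the sample source addresses are constructed for illustration.

```python
import ipaddress

def parse_acl(lines):
    """Parse 'access-list N {permit|deny} {any | host A | A [WILDCARD]}' lines."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACL line: {line!r}")
        action, src = tok[2], tok[3:]
        if src[0] == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        elif src[0] == "host":
            addr, wild = src[1], "0.0.0.0"
        else:
            # A bare address with no wildcard matches that single host only.
            addr, wild = src[0], (src[1] if len(src) > 1 else "0.0.0.0")
        entries.append((action, int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(wild)), line))
    return entries

def evaluate(entries, source_ip):
    """Return (action, matching line). First match wins; no match = implicit deny."""
    src = int(ipaddress.IPv4Address(source_ip))
    for action, addr, wild, line in entries:
        # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
        if (src | wild) == (addr | wild):
            return action, line
    return "deny", "(implicit deny)"

# ACL 10 exactly as entered in STEP 29.1
ACL_10 = parse_acl(["access-list 10 deny 10.10.10.0 0.0.0.255",
                    "access-list 10 permit any"])
# Constructed variants showing two classic mistakes: forgetting 'permit any',
# and putting 'permit any' first so the deny line is never reached.
NO_PERMIT = parse_acl(["access-list 10 deny 10.10.10.0 0.0.0.255"])
WRONG_ORDER = parse_acl(["access-list 10 permit any",
                         "access-list 10 deny 10.10.10.0 0.0.0.255"])

if __name__ == "__main__":
    # Constructed sample sources, one per VLAN in the recap table
    for name, acl in (("ACL_10", ACL_10), ("NO_PERMIT", NO_PERMIT),
                      ("WRONG_ORDER", WRONG_ORDER)):
        for src in ("10.10.10.25", "10.10.20.10", "10.10.30.10"):
            action, line = evaluate(acl, src)
            print(f"{name:12} src={src:12} -> {action:6} by {line}")
```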
🧠 What you just learned (CCNA GOLD)
- Standard ACLs filter by source only
- Placement matters more than the command
- Direction matters
- Implicit deny is real
- Why we need extended ACLs later
🔒 One sentence to lock it in
Standard ACLs block traffic based on source IP and are placed close to the destination.
