UDP broadcasts over router (e.g. DHCP) - only

RJ

Hi

A "basic" scenario:-

2 sites (A & B) with routed WAN with Cisco routers.

Windows 2003 AD DCs in each site. DHCP server in site A only, so
clients in site B go to the router which forwards DHCP requests to
DHCP server in site A.

All works well.

(Cisco config for this is:-

interface Ethernet0
ip address 10.3.30.1 255.255.0.0
ip helper-address 10.1.10.1
no cdp enable
)

However, the DCs are fighting over who is master browser and who
isn't, and the other servers end up joining in the scrap and we get
loads of errors everywhere. MS have an answer:-
http://support.microsoft.com/default.aspx?scid=kb;EN-US;190930

This blames UDP broadcasts between sites. (for us - clearly 1-way!)

So - can we have UDP helper for DHCP only (UDP ports 67,68) - and not
for other ports - esp not 137/138 etc.

Can this be done via the Cisco? (can't find appropriate commands - I
was hoping for "ip helper-address 10.1.10.1 dhcponly" - alas!!)

Or is the better solution to install DHCP-Relay agent on DC in site B?

Thanks in advance

RJ

John Smith

If you have two DCs, one in each site, why not create a DHCP server on each one?

Illusion

RJ said:
Hi

A "basic" scenario:-

2 sites (A & B) with routed WAN with Cisco routers.

Windows 2003 AD DCs in each site. DHCP server in site A only, so
clients in site B go to the router which forwards DHCP requests to
DHCP server in site A.

All works well.

(Cisco config for this is:-

interface Ethernet0
ip address 10.3.30.1 255.255.0.0
ip helper-address 10.1.10.1
no cdp enable
)

However, the DCs are fighting over who is master browser and who
isn't, and the other servers end up joining in the scrap and we get
loads of errors everywhere. MS have an answer:-
http://support.microsoft.com/default.aspx?scid=kb;EN-US;190930

This blames UDP broadcasts between sites. (for us - clearly 1-way!)

So - can we have UDP helper for DHCP only (UDP ports 67,68) - and not
for other ports - esp not 137/138 etc.

Can this be done via the Cisco? (can't find appropriate commands - I
was hoping for "ip helper-address 10.1.10.1 dhcponly" - alas!!)

Or is the better solution to install DHCP-Relay agent on DC in site B?

Thanks in advance

RJ

Try these:

no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs


Cheers, Dan

News Account

"ip forward-protocol udp bootp"

That's what he needs in addition to IP helper.

Don Woodward

Martin Gallagher

"ip forward-protocol udp bootp"

That's what he needs in addition to IP helper.

Nope. ip helper-address forwards 8 (or 9) ports by default, bootpc and
bootps included. You have to turn those ones off if you don't want them,
like Dan said. Any others, you have to explicitly enable.

RJ

True enough - and that may suit most people. We just have a standard
approach and wish to adopt it for all sites. It may not suit
everyone though. Another option is (of course) DHCP Relay agent - but
again, we want the same approach for sites without any servers on.

RJ

Thanks - I will look up these commands and see what I can determine.
This is the information I was lacking.

Many thanks.

News Account

Nope!

In 12.3 documentation it says ...

Enabling a helper address or UDP flooding on an interface causes the Cisco
IOS software to forward particular broadcast packets. You can use the ip
forward-protocol command to specify exactly which types of broadcast packets
you would like to have forwarded.

There is no reason to use the "no" form of "ip forward-protocol" unless you
specifically enabled them individually previously.

Martin Gallagher

Nope!

In 12.3 documentation it says ...

Enabling a helper address or UDP flooding on an interface causes the
Cisco IOS software to forward particular broadcast packets. You can use
the ip forward-protocol command to specify exactly which types of
broadcast packets you would like to have forwarded.

There is no reason to use the "no" form of "ip forward-protocol" unless
you specifically enabled them individually previously.

Hmmm, you need to read a little further.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123tcr/123tip1r/ip1_i1gt.htm#1081636
says;

Usage guidelines ( for ip forward-protocol)

"Enabling a helper address or UDP flooding on an interface causes the
Cisco IOS software to forward particular broadcast packets. You can use
the ip forward-protocol command to specify exactly which types of
broadcast packets you would like to have forwarded. A number of commonly
forwarded applications are enabled by default. Enabling forwarding for
some ports (for example, Routing Information Protocol (RIP)) may be
hazardous to your network.

....

If an IP helper address is defined, UDP forwarding is enabled on default
ports. If UDP flooding is configured, UDP flooding is enabled on the
default ports.

If a helper address is specified and UDP forwarding is enabled, broadcast
packets destined to the following port numbers are forwarded by default:

Trivial File Transfer Protocol (TFTP) (port 69)
Domain Naming System (port 53)
Time service (port 37)
NetBIOS Name Server (port 137)
NetBIOS Datagram Server (port 138)
Boot Protocol (BOOTP) client and server datagrams (ports 67 and 68)
TACACS service (port 49)
IEN-116 Name Service (port 42)"

So it seems to me that if an ip helper address is configured, bootp
broadcasts, as well as the others, will be forwarded without further
action.

News Account

The Cisco documentation on "ip forward-protocol" is confusing - normally
they would tell you to use the "no" form to turn off those services you
don't need which were enabled by default - here they don't. A quick check
on my router shows you _do_ need to turn off those services by using the
"no" form, that you don't need which were enabled by default, as Martin and
someone else suggested.

Don Woodward

John Smith

OK. I was thinking that your availability numbers might get better using a
distributed approach, depending on your WAN availability numbers of course.

RJ

FYI

Since adding:-

no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs

To remote router, all network errors have ceased.

Great result- many thanks.

RJ
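The rule the thread settles on (Martin's quote of the IOS 12.3 docs, and RJ's final working config above) is simple enough to check mechanically: once an interface has `ip helper-address`, the router relays the whole default UDP port list, and each global `no ip forward-protocol udp <keyword>` line removes one port from it. The script below is an added example, not code from this thread or from Cisco. It parses a simplified IOS config, computes which broadcast ports a helper-enabled interface still relays, and flags the NetBIOS ports that caused RJ's browser elections to leak across the WAN. The default port list is taken from the documentation excerpt quoted in the thread; the keyword names `bootps`, `bootpc` and `nameserver` used for the mapping are my assumption about IOS keywords, and the line patterns assume the short stanza format shown in the thread rather than a full running-config.

```python
"""Effective UDP broadcast relay on a Cisco IOS interface with ip helper-address.

Added example (not from the thread or from Cisco). Models the behaviour the
thread arrives at: `ip helper-address` relays the default UDP port list, and
each `no ip forward-protocol udp <port>` line removes one port from that list.
"""
import re

# Default ports relayed once a helper address exists, per the IOS 12.3 docs
# quoted in the thread. Keyword names for 67/68/42 are an assumption.
DEFAULT_FORWARDED = {
    "tftp": 69,
    "domain": 53,
    "time": 37,
    "netbios-ns": 137,
    "netbios-dgm": 138,
    "bootps": 67,       # BOOTP/DHCP server side (keyword name assumed)
    "bootpc": 68,       # BOOTP/DHCP client side (keyword name assumed)
    "tacacs": 49,
    "nameserver": 42,   # IEN-116 name service (keyword name assumed)
}

# Ports whose relay across a WAN is what caused the master-browser fight.
RISKY = {137: "NetBIOS name service", 138: "NetBIOS datagram service"}

FWD_RE = re.compile(r"^\s*(no\s+)?ip forward-protocol udp\s+(\S+)\s*$")
HELPER_RE = re.compile(r"^\s*ip helper-address\s+(\S+)\s*$")
IFACE_RE = re.compile(r"^\s*interface\s+(\S+)\s*$")


def keyword_to_port(word: str) -> int:
    """Accept either an IOS keyword from the default list or a numeric port."""
    if word.isdigit():
        return int(word)
    if word in DEFAULT_FORWARDED:
        return DEFAULT_FORWARDED[word]
    raise ValueError(f"unknown ip forward-protocol keyword: {word}")


def effective_relay(config: str) -> dict:
    """Return {interface: {port, ...}} for every interface with a helper address.

    `ip forward-protocol` is global configuration, so the same port set applies
    to all helper-enabled interfaces on the router.
    """
    ports = set(DEFAULT_FORWARDED.values())
    helpers = {}
    current = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = HELPER_RE.match(line)
        if m and current:
            helpers.setdefault(current, []).append(m.group(1))
            continue
        m = FWD_RE.match(line)
        if m:
            port = keyword_to_port(m.group(2))
            if m.group(1):          # "no" form: stop relaying this port
                ports.discard(port)
            else:                   # positive form: add a non-default port
                ports.add(port)
    return {iface: set(ports) for iface in helpers}


def audit(config: str) -> list:
    """Findings for helper-enabled interfaces that still relay NetBIOS broadcasts."""
    findings = []
    for iface, ports in effective_relay(config).items():
        for port in sorted(ports & RISKY.keys()):
            findings.append(f"{iface}: relays {RISKY[port]} (UDP {port}) via helper")
    return findings


# Constructed sample: the interface stanza RJ posted at the top of the thread.
BEFORE = """\
interface Ethernet0
 ip address 10.3.30.1 255.255.0.0
 ip helper-address 10.1.10.1
 no cdp enable
"""

# Constructed sample: same stanza plus the six global lines Dan suggested.
AFTER = BEFORE + """\
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, {i: sorted(p) for i, p in effective_relay(cfg).items()})
        for finding in audit(cfg):
            print("   ", finding)
```

Run against RJ's original stanza, the audit reports both NetBIOS ports being relayed to site A; with Dan's six lines added, the relayed set shrinks to the BOOTP pair plus port 42. That last port is worth noticing: IEN-116 name service is in the default list the thread quotes, and none of the six `no` lines covers it, so a site that wants strictly DHCP-only relay has one more default to check against its own IOS release's documentation.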

Alan J. McFarlane

Illusion said:
RJ wrote: [...]
However, the DCs are fighting over who is master browser and who
isn't, and the other servers end up joining in the scrap and we get
loads of errors everywhere. MS have an answer:-
http://support.microsoft.com/default.aspx?scid=kb;EN-US;190930

This blames UDP broadcasts between sites. (for us - clearly 1-way!)
[...]
Try these:

no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
Why on earth does Cisco still keep those defaults? When was the last time
anyone wanted any of those protocols to be forwarded? In fact for some of
them when was the time that protocol was used?

Come on Cisco please change the defaults. At least stop the default
forwarding of netbios-ns/-dgm.