Passing Broadcast from 1 VLAN to another

Answered Question
Apr 22nd, 2007

Hi all,


Our sys admin is using a Sw delivery pkg; the pkg works by sending wake on lan packets using broadcast before delivering the pkgs; naturally, these broadcast pkts are not reaching other vlans. What can I do to make them do this?


thank you.

vettiyattil.par... Sun, 04/22/2007 - 23:02

Hi,

You can think of using the ip helper-address command under the VLAN interface to achieve forwarding of broadcasts

e.g.

    int VLAN2
     ip address 10.1.1.1 255.255.255.0
     ip helper-address 10.1.2.255
     ip helper-address 10.1.3.255

You may have to use proper filtering/access list to allow broadcast only from the specified server.


HTH



Question to Parameshwaram -

The ip helper-address command is for directing the broadcast to a server which is on another VLAN, but here the requirement is different? The user wants to have broadcast from a server in a VLAN reach other VLANs also.


Question to Amit -


Can you please explain how the ip directed-broadcast command will broadcast traffic from that particular server to other VLANs, not all the broadcast?

vettiyattil.par... Sun, 04/22/2007 - 23:39

Hi,

Basically ip helper-address is used to forward UDP broadcasts (e.g. DHCP/BOOTP packets) to the specific address mentioned in the command. The command syntax is

    ip helper-address address

where address is the destination broadcast or host address to be used when forwarding UDP broadcasts. There can be more than one helper address per interface.

So if the address is the IP broadcast address for a LAN segment, all machines in that segment will receive the particular broadcast information.

In case of DHCP, 255.255.255.255 is generated by the client and is forwarded to the DHCP server (i.e. in the helper-address command) as a unicast packet. In the present scenario, 255.255.255.255 is generated by the server and is forwarded to the respective different VLANs as IP broadcasts which are configured in the helper address.


HTH

regards

Param



mohammedmahmoud Mon, 04/23/2007 - 00:05

Hi all,


The ip helper-address doesn't forward all broadcasts:


All of the following conditions must be met in order for a UDP or IP packet to be helpered by the ip helper-address command:


  • The MAC address of the received frame must be all-ones broadcast address (ffff.ffff.ffff).

  • The IP destination address must be one of the following: all-ones broadcast (255.255.255.255), subnet broadcast for the receiving interface; or major-net broadcast for the receiving interface if the no ip classless command is also configured.

  • The IP time-to-live (TTL) value must be at least 2.

  • The IP protocol must be UDP (17).

  • The UDP destination port must be for TFTP, Domain Name System (DNS), Time, NetBIOS, ND, BOOTP or DHCP packet, or a UDP port specified by the ip forward-protocol udp global configuration command.


http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ip_r/iprprt1/1rdipadr.htm#wp1018606


If these are the protocols that you wish to pass between VLANs then fine, if not try to define your protocol via the "ip forward-protocol" command.


HTH, please rate if it does,

Mohammed Mahmoud.

m-mneimneh Mon, 04/23/2007 - 00:48

Guys,


Please correct me if I'm wrong; the helper-address handles the problem from a reverse point of view; i.e. if I plug in a dhcp client, it will bcst a dhcp request, which gets directed by the helper-address to a specific host. In my case, the server itself is sending bcsts to, say, 500 machines.


So I configured ip forward-protocol to enable wake on lan pkts {which use UDP port 3674 in my case} and applied ip directed-broadcast on vlan 1 {where my server is}. This did not solve the problem.


what do you think?

mohammedmahmoud Mon, 04/23/2007 - 01:12


Hi there,


IP helper should solve broadcast issues either way. Have you tried it like this:


"ip helper-address 255.255.255.255"


HTH,

Mohammed Mahmoud.

mohammedmahmoud Mon, 04/23/2007 - 00:44


Hi Amit,


An IP directed broadcast is a datagram which is sent to the broadcast address of a subnet to which the sending machine is not directly attached. Do you think that this applies to this case?


BR,

Mohammed Mahmoud.

m-mneimneh Mon, 04/23/2007 - 02:20

Guys,


I added ip forward-protocol udp 3674, used by wake on pkts. I then added an inbound acl to vlan1 {where the server is located}, with src = server ip, dst = any, prot = udp port 3674; as I send wake on pkts from the server, I see hits on the acl entry.

I then applied the same acl, in the inbound and outbound directions of the subnet where the test machine is located. It did not record any hits.

Obviously, wake on pkts are reaching VLAN1, but not going through the destination subnet VLAN111.

Any ideas? Is it smtg on the vlan config level?

vettiyattil.par... Mon, 04/23/2007 - 02:51

Hi

Did you configure ip helper-address under VLAN interface ?

can you post the config ?

Regards

Param

m-mneimneh Mon, 04/23/2007 - 03:27

Hi again,


No, I did not set ip helper-address. I have the following config under vlan 1:


    int vlan1
     ip address 172.16.16.200 255.255.192.0
     ip access-group SUS1 in
     ip access-group SUS1 out
     no ip redirects
     ip directed-broadcast 101
     no ip proxy-arp

    interface Vlan111
     ip address 172.16.111.1 255.255.255.0
     ip access-group NACHI in
     ip access-group NACHI out
     ip helper-address 172.16.16.45
     ip helper-address 172.16.16.47
     no ip redirects
     ip directed-broadcast 101
     no ip proxy-arp

    ip access-list extended NACHI
     deny udp any any eq tftp
     deny tcp any any eq 707
     permit ip any any

    ip access-list extended SUS1
     deny udp any any eq tftp
     deny tcp any any eq 707
     deny ip host 172.16.16.8 172.19.0.0 0.0.255.255
     deny ip host 172.16.16.8 192.168.0.0 0.0.255.255
     deny tcp host 172.16.16.41 172.19.0.0 0.0.255.255 eq www
     deny tcp host 172.16.16.41 192.168.0.0 0.0.255.255 eq www
     deny tcp 192.168.0.0 0.0.255.255 172.16.16.0 0.0.0.255 eq 3389
     deny tcp 172.19.0.0 0.0.255.255 172.16.16.0 0.0.0.255 eq 3389
     permit udp host 172.16.16.220 any eq 3674
     permit ip any any

    access-list 101 permit udp host 172.16.16.47 any eq echo
    access-list 101 permit udp host 172.16.16.46 any eq echo
    access-list 101 permit udp host 172.16.16.45 any eq echo
    access-list 101 permit udp host 172.16.16.220 any eq 3674
    access-list 101 permit udp host 172.16.16.220 any


.45 & .47 are my dhcp servers.


does this help?


thanks.

m-mneimneh Mon, 04/23/2007 - 05:44

No man, I removed all ACLs & tried, with the same results.


On the other hand, I just found out that the magic packets go to 255.255.255.255, and not to say 172.16.111.255 {where the dst machine is}. I traced it using an ACL on the in direction of Vlan1 {where the server is}. After that point, nothing is showing up.


i found the following url: http://tcpmag.com/qanda/article.asp?EditorialsID=320


does this make sense?


-Mohamad.

Richard Burts Mon, 04/23/2007 - 06:10

Mohamad


I believe that to solve your issue you will need all of the ip forward-protocol, ip helper-address and ip directed-broadcast commands. You will need the ip forward-protocol (which you seem to already have done), and the ip helper-address on the interface where the server is located. You will need to configure the helper address to point to the subnet broadcast of the remote VLAN (for example if the remote VLAN is subnet 172.16.4.0/24 then you would configure ip helper-address 172.16.4.255). And you need ip directed-broadcast on the remote VLAN interface.


You need the forward-protocol command to identify wake on LAN as a protocol to forward, and you need the helper-address to specify that it gets forwarded to the remote subnet as a subnet broadcast. You need the directed-broadcast on the remote VLAN interface because otherwise the interface will receive the forwarded packet but will not forward it onto the subnet.


HTH


Rick
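An added example, not part of the thread and not Cisco's code: a small Python model of the forwarding decisions described in the helper-conditions list and in Rick's three-command answer, fed with the addresses and port from the posted config. The function names, dictionary keys, the TTL value and the simplified source check standing in for the ACL on ip directed-broadcast are assumptions; the major-net case and ND are not modelled.

```python
from ipaddress import ip_address, ip_network

# UDP ports of the services named in the conditions list (ND left out: no port on the page).
DEFAULT_PORTS = {37, 53, 67, 68, 69, 137, 138}

def helper_failures(pkt, in_net, extra_ports=()):
    """Return which of the listed helper conditions pkt fails on the ingress interface."""
    dst, fails = ip_address(pkt["dst_ip"]), []
    if pkt["dst_mac"].lower() != "ffff.ffff.ffff":
        fails.append("mac")
    if dst not in (ip_address("255.255.255.255"), ip_network(in_net).broadcast_address):
        fails.append("dst_ip")   # major-net broadcast case not modelled
    if pkt["ttl"] < 2:
        fails.append("ttl")
    if pkt["proto"] != 17:
        fails.append("proto")
    elif pkt["dport"] not in DEFAULT_PORTS | set(extra_ports):
        fails.append("port")     # needs ip forward-protocol udp <port>
    return fails

def trace(pkt, ingress, egress, extra_ports=()):
    """Follow one broadcast from the server VLAN to the remote VLAN."""
    fails = helper_failures(pkt, ingress["net"], extra_ports)
    if fails:
        return "dropped at ingress: " + ",".join(fails)
    bcast = ip_network(egress["net"]).broadcast_address
    if bcast not in {ip_address(h) for h in ingress["helpers"]}:
        return f"no helper-address for {bcast}"
    if not egress["directed_broadcast"]:
        return "dropped at egress: directed-broadcast off"
    if pkt["src_ip"] not in egress["allowed_src"]:   # ACL on ip directed-broadcast
        return "dropped at egress: source not permitted"
    return "flooded on " + egress["net"]

# Constructed sample built from the addresses and port in the posted config.
WOL = {"src_ip": "172.16.16.220", "dst_ip": "255.255.255.255",
       "dst_mac": "ffff.ffff.ffff", "ttl": 128, "proto": 17, "dport": 3674}
VLAN1_POSTED = {"net": "172.16.0.0/18", "helpers": []}
VLAN1_FIXED = {"net": "172.16.0.0/18", "helpers": ["172.16.111.255"]}
VLAN111 = {"net": "172.16.111.0/24", "directed_broadcast": True,
           "allowed_src": {"172.16.16.220"}}

if __name__ == "__main__":
    print(trace(WOL, VLAN1_POSTED, VLAN111, extra_ports=[3674]))
    print(trace(WOL, VLAN1_FIXED, VLAN111, extra_ports=[3674]))
```

Keeping the source check on the remote interface narrow matters because an unrestricted directed broadcast lets any routed host flood that subnet.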

m-mneimneh Mon, 04/23/2007 - 06:41

Hi Rick,


Indeed you are right! It's a combination of ip forward-protocol, ip directed-broadcasts & ip helper-address on the remote vlan. When I added the helper address, the machines woke up :)


Thanks to all of you guys for your support.


-Mohamad.

Correct Answer
Richard Burts Mon, 04/23/2007 - 06:51

Mohamad


Yes it is a combination of the 3 commands and of knowing which command needs to go on which interface.


I am glad that we were able to help you solve your problem. Thanks for the rating.


HTH


Rick

Amit Singh Mon, 04/23/2007 - 08:29

Rick,


Well done, great answer.


Appreciate your knowledge and experience sharing with such wonderful posts.


Rated you Sir :-)


-amit singh

Richard Burts Mon, 04/23/2007 - 09:23

Amit


Thank you for the kind words - and thanks for the rating. It means a lot to me to be able to help others by posting to the forum. And I appreciate having you as a long time active poster in the forum.


HTH


Rick

mohammedmahmoud Mon, 04/23/2007 - 10:51


Hi Rick,


It's great learning from experts like yourself.


BR,

Mohammed Mahmoud.

Richard Burts Mon, 04/23/2007 - 11:07

Mohammed


Thank you for the kind words. I have spent a lot of time studying and gaining experience with many aspects of networking. I am happy to share with people through the forum. I am glad to see that you have become an active contributing member of the forum and I encourage you to continue your participation in the forum.


HTH


Rick

tzverina Wed, 04/25/2007 - 09:43

Mohamad.


For the benefit of all involved, could you please post the completed final configs of the involved interfaces on both ends of the broadcast.


Thanks.

Thomas.

