Netbios still crossing Link after disabling ip forward protocol udp

Unanswered Question
Apr 23rd, 2007

Hi Folks,

Having problems with Netbios traffic. I have 2 msfc's at seperate

sites with different subnets configured, connection via a serial link.

I have "no udp forward-protocol udp netbios-ns" & no "udp forward-

protocol udp netbios-dgm" configured on the routers, however if i do a

nbtstat -an <ip address at the remote site> from my machine it

resolves the name to an ip address. Thus netbios is crossing the link.

Need help to prevent un-neccessary traffic crossing the serial link?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Richard Burts Mon, 04/23/2007 - 07:32

It would help us to give you better answers if we had some more details about your environment and probably some configurations. I am not quite clear what you are doing with no ip forward-protocol and therefore not clear whether it is mis-behaving or not. no ip forward-protocol is intended to work with the ip helper-address command and to control what protocol broadcasts it will forward. It is not clear whether you are using no ip forward-protocol with helper-address or using it by itself and expecting it to do something that it is not intended to do. Perhaps you can clarify your environment for us.



scuzzlightyear Mon, 04/23/2007 - 07:49

Thks for the reply Rick, firstly i didn't realise the no ip protocol was solely coupled with the ip-helper address which would explain why it is not preventing netbios crossing the link. Basically I understood routers don't forward broadcasts. But as I explained when I do a nbtstat -an 10.2.x.x ----MSFC SiteA (gateway from a machine on subnet 10.1.x.x on MSFC SiteB (gateway it resolves the 10.2.x.x which indicates to me that Netbios traffic is crossing our 34meg serial link between site A & Site B. I want to prevent Netbios traffic crossing between sites. There is 2 seperate Vlan domains configured, one at site A & one at site B. Will I have to prevent netbios using acls on the ingress to the Vlan interface at either site.

Richard Burts Mon, 04/23/2007 - 08:13

It is generally true that routers do not forward broadcasts from one subnet to another subnet. I am not convinced that what you are seeing is the result of broadcast traffic. I suspect that your request is getting to some Windows/NetBIOS box in your subnet which is getting the information from some box in the other subnet. If you really do not want NetBIOS getting over the serial link then I suspect that you will need to set up some filtering on ingress/egress interfaces.



scuzzlightyear Mon, 04/23/2007 - 08:39

Thks again Rick,

I can see from an ethereal trace that the boxes are communicating directly across the link using NBNS. I can also ping the broadcast and get replies. Below is the interface configuration for site A with Site B the same only on subnet 10.2.x.x

interface Serial6/0/0

description 34Mb Link to Leix

bandwidth 34368

ip address

service-policy output QOS-to-Leix

framing bypass

dsu bandwidth 34010

interface Vlan10

ip address

no ip redirects

no ip unreachables

ip pim sparse-mode

ip route-cache flow

ip cgmp

no ip mroute-cache

Richard Burts Mon, 04/23/2007 - 09:08

Can I assume that the NBNS in the ethereal trace is unicast traffic and not broadcast?

As for being able to ping and get replies, that is not surprising. This is what is known as a directed broadcast (or sometimes called subnet broadcast). A directed broadcast is quite different from a local broadcast. Routers will forward directed broadcasts but not forward local broadcasts (unless helper-address is configured). It has been the behavior of IOS for a long time that if it receives a ping for the broadcast address of one of its interfaces that IOS will respond to the ping from its own address. But unless ip directed-broadcast is configured (which is not in what you posted) the IOS will not forward the directed broadcast onto the subnet. So you are getting a response from the router but no other device on the remote subnet is seeing the traffic.

There is a sort of interesting experiment that illustrates this. Use traceroute instead of ping so that you can see who is responding. Then traceroute to You should receive a response only from the router. Then configure ip directed-broadcast on the remote router VLAN interface and try the traceroute again. This time you should receive responses from numerous hosts on the other subnet (subject, of course, to whether those hosts are running firewalls that permit response to ping or traceroute).



scuzzlightyear Tue, 04/24/2007 - 01:40

Thks again Rick, and indeed for your patience.

I enabled directed broadcast on the remote router Vlan and used tracert, however I still only get a response from Hosts are not running local firewalls or being filtered in any way. I still don't understand how using nbtstat -an resolves a remote computer name considering we are not using wins and they are on seperate Vlans and subnets with routers in between.

genghiskhan Fri, 04/27/2007 - 07:26


WINS is just the next generation of name service for netbios. If you do not have a WINS server setup, then netbios defaults to electing a netbios name server. This happens everytime a windows machine comes online, as long as netbios is enabled. You can alleviate all this by disabling netbios on all machines. You would only want to do this, if you have Active Directory running.

Your problem with netbios crossing the routers may have to do with the network addressing that you are using. is a Class A IP Address range. Just because you are using only 2 Class B size subnets out of that range, does not change the fact that it is still a Class A. I am not sure, how the windows TCP/IP stack deals with this.

Are you running a routing protocol? Do you have the ip classless command enabled in the router? If you are running a routing protocol, did you turn off auto summarization for the routing protocol?

Just some thoughts for you to consider. Netbios really sucks anyways. It would be better to turn it off, if you can live without it.



rseiler Fri, 04/27/2007 - 07:51

'nbtstat -A ' sends a netbios directed request (i.e. IP unicast), does not use IP broadcast.


This Discussion