One of our client networks has been audited, and one of the audit measures suggested is to turn off unnecessary broadcasts caused by the ip helper-address command on every L3 interface or SVI.
I am now planning to apply the following commands:
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
However, my fear is that the IP address mentioned in the ip helper-address command is not only a DHCP server but also a DNS, WINS and NTP server.
So, will I be stopping communication by putting in the above commands?
I request your clarification on this.
I believe you can disable the NetBIOS broadcasts as well. Actually, the two NetBIOS services are the name service, which is superseded by the WINS server that should be discovered by DHCP assignment, and the NetBIOS datagram service, which is used for certain connectionless NetBIOS applications. None of these services needs to be forwarded beyond the local segment. Also note that if you are running an Active Directory domain, these services are largely obsolete. They were necessary in NT-style domains.
Try to see it from the other end: if we are talking about IP Helper and services to permit or deny, we are talking about services that use broadcasts for their normal work. Of all the services that the IP Helper supports, only DHCP requires forwarding the broadcasts to a central server if it is not on the same segment. All other services were originally designed to run per-segment, and they did not assume that something ever forwarded the broadcasts to a central server. Therefore, turning off this broadcast forwarding should not do any harm. Once again, the IP Helper absolutely does not influence any other traffic except the UDP broadcasts (and only selected services among those broadcasts).
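As an added check, not part of the original thread, here is a small Python model of which UDP broadcasts an ip helper-address relays before and after the six lines from the question are applied; the default port list and the sample packets are my own assumptions, constructed to mirror the IOS defaults. Note that the "time" keyword is the Time protocol on UDP/37, not NTP on UDP/123, so NTP was never relayed by the helper in the first place.

```python
# Added example, not code from the original thread: a small model of what a
# Cisco IOS "ip helper-address" relays, so the effect of the poster's
# "no ip forward-protocol udp ..." lines can be checked offline.
# Assumption: DEFAULT_FORWARDED lists the UDP ports IOS relays by default
# (per the ip forward-protocol documentation); all packets are constructed.

DEFAULT_FORWARDED = {
    "tftp": 69, "domain": 53, "time": 37, "nameserver": 42, "tacacs": 49,
    "netbios-ns": 137, "netbios-dgm": 138, "bootps": 67, "bootpc": 68,
}

# The six lines the question proposes to apply (DHCP ports 67/68 are untouched).
HARDENING_CONFIG = """
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
"""

def parse_forward_protocol(config):
    """Return the set of UDP ports still relayed after applying `config`.
    Accepts 'no ip forward-protocol udp <name|port>' lines; others are ignored."""
    ports = set(DEFAULT_FORWARDED.values())
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[:4] == ["no", "ip", "forward-protocol", "udp"]:
            name = parts[4]
            ports.discard(int(name) if name.isdigit() else DEFAULT_FORWARDED.get(name))
    return ports

# Constructed sample traffic seen on a client segment that has a helper configured.
SAMPLE_PACKETS = [
    {"name": "dhcp-discover",      "broadcast": True,  "dst_port": 67},
    {"name": "dns-broadcast",      "broadcast": True,  "dst_port": 53},
    {"name": "netbios-name-query", "broadcast": True,  "dst_port": 137},
    {"name": "ntp-broadcast",      "broadcast": True,  "dst_port": 123},  # never in the default set
    {"name": "dns-unicast",        "broadcast": False, "dst_port": 53},   # unicast: helper not involved
    {"name": "ntp-unicast",        "broadcast": False, "dst_port": 123},
]

def relayed(packets, forwarded_ports):
    """Names of packets the helper would relay: only broadcasts, only listed ports.
    Unicast DNS/WINS/NTP to the server is routed normally either way."""
    return [p["name"] for p in packets
            if p["broadcast"] and p["dst_port"] in forwarded_ports]

if __name__ == "__main__":
    print("default :", relayed(SAMPLE_PACKETS, parse_forward_protocol("")))
    print("hardened:", relayed(SAMPLE_PACKETS, parse_forward_protocol(HARDENING_CONFIG)))
```

Running it shows only the DHCP discover is still relayed after hardening, while the unicast DNS and NTP packets were never the helper's business.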