LDAP and AD-DC protocols not forwarding

paul.rising
Level 1

We are having an issue where LDAP is not being forwarded via our router. Our workstations are connected to VLAN 2 and our servers are connected to VLAN 1 (where our domain controllers are located).

While users are able to logon, administrators are not able to add computers on VLAN 2 to the domain and access AD tools from their workstations.

I ran a port sniffer and noticed that LDAP protocols and other AD-DC protocols are not being forwarded on the router.  Are we missing a configuration on the router?

I know we are not the only organization to have domain controllers on a separate VLAN from the admin workstations. I look forward to responses. Thank you.

Router Config

<output omitted>
interface GigabitEthernet0/1
 description Internal Networks
 no ip address
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.8.1 255.255.255.0
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.5.129 255.255.255.0
 ip helper-address 192.168.8.38
 ip helper-address 192.168.8.39
 ip helper-address 192.168.8.91
<output omitted>

4 Replies

Giuseppe Larosa
Hall of Fame

Hello Paul,

The router forwards (= converts) packets on some default ports.

There is a global command that allows you to specify which ports should be forwarded:

ip forward-protocol udp

See

http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/command/iap-i1.html#GUID-54968D7A-FF87-4424-91DC-3AEC284385A0

LDAP should require an explicit configuration, as it uses a port not forwarded by default:

LDAP 389 389 Lightweight Directory Access Protocol *

Hope to help

Giuseppe

Thanks for the quick response. I added the following to our router config file. We haven't seen any change; the admin workstations are still unable to use Active Directory tools.

ip forward-protocol udp 389
ip forward-protocol udp 88
ip forward-protocol udp 445
ip forward-protocol udp 464
ip forward-protocol udp 2535
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.162.8.129 255.255.255.192
 ip helper-address 192.162.8.38
 ip helper-address 192.1621.8.19
 ip helper-address 192.1621.8.39
 ip helper-address 192.1621.8.91
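As an added illustration of what the two commands discussed in this thread actually govern (this is not code from the thread, from Cisco, or from IOS itself): the model below parses a running-config excerpt, collects the `ip helper-address` entries per subinterface and the `ip forward-protocol udp <port>` lines, and then decides, for a handful of typical workstation-to-domain-controller flows, whether the router relays, routes, or drops each packet. The sample config is constructed from the excerpts posted above (first-post addresses plus two of the added forward-protocol lines). The set of UDP ports IOS relays by default is recalled from the documentation linked in the reply and should be treated as an assumption to verify against that page.

```python
import re
from dataclasses import dataclass, field

# UDP ports IOS relays by default once an 'ip helper-address' is configured.
# Recalled from the IOS 'ip forward-protocol' documentation; verify against
# the linked page before relying on it (assumption for this illustration).
DEFAULT_FORWARDED_UDP_PORTS = {37, 42, 49, 53, 67, 68, 69, 137, 138}


@dataclass
class SubInterface:
    name: str
    ip: str = ""
    mask: str = ""
    helpers: list = field(default_factory=list)


@dataclass
class RouterConfig:
    forward_udp_ports: set = field(default_factory=set)
    subinterfaces: dict = field(default_factory=dict)


def parse_ios_config(text):
    """Pull global 'ip forward-protocol udp <port>' lines and per-interface
    address / helper-address lines out of a running-config excerpt."""
    cfg = RouterConfig()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.fullmatch(r"ip forward-protocol udp(?: (\d+))?", line)
        if m:
            if m.group(1):                      # bare form has no port
                cfg.forward_udp_ports.add(int(m.group(1)))
            continue
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            current = SubInterface(m.group(1))
            cfg.subinterfaces[current.name] = current
            continue
        if current is None:
            continue
        m = re.fullmatch(r"ip address (\S+) (\S+)", line)
        if m:
            current.ip, current.mask = m.groups()
            continue
        m = re.fullmatch(r"ip helper-address (\S+)", line)
        if m:
            current.helpers.append(m.group(1))
    return cfg


def relay_decision(cfg, ingress, proto, dst_ip, dst_port):
    """What the router does with a packet entering 'ingress'.
    Returns (action, targets):
      'routed'  - unicast; helper-address and forward-protocol play no part
      'relayed' - UDP broadcast on a forwarded port, re-sent to each helper
      'dropped' - any other broadcast (never leaves the VLAN)"""
    sub = cfg.subinterfaces[ingress]
    if dst_ip != "255.255.255.255":
        return ("routed", [])
    if proto != "udp" or not sub.helpers:
        return ("dropped", [])
    if dst_port in DEFAULT_FORWARDED_UDP_PORTS or dst_port in cfg.forward_udp_ports:
        return ("relayed", list(sub.helpers))
    return ("dropped", [])


# Constructed from the config excerpts in this thread.
SAMPLE_CONFIG = """
ip forward-protocol udp 389
ip forward-protocol udp 88
!
interface GigabitEthernet0/1
 description Internal Networks
 no ip address
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.8.1 255.255.255.0
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.5.129 255.255.255.0
 ip helper-address 192.168.8.38
 ip helper-address 192.168.8.39
 ip helper-address 192.168.8.91
"""


def classify_ad_flows(cfg, ingress="GigabitEthernet0/1.2", dc="192.168.8.38"):
    """Typical flows from the workstation VLAN towards a domain controller."""
    flows = {
        "dhcp-discover":      ("udp", "255.255.255.255", 67),
        "netbios-name-bcast": ("udp", "255.255.255.255", 137),
        "ldap-udp-bcast":     ("udp", "255.255.255.255", 389),
        "ldap-tcp-389":       ("tcp", dc, 389),
        "kerberos-udp-88":    ("udp", dc, 88),
        "smb-tcp-445":        ("tcp", dc, 445),
    }
    return {name: relay_decision(cfg, ingress, *pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, result in classify_ad_flows(parse_ios_config(SAMPLE_CONFIG)).items():
        print(f"{name:20s} -> {result}")
```

Running it shows the distinction that matters for troubleshooting: the unicast LDAP, Kerberos and SMB flows to a domain controller come out as `routed`, so neither `ip helper-address` nor `ip forward-protocol udp` can make or break them; only UDP broadcasts on the listed ports are relayed. When unicast traffic between two VLANs fails, the things worth checking are routing (as the thread's resolution turned out), ACLs on the subinterfaces, and host firewalls on the DCs.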

Hello Paul,

At this point, if there are no ACLs on the subinterfaces, I would look at the AD/DC configuration; it might be possible that the IP subnets of the administrators have to be declared/defined on them (they may have a built-in embedded firewall or other security feature).

I remember in a previous job that the AD managers asked us to classify all the IP subnets in the intranet, providing a brief comment for each.

Hope to help

Giuseppe

Thank you for your replies, as they did help us eliminate some theories. We had a routing loop which caused the domain controllers to not communicate with the workstations. We connected the 6500 to a direct path to the router with sub-interfaces. This corrected the issue.
