05-09-2012 09:55 AM - edited 03-07-2019 06:36 AM
We are having an issue where LDAP is not being forwarded via our router. Our workstations are connected to VLAN 2 and our servers are connected to VLAN 1 (where our domain controllers are located).
While users are able to log on, administrators are not able to add computers on VLAN 2 to the domain or access AD tools from their workstations.
I ran a port sniffer and noticed that LDAP protocols and other AD-DC protocols are not being forwarded on the router. Are we missing a configuration on the router?
I know we are not the only organization to have Domain Controllers on a separate VLAN from the admin workstations. I look forward to responses. Thank you.
Router Config
<output omitted>
interface GigabitEthernet0/1
 description Internal Networks
 no ip address
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.8.1 255.255.255.0
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.5.129 255.255.255.0
 ip helper-address 192.168.8.38
 ip helper-address 192.168.8.39
 ip helper-address 192.168.8.91
<output omitted>
05-09-2012 10:07 AM
Hello Paul,
The router forwards (converts) packets on some default ports.
There is a global command that allows you to specify what ports should be forwarded:
ip forward-protocol udp
see
LDAP should require an explicit configuration, as it uses a port not forwarded by default:
389 389 Lightweight Directory Access Protocol *
Hope to help
Giuseppe
05-09-2012 10:48 AM
Thanks for the quick response. I added the following to our router config file. We haven't seen any change; the admin workstations are still unable to use Active Directory tools.
ip forward-protocol udp 389
ip forward-protocol udp 88
ip forward-protocol udp 445
ip forward-protocol udp 464
ip forward-protocol udp 2535
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.162.8.129 255.255.255.192
 ! helper addresses corrected to the 192.168.8.x hosts listed in the first post
 ip helper-address 192.168.8.38
 ip helper-address 192.168.8.19
 ip helper-address 192.168.8.39
 ip helper-address 192.168.8.91
05-10-2012 02:03 AM
Hello Paul,
At this point, if there are no ACLs on the subinterfaces, I would look at the AD/DC configuration; it might be possible that the IP subnets of the administrators have to be declared/defined on them (they may have a built-in embedded firewall or other security feature).
I remember in a previous job that the AD managers asked us to classify all the IP subnets in the intranet, providing a brief comment for each.
Hope to help
Giuseppe
05-10-2012 12:52 PM
Thank you for your replies, as they did help us eliminate some theories. We had a routing loop which caused the domain controllers to not communicate with the workstations. We connected the 6500 to a direct path to the router with sub-interfaces. This corrected the issue.
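As an added check that is not part of this thread, the script below parses a subinterface block like the one in the second post (the sample text is constructed here, typed with the same malformed helper address) and flags what a reviewer would raise: helper addresses that are not valid IPv4, helpers pointing into the interface's own subnet, and ip forward-protocol entries, which only ever relay UDP broadcasts, so unicast LDAP/Kerberos still depends on routing. The DEFAULT_HELPER_UDP_PORTS set and the function names are this example's own assumptions.

```python
import ipaddress
import re

# UDP ports an IOS router relays by default once ip helper-address is set
# (Time, IEN-116, TACACS, DNS, BOOTP/DHCP, TFTP, NetBIOS name/datagram).
DEFAULT_HELPER_UDP_PORTS = {37, 42, 49, 53, 67, 68, 69, 137, 138}

# Constructed sample modelled on the thread's second post, typo included.
SAMPLE_CONFIG = """\
ip forward-protocol udp 389
ip forward-protocol udp 88
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.162.8.129 255.255.255.192
 ip helper-address 192.162.8.38
 ip helper-address 192.1621.8.19
"""

def parse_config(text):
    """Return (forward_ports, interfaces); interfaces maps name -> {'ip', 'helpers'}."""
    forward_ports, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip forward-protocol udp (\d+)$", line):
            forward_ports.add(int(m.group(1)))
        elif m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
            interfaces[current] = {"ip": None, "helpers": []}
        elif current and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            # ipaddress accepts the dotted-netmask form IOS prints
            interfaces[current]["ip"] = f"{m.group(1)}/{m.group(2)}"
        elif current and (m := re.match(r"ip helper-address (\S+)$", line)):
            interfaces[current]["helpers"].append(m.group(1))
    return forward_ports, interfaces

def check_helpers(text):
    """Return review findings (strings) for helper-address / forward-protocol lines."""
    forward_ports, interfaces = parse_config(text)
    findings = []
    for name, data in interfaces.items():
        local = ipaddress.ip_interface(data["ip"]).network if data["ip"] else None
        for helper in data["helpers"]:
            try:
                addr = ipaddress.ip_address(helper)
            except ValueError:
                findings.append(f"{name}: helper {helper} is not a valid IPv4 address")
                continue
            if local and addr in local:
                findings.append(f"{name}: helper {helper} is on the local subnet; no relay needed")
    for port in sorted(forward_ports - DEFAULT_HELPER_UDP_PORTS):
        findings.append(f"forward-protocol udp {port}: relays UDP broadcasts only; unicast needs routing")
    return findings
```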