New Member

LDAP and AD-DC protocols not forwarding

We are having an issue where LDAP is not being forwarded via our router. Our workstations are connected to VLAN 2 and our servers are connected to VLAN 1 (where our domain controllers are located).

While users are able to logon, administrators are not able to add computers on VLAN 2 to the domain and access AD tools from their workstations.

I ran a port sniffer and noticed that LDAP protocols and other AD-DC protocols are not being forwarded on the router.  Are we missing a configuration on the router?

I know we are not the only organization to have Domain Controllers on a separate VLAN than the admin workstations. I look forward to responses. Thank you.

Router Config

<output omitted>
interface GigabitEthernet0/1
 description Internal Networks
 no ip address
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.8.1 255.255.255.0
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.168.5.129 255.255.255.0
 ip helper-address 192.168.8.38
 ip helper-address 192.168.8.39
 ip helper-address 192.168.8.91
<output omitted>

4 REPLIES
Hall of Fame Super Silver

LDAP and AD-DC protocols not forwarding

Hello Paul,

The router forwards (i.e. converts) broadcast packets on some default UDP ports.

There is a global command that allows you to specify what ports should be forwarded:

ip forward-protocol udp

see

http://www.cisco.com/en/US/docs/ios-xml/ios/ipapp/command/iap-i1.html#GUID-54968D7A-FF87-4424-91DC-3AEC284385A0

LDAP should require an explicit configuration, as it uses a port not forwarded by default:

LDAP: 389 389 Lightweight Directory Access Protocol *

Hope to help

Giuseppe

New Member

LDAP and AD-DC protocols not forwarding

Thanks for the quick response. I added the following to our router config file. We haven't seen any change; the admin workstations are still unable to use Active Directory tools.

ip forward-protocol udp 389
ip forward-protocol udp 88
ip forward-protocol udp 445
ip forward-protocol udp 464
ip forward-protocol udp 2535
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 192.162.8.129 255.255.255.192
 ip helper-address 192.162.8.38
 ip helper-address 192.1621.8.19
 ip helper-address 192.1621.8.39
 ip helper-address 192.1621.8.91
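The helper-address and forward-protocol behaviour described in the reply above, applied to the ports added in this post, as an added example that is not from the thread or from Cisco: a small Python model of how the VLAN 2 subinterface treats unicast versus broadcast AD traffic. The subnet and helper addresses are the ones from the original post, the flows are constructed samples, and the default port set is the one IOS documents for ip helper-address.

```python
from ipaddress import IPv4Address, IPv4Network

# UDP destination ports IOS relays by default once ip helper-address is set
# (Time 37, IEN-116 name 42, TACACS 49, DNS 53, BOOTP/DHCP 67/68, TFTP 69,
# NetBIOS 137/138). Any other broadcast needs "ip forward-protocol udp <port>".
DEFAULT_FORWARDED_UDP = {37, 42, 49, 53, 67, 68, 69, 137, 138}
LIMITED_BROADCAST = IPv4Address("255.255.255.255")


class HelperInterface:
    """One routed subinterface carrying ip helper-address lines (a model, not IOS code)."""

    def __init__(self, cidr, helpers, forward_protocol_udp=()):
        self.network = IPv4Network(cidr, strict=False)
        self.helpers = [str(IPv4Address(h)) for h in helpers]
        # "ip forward-protocol udp <port>" is global on the router; modelled per interface here.
        self.forward_ports = DEFAULT_FORWARDED_UDP | set(forward_protocol_udp)

    def _is_broadcast(self, dst):
        dst = IPv4Address(dst)
        return dst in (LIMITED_BROADCAST, self.network.broadcast_address)

    def handle(self, proto, dst, dport):
        """Classify an ingress packet: 'routed' unicast, 'relayed' broadcast
        (rewritten to unicast toward each helper), or 'dropped' broadcast."""
        if not self._is_broadcast(dst):
            return "routed", []            # helper-address never touches unicast
        if proto == "udp" and dport in self.forward_ports:
            return "relayed", list(self.helpers)
        return "dropped", []


def vlan2_decisions(forward_protocol_udp=()):
    """Apply the thread's VLAN 2 subinterface to the AD flows under discussion."""
    vlan2 = HelperInterface("192.168.5.129/24",
                            ["192.168.8.38", "192.168.8.39", "192.168.8.91"],
                            forward_protocol_udp)
    flows = {
        # constructed sample flows sent by an admin workstation on VLAN 2
        "dhcp_discover":   ("udp", "255.255.255.255", 67),
        "ldap_bind_to_dc": ("tcp", "192.168.8.38", 389),   # unicast LDAP to a DC
        "kerberos_as_req": ("udp", "192.168.8.38", 88),    # unicast Kerberos to a DC
        "cldap_broadcast": ("udp", "192.168.5.255", 389),  # subnet broadcast on UDP 389
    }
    return {name: vlan2.handle(*pkt) for name, pkt in flows.items()}
```

Running it with and without the five added forward-protocol ports shows that unicast LDAP and Kerberos between the VLANs are simply routed either way, so the added ports cannot fix the admin tools; they only widen which broadcasts from VLAN 2 get relayed to the domain controllers, which is worth keeping to the minimum the network actually needs.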

Hall of Fame Super Silver

LDAP and AD-DC protocols not forwarding

Hello Paul,

At this point, if there are no ACLs on the subinterfaces, I would look at the AD/DC configuration: it might be possible that the IP subnets of the administrators have to be declared/defined on them (they may have a built-in embedded firewall or other security feature).

I remember in a previous job that the AD managers asked us to classify all the IP subnets in the intranet, providing a brief comment for each.

Hope to help

Giuseppe

New Member

LDAP and AD-DC protocols not forwarding

Thank you for your replies, as they did help us eliminate some theories. We had a routing loop which caused the domain controllers to not communicate with the workstations. We connected the 6500 to a direct path to the router with sub-interfaces. This corrected the issue.
