Having problems with NetBIOS traffic. I have 2 MSFCs at separate sites with different subnets configured, connected via a serial link. I have "no udp forward-protocol udp netbios-ns" & "no udp forward-protocol udp netbios-dgm" configured on the routers, however if I do a nbtstat -an <ip address at the remote site> from my machine it resolves the name to an IP address. Thus NetBIOS is crossing the link. Need help to prevent unnecessary traffic crossing the serial link.
It would help us to give you better answers if we had some more details about your environment and probably some configurations. I am not quite clear what you are doing with no ip forward-protocol and therefore not clear whether it is mis-behaving or not. no ip forward-protocol is intended to work with the ip helper-address command and to control what protocol broadcasts it will forward. It is not clear whether you are using no ip forward-protocol with helper-address or using it by itself and expecting it to do something that it is not intended to do. Perhaps you can clarify your environment for us.
Thks for the reply Rick. Firstly, I didn't realise the no ip protocol was solely coupled with the ip helper-address, which would explain why it is not preventing NetBIOS crossing the link. Basically I understood routers don't forward broadcasts. But as I explained, when I do a nbtstat -an 10.2.x.x (MSFC Site A, gateway 10.1.1.1) from a machine on subnet 10.1.x.x on MSFC Site B (gateway 10.2.1.1) it resolves the 10.2.x.x, which indicates to me that NetBIOS traffic is crossing our 34meg serial link between Site A & Site B. I want to prevent NetBIOS traffic crossing between sites. There are 2 separate VLAN domains configured, one at Site A & one at Site B. Will I have to prevent NetBIOS using ACLs on the ingress to the VLAN interface at either site?
It is generally true that routers do not forward broadcasts from one subnet to another subnet. I am not convinced that what you are seeing is the result of broadcast traffic. I suspect that your request is getting to some Windows/NetBIOS box in your subnet which is getting the information from some box in the other subnet. If you really do not want NetBIOS getting over the serial link then I suspect that you will need to set up some filtering on ingress/egress interfaces.
Thks again Rick,
I can see from an ethereal trace that the boxes are communicating directly across the link using NBNS. I can also ping the broadcast 10.1.255.255 and get replies. Below is the interface configuration for site A, with Site B the same only on subnet 10.2.x.x:

 description 34Mb Link to Leix
 ip address 172.26.5.1 255.255.255.0
 service-policy output QOS-to-Leix
 dsu bandwidth 34010

 ip address 10.1.1.1 255.255.0.0
 no ip redirects
 no ip unreachables
 ip pim sparse-mode
 ip route-cache flow
 no ip mroute-cache
Can I assume that the NBNS in the ethereal trace is unicast traffic and not broadcast?
As for being able to ping 10.1.255.255 and get replies, that is not surprising. This is what is known as a directed broadcast (or sometimes called subnet broadcast). A directed broadcast is quite different from a local broadcast. Routers will forward directed broadcasts but not forward local broadcasts (unless helper-address is configured). It has been the behavior of IOS for a long time that if it receives a ping for the broadcast address of one of its interfaces that IOS will respond to the ping from its own address. But unless ip directed-broadcast is configured (which is not in what you posted) the IOS will not forward the directed broadcast onto the subnet. So you are getting a response from the router but no other device on the remote subnet is seeing the traffic.
There is a sort of interesting experiment that illustrates this. Use traceroute instead of ping so that you can see who is responding. Then traceroute to 10.1.255.255. You should receive a response only from the router. Then configure ip directed-broadcast on the remote router VLAN interface and try the traceroute again. This time you should receive responses from numerous hosts on the other subnet (subject, of course, to whether those hosts are running firewalls that permit response to ping or traceroute).
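One way to do the ingress filtering Rick suggests, shown here as an added example rather than anyone's posted configuration: an extended ACL on site A's VLAN interface that drops NetBIOS name, datagram and session traffic bound for site B, with directed broadcasts left disabled as Rick describes. The interface name Vlan10 and the ACL name are assumptions; the 10.1.0.0/16 and 10.2.0.0/16 subnets and the 10.1.1.1 address come from the thread, and site B gets the mirror image with the subnets swapped.

```ios
! Site A MSFC. Interface name Vlan10 and the ACL name are assumptions;
! 10.1.0.0/16 (site A) and 10.2.0.0/16 (site B) are the subnets from the thread.
ip access-list extended NO-NETBIOS-TO-SITEB
 remark NetBIOS name service (UDP 137), datagram (UDP 138), session (TCP 139)
 deny   udp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 eq netbios-ns
 deny   udp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 eq netbios-dgm
 deny   tcp 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255 eq 139
 remark Everything else between the sites still routes over the serial link
 permit ip any any
!
interface Vlan10
 ip address 10.1.1.1 255.255.0.0
 ! IOS default; keeps pings to 10.1.255.255 from being flooded onto the VLAN
 no ip directed-broadcast
 ! Applied inbound, so NetBIOS from site A hosts is dropped before it reaches the link
 ip access-group NO-NETBIOS-TO-SITEB in
!
! Verify: the deny entries' hit counters show what was crossing the link
! show access-lists NO-NETBIOS-TO-SITEB
```

With the ACL applied on both sites, nbtstat -an against a host at the other site should no longer resolve, and the per-entry counters in show access-lists tell you which of the three NetBIOS services was generating the traffic.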
Thks again Rick, and indeed for your patience.
I enabled directed broadcast on the remote router VLAN and used tracert, however I still only get a response from 10.1.255.255. Hosts are not running local firewalls or being filtered in any way. I still don't understand how using nbtstat -an resolves a remote computer name considering we are not using WINS and they are on separate VLANs and subnets with routers in between.
WINS is just the next generation of name service for NetBIOS. If you do not have a WINS server set up, then NetBIOS defaults to electing a NetBIOS name server. This happens every time a Windows machine comes online, as long as NetBIOS is enabled. You can alleviate all this by disabling NetBIOS on all machines. You would only want to do this if you have Active Directory running.
Your problem with NetBIOS crossing the routers may have to do with the network addressing that you are using. 10.0.0.0 255.0.0.0 is a Class A IP address range. Just because you are using only 2 Class B size subnets out of that range does not change the fact that it is still a Class A. I am not sure how the Windows TCP/IP stack deals with this.
Are you running a routing protocol? Do you have the ip classless command enabled in the router? If you are running a routing protocol, did you turn off auto summarization for the routing protocol?
Just some thoughts for you to consider. NetBIOS really sucks anyways. It would be better to turn it off, if you can live without it.