We currently have a layer 3 switch/3750G with various VLANs/SVIs. All appears to be working fine. We have a device which requires port 4000 UDP to be forwarded across VLANs. We already have ip helper; however, this opens 8 default ports. (DHCP is working fine.) I used the ip forward-protocol udp 4000 global command; however, the installer still can't find its device located in another VLAN during its install. As long as both are in the same VLAN, the installer is happy/works fine. Wireshark shows destination port 4000 and the source increments, such as 1271, 1272, etc. I don't believe the source is important, only since the destination is 4000 and we're dealing with UDP. Any ideas on how to get port 4000 UDP to traverse VLANs?
With no access lists applied to any of the SVIs, all traffic should be passing unimpeded between vlans.
Not sure I am understanding your situation...
[EDIT] OK, now I get it. You are involved with an application that requires UDP directed broadcasts across vlans.
Can you post the configs? You may need to configure bridging on the interfaces that are going to forward the UDP broadcasts. [EDIT]
I can not tell from your original post whether you are trying to forward UDP broadcasts on port 4000 to a unicast destination or whether you are trying to forward to a broadcast destination.
From the context of the question I wonder if you are attempting to forward to a broadcast destination address. If that is the case then in addition to the forward-protocol and helper-address, which you certainly need, you would need to configure ip directed-broadcast on the VLAN interface that you are forwarding to.
I don't have too much experience with UDP forwarding, so can I pick your brain a bit?
I thought that one had two choices:
1.) Configure helper addresses on the VLAN interfaces that will forward broadcast traffic, which doesn't scale too well in a redundant environment, or
2.) Use the ip UDP forward-protocol command to enable UDP port forwarding, whether unicast or directed broadcast.
I didn't know you had to configure both.
Also, do you use the "ip directed-broadcast" command on the VLAN interface, or is it "ip broadcast-address [subnet directed broadcast address]"?
I am glad that you are interested in this and am glad to help you figure out some more about how this works. The ip forward-protocol works with the ip helper-address command. By itself forward-protocol does not do anything. What forward-protocol does is to add additional UDP ports to the list of ports forwarded by helper-address.
So to be able to forward UDP port 4000 you need to specify ip forward-protocol for port 4000. And then you have to configure ip helper-address to do the forwarding.
Note that you can only forward broadcasts. There is not anything in IOS that would take a unicast and automatically make a copy and send it somewhere else.
The command is ip directed-broadcast, not ip broadcast-address. And it is not configured on the interface that does the forwarding. It is configured on the interface that will receive the forwarded broadcast and send it out onto the local LAN. By default IOS disables forwarding of received broadcast packets. So if you want to send received broadcasts out onto the local LAN you must enable it. (Note that there are several Denial of Service attacks that use directed broadcast as part of their attack. This is why IOS disables the function by default.)
Thanks for the response.
"The ip forward-protocol works with the ip helper-address command. By itself forward-protocol does not do anything. What forward-protocol does is to add additional UDP ports to the list of ports forwarded by helper-address."
That's what I always thought until I read this document this morning.
"The command is ip directed-broadcast, not ip broadcast-address. And it is not configured on the interface that does the forwarding. It is configured on the interface that will receive the forwarded broadcast and send it out onto the local LAN."
Again, that document...
"By default IOS disables forwarding of received broadcast packets. So if you want to send received broadcasts out onto the local LAN you must enable it."
Now, I'm really confused. :-) I always interpreted the concept of a router not forwarding broadcasts to mean that it will not forward broadcasts that it receives from a host on its LAN segment, not the other way around.
OK, I'm having a crisis now... :-)
Avert the crisis :)
First, let's clear up some terminology: the link that you sent discusses two different ways to propagate broadcasts: there is a forwarding solution (implemented at layer 3 using helper-address) and there is a flooding solution (implemented at layer 2 and using bridging). And the link that you posted points to the flooding/layer 2 bridging solution, so I suspect that this is where your confusion starts.
The current post is dealing with the layer 3 solution. If you want to have a thread to discuss the layer 2 solution we can certainly do that. But let's confine this thread to the layer 3 solution.
And then I think it would help to clarify some terminology about broadcasts. First, let's consider local broadcasts. Local broadcasts are generated by some machine on the local subnet. A local broadcast is received and processed by every host on the local subnet. It is one of the basic behaviors of layer 3 routers that they do not forward local broadcasts off of the local subnet. Sometimes we have a reason why we want to forward a local broadcast off of the local subnet (like the post that started this thread). So how can we change the basic behavior of layer 3 routers to not forward local broadcasts? That is where ip helper-address and ip forward-protocol come in. Using these features we create an exception where the local broadcast can be forwarded to remote subnets.
Usually ip helper-address is configured to forward local broadcasts to a remote unicast address. But there is the possibility that the helper-address configuration would forward to a remote broadcast address. This is an example of what is called a directed broadcast. (Another example of directed broadcast might be: ping 172.20.5.255, which is a ping to the broadcast address of subnet 172.20.5.) As I mentioned in my previous post, the directed broadcast is considered by some to be a security threat (since it is used in some DoS attacks). And the default behavior of IOS routers is that if they receive a directed broadcast whose destination is on their local LAN, the router will not forward the directed broadcast.
So if we have configured the helper-address to forward to a remote broadcast and if we want that broadcast to be delivered then the remote router interface must be configured to accept and deliver the directed broadcast using the ip directed-broadcast command.
So the important things to remember are the difference between the layer 2 solution for flooding broadcasts and the layer 3 solution of forwarding broadcasts using helper-address, and the difference in treatment of a local broadcast and of a directed broadcast.
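An added configuration sketch (not from any post in this thread) that puts the pieces from the two explanations above together for the original poster's case; the VLAN numbers, addresses and the ACL number are assumed:

```text
! Added example, not from the thread. Assumed layout:
! VLAN 10 = 192.0.2.0/24    (installer sends the UDP 4000 local broadcast)
! VLAN 20 = 198.51.100.0/24 (the device that must hear it)
!
! 1. Global: add UDP 4000 to the port list that ip helper-address relays.
!    On its own this line does nothing; it only extends the helper list.
ip forward-protocol udp 4000
! Risk reduction: helper-address also relays the default ports, so turn
! off the ones not needed here (keep 67/68 since DHCP relay is in use).
no ip forward-protocol udp 69
no ip forward-protocol udp 53
no ip forward-protocol udp 37
no ip forward-protocol udp 137
no ip forward-protocol udp 138
no ip forward-protocol udp 49
!
! 2. Source SVI: relay local broadcasts to VLAN 20's subnet broadcast
!    address. That is a directed broadcast, which is what the device
!    needs to see; a unicast helper entry would only reach one host.
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip helper-address 198.51.100.255
!
! 3. Destination SVI: IOS drops received directed broadcasts by default
!    (smurf-style DoS abuse), so enable delivery only here, and limit it
!    with an ACL so that only UDP 4000 is turned back into a local
!    broadcast on VLAN 20, not every directed broadcast that arrives.
access-list 101 permit udp any any eq 4000
interface Vlan20
 ip address 198.51.100.1 255.255.255.0
 ip directed-broadcast 101
```

To check the result, "show ip interface Vlan20" should report that directed broadcast forwarding is enabled, and a capture on VLAN 20 should show the installer's UDP 4000 probe arriving as a broadcast while the device's reply is routed back as ordinary unicast.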
Or should I say "maestro"? That was beautiful, man. It almost brought me to tears, especially the way you cleared up my confusion about local and directed broadcasts! :-)
Seriously, though, that was excellent and very informative. Please allow me to digest it, and if I have further questions, I'd like to know that you will be receptive to them. :-)