
New Member

Cisco Solution to Microsoft Browser Election Process

We have a significant and recurring issue in which PCs will become rogue master browsers. We don't have the human bandwidth to touch every desktop and perform the recommended registry hack to prevent PCs from initiating and winning browsing elections.

How can I prevent the propagation of these broadcast requests to other vlans????? The config of our core 6509 doesn't have any ip helper address statements so I don't understand how the damn broadcasts are getting propagated beyond the vlan in which the rogue PC is on anyway????

I have used the no ip forward-protocol udp netbios-ns and no ip forward-protocol udp netbios-dgm statements in global config mode and that didn't help. As I stated earlier, I don't have a helper address configured anyway so why would I try to deny the udp port 137 and 138 broadcasts?????

21 REPLIES
New Member

Re: Cisco Solution to Microsoft Browser Election Process

It's been a while since I've touched this, but don't the Master Browsers (per subnet) send directed NBT Datagrams to the Domain Master Browser as opposed to broadcast? Are you saying you have turned off ALL devices on the subnet from participating in the Browser election process and broadcasts are still being received?

New Member

Re: Cisco Solution to Microsoft Browser Election Process

I believe your statement about directed NBT datagrams is correct. Regarding your last question, the scenario is that we have a VLAN dedicated to wireless users. If I fire up my WLAN adapter on my WIN2K Pro notebook, I become the Domain Master Browser for the entire 3000 end-user NT domain. NOT GOOD... Because the first PC to jump on the wireless VLAN doesn't see a segment master browser, it forces an election and wins! What I don't understand is why/how that process gets through the wireless VLAN and into the VLAN in which the PDC/Domain Master Browser lives. I have sniffed the traffic and I see IP directed broadcast to the wireless VLAN with UDP source/destination port 138, Netbios source IP (my WLAN adapter), source name (my WLAN adapter), source port 138 and destination name "our NT Domain".

I am a Cisco engineer and I frankly don't understand how Netbios traverses across a directed broadcast packet and makes its way out of our wireless VLAN and over to another VLAN where the PDC/Domain Master Browser lives...that is what that sniff trace is saying. The source IP is my WLAN adapter and the destination IP is a directed broadcast YET the Netbios destination name is the "NT domain name". Does the router bridge the Netbios traffic by default?
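The fields read off the sniffer trace above (source IP, source NetBIOS name, destination name of the NT domain, UDP port 138) are the header of an RFC 1002 NetBIOS datagram; the 16th byte of each encoded name is the suffix that says which browser role the name belongs to (<1B> domain master browser, <1D> master browser, <1E> browser election). The following decoder is an added example, not code from this thread or from Cisco or Microsoft: it decodes the datagram header, reads out both names and their suffixes, and flags datagrams addressed to the DOMAIN<1E> election group, which is a quick way to identify which host on a VLAN is forcing elections from a capture of UDP/138 payloads. The host names, IP addresses and domain name in the sample packets are constructed for the example.

```python
import struct

# NetBIOS name suffixes (16th byte of the name) that matter for browsing.
SUFFIX = {
    0x00: "workstation",
    0x1B: "domain master browser",
    0x1C: "domain controllers",
    0x1D: "master browser",
    0x1E: "browser election",
    0x20: "file server",
}

DIRECT_GROUP_DATAGRAM = 0x11  # RFC 1002 MSG_TYPE for a group (broadcast) datagram


def encode_nb_name(name: str, suffix: int) -> bytes:
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the
    suffix byte, then split every byte into two nibbles and add 'A' to each."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append(ord("A") + (b >> 4))
        enc.append(ord("A") + (b & 0x0F))
    return bytes([32]) + bytes(enc) + b"\x00"


def decode_nb_name(buf: bytes, off: int):
    """Inverse of encode_nb_name; returns (name, suffix, offset after the label)."""
    if buf[off] != 32:
        raise ValueError("unexpected label length %d" % buf[off])
    enc = buf[off + 1:off + 33]
    if any(c < ord("A") or c > ord("P") for c in enc):
        raise ValueError("non-nibble character in encoded name")
    raw = bytes(((enc[i] - ord("A")) << 4) | (enc[i + 1] - ord("A")) for i in range(0, 32, 2))
    if buf[off + 33] != 0:
        raise ValueError("missing label terminator")
    return raw[:15].decode("ascii").rstrip(" "), raw[15], off + 34


def build_datagram(src_ip: str, src_name: str, dst_name: str, dst_suffix: int,
                   user_data: bytes = b"") -> bytes:
    """Build a direct-group NetBIOS datagram (the UDP/138 payload) as test input."""
    names = encode_nb_name(src_name, 0x00) + encode_nb_name(dst_name, dst_suffix)
    body = names + user_data
    header = struct.pack("!BBH4sHHH",
                         DIRECT_GROUP_DATAGRAM,
                         0x02,                                   # FLAGS: first fragment, B-node source
                         0x1234,                                 # DGM_ID (arbitrary)
                         bytes(int(o) for o in src_ip.split(".")),
                         138,                                    # SOURCE_PORT
                         len(body),                              # DGM_LENGTH
                         0)                                      # PACKET_OFFSET
    return header + body


def parse_datagram(pkt: bytes) -> dict:
    """Decode the 14-byte datagram header and the two encoded names that follow it."""
    msg_type, flags, dgm_id, src_ip, src_port, dgm_len, pkt_off = struct.unpack("!BBH4sHHH", pkt[:14])
    src_name, src_suf, off = decode_nb_name(pkt, 14)
    dst_name, dst_suf, off = decode_nb_name(pkt, off)
    return {
        "msg_type": msg_type,
        "source_ip": ".".join(str(b) for b in src_ip),
        "source_port": src_port,
        "source_name": src_name,
        "source_suffix": src_suf,
        "dest_name": dst_name,
        "dest_suffix": dst_suf,
        "dest_role": SUFFIX.get(dst_suf, "other"),
        "user_data_len": dgm_len - (off - 14),
    }


def is_browser_election(info: dict) -> bool:
    """Datagrams addressed to DOMAIN<1E> are browser-election traffic."""
    return info["dest_suffix"] == 0x1E


def find_election_sources(packets) -> list:
    """Return (source_ip, source_name, domain) for every election datagram."""
    hits = []
    for pkt in packets:
        info = parse_datagram(pkt)
        if is_browser_election(info):
            hits.append((info["source_ip"], info["source_name"], info["dest_name"]))
    return hits


# Constructed sample traffic: one election datagram from a hypothetical wireless
# client, and one ordinary datagram to a file server that is not election traffic.
SAMPLE_PACKETS = [
    build_datagram("10.50.0.23", "WLAN-NOTEBOOK", "CORPDOMAIN", 0x1E, b"\xffSMB"),
    build_datagram("10.50.0.40", "DESKTOP-7", "FILESRV01", 0x20, b"\xffSMB"),
]

if __name__ == "__main__":
    for ip, name, domain in find_election_sources(SAMPLE_PACKETS):
        print(f"election datagram from {name} ({ip}) for domain {domain}<1E>")
```

Feeding real UDP/138 payloads from a capture on the wireless VLAN to parse_datagram shows the same source name / destination name pair the trace above describes, and the destination suffix tells you whether the frame is an election announcement (<1E>) or a directed datagram to the domain master browser (<1B>).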

New Member

Re: Cisco Solution to Microsoft Browser Election Process

A simpler and more effective method might be to run the registry hack as part of a network login script.

Hope this helps.

New Member

Re: Cisco Solution to Microsoft Browser Election Process

Do you have any experience with this suggestion?

Gold

Re: Cisco Solution to Microsoft Browser Election Process

This is a dumb question, but do you have multiple protocols loaded on each PC? I have seen environments where the desktop technicians load everything -- TCP/IP, NWLink IPX/SPX, and NetBEUI -- on each PC. Within each broadcast domain/VLAN, there will be browser elections held for each of the protocols.

Are you routing some protocols, and bridging others? This can be a problem with the non-routed protocols because the browser elections will take place across VLANs, since those protocols are bridged.

I have had two customers who were routing IP and IPX, and bridging all others. Needed to bridge for DEC LAT enterprise-wide, but also got NetBEUI bridged as a side effect. Wasn't a problem until they each went above 250+ PCs across the enterprise with NetBEUI loaded. We put a stop to the NetBEUI browser wars by filtering bridged traffic based on protocol type (passed anything DEC, dropping the rest).

New Member

Re: Cisco Solution to Microsoft Browser Election Process

We do have IPX on the PDC, but not on the wireless PCs that are forcing browser elections and winning. So on the wireless VLAN, there would only be the IP browser election and what I don't understand is how that process is making it off the wireless VLAN and over to the VLAN in which the PDC lives. We don't have the IP helper address configured on the wireless VLAN...But DHCP is configured on our CAT 6509 to hand out IP addresses to the wireless clients.

We are not bridging anything as far as I know. Is anything bridged by default on a Cat6509? How can I tell what is being bridged? We have a Cat 6509 with dual Sups / MSFCs. So it is a L3 switch.

We have tried to filter the Netbios 137,138 ports and that didn't stop the wireless VLAN clients from forcing and winning the browser election. How did you filter?

New Member

Re: Cisco Solution to Microsoft Browser Election Process

how about "no ip directed broadcasts"?

New Member

Re: Cisco Solution to Microsoft Browser Election Process

Great suggestion. I will check it out. My trace showed a directed broadcast at the IP level and UDP 138 and Netbios source name (rogue PC) and destination name (our domain name). So if we prevent the directed broadcast, that might do it.

I will let you know.

Thanks

New Member

Re: Cisco Solution to Microsoft Browser Election Process

We are having the same exact issues on our network. We have done the following and it STILL does not fix the master browser issue.

Our vlans are configured as follows:

ip access-group 100 out
ip helper-address 172.19.1.1
ip helper-address 172.19.1.2
ip helper-address 172.19.1.3
no ip redirects
no ip directed-broadcast

And Access-Group 100 is as follows:

access-list 100 deny udp any any eq netbios-ns
access-list 100 deny udp any any eq netbios-dgm
access-list 100 permit ip any any

Any other suggestions?

New Member

Re: Cisco Solution to Microsoft Browser Election Process

Not expert on this... You can specify your Netbios node type. Does Netbios not just get encapsulated in and routed over the IP if the client has that particular 'feature' activated in their network client TCP/IP settings? That setting can be manually specified or Microsoft DHCP clients can be mandated to push this node type out by the DHCP scope setting.

New Member

Re: Cisco Solution to Microsoft Browser Election Process

why not use "no ip forwarding-protocol xxx"?

New Member

Re: Cisco Solution to Microsoft Browser Election Process

I know your primary goal is to find out how the broadcast-based NetBIOS packets are traversing VLANs and to stop the dysfunction from a network device approach...

However, "fixing" the problem from a Windows application level is another approach. It was touched upon briefly about stopping the computer-browser service with a logon script. It sounds like you are running a mixed NT4 Server/Win2000 Workstation environment since you mentioned PDCs. I have more experience with Win2000 servers than NT4 servers, but I did work in a 2000+ PC environment where a lot of daily changes were accomplished with NT logon scripts. Whenever any domain-based PC logs into its domain, it is forced domain policy, startup + logon scripts that override any local policies. In both NT + 2000 Domain controllers, there is a shared Sysvol folder that all workstations get their policies through. You can either change policies by running scripts that change registry settings, run executables, etc or you can "cleanly" target specific domain policy settings with a simple mouse click.

In Win2000's active directory Users + Computers, you locate the top of the domain hierarchy, which can be either the forest or domain level, choose properties, and view/edit the policy associated with the hierarchy level you desire. In the policy is pretty much every desirable workstation/security/windows/etc feature you could want... specifically, there is the computer browser service. You simply check to "enable" this policy and choose what you want to do with the policy. Disable would disable the service for every single workstation that logs into the domain. Of course if you don't have DNS or WINS services running, then your PCs with disabled computer browser services will not be able to "find" any other PCs in their Windows Network Neighborhood... You should only disable browsing if you have some other non-broadcast based service running for name resolution. Since I run Win2000 servers with DNS in my home lab with my 15 PCs, I turn off the browser service on all domain controllers and workstations... and rely solely on unicast-based DNS for all name resolution functions.

If you have a Windows "specialist" that works with you (you being the network engineer/net device specialist), the two of you should be able to get the script/domain policy working with minimal time + trouble. To clarify how the scripting/policy propagation works, just checkout Microsoft's Technet web site. You should be able to test this change in a small test lab with a single PDC, a few VLANs, and a few workstations...

Then of course there is the issue with the Catalysts and why they are propagating those pesky NetBIOS packets...

New Member

Re: Cisco Solution to Microsoft Browser Election Process

Hey, I got a suggestion - let's look at past posts for these same answers. This has been like the 6th thread on this same topic in two or three weeks. Here is a link to the post with the answer...

-Bo

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.ee91c21

New Member

Re: Cisco Solution to Microsoft Browser Election Process

Thanks for the info BUT we are not using the ip helper address syntax and so when I use your recommended no ip forward-protocol udp 137 and 138 statements, I get UDP port 137 not found to delete....

One of my earlier responses stated that we are not using the helper statement. Any further thoughts?

New Member

Re: Cisco Solution to Microsoft Browser Election Process

Yes, that link to the previous topic solves the problem... Even though this is a network device-based LAN forum, it might be helpful to discuss further how to disable the NetBIOS broadcasts initiated by the computer browsing service...

By properly configuring the 6509, you have effectively stopped the propagation of the broadcasts between LANs... but you still have unneeded broadcasts occurring on each LAN (as long as DNS/WINS is configured) that can be easily terminated.

If you feel that this discussion should end with the 6509's configuration, that's fine too.

New Member

Re: Cisco Solution to Microsoft Browser Election Process

Discussing it is not a problem. I guess I came out kinda harsh on that last post. The basic deal is that Microsoft products, generally, were built to exist on a flat network. Cisco propagated the use of different subnets/vlans. So, one would believe that these two industry magnates would converse on delivering solutions for the enterprise. Who knows? Maybe some day...

New Member

Re: Cisco Solution to Microsoft Browser Election Process

Make the change on the Domain Master Browser.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Browser\Parameters

Change the

"IsDomainMaster:REG_SZ:FALSE"

statement to

"IsDomainMaster:REG_SZ:True"

New Member

Re: Cisco Solution to Microsoft Browser Election Process

Guess what... You're not sending broadcasts... No surprise, huh. I finally understand your problem and you won't need to block any netbios datagrams, either :)))

Designate one MASTER BROWSER on each subnet and add LMHOSTS entries for the PDC and other MASTER BROWSERs.

Example:

###
192.168.1.100 PDC_NAME #PRE #DOM:Domain_NAME
192.168.2.100 MB-2_NAME #PRE
192.168.3.100 MB-3_NAME #PRE
###

Master browser elections are normal behavior... You just want to ensure you have at least one system on each subnet correctly configured, i.e. one that knows who the PDC is. Ensure that this one system with the LMHOSTS entries is hardcoded to act as MASTER BROWSER.

This should fix your problem... Which I believe ultimately to lie w/ name resolution and not anything cisco related....

I hope this helps, the suspense will be terrible I assure you :)))

New Member

Re: Cisco Solution to Microsoft Browser Election Process

You wrote:

Designate one MASTER BROWSER on each subnet and add LMHOSTS entries for the PDC and other MASTER BROWSERs

Where do I place these particular LMHOSTS files? On each PC?

New Member

Re: Cisco Solution to Microsoft Browser Election Process

You will find the LMHOSTS file under the following path (NT example)

C:\WINNT\system32\drivers\etc

Please note that there may be a file named Lmhosts.sam which is a sample file to follow. The file you create must be named LMHOSTS with no extension. A restart of the workstation will load the LMHOSTS file.
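The LMHOSTS layout given two replies up (one IP, one NetBIOS name, then the optional #PRE and #DOM:domain tags) is easy to get subtly wrong across many subnets, and a bad entry on the designated master browser is exactly what leaves a subnet free to elect a rogue. The following parser and checker is an added example, not code from this thread or from Microsoft: it parses the mapping lines, validates the address and the 15-character NetBIOS name, and then reports any listed subnet that has no preloaded browser entry and any file that does not carry exactly one #DOM entry for the PDC. The sample file mirrors the reply's example; the subnets passed to the check are constructed for the example.

```python
import ipaddress
import re

# Characters Microsoft documents as illegal in a NetBIOS computer name.
_BAD_NAME_CHARS = re.compile(r'[\\/:*?"<>|]')


def parse_lmhosts(text: str) -> list:
    """Parse LMHOSTS mapping lines into dicts.

    Lines beginning with '#' are comments. The #INCLUDE / #BEGIN_ALTERNATE
    block directives are out of scope for this example and are skipped too.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split()
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: expected '<ip> <name> [#PRE] [#DOM:domain]'")
        ip = ipaddress.IPv4Address(parts[0])        # raises ValueError on a bad address
        name = parts[1]
        if len(name) > 15 or _BAD_NAME_CHARS.search(name):
            raise ValueError(f"line {lineno}: {name!r} is not a valid NetBIOS name")
        tags = [t.upper() for t in parts[2:] if t.startswith("#")]
        domain = None
        for t in parts[2:]:
            if t.upper().startswith("#DOM:"):
                domain = t[5:]                      # keep the domain's own case
        entries.append({
            "line": lineno,
            "ip": str(ip),
            "name": name.upper(),
            "preload": "#PRE" in tags,
            "domain": domain,
        })
    return entries


def check_browser_coverage(entries: list, subnets: list) -> list:
    """Return problem strings; empty when every subnet has a preloaded (#PRE)
    browser entry and exactly one entry carries the #DOM tag."""
    problems = []
    dom_entries = [e for e in entries if e["domain"]]
    if len(dom_entries) != 1:
        problems.append(f"expected exactly one #DOM entry, found {len(dom_entries)}")
    for subnet in subnets:
        net = ipaddress.IPv4Network(subnet)
        covered = [e for e in entries
                   if e["preload"] and ipaddress.IPv4Address(e["ip"]) in net]
        if not covered:
            problems.append(f"no preloaded browser entry for {subnet}")
    return problems


# Constructed sample LMHOSTS content, following the layout shown in the reply above.
SAMPLE_LMHOSTS = """\
###
192.168.1.100 PDC_NAME #PRE #DOM:Domain_NAME
192.168.2.100 MB-2_NAME #PRE
192.168.3.100 MB-3_NAME #PRE
###
"""

# Constructed list of the subnets that are expected to have a designated browser.
SAMPLE_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24"]

if __name__ == "__main__":
    parsed = parse_lmhosts(SAMPLE_LMHOSTS)
    for e in parsed:
        print(f"{e['ip']:15} {e['name']:15} preload={e['preload']} domain={e['domain']}")
    for p in check_browser_coverage(parsed, SAMPLE_SUBNETS):
        print("PROBLEM:", p)
```

Run against the real file from the path given above, the check prints one line per subnet that still has no preloaded master browser entry, which is the list of subnets where an election can still be won by whichever client shows up first.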
