I need to forward UDP broadcast between two VLANs connected on a 4506. The broadcast is an all-net broadcast (255.255.255.255). The switch is doing inter-VLAN routing between these VLANs. I tried to do UDP flooding. The bridge 1 protocol ieee command to specify the IEEE Ethernet protocol does not work, and neither does the bridge-group 1 command in interface configuration mode. Can anyone help?
What kind of application are the broadcasts for? You can configure an 'ip helper-address' on your L3 interfaces, which will forward broadcasts for things such as DHCP to a specified IP address...
Hope that helps.
It is a proprietary application which uses UDP broadcast. I need to forward broadcast from the client VLAN to the server VLAN and vice versa. I tried ip helper-address and it works fine when I forward broadcast to particular servers. Since there is a large number of client IP addresses, I cannot specify each client's address as a helper address. As per the application requirements, the broadcast needs to be forwarded to the whole subnet and not to a particular host.
I tried UDP flooding, but the 4506 does not accept the "bridge-group" command on an interface VLAN. I tried the same command on a 6500 and it works.
You'll need to utilize ip helper-address and possibly ip forward-protocol udp as well.
ip helper-address will forward TFTP, DNS, Time, NetBIOS, ND, BOOTP or DHCP UDP packets. If you need a UDP protocol other than those, you'll need to define it using ip forward-protocol udp.
IP Helper reference:
IP Forward Protocol reference:
I tried ip helper-address and it works fine when I forward broadcast to a particular host. However, it does not serve my purpose. I need to forward broadcast to the whole subnet.
So your application requires clients and servers to be in the same broadcast domain. If this is a strict requirement, the best way to achieve this is to place them into the same broadcast domain, i.e. VLAN.
Bridging in a sense is doing the same thing ...
So that is what I would recommend: Place all clients in the server VLAN - unless there are further requirements contradicting this step. You did not mention any further obstacles, in case there are some let us know to find a suitable solution.
Hope this helps. Please rate all posts.
Due to security policies, we cannot place clients and servers in the same VLAN. We only want to forward UDP broadcast b/w these VLANs on a particular port. Secondly, both VLANs are already in place and operational. Now there is a new application which requires broadcast forwarding, and we cannot change the running network topology for the sake of this application only.
OK, so a common VLAN is not an option.
Did you try to use the command "ip broadcast-address" in combination with "ip forward-protocol udp"?
A flooded UDP datagram is given the destination address you specified with the ip broadcast-address command in the interface configuration mode on the output interface. The destination address can be set to any desired address.
This should finally do it.
Hope this helps! Please rate all posts.
I did try ip broadcast-address in combination with ip forward-protocol udp and ip helper-address. I set the ip broadcast-address and helper address to the subnet broadcast address. But it did not work.
If it is possible, why not make all ports connected to both VLANs members of the same VLAN (i.e. the same broadcast domain)? That would automatically resolve the issue.
Please do mention design limitations if any on this kind of a solution
Can you try to configure "ip broadcast-address 255.255.255.255" and "ip forward-protocol udp" without ip helper-address?
255.255.255.255 is the default IP broadcast-address on VLAN interfaces and I did try it.
Secondly, if I configure ip forward-protocol udp without ip helper-address, how will the switch know where to forward the broadcast? I don't think it should work.
You can configure the subnet address of your server VLAN as ip helper-address on the client VLAN and vice versa. To make this work you should enable ip directed-broadcast on both server and client VLANs.
I did try configuring the subnet broadcast address as ip helper-address, but it did not work. I am now going to try to debug the packets and see how the switch is treating them. Will post the results.
Thanks and regards,
Did you configure the ip directed-broadcast command? Nowadays it is disabled by default on an interface. Directed broadcasts could be used for smurf attacks. That is why it is disabled by default.
IP directed broadcasts are used in the popular "smurf" denial-of-service attack and derivatives thereof. An IP directed broadcast is a datagram that is sent to the broadcast address of a subnet to which the sending machine is not directly attached. The directed broadcast is routed through the network as a unicast packet until it arrives at the target subnet, where it is converted into a link-layer broadcast. Because of the nature of the IP addressing architecture, only the last router in the chain, the one that is connected directly to the target subnet, can conclusively identify a directed broadcast. Directed broadcasts are occasionally used for legitimate purposes, but such use is not common outside the financial services industry.
In a "smurf" attack, the attacker sends Internet Control Message Protocol (ICMP) echo requests from a falsified source address to a directed broadcast address, causing all the hosts on the target subnet to send replies to the falsified source. By sending a continuous stream of such requests, the attacker can create a much larger stream of replies, which can completely inundate the host whose address is being falsified.
If a Cisco interface is configured with the no ip directed-broadcast command, directed broadcasts that would otherwise expand into link-layer broadcasts at that interface are dropped instead.
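The approach suggested earlier in the thread (the other VLAN's subnet broadcast address as the ip helper-address target, with ip directed-broadcast enabled on the receiving SVI), written out as an added worked configuration. This is not from any post in the thread or from Cisco documentation; the VLAN numbers, addresses and the UDP port are assumptions and need to be replaced with real values. The access lists narrow the directed-broadcast expansion to the application's port only, so that enabling directed broadcasts does not reopen the smurf exposure described in the last post above.

```cisco
! Added example, not from any post in the thread. Assumptions: clients are
! VLAN 10 (10.1.10.0/24), servers are VLAN 20 (10.1.20.0/24), and the
! application broadcasts on UDP port 5000. Replace with real values.
!
! 1. Add the application's UDP port to the set the helper relays
!    (TFTP, DNS, Time, NetBIOS, BOOTP/DHCP etc. are already on the list).
ip forward-protocol udp 5000
!
! 2. Only expand directed broadcasts that carry the application port;
!    anything else sent to the subnet broadcast address is dropped.
access-list 110 remark directed broadcasts allowed to expand on VLAN 20
access-list 110 permit udp any host 10.1.20.255 eq 5000
access-list 120 remark directed broadcasts allowed to expand on VLAN 10
access-list 120 permit udp any host 10.1.10.255 eq 5000
!
! 3. Client VLAN: relay client broadcasts to the SERVER subnet broadcast
!    address, and let server-side broadcasts relayed here expand to a
!    link-layer broadcast only when ACL 120 permits them.
interface Vlan10
 description client VLAN
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.20.255
 ip directed-broadcast 120
!
! 4. Server VLAN: the mirror image.
interface Vlan20
 description server VLAN
 ip address 10.1.20.1 255.255.255.0
 ip helper-address 10.1.10.255
 ip directed-broadcast 110
!
! Verification: "show ip interface vlan 20" lists the helper address and
! whether directed broadcast forwarding is enabled; "debug ip udp" shows
! each relayed datagram (use with care on a busy switch).
```

Helper lines are additive, so an existing ip helper-address pointing at a DHCP server stays in place; DHCP discovers will also be relayed toward 10.1.20.255, but ACL 110 does not permit them, so they are dropped at the Vlan20 SVI instead of being broadcast to the servers. If the switch image does not accept an access list on ip directed-broadcast, the bare command works but expands every directed broadcast, and the smurf caveat from the post above then applies in full.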