Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1933
Views
0
Helpful
3
Replies

ip directed-broadcast, ip helper-address, ip forward-protocol

mawalk2
Level 1
Level 1

‎02-05-2004 06:13 AM - edited ‎03-02-2019 01:23 PM

Hi. When I go through all conversations about directed-broadcast etc (see title), I'm a little bit confused. We use a Cat6000 MSFC2 with latest native IOS and following config:

interface Vlan1

ip address 172.16.1.1 255.255.255.0

no ip redirects

ip directed-broadcast

!

interface Vlan2

ip address 172.16.2.1 255.255.255.0

ip helper-address 172.16.1.2

ip helper-address 172.16.1.3

ip helper-address 172.16.1.4

ip helper-address 172.16.1.5

ip helper-address 172.16.1.6

no ip redirects

ip directed-broadcast

!

interface Vlan3

ip address 172.16.3.1 255.255.255.0

ip directed-broadcast

!

ip forward-protocol udp 10042

Can anybody tell me what is now possible and restricted (BOOTP, udp forwarding of what and from where to where, directed broadcast going from where to where, etc)?

Thanks for every hint,

Mario

Labels:
0 Helpful
3 Replies 3

CKBudrodeen
Level 1
Level 1

‎02-06-2004 08:07 AM

Hi Mario,

My interpretation of your config :

Broadcasts received on interface VLAN2 which are detected as udp 10042, will be forwarded as unicasts to the 5 172.16.1.x addresses listed as helper-addresses.

If you want other types of broadcast traffic received on vlan 2 to be forwarded, you must add them globally with the ip forward-protocol command - as you've done with udp 10042.

The ip directed-broadcast command is unrelated. For example on your VLAN1 interface, this cmd will allow a broadcast to 172.16.1.255 (directed b/c) to be sent to all nodes on that subnet, even if the b/c came from another subnet/interface.

This leaves you open to attacks, and it is disabled by default.

There are often b/c with a source address from the 172.16.1.0/24 network, but these still propagate within that network.

Hope this helps.

Regards,

Craig

0 Helpful

mawalk2
Level 1
Level 1
In response to CKBudrodeen

‎02-09-2004 02:08 AM

Hi Craig

Thank you for your explanation, it helped a lot! Just one last question:

As far as I understand, ip-helper is not only used in conjunction with udp forward. Per default, ip-helper also forwards bootp/dhcp requests to the specified addresses, correct?

Br Mario

0 Helpful

CKBudrodeen
Level 1
Level 1
In response to mawalk2

‎02-09-2004 05:24 AM

Hi Mario,

That is correct. By default, once you define a helper address, there are 8 protocol broadcasts that are forwarded (all UDP) :

TFTP (port 69)

DNS (port 53)

Time (port 37)

NetBIOS Name Service (port 137)

NetBIOS datagram service (port 138)

BOOTP server (port 67)

BOOTP client (port 68)

TACACs (port 49).

What is generally done, is that you decide which of these protocols you want to forward, and specify these with the 'ip forward-protocol' command, as you have done.

Those you don't wish to forward, (say NetBIOS 137), then you enter 'no ip forward-protocol udp 137'.

Best of luck.

Regards,

Craig

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents