Cisco Support Community

MS Browser Service Problem over VLANs in 6509

Have multiple VLANs configured with ip helper address on all interfaces of the MSFC. Windows browser elections are passing over UDP 137/138 due to the helper address. When I use an access group on the out interface of a VLAN to deny UDP 137/138, we no longer get complete browse lists in Windows Explorer.

We are currently an NT Domain with WINS servers. Clients are mostly Windows 2000 Pro or XP.

Any suggestions?

Accepted Solutions

Re: MS Browser Service Problem over VLANs in 6509

JT, you don't actually even need access lists for this. There is a command for ip helper to block this traffic. This is something I threw together a little over a year ago to address these same issues. I hope this helps...

-Bo

From: Bowen, Ron
Sent: Mon 11/26/2001 2:54 PM

To: #Network Services

Subject: IP Helper + NT Domains = BAD

Ladies and Gentlemen,

Until recently, Enterprise's campus was one large, flat (single VLAN) network. With the addition of Enterprise Technology Center (ETC) at Weldon and E-Commerce Group (ECG) on North Rock Road, the network has outgrown its original design. It was the installation of ETC and ECG that prompted a re-design of the campus network to better facilitate the needs of the users as a whole. As a part of this redesign, the flat network design was broken into several platform-oriented VLANs and IP subnets. The addition of VLANs and IP subnets allows us to segment our network, better control data traffic, and improves scalability for future growth. However, this is not accomplished without a few growing pains.

Last week a problem using the IP Helper statement in router configurations was identified. The IP Helper statement forwards broadcast messages for workstations to a designated server. The IP Helper statement allows us the luxury of plugging PCs in anywhere in our network and they receive IP Addresses, domain information, WINS resolution and any other pertinent information. The IP Helper statement added to a router forwards all of these types of messages to a designated IP address, usually a DHCP server. This is normal operating procedure for any workstations on an NT Domain. This action has not been a problem in the past. With the new VLAN and IP scheme introduced earlier, some interesting facts were identified. There are some known problems with multiple subnets in NT Domains using the IP Helper statement. One of these problems is described on Cisco's web site (www.cisco.com):

"Windows Networking was originally designed to run on a single LAN segment or a bridged (flat) network.

Microsoft developed the LAN Services Browser to enable the user to browse a list of all computers available on the network. Each Windows Networking client registered its NetBIOS name periodically by sending broadcasts.

Every computer also had to send broadcasts to elect a browse master for the network. The browse master (and several backup browse masters) maintained the list of computers and their addresses. When a user browsed the network, the client sent a broadcast request and one of the browse masters responded."

The browse master will then send out a broadcast every 12 minutes to make sure that it is still the master browser for the network it is on. This is where we run into problems on our networks. The master browser will send a broadcast identifying itself as the master browser. The router, utilizing its IP helper statement, will then forward that broadcast to the server's IP address identified in the IP Helper statement. Only one master browser can exist on any one network, so if a master browser receives notice that another master browser exists on its network, an election is forced. An election generally occurs only when a new PC is added to the network segment. However, with the use of the IP Helper statement, these master browser broadcasts are forwarded to the network segment which hosts the DHCP server referenced in the IP Helper statement. This creates extra traffic on the networks and servers involved. If there are several networks that point to the same DHCP server via their router's IP Helper address, this amount of traffic multiplies.

If an IP helper address is specified and UDP forwarding is enabled, broadcast packets destined to the following port numbers are forwarded by default.

Time Service: Port 37
TACACS: Port 49
Domain Name Services: Port 53
Trivial File Transfer: Port 69
DHCP (BootP): Port 67 and Port 68
NetBIOS Name Server: Port 137
NetBIOS Datagram Server: Port 138

To resolve the master browser election issues, disabling IP forwarding to ports 137 and 138 has been identified as a solution. This solution needs to be applied to every router that has an IP Helper statement. The commands are configured globally in every router, so it is not necessary to apply each command to an interface. The following commands will disable the forwarding of packets to the respective ports:

no ip forward-protocol udp 137

no ip forward-protocol udp 138

These commands have been tested and do resolve the issues we have seen. These commands will need to be issued to every routing instance that contains an IP-Helper statement within the Enterprise Metropolitan Area Network (E-MAN). Although these commands should not negatively impact current production operations, the addition of these commands to router configs will be scheduled to be completed during a non-production window. These commands will also need to be added to the standard builds of any routing devices that utilize the IP Helper statement.

For more information on the IP Helper statement see:

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/1216ea1/3550scg/swipaddr.htm

For more information on NT Networks and the Master Browser function see:

http://www.cisco.com/warp/customer/473/winnt_dg.htm
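Because the fix is a global command rather than an interface ACL, the practical follow-up is verifying that every router carrying an ip helper-address also carries the two suppression lines, and that nothing later in the config re-enables them. The Python audit below is an added example, not part of the original thread and not Cisco's code; the running-config text it scans is constructed for illustration (hostnames and addresses are made up), and the default forwarded-port list is the one quoted above. It computes the effective forwarded set instead of grepping for two literal lines, so it also handles a bare "no ip forward-protocol udp" (all UDP forwarding off), a later re-enable, and the well-known names (netbios-ns, netbios-dgm) that IOS accepts in place of the numbers.

```python
"""Audit IOS running-configs for NetBIOS broadcast relay via ip helper-address.
Added example; the sample configs below are constructed, not from a real device."""
import re

# UDP ports an ip helper-address forwards by default (the list quoted in the post).
DEFAULT_FORWARDED = {37, 49, 53, 67, 68, 69, 137, 138}
# Well-known names IOS accepts (and may display) in place of the numbers.
PORT_NAMES = {"time": 37, "tacacs": 49, "domain": 53, "bootps": 67, "bootpc": 68,
              "tftp": 69, "netbios-ns": 137, "netbios-dgm": 138}
NETBIOS_PORTS = {137, 138}  # name service + datagram service: browser traffic rides here
FORWARD_RE = re.compile(r"^(?P<no>no )?ip forward-protocol udp(?:\s+(?P<port>\S+))?$")


def _port(token):
    """Resolve a port token that is either a number or a well-known IOS name."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def helper_interfaces(config):
    """Map interface name -> list of ip helper-address targets configured on it."""
    result, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "!":
            current = None  # IOS closes each interface stanza with '!'
        elif current and line.startswith("ip helper-address "):
            result.setdefault(current, []).append(line.split()[-1])
    return result


def forwarded_udp_ports(config):
    """Effective UDP ports the helper forwards once the global
    ip forward-protocol / no ip forward-protocol udp lines are applied in order."""
    ports = set(DEFAULT_FORWARDED)
    for raw in config.splitlines():
        m = FORWARD_RE.match(raw.strip())
        if not m:
            continue
        negate, token = bool(m.group("no")), m.group("port")
        if token is None:  # bare form: all UDP forwarding off (no) or defaults back on
            ports = set() if negate else set(DEFAULT_FORWARDED)
        elif negate:
            ports.discard(_port(token))
        else:
            ports.add(_port(token))
    return ports


def audit(configs):
    """configs: {hostname: running-config text}. A device needs the fix when it has
    at least one helper address and 137 or 138 is still in its forwarded set."""
    findings = {}
    for host, cfg in configs.items():
        helpers = helper_interfaces(cfg)
        leaking = sorted(NETBIOS_PORTS & forwarded_udp_ports(cfg)) if helpers else []
        findings[host] = {"helper_interfaces": sorted(helpers),
                          "netbios_forwarded": leaking, "needs_fix": bool(leaking)}
    return findings


# Constructed sample configs (hostnames and addresses are made up).
SAMPLE_CONFIGS = {
    # MSFC with helpers on two SVIs and defaults untouched: master-browser
    # announcements on 137/138 are relayed to 10.1.1.10's segment.
    "msfc-before": """\
hostname msfc-before
!
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip helper-address 10.1.1.10
!
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.1.1.10
!
""",
    # Same device after the two global commands from the post; one line uses the
    # well-known name and one the number, since IOS accepts both.
    "msfc-after": """\
hostname msfc-after
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp 138
!
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip helper-address 10.1.1.10
!
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.1.1.10
!
""",
    # No helper at all, so nothing is relayed and nothing needs changing.
    "edge-no-helper": """\
hostname edge-no-helper
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
!
""",
}

if __name__ == "__main__":
    for host, f in audit(SAMPLE_CONFIGS).items():
        status = "FIX NEEDED" if f["needs_fix"] else "ok"
        print(f"{host:16} helpers={f['helper_interfaces']} "
              f"netbios_forwarded={f['netbios_forwarded']} {status}")
```

Feed it the output of "show running-config" from each device that has an IP Helper statement; a device flagged FIX NEEDED is one where the two global lines are absent or were undone further down the config. The interface parser only looks at helper addresses, so an access-group on the SVI (the approach that broke browse lists in the question) does not count as a fix.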
