Priscilla Oppenheimer wrote:
> Thank you very much for your research and testing, Ben.
>
> The person who started this discussion (offline) also wrote back and
> confirmed that the subnet broadcasts are indeed forwarded to the address in
> his IP helper address command. I agree that it makes sense from the point
> of view that the subnet broadcast (10.10.255.255) is no different from an
> ordinary broadcast (255.255.255.255) at the MAC layer. They both go to
> FF:FF:FF:FF:FF:FF.
>
> There are concerns about this behavior however. In his case the DHCP server
> is the helper address. It is receiving all sorts of junk that it shouldn't
> receive, including WINS and BROWSE stuff. The IP Helper Address
> configuration is causing these packets to be sent as unicast packets to the
> DHCP server. It's probably just a minor performance issue, but worth fixing.
>
> I don't know enough about his network to recommend this definitely, but he
> may be able to configure "no ip forward-protocol 137" and "no ip
> forward-protocol 138" to ensure that the WINS and BROWSE stuff is not
> forwarded. I believe he has an actual WINS server also that can handle the
> WINS service and the nodes are configured as H-Nodes so they are unicasting
> to the WINS server in addition to sending their broadcasts.
>
> I thought this was interesting! I wonder how many people have thought about
> how much junk by default gets forwarded with IP helper address. And
> offline, some experts asked me why would a router forward a subnet
> broadcast, so they all agreed that this was not completely expected behavior.
>
> Thanks again,
>
> Priscilla
>
> At 10:00 AM 11/7/01, R. Benjamin Kessler wrote:
> >I set up a remote unix box running nmap and had it send packets to the subnet
> >broadcast address (in my case 192.168.72.255). I configured my router with
> >an ip helper command (sending to a single host). I executed the nmap
> >command with and without IP directed broadcast configured on the router
> >interface and didn't see any difference.
> >
> >Running a sniffer-like device on the target (of the ip helper command) I was
> >able to verify the receipt of the packets sent via nmap.
> >
> >Given a network similar to the following:
> >
> >     +-------+        +-------+
> >-----| rtr a |--------| rtr b |-----
> >  e0 +-------+ e1  e1 +-------+ e0
> >
> >My understanding of directed-broadcast is that if a packet sourced from rtr
> >a's e0 network is sent to the broadcast address of rtr b's e0; rtr b will
> >forward it if directed-broadcast is enabled and drop if not.
> >
> >IP helper impacts packets heading out (from the router) to the interface in
> >question not packets inbound.
> >
> >To take this discussion a step further, the IP helper function processes
> >packets sent to the MAC-layer broadcast address for the specified protocols.
> >A packet sent to the local IP broadcast address (10.10.255.255 in
> >Priscilla's example) will have the same MAC-layer destination address as a
> >packet sent to 255.255.255.255.
> >
> >Comments, questions? Anyone think my logic is all wet?
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> >Priscilla Oppenheimer
> >Sent: Tuesday, November 06, 2001 9:43 PM
> >To: [EMAIL PROTECTED]
> >Subject: Re: IP helper address and subnet broadcast [7:25485]
> >
> >
> >I know how IP helper address, directed broadcasts, NetBIOS, etc. work.
> >(NetBIOS session service doesn't broadcast, by the way, and in fact uses
> >TCP not UDP, so I doubt that it needs to be added to the list. It's used
> >between a client and server after the client has mapped the NetBIOS name to
> >the server's address.)
> >
> >The question is: will the router (with IP helper address) forward if the
> >source sends to a subnet broadcast such as 10.10.255.255 instead of sending
> >to 255.255.255.255?
> >Nowhere does the documentation say that it won't, so I
> >guess it will.
> >
> >Note that I am not asking about the forwarding of directed broadcasts. The
> >IP helper address is configured with an actual server's address, not a
> >directed broadcast address.
> >
> >I'm not looking for the boring answers to the boring questions. The
> >question is not the same one that you have seen many times. ;-)
> >
> >Priscilla
> >
> ________________________
>
> Priscilla Oppenheimer
> http://www.priscilla.com

Many of the big corporations have been aware of it for some time. When I had
to set up DHCP at a certain Silicon Valley giant corporation in 1996, I came
across their white paper on setting up DHCP relay via Cisco's ip
helper-address, with specific instructions to do a "no ip forward" on UDP 137
and 138.

Jonathan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=25734&t=25485
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
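As an added worked example (not part of Jonathan's post or anything from the thread), the following Python toy models the relay decision the thread is arguing about: why a packet to the subnet broadcast 10.10.255.255 gets relayed exactly like one to 255.255.255.255, and what "no ip forward-protocol udp 137/138" removes. The 10.10.1.1/16 interface, the 10.1.1.5 helper and the three config lines it parses are constructed for the example; the default UDP port list is IOS's documented default, embedded here as an assumption of the model.

```python
"""Toy model of IOS 'ip helper-address' relay decisions (added example, not IOS
code). A subnet-directed broadcast such as 10.10.255.255 reaches the router as
FF:FF:FF:FF:FF:FF exactly like 255.255.255.255, so the helper relays it as
unicast unless the UDP port was removed with 'no ip forward-protocol udp N'."""
import ipaddress
from dataclasses import dataclass, field

# UDP ports IOS relays by default once a helper address exists: time, TACACS,
# DNS, BOOTP server/client, TFTP, NetBIOS name service and datagram service.
DEFAULT_FORWARD_UDP = {37, 49, 53, 67, 68, 69, 137, 138}
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")

@dataclass
class Interface:
    address: str                                  # router address/prefix, e.g. "10.10.1.1/16"
    helpers: list = field(default_factory=list)   # ip helper-address targets
    # In real IOS 'ip forward-protocol' is global, not per interface; it is kept
    # here for simplicity in this single-interface model.
    forward_udp: set = field(default_factory=lambda: set(DEFAULT_FORWARD_UDP))

    def __post_init__(self):
        self.address = ipaddress.ip_interface(self.address)

def apply_config(iface: Interface, line: str) -> None:
    """Apply one of the three IOS config lines this toy model understands."""
    w = line.split()
    if w[:2] == ["ip", "helper-address"]:
        iface.helpers.append(w[2])
    elif w[:4] == ["no", "ip", "forward-protocol", "udp"]:
        iface.forward_udp.discard(int(w[4]))
    elif w[:3] == ["ip", "forward-protocol", "udp"]:
        iface.forward_udp.add(int(w[3]))
    else:
        raise ValueError(f"unsupported line: {line!r}")

def is_mac_broadcast(dst: str, iface: Interface) -> bool:
    """True if dst lands on FF:FF:FF:FF:FF:FF on this LAN: the limited
    broadcast or the subnet's own directed broadcast address."""
    d = ipaddress.IPv4Address(dst)
    return d == LIMITED_BROADCAST or d == iface.address.network.broadcast_address

def relay_targets(dst: str, proto: str, dport: int, iface: Interface) -> list:
    """Helper addresses the router would unicast this packet to ([] if none)."""
    if proto != "udp" or dport not in iface.forward_udp:
        return []
    return list(iface.helpers) if is_mac_broadcast(dst, iface) else []

if __name__ == "__main__":
    e0 = Interface("10.10.1.1/16")                   # constructed LAN
    apply_config(e0, "ip helper-address 10.1.1.5")   # constructed DHCP server
    for port in (137, 138):
        apply_config(e0, f"no ip forward-protocol udp {port}")
    print(relay_targets("10.10.255.255", "udp", 67, e0), relay_targets("10.10.255.255", "udp", 137, e0))
```

Running it prints `['10.1.1.5'] []`: DHCP to the subnet broadcast is still relayed, the NetBIOS name-service traffic to the same address no longer is.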