I had a similar situation in the past where the DHCP servers were on *nix
boxes and they got flooded with the NetBT stuff (from 3000+ workstations)
needlessly.  In this type of a situation "no ip forward-protocol" is your
friend.

To just forward the DHCP requests you need to do the following:

no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs

It would be nice if you could disable all and then specifically add the ones
you want (i.e. the passive-interface default / no passive-interface method)
but - at least on the versions I've tried - she's a no go.  You can disable
all udp flooding with the command:

no ip forward-protocol udp 

But as soon as you enable a specific service this command gets
'un-done'...perhaps it can be a feature request for the programmers @
Cisco watching this list (do any?).

Hope this helps.

Ben
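To make the behavior discussed in this thread concrete, here is an added model (not from the list or from Cisco) of the two decisions at play: which UDP ports an "ip helper-address" still relays after Ben's "no ip forward-protocol udp" lines, and whether a packet to the subnet broadcast (10.10.255.255) is treated the same as one to 255.255.255.255. The default port list is the documented IOS default; the "un-done" behavior after re-enabling one port is modeled on Ben's observation, not verified against IOS.

```python
import ipaddress

# Cisco IOS default UDP ports relayed by "ip helper-address" (keyword -> port).
DEFAULT_HELPER_PORTS = {
    "bootps": 67, "bootpc": 68, "tftp": 69, "nameserver": 42, "domain": 53,
    "time": 37, "netbios-ns": 137, "netbios-dgm": 138, "tacacs": 49,
}
MAC_BROADCAST = "ff:ff:ff:ff:ff:ff"


def _port(token):
    """Map a forward-protocol keyword or numeric port to an int (None if unknown)."""
    return DEFAULT_HELPER_PORTS.get(token, int(token) if token.isdigit() else None)


def apply_forward_protocol(config_lines):
    """Return the set of UDP ports still relayed after the given config lines.
    Models Ben's observation (assumption, not verified): a bare
    'no ip forward-protocol udp' clears everything, but a later
    'ip forward-protocol udp <x>' restores the defaults and adds <x>."""
    ports = set(DEFAULT_HELPER_PORTS.values())
    for line in config_lines:
        parts = line.split()
        if parts[:4] == ["no", "ip", "forward-protocol", "udp"]:
            if len(parts) == 4:
                ports.clear()
            else:
                ports.discard(_port(parts[4]))
        elif parts[:3] == ["ip", "forward-protocol", "udp"] and len(parts) == 4:
            ports |= set(DEFAULT_HELPER_PORTS.values())
            if _port(parts[3]) is not None:
                ports.add(_port(parts[3]))
    return ports


def relay_target(dst_ip, dst_mac, udp_port, iface_net, helper, forwarded_ports):
    """Decide where a UDP packet arriving on an interface goes.
    Returns the helper address if it is relayed as unicast, else None.
    Both 255.255.255.255 and the interface's subnet broadcast qualify,
    since both carry the same FF:FF:FF:FF:FF:FF MAC destination."""
    net = ipaddress.ip_network(iface_net, strict=False)
    addr = ipaddress.ip_address(dst_ip)
    ip_bcast = addr == ipaddress.ip_address("255.255.255.255") or addr == net.broadcast_address
    if dst_mac.lower() != MAC_BROADCAST or not ip_bcast:
        return None
    return helper if udp_port in forwarded_ports else None
```

With Ben's seven "no" lines applied only BOOTP/DHCP (67/68) survives, so a NetBIOS name query (UDP 137) to 10.10.255.255 is no longer unicast to the DHCP server.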

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 07, 2001 2:44 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: IP helper address and subnet broadcast [7:25485]


Thank you very much for your research and testing, Ben.

The person who started this discussion (offline) also wrote back and
confirmed that the subnet broadcasts are indeed forwarded to the address in
his IP helper address command. I agree that it makes sense from the point
of view that the subnet broadcast (10.10.255.255) is no different from an
ordinary broadcast (255.255.255.255) at the MAC layer. They both go to
FF:FF:FF:FF:FF:FF.

There are concerns about this behavior however. In his case the DHCP server
is the helper address. It is receiving all sorts of junk that it shouldn't
receive, including WINS and BROWSE stuff. The IP Helper Address
configuration is causing these packets to be sent as unicast packets to the
DHCP server. It's probably just a minor performance issue, but worth fixing.

I don't know enough about his network to recommend this definitely, but he
may be able to configure "no ip forward-protocol 137" and "no ip
forward-protocol 138" to ensure that the WINS and BROWSE stuff is not
forwarded. I believe he has an actual WINS server also that can handle the
WINS service and the nodes are configured as H-Nodes so they are unicasting
to the WINS server in addition to sending their broadcasts.

I thought this was interesting! I wonder how many people have thought about
how much junk by default gets forwarded with IP helper address. And
offline, some experts asked me why a router would forward a subnet
broadcast, so they all agreed that this was not completely expected
behavior.

Thanks again,

Priscilla



At 10:00 AM 11/7/01, R. Benjamin Kessler wrote:
>I set up a remote unix box running nmap and had it send packets to the subnet
>broadcast address (in my case 192.168.72.255).  I configured my router with
>an ip helper command (sending to a single host).  I executed the nmap
>command with and without IP directed broadcast configured on the router
>interface and didn't see any difference.
>
>Running a sniffer-like device on the target (of the ip helper command) I was
>able to verify the receipt of the packets sent via nmap.
>
>Given a network similar to the following:
>
>      +-------+        +-------+
>-----| rtr a |--------| rtr b |-----
>   e0 +-------+ e1  e1 +-------+ e0
>
>My understanding of directed-broadcast is that if a packet sourced from rtr
>a's e0 network is sent to the broadcast address of rtr b's e0; rtr b will
>forward it if directed-broadcast is enabled and drop if not.
>
>IP helper impacts packets heading out (from the router) to the interface in
>question not packets inbound.
>
>To take this discussion a step further, the IP helper function processes
>packets sent to the MAC-layer broadcast address for the specified protocols.
>A packet sent to the local IP broadcast address (10.10.255.255 in
>Priscilla's example) will have the same MAC-layer destination address as a
>packet sent to 255.255.255.255.
>
>Comments, questions?  Anyone think my logic is all wet?
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
>Priscilla Oppenheimer
>Sent: Tuesday, November 06, 2001 9:43 PM
>To: [EMAIL PROTECTED]
>Subject: Re: IP helper address and subnet broadcast [7:25485]
>
>
>I know how IP helper address, directed broadcasts, NetBIOS, etc. work.
>(NetBIOS session service doesn't broadcast, by the way, and in fact uses
>TCP not UDP, so I doubt that it needs to be added to the list. It's used
>between a client and server after the client has mapped the NetBIOS name to
>the server's address.)
>
>The question is: will the router (with IP helper address) forward if the
>source sends to a subnet broadcast such as 10.10.255.255 instead of sending
>to 255.255.255.255? Nowhere does the documentation say that it won't, so I
>guess it will.
>
>Note that I am not asking about the forwarding of directed broadcasts. The
>IP helper address is configured with an actual server's address, not a
>directed broadcast address.
>
>I'm not looking for the boring answers to the boring questions. The
>question is not the same one that you have seen many times. ;-)
>
>Priscilla


________________________

Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=25690&t=25485