Can you get around broadcasting between VLANs?

cyr0n_k0r (Supreme [H]ardness; joined Mar 30, 2001; 5,360 messages)
We have a piece of security software that requires itself to be on the same vlan as the devices in order to communicate with them. After researching it seems that really all they do is send out a UDP broadcast on ports 31500 and 31501. Is there a way to enable UDP broadcasts on these two ports between 2 vlans?
Normally broadcasts are not permitted across VLANs, but I'm wondering if there is a way to selectively get around this.
 
The device in question is a Cisco 4500. So it is doing layer 3.

I've been looking and it looks like I can use the ip forward-protocol command but not sure how.
 
ummm. no.

any real cisco people in here?

Looking more deeply at it, I think I can get it done with the following config. I just need someone to check my work.

vlan2 = source vlan (10.128.2.x/24)
vlan11 = destination vlan (10.128.12.x/24)

router#conf t
router(config)#ip forward-protocol udp 31500
router(config)#ip forward-protocol udp 31501
router(config)#interface vlan 2
router(config-if)#ip helper-address 10.128.12.255
router(config-if)#exit
router(config)#interface vlan 11
router(config-if)#ip directed-broadcast
router(config-if)#end
router#
 
> ummm. no.
>
> any real cisco people in here?
>
> Looking more deeply at it, I think I can get it done with the following config. I just need someone to check my work.
>
> vlan2 = source vlan (10.128.2.x/24)
> vlan11 = destination vlan (10.128.12.x/24)
>
> router#conf t
> router(config)#ip forward-protocol udp 31500
> router(config)#ip forward-protocol udp 31501
> router(config)#interface vlan 2
> router(config-if)#ip helper-address 10.128.12.255
> router(config-if)#exit
> router(config)#interface vlan 11
> router(config-if)#ip directed-broadcast
> router(config-if)#end
> router#

You're on the right track; this will explain it better than I would:

http://www.ciscopress.com/articles/article.asp?p=330807&seqNum=9
 
Put in a TAC case with Cisco. They can help you with a full answer in about 5 mins. Your company can purchase time for a TAC ticket. If your business can afford a 4500 series blade switch then you can certainly "probably" afford a little TAC expense. I know CCNPs who would still be a little confused when it comes to these big distro/core switches sometimes because the feature set is immense.

Also, your command line looks legit. You 100% need a router for the IP HELPER-ADDRESS command; however, that 4500 is layer 3. Not sure if it has that command as a true router would, but I would still bounce that off a few more sources. I do not have a lot of experience with the 4500 series, although I am installing one this weekend for a business, but I have 1 CCIE engineer and myself doing all the work so it will go smoothly.

Oh, and what you are referring to is what I believe is called a Relay Device. I would search Cisco documentation for "relay device". I have used it before on 3750's / 1841's.

LOL don't forget wr mem or you will hate yourself after it reboots haha. Just didn't see it in your CLI pastie above.
 
> ummm. no.
>
> any real cisco people in here?
>
> Looking more deeply at it, I think I can get it done with the following config. I just need someone to check my work.
>
> vlan2 = source vlan (10.128.2.x/24)
> vlan11 = destination vlan (10.128.12.x/24)
>
> router#conf t
> router(config)#ip forward-protocol udp 31500
> router(config)#ip forward-protocol udp 31501
> router(config)#interface vlan 2
> router(config-if)#ip helper-address 10.128.12.255
> router(config-if)#exit
> router(config)#interface vlan 11
> router(config-if)#ip directed-broadcast
> router(config-if)#end
> router#

Yes, that's correct. I've used this once in a lab before. Just be careful with ip directed-broadcast ... that does more than you think. Aside from your helper statement with those ports, any packet destined for 10.128.12.255 sourced from anywhere in your network will be flooded on that vlan. Further, all directed broadcasts get punted to the CPU (by design -- so the packet can be rewritten as a local broadcast), so if this UDP stream is bandwidth intensive then you're better off using PIM/multicast for this (technically, that's the correct workaround for broadcasts outside of a vlan). Otherwise, your router is guaranteed to melt.

Oh, and I just found out that you can put an ACL after the ip directed-broadcast ... which would solve problem #1 (any source broadcasting and killing your router -- you would only permit vlan2's SVI IP). Still wouldn't solve the bandwidth problem if that applies to you, though.

> Put in a TAC case with Cisco. They can help you with a full answer in about 5 mins. Your company can purchase time for a TAC ticket. If your business can afford a 4500 series blade switch then you can certainly "probably" afford a little TAC expense. I know CCNPs who would still be a little confused when it comes to these big distro/core switches sometimes because the feature set is immense.

Honestly, TAC is not what it used to be. If they're not from San Jose, they usually suck. More often than not, I usually get nothing out of the case. Then again, most of my cases are bugs.
 
Thanks guys.

@just2cool, if I implemented an ACL after that directed-broadcast, what might my ACL look like for my permits? If I used an ACL would I still need to use the forward-protocol globals? Or would I implement those in the ACL?
So the source address for the ACL would be vlan 2, so I would make it the vlan 2 SVI... makes sense.

@tangoseal, TAC doesn't like when you call and there isn't an actual problem (from my experience) I usually get pawned off to the cisco forums if I ask them questions like that and nothing is actually broken.
 
> If I used an ACL would I still need to use the forward-protocol globals?

You still need the forward-protocol stuff for your 2 UDP ports, otherwise helper-address just passes the other broadcast stuff like DHCP, netbios, yadda yadda. In fact, I had no idea helper-address could be used to forward other types of broadcast traffic. Useful!
 
> Thanks guys.
>
> @just2cool, if I implemented an ACL after that directed-broadcast, what might my ACL look like for my permits? If I used an ACL would I still need to use the forward-protocol globals? Or would I implement those in the ACL?
> So the source address for the ACL would be vlan 2, so I would make it the vlan 2 SVI... makes sense.
>
> @tangoseal, TAC doesn't like when you call and there isn't an actual problem (from my experience) I usually get pawned off to the cisco forums if I ask them questions like that and nothing is actually broken.

As damacus said, you still need the forward-protocol commands as well.

The forward-protocol commands tell the router to map UDP ports to the helper address anytime a broadcast message comes in. The ip directed-broadcast command is completely separate -- the only thing it knows is that it has a broadcast to forward if a packet hits 10.128.12.255. Some people use this feature differently. Your ACL could be standard and just include "permit vlan2-SVI"

I'll say it one more time for the sake of caution -- you should be entirely sure that this is true broadcast traffic and not heavy traffic. If it is heavy traffic, you will destroy your router. I recommend doing "sh proc cpu hi" frequently once you start testing this.
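The two mechanisms just2cool separates above (helper-address plus forward-protocol on the ingress SVI, directed-broadcast plus its ACL on the egress SVI) are easy to conflate, so here is an added Python model of the thread's topology that walks a packet through both steps. It is not Cisco code and not anything from this thread; the `Router`, `Svi`, `Packet`, `build_router` and `scenarios` names are mine, the third VLAN (vlan5) and the host 10.128.5.7 on it are constructed to show just2cool's "any source" concern, and the model assumes the relayed packet keeps its original source IP (consistent with the later TAC answer in the thread; DHCP relay, which rewrites the source, is not modelled). The default helper-forwarded ports are the standard IOS set.

```python
"""Added model (not Cisco's code) of ip helper-address / ip forward-protocol udp
on the ingress SVI and ip directed-broadcast [acl] on the egress SVI."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# UDP ports IOS forwards via ip helper-address when no `ip forward-protocol udp`
# line is present: TIME, TACACS, DNS, BOOTP/DHCP (67/68), TFTP, NetBIOS 137/138.
DEFAULT_HELPER_PORTS = frozenset({37, 49, 53, 67, 68, 69, 137, 138})
LIMITED_BROADCAST = IPv4Address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int  # UDP destination port


@dataclass
class Svi:
    network: IPv4Network
    helper_address: Optional[IPv4Address] = None  # ip helper-address <a.b.c.d>
    directed_broadcast: bool = False              # ip directed-broadcast [acl]
    acl_sources: Optional[frozenset] = None       # hosts the ACL permits; None = no ACL


class Router:
    def __init__(self, forward_protocol_ports=()):
        # Each `ip forward-protocol udp <port>` adds to the default set.
        self.forwarded_ports = DEFAULT_HELPER_PORTS | frozenset(forward_protocol_ports)
        self.svis = {}

    def add_svi(self, name: str, svi: Svi) -> None:
        self.svis[name] = svi

    def is_broadcast_on(self, vlan: str, pkt: Packet) -> bool:
        return pkt.dst in (LIMITED_BROADCAST, self.svis[vlan].network.broadcast_address)

    def helper_forward(self, vlan: str, pkt: Packet) -> Optional[Packet]:
        """Ingress step: a broadcast to a forwarded UDP port is re-addressed to the
        helper address and routed like a unicast. Source IP kept (assumption)."""
        svi = self.svis[vlan]
        if svi.helper_address is None or pkt.dport not in self.forwarded_ports:
            return None
        return Packet(pkt.src, svi.helper_address, pkt.dport)

    def deliver(self, pkt: Packet) -> str:
        """Egress step: a routed packet addressed to an SVI subnet's broadcast
        address is flooded there only if directed broadcast is enabled and the
        source passes the ACL. Independent of helper/forward-protocol."""
        for name, svi in self.svis.items():
            if pkt.dst == svi.network.broadcast_address:
                if not svi.directed_broadcast:
                    return f"{name}: dropped (no ip directed-broadcast)"
                if svi.acl_sources is not None and pkt.src not in svi.acl_sources:
                    return f"{name}: dropped by directed-broadcast ACL"
                return f"{name}: flooded as local broadcast (punted to CPU)"
            if pkt.dst in svi.network:
                return f"{name}: routed as unicast"
        return "no route"

    def handle(self, ingress_vlan: str, pkt: Packet) -> str:
        if self.is_broadcast_on(ingress_vlan, pkt):
            fwd = self.helper_forward(ingress_vlan, pkt)
            if fwd is None:
                return f"{ingress_vlan}: broadcast not forwarded (no helper or port not forwarded)"
            return self.deliver(fwd)
        return self.deliver(pkt)  # ordinary unicast, just routed


def build_router(acl_sources: Optional[frozenset] = None) -> Router:
    """Thread topology plus a constructed vlan5 (10.128.5.0/24) with no helper."""
    r = Router(forward_protocol_ports=(31500, 31501))
    r.add_svi("vlan2", Svi(IPv4Network("10.128.2.0/24"),
                           helper_address=IPv4Address("10.128.12.255")))
    r.add_svi("vlan11", Svi(IPv4Network("10.128.12.0/24"),
                            directed_broadcast=True, acl_sources=acl_sources))
    r.add_svi("vlan5", Svi(IPv4Network("10.128.5.0/24")))
    return r


SERVER = IPv4Address("10.128.2.129")
ROGUE = IPv4Address("10.128.5.7")  # constructed host on vlan5
DST_BCAST = IPv4Address("10.128.12.255")


def scenarios(acl_sources: Optional[frozenset] = None) -> dict:
    r = build_router(acl_sources)
    return {
        "beacon 31500": r.handle("vlan2", Packet(SERVER, LIMITED_BROADCAST, 31500)),
        "beacon 31502": r.handle("vlan2", Packet(SERVER, LIMITED_BROADCAST, 31502)),
        "netbios 137": r.handle("vlan2", Packet(SERVER, LIMITED_BROADCAST, 137)),
        "rogue to .255": r.handle("vlan5", Packet(ROGUE, DST_BCAST, 9999)),
    }


if __name__ == "__main__":
    for label, acl in (("no ACL", None),
                       ("ACL permits server", frozenset({SERVER})),
                       ("ACL permits gateway", frozenset({IPv4Address("10.128.2.1")}))):
        print(f"--- ip directed-broadcast: {label}")
        for k, v in scenarios(acl).items():
            print(f"{k:14} -> {v}")
```

Running it shows the three points the thread makes: without an ACL, the unrelated vlan5 host reaching 10.128.12.255 is flooded just like the beacon; the "permit host 10.128.2.129" ACL keeps the beacon and drops the rogue; and an ACL that permits only the vlan 2 gateway drops the beacon, because the relayed packet still carries the server's source address. NetBIOS on 137 is relayed too, since helper-address forwards its default ports in addition to the two configured ones.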
 
> I'll say it one more time for the sake of caution -- you should be entirely sure that this is true broadcast traffic and not heavy traffic. If it is heavy traffic, you will destroy your router. I recommend doing "sh proc cpu hi" frequently once you start testing this.
I'm sure. The security software sends out a broadcast beacon every 5 minutes on those 2 ports looking to see if any security devices have any new video footage to download. I need to get more info but I assume the security devices reply back via a unicast packet. I need to confirm with them though. Either way, I'm 99.9% sure that once the beacon has been received and replied to a unicast transfer session is created to actually get the video footage from the device over to the server.
 
I think this is right.

router# conf t
router(config)# ip forward-protocol udp 31500
router(config)# ip forward-protocol udp 31501
router(config)# interface vlan 2
router(config-if)# ip helper-address 10.128.12.255
router(config-if)# exit
router(config)# access-list 100 permit udp host 10.128.2.129 any eq 31500
router(config)# access-list 100 permit udp host 10.128.2.129 any eq 31501
router(config)# interface vlan 11
router(config-if)# ip directed-broadcast 100
router(config-if)# end


vlan 2 = source vlan (10.128.2.x / 24)
vlan 11 = destination vlan (10.128.12.x / 24)
server that is broadcasting = 10.128.2.129
 
Looks right to me.

Can't tell from the output there, but make sure your SVI address is the physical address, not HSRP VIP or any of that crap.
 
> Looks right to me.
>
> Can't tell from the output there, but make sure your SVI address is the physical address, not HSRP VIP or any of that crap.

The broadcasting server is 10.128.2.129
The subnet that server is on is a /24. So the .129 is just a coincidence.
Should the source address in the access map be the actual server's IP, or the gateway IP of the vlan? i.e. 10.128.2.1?
 
I'm not too sure.

ip helper-address makes the DHCP request the source of the vlan gateway (makes sense right? because the DHCP client has no IP).

But this is different because it's forward-protocol. Try both and see what happens. It's going to be one IP or the other. I'm going to guess it will be your server now actually.
 
I talked to TAC and they said server IP address. I'll try it both ways though once I get the software installed.
 