Solved: Solve Netbios issue with helper-address ?

netadmincsm · ‎06-28-2011

Hi All

I need to move around 4 PC from a flat network to a particular subnet (VLAN) into our router.

When all the PC was into the flat network everything was fine regarding Netbios broadcast (ex.: when PC1 wanted to talk with PC3 with the PC's name, PC1 did a netbios broadcast asking for the ip address of PC3)

NOTE : There's no domain server into that network.

But now, with a couple a PCs into a new VLAN, the broadcast wont work anymore.

VLAN10

PC1, PC2,

VLAN20

PC3, PC4, PC5, PC6

I put an "ip helper-address" for PC3-6 into the vlan10 and I put an "ip helper-address" for PC1, 2 into VLAN20. Everything is nor working fine but...

Does it a good solution to add ip helper-address to solve this problem ?

Thank you very much.

Thotsaphon Lueangwattanaphong · ‎06-28-2011

Hi,

If we can do internal dns, we should. In your case,you can do something like this.

Let's say we only need to forward udp/137 and udp/138 from VLAN10 to VLAN20. Lets say VLAN 20 is 192.168.20.0/24.

!

Switch(conf)#no ip forward protocol udp 37

Switch(conf)#no ip forward protocol udp 49

Switch(conf)#no ip forward protocol udp 53

Switch(conf)#no ip forward protocol udp 67

Switch(conf)#no ip forward protocol udp 68

Switch(conf)#no ip forward protocol udp 69

Switch(conf)#interface vlan 10

Switch(conf-if)#ip helper-address 192.168.20.255

Switch(conf-if)interface vlan 20

Switch(conf-if)#ip directed-broadcast

!

If you don't want to add each host,you can do this. And let us know how things work out.

HTH,

Toshi

View solution in original post

vmiller · ‎06-28-2011

Asked and answered. you fixed it, by definition thats good.

As long as you understand what the helper is doing. I trust you are doing the helper for port 137 ?

There are some broadcasts that do need to be forwarded, This is one of them.

netadmincsm · ‎06-28-2011

Yes it's for 137 or 138 maybe

Is it normal that I have to use a helper-address line for each PC on each vlan ?

Thanks for the answer

Thotsaphon Lueangwattanaphong · ‎06-28-2011

Hi,

If we can do internal dns, we should. In your case,you can do something like this.

Let's say we only need to forward udp/137 and udp/138 from VLAN10 to VLAN20. Lets say VLAN 20 is 192.168.20.0/24.

!

Switch(conf)#no ip forward protocol udp 37

Switch(conf)#no ip forward protocol udp 49

Switch(conf)#no ip forward protocol udp 53

Switch(conf)#no ip forward protocol udp 67

Switch(conf)#no ip forward protocol udp 68

Switch(conf)#no ip forward protocol udp 69

Switch(conf)#interface vlan 10

Switch(conf-if)#ip helper-address 192.168.20.255

Switch(conf-if)interface vlan 20

Switch(conf-if)#ip directed-broadcast

!

If you don't want to add each host,you can do this. And let us know how things work out.

HTH,

Toshi

cadet alain · ‎06-29-2011

Hi Toshi,

ip directed broadcast is not for all 255s, ain't it? so it will not solve the problem as Netbios is broadcasting to all 255s.

Can you confirm/infirm my thought.

Regards.

Alain.

Don't forget to rate helpful posts.

Thotsaphon Lueangwattanaphong · ‎06-29-2011

Hi Alain,

In this case,"ip directed-broadcast" is actually used to convert 192.168.20.255 to FF-FF-FF-FF-FF-FF to allow all nodes in VLAN20 to receive udp/137 and udp/138. Its disabled by default. You can check it by using "show ip interface "

HTH,

Toshi

cadet alain · ‎06-29-2011

Hi Toshi,

ok I agree with what you said but the netbios layer 3 broadcast is 255.255.255.255 so when it comes into router it will be blocked and the only way to solve this issue is using ip helper-adress or a WINS server

I think the ip directed broadcast which by the way is disabled by default for security measures is another feature.

Again correct me if I'm wrong.

Regards.

Alain.

Don't forget to rate helpful posts.

Thotsaphon Lueangwattanaphong · ‎06-29-2011

Hi Alian,

Well, I already posted this requirement.

Let's say we only need to forward udp/137 and udp/138 from VLAN10 to VLAN20. Lets say VLAN 20 is 192.168.20.0/24.

Let's see what is going on.

1. Hosts on VLAN-10 uses NetBios to solve the names of PCs on VLAN-20.

2. Switch takes care of Dst Addr:255.255.255.255 and Dst port:UDP/137 and then convert it to 192.168.20.255 because of "ip helper-address 192.168.20.255" configured on VLAN-10 inteface.

3. Switch converts 192.168.20.255 to FF-FF-FF-FF-FF-FF and send it to VLAN-20 segmant because of "ip directed-broadcast" configured on VLAN-20 interface.

If you want to see the detailed packets,you can lab it up and use "debug ip packet detail". It should work like a charm. Why do I do this? Because you don't need to use multiple statements of "ip helper-address" commands to define hosts. As you know, ip helper-address forwards many udp ports by default. you can select or define new udp ports you want.

HTH,

Toshi

cadet alain · ‎06-29-2011

Hi Toshi,

2. Switch takes care of Dst Addr:255.255.255.255 and Dst port:UDP/137 and then convert it to

192.168.20.255

because of "

ip helper-address 192.168.20.255

" configured on VLAN-10 inteface.

ok I had overlooked this helper-address towards a directed broadcast I hadn't used this feature as of yet.

But wouldn't it be more secure to configure a wins server rather than this trick which is great but reenables ip directed-broadcast on the interface.

This way he would also get rid of those horrendous netbios broadcasts name resolutions.

Regards.

Alain.

Don't forget to rate helpful posts.

Thotsaphon Lueangwattanaphong · ‎06-29-2011

Hi Alian

You are right. Its a security concern. Thats why I told him that if we can do internal dns,we should.

Sent from Cisco Technical Support iPhone App

netadmincsm · ‎06-29-2011

Thank you veru much for all your questions and answers. It really helps me too figure out what I will doing.

Your help was very appreciated.