ip directed-broadcast over GRE?

Thomas Winther
Level 1

Hello

Is it possible in the above setup, to let Server A in site A send a directed broadcast to vlan 20 subnet in site B ?

What is the configuration needed to let this happen?

I've tried to enable the ip directed-broadcast command on all the L3 interfaces involved, with no success.
And adding the specific destination UDP port to ip forward-protocol udp xxx was not enough either.

What do I need? Can I accomplish this?

Rgds Thomas

10 Replies

Rolf Fischer
Level 9

Hello,

I've tried to enable the ip directed-broadcast command on all the L3 interfaces involved

That's only necessary on VLAN20's SVI; you should disable it on the other interfaces, and I'd also recommend using an (optional) ACL to accept directed broadcasts only from Server A:

interface vlan 20
 ip directed-broadcast <ACL>
!

The directed broadcast address belongs to VLAN20's prefix, so it is a routable address and should be reachable from Site A.

And adding the specific destination UDP port to ip forward-protocol udp xxx was not enough either.

Does the application on Server A use VLAN20's directed broadcast IP-address directly as the destination or does it send traffic via local UDP broadcast? In the latter case you'll need some additional configuration on Switch A:

ip forward-protocol udp <Port>
!
interface Vlan10
 ip helper-address 192.168.20.255
!

HTH
Rolf
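A fuller version of the two configurations Rolf outlines, added here as an example and not taken from the thread. Server A's address 192.168.10.10 and the application's UDP port 1000 are assumed from the nping test later in the thread, the ACL number is an assumption, and the Site A helper-address block is only needed if the application sends to the local broadcast rather than to 192.168.20.255 directly.

```cisco
! ---- Site B L3 switch: the only place ip directed-broadcast is needed ----
! Accept directed broadcasts to VLAN 20 only from Server A on the app port;
! the explicit deny with "log" makes any other source visible in syslog.
access-list 110 permit udp host 192.168.10.10 host 192.168.20.255 eq 1000
access-list 110 deny   ip any any log
!
interface Vlan20
 ip address 192.168.20.240 255.255.255.0
 ip directed-broadcast 110
!
! Every other routed interface keeps the default (Smurf-style reflection
! is not possible when directed broadcasts are dropped at the last hop).
interface Vlan30
 no ip directed-broadcast
!
interface Tunnel0
 no ip directed-broadcast
!
! ---- Site A L3 switch: ONLY if the application sends to the local
! ---- broadcast (255.255.255.255) instead of to 192.168.20.255 ----
ip forward-protocol udp 1000
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.20.255
!
! Verification on Site B (expected line: "Directed broadcast forwarding is enabled"):
! show ip interface vlan 20 | include Directed broadcast
! show access-lists 110
```

The IPsec policy does not need a separate entry for 192.168.20.255 as long as the GRE endpoints are the interesting traffic, because the directed broadcast travels inside the GRE packet.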

I agree with Rolf's points, especially that there is not anything special about GRE tunnels and directed broadcast, as long as the routing logic is correct and sends traffic over the GRE tunnel to get to 192.168.20.0/24. But I notice in the drawing that the GRE tunnel is part of an IPsec VPN, so there is also a need to check the VPN config to make sure that it is passing this traffic as well as the routing logic.

Rolf asks a very good question about whether the server can send the directed broadcast itself or whether the server sends a local broadcast which would need ip helper-address and possibly ip forward-protocol configuration to support sending the directed broadcast. And I agree that his suggestion about using the access list possibility in the ip directed-broadcast is a Best Practice.

HTH

Rick

Thank you Richard!

I've replied to Rolf's answer above.

If our understanding is correct that the server is sending the packet to destination address 192.168.20.255 then you do not need ip forward-protocol or ip helper-address. And the only place that you need ip directed-broadcast is the SVI for vlan 20.

If that is configured and the directed broadcast packets are not getting to the server in vlan 20 then we need to look for something else that is preventing them from working. I believe that Rolf's suggestion about ping from the server at site A to the switch and the server at site B are a good place to start. I would also be interested if you could provide some details about how the IPsec VPN is configured.

HTH

Rick

Thank you for taking the time Rolf.

I thought it should be only SVI vlan20 having the ip directed-broadcast. Then that SVI is "responsible" for broadcasting. So that's what I'm testing with now.

The application is sending to the directed broadcast IP directly as destination (192.168.20.255).
And that makes ip forward-protocol and ip helper-address unnecessary, as I understand it?

What I've been trying for testing is to send a UDP probe to the directed bcast IP, using a workstation in site A, vlan10:

C:\Program Files (x86)\Nmap>nping --udp --source-port 1000 --dest-port 1000 192.168.20.255

Starting Nping 0.7.01 ( https://nmap.org/nping ) at 2016-05-30 09:44 Greenwich Standard Time
SENT (0.0780s) UDP 192.168.10.10:1000 > 192.168.20.255:1000 ttl=64 id=41219 iplen=28
SENT (1.0940s) UDP 192.168.10.10:1000 > 192.168.20.255:1000 ttl=64 id=41219 iplen=28
SENT (2.0940s) UDP 192.168.10.10:1000 > 192.168.20.255:1000 ttl=64 id=41219 iplen=28
SENT (3.0940s) UDP 192.168.10.10:1000 > 192.168.20.255:1000 ttl=64 id=41219 iplen=28
SENT (4.0940s) UDP 192.168.10.10:1000 > 192.168.20.255:1000 ttl=64 id=41219 iplen=28

Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 5 (210B) | Rcvd: 0 (0B) | Lost: 5 (100.00%)
Nping done: 1 IP address pinged in 5.09 seconds

And I try to capture the broadcast reaching vlan20, with Wireshark running on Server B.

But I never see the broadcast packages arrive.

Is it my way of testing? 

Routing-wise, the L3 switches have a static /32 route to the partner's Loopback for the tunnel destination address.

And the IPsec only has the tunnel destinations in interesting traffic ACL.

i/eBGP is taking care of routing in the network.

Thomas, you're welcome.

The application is sending to the directed broadcast IP directly as destination (192.168.20.255).
And that makes ip forward-protocol and ip helper-address unnecessary, as I understand it?

That's correct.

And I try to capture the broadcast reaching vlan20, with Wireshark running on Server B.

But I never see the broadcast packages arrive.

From Server A, can you ping Switch B's VLAN20-SVI and Server B's IP address as well?

And from Switch B, does Server B reply when you ping 192.168.20.255?

Thomas Winther
Level 1

From Server A, can you ping Switch B's VLAN20-SVI and Server B's IP address as well?

Yes, I can ping Switch B's vlan20-SVI from Server A with success. And Server B's IP as well.

And from Switch B, does Server B reply when you ping 192.168.20.255?

No, Server B does not reply!
I've been struggling to ensure that Windows Firewall is disabled and the option "Allow unicast response to broadcast network traffic" is set to true.

Still no reply.

If I capture (Wireshark) the traffic on server B, the broadcast from Switch B:

ping 192.168.20.255 rep 1 source vlan20

..is destined for 255.255.255.255. Is that expected?

A few other Linux servers on the same vlan are actually replying to the ping.

Is this a Windows behaviour I'm seeing? Server B is Windows Server 2012 R2.

Thanks!

//Thomas 

The vlan20-SVI has all 1's in the broadcast address (default):

sh ip int vlan20
Vlan20 is up, line protocol is up
Internet address is 192.168.20.240/24
Broadcast address is 255.255.255.255
...

Should I set this to 192.168.20.255 ?

Thomas

We are making significant progress. You have established that the directed broadcast is propagated onto vlan 20. And it looks like you have established that server B does not reply, which is almost certainly a Windows issue. So from the networking and routing perspective things are working as they should.

When the switch/router receives a packet with a destination address of 192.168.20.255, and where 192.168.20.0/24 is a locally connected subnet, then what the switch/router sends out its interface is to 255.255.255.255 as a local broadcast. This is normal behavior. You do not need to change the interface configuration.

HTH

Rick

you have established that the directed broadcast is propagated onto vlan 20

I'm not sure...
I'm not able to capture any broadcasts in Server B, when pinging or probing the Site B directed broadcast address from server A.

Server A is getting sporadic ICMP replies though. From the GRE tunnel's IP address in Site B! Weird.

And the directed broadcast is successful if I ping from switch A, sourcing SVI-vlan10. My Wireshark capture in Server B sees it fine (as a local 255.255.255.255 bcast).

//Thomas