Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3544
Views
0
Helpful
6
Replies

IP Helper-Address and IP Forward-Protocol question

Go to solution
jclj
Level 1
Level 1

‎01-10-2014 09:58 AM - edited ‎03-07-2019 05:29 PM

Hi, I have a quick question on this. I am trying to forward UDP ports 1047, 1048, 1049 accross networks.  My understanding is that if I assign the IP Helper-Address on an interface this will forward all default UDP to the address specified. If I don't want this (which I don't) I have to go into global mode and specifically so no IP Forward-Protocol on all UDP ports I don't want forwarded, and then forward the ones I want.

Is this correct? What if I have multiple interfaces with IP Helper-Address, but want to forward some UDP ports to a network, but not the other network? Is it correct that IP Forward-Protocol only looks at interfaces with the IP Helper-Address configured?

Thanks for the help!

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎01-10-2014 01:41 PM

Your understanding is pretty much correct.

There is a standard set of UDP ports that are forwarded by ip helper-address. If you do not want these ports forwarded then you would use the no ip forward-protocol command to disable forwarding these ports.

If you want to forward non standard UDP ports (1047, 1048, 1049) then you use ip forward-protocol to enable forwarding of these ports.

I am not clear what you are asking in the last paragraph. It is not really a case of Forward Protocol looking at interfaces with helper address. It really is the case that interfaces with helper address look at Forward Protocol. Probably the result is the same as your phrasing. I am not sure whether you are saying that you will have helper address on several interfaces and want one set of ports forwarded on some and a different set of ports forwarded on others (this does not work) or you are saying that some interfaces will have helper address and will forward the set of ports that you specified and other interfaces do not have helper address and will not forward any UDP ports (this is the way that it does work). If I did not get your question quite right then please provide some clarification.

HTH

Rick

HTH

Rick

View solution in original post

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to jclj

‎01-10-2014 07:07 PM

I am still not understanding very well your question about multiple interfaces. So let me try to answer it this way. If you have interfaces for vlan 101 and for vlan 102 and both interfaces have configured ip helper-address, and you want to forward UDP 1047 out vlan 101 and not out vlan 102, then this does not work. The same ports are forwarded out both interfaces. So if there is a broadcast packet for UDP 1047 received on vlan 101 then it will be forwarded. If there is no broadcast packet for UDP 1047 on vlan 102 then nothing is forwarded. But if a broadcast packet for UDP 1047 is received on vlan 102 then it will be forwarded.

I am not aware of any thing on ASA that does this forwarding of UDP broadcasts.

HTH

Rick

HTH

Rick

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎01-10-2014 01:41 PM

Your understanding is pretty much correct.

There is a standard set of UDP ports that are forwarded by ip helper-address. If you do not want these ports forwarded then you would use the no ip forward-protocol command to disable forwarding these ports.

If you want to forward non standard UDP ports (1047, 1048, 1049) then you use ip forward-protocol to enable forwarding of these ports.

I am not clear what you are asking in the last paragraph. It is not really a case of Forward Protocol looking at interfaces with helper address. It really is the case that interfaces with helper address look at Forward Protocol. Probably the result is the same as your phrasing. I am not sure whether you are saying that you will have helper address on several interfaces and want one set of ports forwarded on some and a different set of ports forwarded on others (this does not work) or you are saying that some interfaces will have helper address and will forward the set of ports that you specified and other interfaces do not have helper address and will not forward any UDP ports (this is the way that it does work). If I did not get your question quite right then please provide some clarification.

HTH

Rick

HTH

Rick
0 Helpful

Go to solution
jclj
Level 1
Level 1
In response to Richard Burts

‎01-10-2014 01:54 PM

Thanks for the reply. The last paragraph question is this. If I have two separate vlan interfaces with ip helper-address and one interface I want to forward the UDP packets of 1047, but the other I don't...this is not possible, correct?

It's sounds like it wouldn't matter anyway because if it finds that port on the network already it wouldn't have to look at the ip helper-address to forward to another network.

Hopefully that makes sense. Thanks for the help.

0 Helpful

Go to solution
jclj
Level 1
Level 1
In response to jclj

‎01-10-2014 01:56 PM

Also, is there a way to do this same thing on an ASA? I have a network in the dmz that I need to forward those UDP packets across too.

Thanks

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to jclj

‎01-10-2014 03:12 PM

Hi,

IP helper-address is transforming UDP broadcasts into UDP unicasts and I don't know of such a mechanism on the ASA except for DHCP packets.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to jclj

‎01-10-2014 07:07 PM

I am still not understanding very well your question about multiple interfaces. So let me try to answer it this way. If you have interfaces for vlan 101 and for vlan 102 and both interfaces have configured ip helper-address, and you want to forward UDP 1047 out vlan 101 and not out vlan 102, then this does not work. The same ports are forwarded out both interfaces. So if there is a broadcast packet for UDP 1047 received on vlan 101 then it will be forwarded. If there is no broadcast packet for UDP 1047 on vlan 102 then nothing is forwarded. But if a broadcast packet for UDP 1047 is received on vlan 102 then it will be forwarded.

I am not aware of any thing on ASA that does this forwarding of UDP broadcasts.

HTH

Rick

HTH

Rick
0 Helpful

Go to solution
jclj
Level 1
Level 1
In response to Richard Burts

‎01-13-2014 08:33 AM

Yes, thank you for the information. I was able to understand and configure the switch correctly. Still working on the vlan in the DMZ, but i'm thinking i can just add an addition access list to do this. Thanks for all the help!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card