Monday, February 28, 2005

Q: How do I configure DHCP broadcast forwarding?

A:
A host can either be configured with its own IP address information, or it can be set to use DHCP. With DHCP, it will send out an IP broadcast message on the local network asking for an IP address. Of course, broadcasts do not traverse routers, so if the DHCP server is not on the local network with the DHCP client it will never hear the broadcast, and the DHCP client will never get an IP address.

Cisco's solution to this is the ip helper command, which is applied to an interface. If an interface has, say, ip helper 192.168.2.4 in its config, then any DHCP broadcast the router hears on that interface will be changed to a unicast and sent directly to 192.168.2.4, wherever that might be. If the host at that address is a DHCP server, and it is configured to hand out addresses for 192.168.2.0, it will do so; it knows from the source address that the router put on the packet that the address it gives out needs to be for that network. The DHCP server then sends the DHCP response back to the 192.168.2.0 network as a directed broadcast; the routers put it on that network and the client gets its address.

The problem is that there are many different types of IP broadcasts other than DHCP, and once ip helper is configured, Cisco passes about 7 of them by default. (The various broadcast types can be distinguished by their destination ports.) This includes not only DHCP but also a couple of types of Microsoft netbios broadcasts; passing the netbios broadcasts will screw up the Microsoft "browser" and cause lots of error messages in the Windows server event logs, complaining about duplicate names found on the network or msbrowse errors.

Cisco recommends the following commands be entered in global config mode on all routers which have "ip helper" configured on one or more interfaces. They prevent the forwarding of certain broadcasts; only the DHCP broadcasts need be forwarded. Here are the commands. The bootp directive is the one which allows DHCP broadcasts to be forwarded.
no ip forward-protocol udp tftp
no ip forward-protocol udp dns
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip forward-protocol udp bootpc
I don't know why Cisco Inc. makes forwarding of all the above protocols the default, only to say that most of the protocols need to be disabled for the network to work properly, but that's what they do. Implementation of the filters which mention "netbios" is the significant change here. It should prevent most of the msbrowse errors and duplicate name errors we are seeing on our server event logs.
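As an added check that is not part of the original post, the Python script below audits a saved IOS running-config for the situation described above: it lists the interfaces that carry an ip helper-address line (the full IOS spelling of the "ip helper" interface command) and reports which of the default-forwarded UDP broadcast types still lack a global no ip forward-protocol udp line. The sample config is constructed for the example; the interface names and the 10.1.1.4 helper address are assumptions.

```python
"""Audit an IOS running-config for UDP broadcast forwarding beyond DHCP."""
import re

# Broadcast types the post says IOS relays by default once a helper is set.
# Only the BOOTP/DHCP ones are needed; these should be explicitly disabled.
DEFAULT_FORWARDED = ("tftp", "dns", "time", "netbios-ns", "netbios-dgm", "tacacs")


def audit_helper_config(config_text):
    """Return (interfaces with helpers, default protocols still forwarded).

    A protocol counts as still forwarded unless a global
    'no ip forward-protocol udp <name>' line is present. If no interface
    has a helper address, nothing is relayed, so the second list is empty.
    """
    helper_ifaces = []
    disabled = set()
    current = None  # interface whose indented sub-commands we are reading
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # blank line or IOS comment
        if not line.startswith(" "):
            current = None  # back at global-config level
            m = re.match(r"interface\s+(\S+)", line)
            if m:
                current = m.group(1)
                continue
            m = re.match(r"no ip forward-protocol udp (\S+)", line)
            if m:
                disabled.add(m.group(1))
        elif current and line.strip().startswith("ip helper-address"):
            if current not in helper_ifaces:
                helper_ifaces.append(current)
    still_forwarded = [p for p in DEFAULT_FORWARDED if p not in disabled]
    return helper_ifaces, (still_forwarded if helper_ifaces else [])


# Constructed sample: helper set on one LAN interface, but only two of the
# recommended 'no ip forward-protocol' lines have been applied so far.
SAMPLE_CONFIG = """\
ip forward-protocol udp bootpc
no ip forward-protocol udp tftp
no ip forward-protocol udp dns
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 10.1.1.4
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
"""

if __name__ == "__main__":
    ifaces, leaks = audit_helper_config(SAMPLE_CONFIG)
    print("helper interfaces:", ifaces)
    print("still forwarded beyond DHCP:", leaks)
```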