Command precedence ip helper-address ip directed-broadcast

Of the two commands ip helper-address and ip directed-broadcast, which takes precedence when a broadcast arrives?
Posted by WebUser Lance Macdonald from Cisco Support Community App

I think there is not really any precedence.
The usage guidelines of the ip helper-address command state:
The following conditions must be met for a UDP or IP packet to be able to use the ip helper-address command: The MAC address of the received frame must be all-ones broadcast address (ffff.ffff.ffff). The IP destination address must be one of the following: all-ones broadcast (255.255.255.255), subnet broadcast for the receiving interface (...)
That means that the ip helper has no effect when a directed broadcast is received from another subnet; it has to be a layer-2 broadcast from the local subnet.
If you enable directed broadcasts and send a UDP packet to the subnet's broadcast address as a layer-2 broadcast frame, and UDP forwarding is enabled for the port, I'd assume that
- an IP unicast packet is sent to the configured helper
- an all-ones broadcast is sent within the local subnet
Best regards
Rolf
Btw: Why did you post that in the Data Center - Application Networking section?
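The three conditions Rolf quotes from the usage guidelines, turned into a small decision model so the "no precedence" point can be checked case by case. This is an added example, not code from the thread or from IOS; the forwarded-port table, the SVI and the sample frames are constructed for it.

```python
"""Decision model for ip helper-address, following the three conditions
quoted in the answer above (layer-2 broadcast MAC, all-ones or receiving
subnet broadcast IP, forwarded UDP port). Added illustration, not IOS code;
the port table and sample frames are constructed for this example."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface
from typing import Iterable, List, Set

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
LIMITED_BROADCAST = IPv4Address("255.255.255.255")

# UDP services the answers on this page name as forwarded by default
# (DHCP 67/68, TFTP 69, DNS 53, NetBIOS 137/138, TACACS 49); constructed
# from that list, extended at runtime by 'ip forward-protocol udp <port>'.
DEFAULT_FORWARDED_PORTS: Set[int] = {49, 53, 67, 68, 69, 137, 138}


@dataclass
class Frame:
    """Received frame, reduced to the fields the guidelines test."""
    dst_mac: str
    dst_ip: str
    udp_dport: int


@dataclass
class Svi:
    """Receiving interface: address/mask plus its ip helper-address entries."""
    addr: IPv4Interface
    helpers: List[str] = field(default_factory=list)


def helper_eligible(frame: Frame, svi: Svi, extra_ports: Iterable[int] = ()) -> bool:
    """Apply the three usage-guideline conditions in order."""
    if frame.dst_mac.lower() != BROADCAST_MAC:
        return False          # condition 1: must arrive as a layer-2 broadcast
    subnet_bcast = svi.addr.network.broadcast_address
    if IPv4Address(frame.dst_ip) not in (LIMITED_BROADCAST, subnet_bcast):
        return False          # condition 2: all-ones or this subnet's broadcast
    return frame.udp_dport in DEFAULT_FORWARDED_PORTS | set(extra_ports)


def relay_targets(frame: Frame, svi: Svi, extra_ports: Iterable[int] = ()) -> List[str]:
    """Unicast destinations the broadcast is rewritten to ([] = not relayed)."""
    if not helper_eligible(frame, svi, extra_ports):
        return []
    return list(svi.helpers)     # one unicast copy per ip helper-address


# Constructed sample: an SVI like the Vlan4 one in the HSRP thread below,
# with a single helper pointing at a DHCP server on another subnet.
VLAN4 = Svi(IPv4Interface("10.1.4.2/24"), ["10.1.0.8"])

# 1) DHCPDISCOVER: L2 broadcast, 255.255.255.255, udp/67 -> relayed
DISCOVER = Frame(BROADCAST_MAC, "255.255.255.255", 67)
# 2) Directed broadcast 10.1.4.255 routed in from another subnet arrives
#    with the router's own MAC, not ff:ff:..., so the helper ignores it.
DIRECTED = Frame("00:11:22:33:44:55", "10.1.4.255", 67)
# 3) Local WoL datagram to udp/7: relayed only once port 7 is added.
WOL_LOCAL = Frame(BROADCAST_MAC, "10.1.4.255", 7)
# 4) Broadcast for a different subnet seen on Vlan4: not this SVI's broadcast.
OTHER_SUBNET = Frame(BROADCAST_MAC, "10.1.5.255", 67)

if __name__ == "__main__":
    print("discover:", relay_targets(DISCOVER, VLAN4))
    print("directed:", relay_targets(DIRECTED, VLAN4))
    print("wol:", relay_targets(WOL_LOCAL, VLAN4))
    print("wol + forward-protocol udp 7:", relay_targets(WOL_LOCAL, VLAN4, {7}))
    print("other subnet:", relay_targets(OTHER_SUBNET, VLAN4))
```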

Similar Messages

  • Command " no ip directed-broadcast" ?

    I configured a router interface E0 with the command "ip address x.x.x.x y.y.y.y" only, but when I "show run", I found there's an extra command under E0 (see below) which is "no ip directed-broadcast". I can't remove this line, not sure what this line is doing.
    interface Ethernet0
    description : connect to O6LXC29OOBC01(switch)
    ip address x.x.x.x y.y.y.y
    no ip directed-broadcast

    Wayne
    Jon has provided a good discussion of ip directed-broadcast and the reasons why many people want to disable this. I would like to add a small supplement to his explanation about why it is in the config.
    The command is added to the configuration by the IOS. As you comment you did not type it in but it is in the config automatically. A little background may help explain why IOS does automatically put this command into the config.
    In earlier versions of IOS the default was to enable directed broadcasts (and in general people thought that it was a good feature). But as networks grew and as we faced more threats and network attacks people began to recognize the security weakness of directed-broadcast and began to want to turn it off. And at some point Cisco changed the default. Now the default is no ip directed-broadcast. And Cisco now automatically adds that to the configuration to be clear about what the behavior of the router will be.
    Cisco has done this kind of thing for several commands where the default behavior has changed - to automatically insert into the config the command for the default that has changed (for example putting subnet-zero into the config).
    If you want to remove the command no ip directed-broadcast from the configuration you can put ip directed-broadcast into the interface configuration and it will remove the no ip directed-broadcast. (of course it will insert the ip directed-broadcast under the interface configuration)
    HTH
    Rick

  • Problems working with ip helper-address command

    I have 2 switches L3 4507 working in HA with HSRP, so in the active switch I have the following interface configuration:
    interface Vlan2
    ip address 10.1.0.2 255.255.254.0
    standby 2 ip 10.1.0.1
    standby 2 priority 150
    standby 2 preempt
    interface Vlan4
    ip address 10.1.4.2 255.255.255.0
    ip helper-address 10.1.0.8
    standby 4 ip 10.1.4.1
    standby 4 priority 150
    standby 4 preempt
    interface Vlan15
    ip address 10.1.5.2 255.255.255.128
    ip helper-address 10.1.0.8
    standby 15 ip 10.1.5.1
    standby 15 priority 150
    standby 15 preempt
    And, in my standby switch I have this configuration:
    interface Vlan2
    ip address 10.1.0.3 255.255.254.0
    standby 2 ip 10.1.0.1
    interface Vlan4
    ip address 10.1.4.3 255.255.255.0
    ip helper-address 10.1.0.8
    standby 4 ip 10.1.4.1
    standby 4 priority 50
    interface Vlan15
    ip address 10.1.5.3 255.255.255.128
    ip helper-address 10.1.0.8
    standby 15 ip 10.1.5.1
    standby 15 priority 50
    So, the problem is that some ports belonging to a particular VLAN, for example VLAN 15, must take an IP address from the network 10.1.5.0/25, but those ports are taking an IP from the network 10.1.0.0/23…
    I'll appreciate your help, thanks.

    I guess the issue will be related to the DHCP server alone and its settings, since you said your clients get an IP from the DHCP server. That confirms that your ip helper is working fine and it's routing the DHCP broadcasts, and the DHCP server then assigns an IP.
    So the only possible reason I can think of should be the settings of the DHCP scope.
    Do you have the same problem with all the scopes? I mean, do all the different VLANs get incorrect IPs, or is this issue related to only one VLAN?
    Also check whether you have any other DHCP servers besides the allowed one, since it is sometimes possible to have other DHCP servers in your network unknowingly, which you can find by shutting this DHCP down :)

  • Directed broadcasts on an interface

    Which command configures directed broadcasts on an interface?
    A. ip int broadcast
    B. ipv6 unicast routing
    C. ip helper address
    D. ip directed-broadcast
    any idea
    regards
    Neo

    The answer is D, but it's not such good practice to use this method.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/1cprt2/1cipadr.htm
    bye
    FCS
    Please rate me if I helped.

  • Directed broadcast and unicast

    Hi all , 
    below is an excerpt from the link http://www.cisco.com/web/techdoc/dc/reference/cli/nxos/commands/l3/ip_directed-broadcast.html
    A device that is not directly connected to its destination subnet forwards an IP directed broadcast in the same way it would forward unicast IP packets destined to a host on that subnet. When a directed broadcast packet reaches a device that is directly connected to its destination subnet, that packet is broadcast on the destination subnet. The destination address in the IP header of the packet is rewritten to the configured IP broadcast address for the subnet, and the packet is sent as a link-layer broadcast.
    here is my question 
    When a server on the serverfarm switch sends a WoL packet (IP directed broadcast 10.0.7.255), it would be forwarded like a unicast packet.
    The unicast packet will be routed through the core to the distribution. So as I understand it, I don't need to do any configuration changes on the core.
    The changes are required only on the distribution and serverfarm.
    Please correct me if I am wrong.
    My configurations are below 
    Serverfarm 
    Interface vlan 10
    Ip add 192.168.80.2 255.255.255.0
    host 
    Distribution
    Interface vlan 100
    Ip add 10.0.7.2 255.255.255.0
    Serverfarm switch
    interface vlan 10
    ip helper-address 10.0.7.255
    Distribution switch 
    access-list 102 permit udp host 192.168.80.10 any eq 7
    ip forward-protocol udp 7
    interface vlan 100 
    ip directed-broadcast 102

    Most tools to generate WoL Magic Packets send them as UDP datagrams and set the destination IP to the limited broadcast address 255.255.255.255, thus those Magic Packets are never routed (Scope = local subnet).
    That's why you need in this case the ip helper command, which converts (local) UDP broadcasts of several well-known protocols (DHCP, TFTP, DNS, NetBIOS, TACACS) into unicasts and then forwards them to the helper address.
    Since the portnumbers typically used by WoL tools (7, 9) are different from those used by the well-known protocols, you'd also need the 'ip forward-protocol udp <number>' command to make it work.
    If I understand you correctly, your WoL tool allows you to set the destination IP to a directed broadcast IP. In this case you don't need any additional configuration because directed broadcast IPs are routable.
    HTH
    Rolf

  • Ip helper-address with two dhcp server

    I have two DHCP servers running on VLAN 1, which serve our workstations on VLAN 2. 10.10.10.51 is our primary and 10.10.10.52 is the secondary server.
    My question is:
    - Which server would my workstation get the dhcp from?
    - If the primary server is down, could I reach the second DHCP server? And if the primary server comes back online, which server would be serving our DHCP clients?
    interface Vlan1
    ip address 10.10.10.1 255.255.255.0
    no ip redirects
    ip directed-broadcast
    interface Vlan2
    ip address 10.10.20.1 255.255.255.0
    ip helper-address 10.10.10.51
    ip helper-address 10.10.10.52
    no ip redirects
    ip directed-broadcast

    Hi,
    I don't agree.
    AFAIK, using two ip helper-address entries in a router config will cause the dhcp request being sent to BOTH dhcp servers.
    So both the primary and secondary dhcp server will send a dhcp offer to the workstation. The workstation will choose one of the offers and confirm it to the server.
    So ip helper-address command will not help you to choose if dhcp server is primary or secondary.
    You can either use different dynamic address pools on primary and secondary dhcp server (and the same static entries) or to arrange some kind of dhcp server failover:
    See
    http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_DHCP_imp_ClusteringSupport.htm
    There is also RFC 2131 describing DHCP Failover Protocol.
    Regards,
    Milan

  • Ip helper-address

    Hi All,
    Does ip helper-address work with 2 ip ranges in a VLAN in a catalyst 3750?
    ip forward-protocol udp 6112
    int vlan 1
    ip address 192.168.0.1 255.255.255.0
    int vlan 2
    ip helper-address 192.168.0.100
    ip address 192.168.1.100 255.255.255.0
    ip address 192.168.2.100 255.255.255.0 secondary

    Normally, you need an "IP-Helper" command in the interface that is away from the resource you are trying to reach.
    The broadcast request is received and if there's an IP-Helper established on that interface, the broadcast is passed toward that resource as a unicast ... so that it can pass through any other intermediate routers along the way.
    Since you set that interface up as a "secondary," I believe it will work, since that interface is going to receive the broadcast request from either LAN (primary or secondary).
    What I'm trying to figure out is why you are multi-netting ... it generally complicates things and is usually only used to accommodate transition from "the old address scheme" to "the new address scheme."
    Are you short on ports?
    Good Luck
    Scott
    Are you just short on ports?

  • Helper Address on a ONLY Layer 2 aware Switch

    Hi, 
    Been scratching my head for a while now; I don't know why a switch even has the "ip helper-address" command. Doesn't it need routing to accomplish this kind of task?
    I have a switch with 2 SVI's, fair enough, one for Vlan 10 and the other for Vlan 20,
    Vlan 10 = 192.168.10.0/24
    Vlan 20 = 192.168.20.0/24
    I have a DHCP server on VLAN 10, with the IP address 192.168.10.1. Now it has scopes for VLAN 20 as well, so I go into VLAN 20 and do this:
    # interface vlan 20
    # ip address 192.168.20.1 255.255.255.0
    # ip helper-address 192.168.10.1
    Now this should work, right? But it doesn't! (I've seen in Wireshark that it doesn't even forward the DISCOVER message on to SVI 10's VLAN 10 ports.) But it does work when we configure a DEFAULT GATEWAY for the switch and the DHCP server is at a REMOTE location where the switch does not have an interface directly connected! What is this? It's like blowing my mind! Please elaborate.

    If this is a Layer 2 only switch then I cannot see how a helper address would work.
    The SVI's you have created are going to be for management, they cannot be the Default Gateways of the Vlans IF the switch is Layer 2 only.
    When your clients send out a DHCPDISCOVER message, that frame will hit the SVI address because its a 'host' on that same vlan that the client is on.
    If this were a Layer 3 SVI (i.e on a Layer 3 switch) then it would forward that frame to the helper address configured. In order for the Layer 3 switch to forward the frame, it needs to do a lookup in its routing table for the destination subnet.
    This is a layer 2 switch; it has no routing table, so it will be unable to forward the DHCPDISCOVER message to the helper address.
    See here (Peters post) for an explanation of why the Layer 2 switch can act as a DHCP relay if the DHCP server is on a remote subnet:
    https://supportforums.cisco.com/discussion/11385901/does-ip-helper-address-work-layer-2-switch-2950

  • Best Practice for ip helper-address

    I have 2 dhcp servers on same subnet 192.168.1.0
    I'm trying to setup my SVI
    Gateway 192.168.6.1
    How should the ip helper-address be setup?
    ip helper-address 192.168.1.0
    or
    ip helper-address 192.168.1.1 <- dhcp 1
    ip helper-address 192.168.1.2 <- dhcp 2
    2 Dhcp servers setup each to handle half the scope of a given subnet.

    Sparky
    Generally I believe that the best practice for this is to use two helper address statements. This will send two unicast packets, one to each server. The other alternative is to send a directed broadcast (which would actually be ip helper-address 192.168.1.255). To do this you would also have to be sure that ip directed-broadcast was enabled on the router interface connecting to the 192.168.1.0 subnet. Many people regard ip directed-broadcast as a security vulnerability and do not want it enabled. If your environment is comfortable with enabling this function then both alternatives would work. The advantage of the directed broadcast is that it transmits one packet rather than transmitting two packets. If it were me I would use two helper address statements.
    HTH
    Rick

  • PXE Boot/Ip helper address for staging OS-es

    Hi,
    In our production environment there is already a PXE-server SCCM 2007. Now, we're setting up an SCCM 2012-server which we would like to test staging/OS-deployment also.
    Is it safe to say we need to add the IP of the SCCM 2012 "066 Boot Server Host Name" to stage? Note: on switches (Cisco) this is ip helper address, correct?
    Please clarify.
    NOTE: is there an option to make it work WITHOUT needing a new VLAN?
    J.
    Jan Hoedt

    DHCP options and IP helper addresses have the same end goal but are completely different things.
    IP Helpers automatically forward broadcast requests to a destination system thus "bridging" subnets for services like DHCP and PXE.
    DHCP scope options directly instruct the NIC to boot from a specific PXE server.
    So, yes, it is possible to manipulate where a client PXE boots from, but it takes an integral understanding of how PXE works, of how IP Helpers work, and of how NICs initiate a PXE boot when either IP Helpers or DHCP scope options are in place (and thus DHCP also). Because *none* of this really has anything to do with ConfigMgr or even Microsoft itself, there really is no Microsoft guidance except that IP Helpers are preferred and are the Microsoft supported solution. A great starting reference is at http://en.wikipedia.org/wiki/Preboot_Execution_Environment
    Jason | http://blog.configmgrftw.com
    Is there any official Microsoft documentation that outlines why IP Helpers are preferred over scope options?

  • Wake on LAN - ip directed broadcast

    We're looking at deploying a Wake-on-LAN solution for software distribution. The first alternative to distribute the 'magic packet' is enabling 'ip directed-broadcast' in each router, which presents a security risk (man in the middle attack, ARP table poisoning), the second alternative is to extend ARP aging time in the routers which presents the same security risk.
    My question is, how can this security risk be reduced or minimized? (Options I've heard of: 'dynamic ARP inspection' in the switches, an ACL on the router associated with the ip directed-broadcast command allowing only software distribution servers to convert directed-broadcast packets into unicast packets.) I have a concern about extending ARP aging time and its impact on current or future applications.
    I'll appreciate any comment. Thanks.

    IP directed broadcasts are used in the popular "smurf" denial-of-service attack and derivatives thereof. An IP directed broadcast is a datagram that is sent to the broadcast address of a subnet to which the sending machine is not directly attached. The directed broadcast is routed through the network as a unicast packet until it arrives at the target subnet, where it is converted into a link-layer broadcast. Because of the nature of the IP addressing architecture, only the last router in the chain, the one that is connected directly to the target subnet, can conclusively identify a directed broadcast. Directed broadcasts are occasionally used for legitimate purposes, but such use is not common outside the financial services industry. In a "smurf" attack, the attacker sends Internet Control Message Protocol (ICMP) echo requests from a falsified source address to a directed broadcast address, causing all the hosts on the target subnet to send replies to the falsified source. By sending a continuous stream of such requests, the attacker can create a much larger stream of replies, which can completely inundate the host whose address is being falsified. If a Cisco interface is configured with the no ip directed-broadcast command, directed broadcasts that would otherwise expand into link-layer broadcasts at that interface are dropped instead.
    If you are behind a firewall and are confident in your security policy, then I don't see this as being a problem.
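The last-hop behaviour described in the answer above, and the ACL option the original poster asks about (the `ip directed-broadcast <acl>` form that the earlier WoL thread configures as access-list 102), as a small forwarding model. This is an added example, not code from the thread or from IOS; the SVIs, the ACL contents and the two packets are constructed from the figures on this page, and the spoofed source is a TEST-NET placeholder.

```python
"""Last-hop handling of an IP directed broadcast, as described above: a
router not connected to the destination subnet forwards it like a unicast;
the directly connected router either drops it ('no ip directed-broadcast',
the current default) or expands it to a link-layer broadcast, optionally
only for sources permitted by an ACL ('ip directed-broadcast <acl>').
Added illustration, not IOS code; ACL and packets constructed from the page."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                     # "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Ace:
    """One 'permit' entry of an extended ACL (implicit deny at the end)."""
    proto: str
    src: IPv4Network
    dport: Optional[int] = None    # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and IPv4Address(p.src) in self.src
                and (self.dport is None or p.dport == self.dport))


@dataclass
class Svi:
    addr: IPv4Interface
    directed_broadcast: bool = False      # 'no ip directed-broadcast' default
    acl: Optional[List[Ace]] = None       # 'ip directed-broadcast <acl>'


def forward(p: Packet, connected: List[Svi]) -> str:
    """Return what this router does with the packet."""
    dst = IPv4Address(p.dst)
    for svi in connected:
        if dst == svi.addr.network.broadcast_address:
            # Only the router attached to the subnet can tell it is directed.
            if not svi.directed_broadcast:
                return "drop"                          # no ip directed-broadcast
            if svi.acl is not None and not any(a.matches(p) for a in svi.acl):
                return "drop"                          # source/port not permitted
            return "link-layer-broadcast"
    return "unicast-forward"       # not a connected subnet's broadcast: route it


# Constructed from the WoL thread: access-list 102 permits only the WoL
# server 192.168.80.10 to udp/7; the distribution SVI 10.0.7.2/24 applies it.
ACL_102 = [Ace("udp", IPv4Network("192.168.80.10/32"), 7)]
DISTRIBUTION = [Svi(IPv4Interface("10.0.7.2/24"), True, ACL_102)]
DISTRIBUTION_DEFAULT = [Svi(IPv4Interface("10.0.7.2/24"))]
CORE = [Svi(IPv4Interface("10.0.1.1/24"))]     # not attached to 10.0.7.0/24

WOL = Packet("192.168.80.10", "10.0.7.255", "udp", 7)
# Smurf-style probe: spoofed (placeholder) source, ICMP echo to the broadcast
SMURF = Packet("203.0.113.9", "10.0.7.255", "icmp")

if __name__ == "__main__":
    print("core:", forward(WOL, CORE), forward(SMURF, CORE))
    print("distribution, ACL:", forward(WOL, DISTRIBUTION), forward(SMURF, DISTRIBUTION))
    print("distribution, default:", forward(WOL, DISTRIBUTION_DEFAULT))
```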

  • PXE across subnets using IP Helper Address

    For 10 years I have been trying to get my network engineers to add an IP Helper address of our SCCM PXE Server in order to provide an Enterprise PXE service for our campus (Large University). And every year they keep telling me they won't do it due to security concerns. I'm not exactly sure what they mean or what they are afraid of but I am looking for others who have been in this same situation and have been able to accomplish what has been a never ending exercise in futility for me. I am looking for a white paper or a case study that I can use to help build my case and hope that someday I can convince our engineers that the world won't come to an end by adding IP Helper addresses.

    .. they won’t do it due to security concerns. I’m not exactly sure what they mean or what they are afraid of..
    You need to get to the bottom of their specific concerns....
    PXE involves the use of TFTP (to download the NBP + boot.sdi + boot.wim).
    TFTP is neither robust/resilient nor particularly secure.
    But I'm guessing that the concern must surely be more related to the payload/content (i.e. what is within the boot image itself) that might be the worry?
    The boot image (potentially) contains licensed products (not directly a security concern), and certificates, accounts, passwords, scripts ?
    If you have the F8 debug feature enabled in your boot image, it could be used to "live boot" a computer, access the filesystem on that computer, and basically provide uncontrolled access to the files/documents/data on that computer (assuming that your computers are not using any form of disk encryption).
    For this last reason, F8-debug should not remain enabled for "normal" operation.
    In our organisation, we mitigate that risk with disk encryption. We also don't distribute boot media nor full media - PXE is the only way we deploy OS (well, outside of the datacentre, that is).
    Our networking team were initially concerned about PXE - but not from the security aspect, more from the capacity/bandwidth perspective. So we worked with them to plan/design/place the boot servers, and the DP's placement.
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

  • How to see if an ip helper-address is configured on a VLAN

    Hi - I'm not exactly new to networking but this question will likely say otherwise :)
    I'm trying to figure out the command to show the running-config of a VLAN.  The goal is to see if an ip helper-address has been configured on a VLAN.
    This is both for a Cisco 6509 and Nexus 5k.
    I simply don't know all the commands for VLANs so I can't get this info presented to me.
    Thank You in advance

    Thanks for the prompt reply!  Still no bueno though.
    On the 6509 I get the following:
    6509#show ip interface vlan xxx
                                               ^
    % Invalid input detected at '^' marker.
    On the Nexus 5K I can't complete the command, stops down at show ip interface with the following listed as ? after interface:
    5K# show ip interface ?
      <CR>
      >                    Redirect it to a file
      >>                  Redirect it to a file in append mode
      A.B.C.D       Display interface for local IP address
      brief              Display summary of IP interface status and configuration
      ethernet        Ethernet IEEE 802.3z
      loopback      Loopback interface
      mgmt            Management interface
      operational   Display only interfaces that are administratively enabled
      port-channel  Port Channel interface
      vrf                   Display per-VRF information
      |                      Pipe command output to filter

  • Speech command "Add sender to address book"

    Hi,
    This command 'add sender to address book' is recognized, but in the end, nothing new has been stored in my Address Book. What did I miss, or how could I fix it ?
    Thank you for your help.
    Gwendoline

    Keith,
    Since you have confirmed that the maintenance scripts have been used, then you may benefit from the troubleshooting procedures listed in Resolving Disk, Permission, and Cache Corruption.
    I would also suspect .plist corruption with com.apple.mail.plist and/or com.apple.AddressBook.plist.
    ;~)

  • Ip helper address and WLC

    Hi Everyone,
    WLC  has IP 10.10.10.5
    AP has IP 10.10.10.6
    AP is connected to switch which has say vlan 10 IP  192.168.50.2
    AP manager interface has IP 192.168.50.1
    User is getting IP from ASA which has pool in subnet 192.168.50.x
    Do i need to config ip helper command under the switch vlan 10?
    Regards
    Mahesh

    But WLC has interface called Wireless_visitor that has IP in the subnet 192.168.50.x.
    We want wireless user to have 192.168.50.x.
    Interface Wireless_visitor is dynamic interface with IP 192.168.50.1.
    Switch has vlan that also has IP in subnet 192.168.50.x.
    Uhhhh ... Your Wireless_Visitor dynamic interface has the same IP address subnet as your switch? I don't think this is going to work well. Your switch, ideally, should have the same management IP address as the WLC management IP address.
    Your Dynamic Interface should have an IP Helper address in the configuration.
