  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1563

Why is the router forwarding some broadcasts?!

Dear All,

I have a simple network (as attached). From my main head office, I am connecting to some branches. Branches are sending some broadcast traffic between each other.

I want to know why it's doing that.

Information:
- In each store, we are using a Cisco 815. It has only one L3 port. It's configured with two IP addresses: one for LAN and one for WAN.
- I removed the default route 0.0.0.0 0.0.0.0 in each branch router and just added my HO LAN IP 10.10.0.0. I don't want stores to communicate.
- Now, between stores I cannot ping or send files. BUT if I run a sniffer on any machine in any store, I am getting some UDP packets from other stores.

To clarify the picture more for you, I've attached a draft network diagram and the configuration of the store router.

Note: I'm afraid the reason is from the router because of sharing the same port.
Please advise.

R815#sh run
Building configuration...

Current configuration : 980 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R815
!
boot-start-marker
boot-end-marker
!
enable password a
!
no aaa new-model
!
!
!
!
ip cef
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
interface Cable-Modem0
 no ip address
 shutdown
!
interface FastEthernet0
 ip address 10.5.0.1 255.255.0.0 secondary
 ip address 192.168.101.105 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
no ip forward-protocol udp
ip route 10.10.0.0 255.255.0.0 192.168.101.150
!
!
no ip http server
no ip http secure-server
!
snmp-server community public a
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password a
 login
!
end

R815#

Attachment: stores.jpg

Asked by: KETTANEH

1 Solution

memo_tnt commented:
Hi,

Try this:
ip route 10.10.0.0 255.255.0.0 FastEthernet0

If it doesn't solve your issue, make a tracert from one side to the other and send the results.

srgilani commented:
Show ip route and see what route info you get for the 10.10 network.

Further, you can run RIP for the 10 network on all routers to eliminate this problem.

KETTANEH (Author) commented:
Thank you guys for your cooperation.

R815#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static rout
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/16 is subnetted, 2 subnets
C       10.5.0.0 is directly connected, FastEthernet0
S       10.10.0.0 [1/0] via 192.168.101.150
C    192.168.101.0/24 is directly connected, FastEthernet0
R815#
KETTANEH (Author) commented:
memo_tnt:

I didn't try it yet, but I don't think it will work, because no routing protocol is enabled. How will the packets know where they should go?!

memo_tnt commented:
And how does traffic go between branches?
Who tells them how to get to the other parties?
Does the router that has 192.168.101.150 do that?

Ilir Mitrushi (IT Infrastructure and Security Architect) commented:
I can see that your router has ip forward-protocol enabled. This will cause the router to forward particular broadcast packets. Do you need it? Are you using a helper address for DHCP, which needs broadcast forwarding? Try removing it from your config and see what happens. Otherwise you can use an ACL to block all traffic sourced in one store going to other stores.

KETTANEH (Author) commented:
memo_tnt:

I don't want any traffic between branches :).

mitrushi:
You mean "no ip forward-protocol nd"?

What about other protocols? I checked nd; it's for something related to Sun servers!!

Ilir Mitrushi (IT Infrastructure and Security Architect) commented:
What sort of UDP packets are you seeing on clients? The question is why the router is forwarding broadcasts; it is not supposed to do that across subnet boundaries if it is not specifically told to do so. The ip helper-address command enables IOS to forward DHCP-related UDP packets in order to make DHCP work for subnets other than the one in which a DHCP server is located. ip forward-protocol gives you more control over which specific UDP ports to forward. If you do not have Sun servers you do not need that command. In any case you can try and see what happens.

KETTANEH (Author) commented:
I did it before posting this topic: no ip forw.. nd
It didn't fix the issue. Do I have to stop all the other types too?
e.g.
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
no ip forward-protocol udp bootpc
......

Here are some logs from Wireshark in branch 10.5.0.0:
Protocol          : UDP
Local Address     : 10.1.0.10
Remote Address    : 255.255.255.255
Local Port        : 67
Remote Port       : 68
Local Host        :
Remote Host       :
Service Name      : bootps
-------------------
Protocol          : UDP
Local Address     : 10.1.80.7
Remote Address    : 255.255.255.255
Local Port        : 2001
Remote Port       : 2001
---------------------
Protocol          : UDP
Local Address     : 10.105.101.1
Remote Address    : 239.255.255.250
Local Port        : 25087
Remote Port       : 1900
------------------
Protocol          : UDP
Local Address     : 10.105.101.1
Remote Address    : 239.255.255.250
Local Port        : 25088
Remote Port       : 1900
-----------------
Protocol          : UDP
Local Address     : 10.105.101.1
Remote Address    : 239.255.255.250
Local Port        : 25089
Remote Port       : 1900
Local Host        :
---------------

Protocol          : UDP
Local Address     : 10.110.102.150
Remote Address    : 255.255.255.255
Local Port        : 67
Remote Port       : 68
Local Host        :
Remote Host       :
Service Name      : bootps
-------------
Protocol          : UDP
Local Address     : 10.15.80.3
Remote Address    : 255.255.255.255
Local Port        : 2001
Remote Port       : 2001
-------------
Protocol          : UDP
Local Address     : 10.15.90.2
Remote Address    : 10.15.90.1
Local Port        : 51515
Remote Port       : 51515

####### NOTE : source and destination are in another store !!!
--------------
Local Address     : 10.24.0.10
Remote Address    : 255.255.255.255
Local Port        : 67
Remote Port       : 68
Local Host        :
Remote Host       :
Service Name      : bootps
------------
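As an added example (not part of the original thread and not any poster's code), here is a small Python script that parses sniffer entries in the format posted above and sorts each one by two properties: whether the source belongs to this store's LAN (10.5.0.0/16, taken from the posted R815 config), to the head office (10.10.0.0/16, the only static route in that config), or to a foreign subnet; and whether the destination is limited broadcast, multicast, or unicast. The sample entries are a constructed subset of the ones above plus one local DHCP request. Treating "Local Address" as the packet's source address is an assumption about the sniffer's output format.

```python
import ipaddress

# Constructed sample in the same format as the posted sniffer output:
# three entries copied from the thread plus one local DHCP request.
SAMPLE_LOG = """\
Protocol          : UDP
Local Address     : 10.1.0.10
Remote Address    : 255.255.255.255
Local Port        : 67
Remote Port       : 68
Local Host        :
Remote Host       :
Service Name      : bootps
-------------------
Protocol          : UDP
Local Address     : 10.105.101.1
Remote Address    : 239.255.255.250
Local Port        : 25087
Remote Port       : 1900
------------------
Protocol          : UDP
Local Address     : 10.15.90.2
Remote Address    : 10.15.90.1
Local Port        : 51515
Remote Port       : 51515
--------------
Protocol          : UDP
Local Address     : 10.5.0.20
Remote Address    : 255.255.255.255
Local Port        : 68
Remote Port       : 67
------------
"""

LOCAL_LAN = ipaddress.ip_network("10.5.0.0/16")      # secondary address on FastEthernet0
HEAD_OFFICE = ipaddress.ip_network("10.10.0.0/16")   # the only static route in the config
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def parse_entries(text):
    """Split the 'Key : Value' blocks, separated by dashed lines, into dicts."""
    entries = []
    current = {}
    for line in text.splitlines():
        if line.startswith("---"):
            if current:
                entries.append(current)
            current = {}
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    if current:  # last block without a trailing separator
        entries.append(current)
    return entries


def classify(entry):
    """Label one entry by destination type and by where its source lives."""
    src = ipaddress.ip_address(entry["Local Address"])   # assumption: Local = source
    dst = ipaddress.ip_address(entry["Remote Address"])

    if dst == LIMITED_BROADCAST:
        kind = "broadcast"
    elif dst.is_multicast:
        kind = "multicast"
    else:
        kind = "unicast"

    if src in LOCAL_LAN:
        verdict = "local"
    elif src in HEAD_OFFICE:
        verdict = "head-office"
    else:
        verdict = "foreign"   # another store's subnet: should not be seen on this LAN

    return {"src": str(src), "dst": str(dst), "kind": kind,
            "verdict": verdict, "dport": int(entry.get("Remote Port", 0))}


def analyze(text):
    return [classify(e) for e in parse_entries(text)]


def foreign_entries(text):
    """Entries whose source is neither this store nor the head office."""
    return [r for r in analyze(text) if r["verdict"] == "foreign"]


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        print(f"{r['verdict']:<11} {r['kind']:<9} {r['src']} -> {r['dst']}:{r['dport']}")
```

The foreign unicast entry (10.15.90.2 to 10.15.90.1) is the telling one: a router would not forward a unicast packet addressed to another store's subnet onto this LAN, and neither `no ip forward-protocol` nor an ACL on R815 affects frames that never pass through R815. Seeing such frames at all means they are arriving at layer 2, which matches the author's closing finding that the provider's circuit puts the LAN and WAN on one port.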
srgilani commented:
Try using the option below.

no dhcp-client broadcast-flag

srgilani commented:
Also disable the following:

no ip multicast-routing

If that does not help then you have to apply an access list to block this traffic.

Don Johnston (Instructor) commented:
What is that box that all three branches are connected to?
What interface of the Branch 1 router is connected to this box?
What kind of link is between Branch 1 and this box?
And is this the same at the other branches?

KETTANEH (Author) commented:
Thanks for the assistance. The issue is from L1 (the provider connects one port from LAN to WAN!!) because the router has one L3 FastEthernet.