How to configure cisco ip helper-address for dhcp and one more service whose address is determined by broadcast?
Greetings.
There is a Cisco Catalyst 3560G L3 switch.
It has 3 vlans, between which routing is configured.
vlan1 10.0.1.0/24 (wired network).
vlan2 10.0.2.0/24 (wireless network for "friends", WPA).
vlan3 10.0.3.0/24 (wireless network for guests, WPA-PSK).
vlan1 has a DHCP server on Microsoft Windows Server 2008 R2.
On the switch on the vlan 2 and vlan 3 interfaces, ip-helper is configured, which points to the address of the DHCP server. All clients in vlan2 and vlan3 receive addresses from the DHCP server in vlan1. Everything is working.
In vlan 2 there is a network projector with the address 10.0.2.63, the client software on the PC determines the address of the projector by a broadcast packet to the address 10.0.2.255 on 2425/udp. Wireless clients find the projector and work with it.
Guests (vlan3) who have the projector software installed sometimes connect to the network. However, this software does not find the projector and closes. The projector address cannot be specified manually. The guest's software sends a packet to 10.0.3.255, which does not reach the projector.
I understand that I need to configure a second ip helper-address in vlan3 that points to the projector in vlan2. But in this case, dhcp requests and other broadcasts allowed in ip forward-protocol will also go to the projector, which, it seems to me, is undesirable.
It seems to me that requests to search for a projector are sent to the broadcast and have little to do with dhcp initialization, if I understand correctly.
Accordingly, such a bundle will work only when the projector and the client are on the same network, and you have them on different ones.
Accordingly, it is necessary to look for an opportunity to land the projector on two different networks, it will be lucky if they understand tagged packets.
Otherwise, prohibit guests from using the projector due to the impossibility of technical implementation.
You can write a request to the vendor - maybe they will tell you something about manually specifying the address of the projector.
But in this case, dhcp requests and other broadcasts allowed in ip forward-protocol will also go to the projector, which, in my opinion, is undesirable.
You can filter these requests with ACLs on the out direction of the vlan2 interface, in my opinion.
the projector address is determined by the client software on the PC by a broadcast packet to the address 10.0.2.255
and not on 255.255.255.255?
Have you already tried with ip address-helper? Most likely, it forwards only requests to 255.255.255.255, and does not touch 10.0.2.255. Maybe you should try PBR. Here is an example, for http traffic only.
Or maybe even try to put the projector in a separate vlan?
Forwarding broadcast traffic from one network to another is done using the command (globally):
ip forward-protocol udp discard
on the interface to which you want to broadcast, you must enable
ip directed-broadcast
What happens: The router encapsulates the broadcast packet of one domain in a Layer 2 frame and forwards it to a specific network (where directed-broadcast is specified)
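The pieces discussed in the answers above (a second helper address, ip forward-protocol, ip directed-broadcast and ACL filtering) put together for the network in the question, as an added example that is not part of any answer. Assumptions: `<DHCP_SERVER_IP>` is a placeholder for the DHCP server in vlan1, the SVIs are named Vlan2 and Vlan3, and ACL number 120 is arbitrary.

```cisco
! Added example, not from the original thread.
! <DHCP_SERVER_IP> is a placeholder; ACL number 120 is an arbitrary choice.
!
! Relay UDP 2425 (the projector discovery port from the question)
! in addition to the UDP ports that are forwarded by default.
ip forward-protocol udp 2425
!
! Only discovery packets from the guest subnet may be turned into
! a broadcast on vlan2. Everything else, including relayed DHCP,
! hits the implicit deny at the end of the list.
access-list 120 permit udp 10.0.3.0 0.0.0.255 any eq 2425
!
! vlan2: accept directed broadcasts to 10.0.2.255, restricted by ACL 120.
interface Vlan2
 ip directed-broadcast 120
!
! vlan3: the first helper keeps DHCP working, the second relays
! forwarded UDP broadcasts to the vlan2 broadcast address.
interface Vlan3
 ip helper-address <DHCP_SERVER_IP>
 ip helper-address 10.0.2.255
```

Binding the ACL to `ip directed-broadcast` keeps the interface from accepting arbitrary directed broadcasts, which is the usual reason the feature is left disabled; `show ip interface Vlan2` reports the directed-broadcast state after the change.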