Moving a Client to specific UAC/MD on Aruba 8.x Cluster


The previous post covered the bucketmap and UAC computation concepts of the Aruba 8.x architecture.

http://the-ethernets.com/2020/09/aruba-bucketmap-uac-computation-concept/

Many a time there are situations or requirements where we would like to control which MD the APs and clients connect to. This might be needed for a validation test or other use cases.

The Cluster feature does allow you to disable load balancing for the APs and use the ap-move command, which gives you control of pointing a specific AP to a specific controller via the LMS or static configuration. However there is no straightforward method to control the clients: the Cluster feature has no option to disable load balancing for clients, and there is no client-move command like the one available for APs.

There is however a method by which you can define which UAC a station/client index should be assigned to, giving you control over the UAC for a specific client/station index.

*** Please note this is not a recommended practice and should not be performed regularly. This command is also disruptive and impacts other clients as well. ***

This method moves the client from one UAC to another, but unfortunately it changes the UAC and Standby UAC of all clients in the same bucket index, not just the single client, because the UAC and Standby UAC of a client follow its bucket index.

Following are the steps:

1. Identify the bucket index / station index for your test client.

(Test)[MDC] #cluster-debug calc-sta-uac 5a:10:5e:5a:21:c9 TEST
STA Index:178
STA A-UAC:10.1.2.36
STA S-UAC:10.1.2.35

The above command gives the bucket index / station index 178 for the client MAC 5a:10:5e:5a:21:c9 connected to the TEST SSID.

2. Identify the UAC ID assigned to the MD where you want to move the test Client.

(Test) [MDC] #show aaa cluster essid-all bucketmap
Bucket map for Test, Rcvd at : Tue Sep 22 08:41:14 2020
Item Value
---- -----
Essid Test
UAC0 10.17.10.10
UAC1 10.17.10.11

From the above you can see for the Test SSID, MD 10.17.10.10 is assigned ID of 0 and MD 10.17.10.11 is assigned ID of 1.

3. Identify the Cluster Leader.

From my experience I have noticed the cluster leader is assigned the UAC ID of 0, however it is always better to confirm.

(Test) [MDC] #show lc-cluster group-membership
Cluster Enabled, Profile Name = "Test_Cluster"

peer 10.17.10.10 128 L2-Connected CONNECTED (Member, last HBT_RSP 75ms ago, RTD = 1.241 ms)
self 10.17.10.11 128 N/A CONNECTED (Leader)

4. From the Cluster Leader, assign the new UAC to the bucket index/station index.

(Test)[MDC] #cluster-debug bucketmap essid Test bucketindex 178 active 1 standby 0

In the above command we assign the bucket/station index a new active UAC ID and standby UAC ID. You can check show user-table to validate that the new UAC has been pushed to the client.

Please note that above command has to be executed on the Cluster Leader.

*** Please note this is not a recommended practice and should not be performed regularly. This command is also disruptive and impacts other clients as well. ***

Happy Reading….

Aruba bucketmap, UAC Computation Concept


The Aruba 8.x architecture introduced a new feature, the Cluster. A cluster is a combination of multiple managed devices (MDs) working together to provide high availability to all clients, ensuring service continuity and load balancing.

The clustering feature provides:
Seamless Roaming
Client Stateful Switchover
AP and Client Loadbalancing

Cluster bucketmap/mapping table:

The Aruba controller creates a mapping table called the bucketmap. The bucketmap maps the station/client index to the UAC (User Anchor Controller). This table is pre-populated even before any client/user connects to an Aruba AP.

The bucketmap is per SSID; each SSID has its own bucketmap. The output below shows the two bucketmaps for the SSIDs Test and LAB_TEST.

(Test) [MDC] #show aaa cluster essid-all bucketmap

Bucket map for Test, Rcvd at : Tue Sep 22 08:41:14 2020

Item Value
---- -----
Essid Test
UAC0 10.17.10.10
UAC1 10.17.10.11
Active Map[0-31] 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01
Active Map[32-63] 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01
Active Map[64-95] 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01
Active Map[96-127] 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01
Active Map[128-159] 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01
Active Map[160-191] 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01
Active Map[192-223] 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01
Active Map[224-255] 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01

Bucket map for LAB_TEST, Rcvd at : Tue Sep 22 06:59:44 2020

Item Value
---- -----
Essid LAB_TEST
UAC0 10.17.10.10
UAC1 10.17.10.11
Active Map[0-31] 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01
Active Map[32-63] 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01
Active Map[64-95] 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01
Active Map[96-127] 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01
Active Map[128-159] 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01
Active Map[160-191] 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01
Active Map[192-223] 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01
Active Map[224-255] 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01

As you can see, the bucketmap depends on variables like the SSID and the UACs. Thus the bucketmap does not change until the cluster size changes or a new SSID is added. We can pretty much say the bucketmap is permanent, and this is what allows each client to have the same UAC whichever AP it connects to in the network.

Once the bucketmap is computed, the Cluster leader pushes the mapping table to all the APs.

Now that the AP has this mapping table, it uses it to decide what the UAC should be for a client that connects to it. When a user connects to an AP, the AP runs the hashing algorithm on the user MAC address (the algorithm uses the last 3 bytes of the client MAC address) and spits out a station index. This station index is a value between 0 and 255 and is referred against the mapping table/bucketmap to decide the UAC for the client.

The following diagram gives a brief overview of the process.

In the output below you see the details for the user with mac address: 20:4c:03:62:aa:d3 and IP address 10.17.11.90.

The station/client index computed for the client is 27. The station index was referred against the bucketmap, and 10.17.10.10 was identified as the UAC for this station/client.

(Test) [MDC] #show aaa cluster essid LAB_TEST users

Active Users for ESSID : LAB_TEST

BUCKET MAC                IP           Active UAC   Standby UAC
------ ---                --           ----------   -----------
27     20:4c:03:62:aa:d3  10.17.11.90  10.17.10.10  10.17.10.11

You can also use the following command if you know the client MAC address and the name of the SSID the client is connected to.

(Test)[MDC] #cluster-debug calc-sta-uac 5a:10:5e:5a:21:c9 LAB_TEST
STA Index:178
STA A-UAC:10.1.2.36
STA S-UAC:10.1.2.35

To summarise, as explained by David Westcott in one of the Airheads forum threads:

https://community.arubanetworks.com/t5/Wireless-Access/UAC-Assignment-After-Client-Leaves-User-Table/td-p/536405

When the cluster is created, the cluster leader builds a bucket map for each ESSID that is part of the cluster. The cluster leader takes the total number of cluster members and assigns a number to each one, starting with 00, 01, 02… for however many cluster MCs there are. The cluster leader then creates a bucket map for one of the ESSIDs and distributes the numbers across the bucket map. Think of the bucket map as simply two lookup tables for each ESSID with 256 positions in each lookup table. The first table is the active or UAC pointers and the 2nd table is the standby or S-UAC pointers. (This is done for each ESSID.)

When the maps are created for each ESSID, they are sent to the APs. This map will be the same, as long as you do not add an MC or remove an MC from the cluster. So the APs hold the maps. When a user tries to connect to an ESSID, the AP performs a hash on the extended unique identifier (last 6 hex digits in the MAC address) of the user MAC address, and generates an ASCII number between 0-255.

Once the AP has generated the hash for the client, it simply uses the ASCII hash value and looks up that position in both the active and standby tables in the bucket map, finds the controller number 00,01,.. and cross references it to the IP address of the MC and establishes the UAC and S-UAC tunnels for the user.
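As an added example (not from the post or from Aruba), the following Python parses the bucketmap output printed above, computes the station index and looks up the active/standby UAC the way the text describes, and lists which clients of a constructed list share one bucket index, which is exactly the set that the cluster-debug bucketmap command in the first post moves together. The hash is an assumption: XOR of the last three MAC octets, which reproduces both indices shown on this page (27 and 178); the UAC lines and Active Map rows are the Test SSID capture above, and the extra client MACs are made up.

```python
import re

# Bucketmap as printed by 'show aaa cluster essid-all bucketmap' for the Test SSID
# above: the two UAC lines plus the alternating 00 01 Active Map rows (no Standby
# Map rows are printed, so the standby table stays empty here).
BUCKETMAP_OUTPUT = """\
Bucket map for Test, Rcvd at : Tue Sep 22 08:41:14 2020
Item Value
---- -----
Essid Test
UAC0 10.17.10.10
UAC1 10.17.10.11
""" + "".join(
    f"Active Map[{lo}-{lo + 31}] " + " ".join(["00 01"] * 16) + "\n"
    for lo in range(0, 256, 32)
)


def station_index(mac: str) -> int:
    """Station/bucket index (0-255) for a client MAC.

    Assumption: the hash "on the last 3 bytes of the client mac address" is the XOR
    of those three octets; it reproduces both indices shown on this page
    (20:4c:03:62:aa:d3 -> 27, 5a:10:5e:5a:21:c9 -> 178).  Accepts colon, dash and
    Cisco dotted notation.
    """
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytes.fromhex(digits)
    return octets[3] ^ octets[4] ^ octets[5]


def parse_bucketmaps(output: str) -> dict:
    """Parse CLI output into {essid: {"uacs": {id: ip}, "active": [...], "standby": [...]}}.

    Each table has 256 slots holding a UAC id; slots whose row was not printed stay None.
    """
    maps, cur = {}, None
    row = re.compile(r"(Active|Standby) Map\[(\d+)-(\d+)\]\s+(.*)")
    for line in output.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "Essid":
            cur = maps.setdefault(parts[1], {"uacs": {},
                                             "active": [None] * 256, "standby": [None] * 256})
        elif cur is None:
            continue  # header lines before the first Essid
        elif parts[0].startswith("UAC") and parts[0][3:].isdigit():
            cur["uacs"][int(parts[0][3:])] = parts[1]
        elif (m := row.match(line)):
            lo, hi = int(m.group(2)), int(m.group(3))
            ids = [int(v) for v in m.group(4).split()]
            if hi > 255 or len(ids) != hi - lo + 1:
                raise ValueError(f"malformed map row: {line!r}")
            cur[m.group(1).lower()][lo:hi + 1] = ids
    return maps


def lookup(maps: dict, essid: str, mac: str) -> dict:
    """What the AP does: hash the MAC, read both tables at that slot, map id -> MD IP."""
    bm = maps[essid]
    idx = station_index(mac)

    def ip_for(table):
        uac_id = bm[table][idx]
        return None if uac_id is None else bm["uacs"][uac_id]

    return {"index": idx, "active_uac": ip_for("active"), "standby_uac": ip_for("standby")}


def affected_clients(client_macs, index: int) -> list:
    """Clients sharing one bucket index: all of them move together when
    'cluster-debug bucketmap essid <ssid> bucketindex <index> active N standby M' is run."""
    return [mac for mac in client_macs if station_index(mac) == index]


if __name__ == "__main__":
    maps = parse_bucketmaps(BUCKETMAP_OUTPUT)
    print(lookup(maps, "Test", "5a:10:5e:5a:21:c9"))
    # Constructed client list: de:ad:be:10:20:82 also hashes to 178, so the command in
    # the first post would move it along with 5a:10:5e:5a:21:c9.
    print(affected_clients(["5a:10:5e:5a:21:c9", "20:4c:03:62:aa:d3", "de:ad:be:10:20:82"], 178))
```

The lookup follows the map as printed, which places index 27 on UAC1; the user-table capture for bucket 27 earlier on the page shows UAC0, so that capture was evidently taken against a different map.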

Happy Reading….

iPERF Throughput Test


Iperf is a handy tool to measure the bandwidth and the quality of a network link. It is a commonly used network testing tool that can create Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) data streams and measure the throughput of a network that is carrying them.

Iperf allows the user to vary various parameters that can be used for testing the network, or alternatively for optimizing and tuning a network. Iperf has client and server functionality, and can measure the throughput between the two ends, either unidirectionally or bidirectionally.

Iperf can be installed very easily on any Linux or Microsoft Windows system, where one host is configured as the client and the other as the server.

Setup required for running the iperf test:

1. Download the iperf setup, you can download it from: https://iperf.fr/
2. Copy the setup file on the two hosts you would be using to perform the test.
3. Set one host in the server mode and the other in the client mode with the following syntax:

To set the host in server mode use the command: iperf -s

C:\IOS Images\iperf-2.0.5-2-win32>iperf -s
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 64.0 KByte (default)
------------------------------------------------------------

To set the other host in client mode use the command: iperf -c <server ip address>

C:\IOS Images\iperf-2.0.5-2-win32>iperf -c 192.168.1.5      // Where 192.168.1.5 is server ip address.

The other parameters available in iperf are:

C:\IOS Images\iperf-2.0.5-2-win32>iperf --help
Usage: iperf [-s|-c host] [options]
       iperf [-h|--help] [-v|--version]

Client/Server:
-f, --format [kmKM] format to report: Kbits, Mbits, KBytes, MBytes
-i, --interval # seconds between periodic bandwidth reports
-l, --len #[KM] length of buffer to read or write (default 8 KB)
-m, --print_mss print TCP maximum segment size (MTU - TCP/IP header)
-o, --output output the report or error message to this specified file
-p, --port # server port to listen on/connect to
-u, --udp use UDP rather than TCP
-w, --window #[KM] TCP window size (socket buffer size)
-B, --bind bind to <host>, an interface or multicast address
-C, --compatibility for use with older versions does not sent extra msgs
-M, --mss # set TCP maximum segment size (MTU - 40 bytes)
-N, --nodelay set TCP no delay, disabling Nagle's Algorithm
-V, --IPv6Version Set the domain to IPv6

Server specific:
-s, --server run in server mode
-U, --single_udp run in single threaded UDP mode
-D, --daemon run the server as a daemon

Client specific:
-b, --bandwidth #[KM] for UDP, bandwidth to send at in bits/sec
(default 1 Mbit/sec, implies -u)
-c, --client run in client mode, connecting to <host>
-d, --dualtest Do a bidirectional test simultaneously
-n, --num #[KM] number of bytes to transmit (instead of -t)
-r, --tradeoff Do a bidirectional test individually
-t, --time # time in seconds to transmit for (default 10 secs)
-F, --fileinput input the data to be transmitted from a file
-I, --stdin input the data to be transmitted from stdin
-L, --listenport # port to receive bidirectional tests back on
-P, --parallel # number of parallel client threads to run
-T, --ttl # time-to-live, for multicast (default 1)
-Z, --linux-congestion set TCP congestion control algorithm (Linux only)

Miscellaneous:
-x, --reportexclude [CDMSV] exclude C(connection) D(data) M(multicast) S(settings) V(server) reports
-y, --reportstyle C report as a Comma-Separated Values
-h, --help print this message and quit
-v, --version print version information and quit

[KM] Indicates options that support a K or M suffix for kilo- or mega-

Use the syntax with some additional parameters: iperf.exe -c <server ip address> -P 10 -w 1000k (-P refers to the number of parallel TCP streams and -w refers to the TCP window size).

Happy Reading….

Creating Chained Certificate


Many a time we see that the CA (third-party Certificate Authority) does not provide a chained cert; rather they provide a signed server cert and might provide the Intermediate CA cert and the Root CA cert separately.

In a couple of cases they just provide you a signed server cert and expect you to download the Intermediate cert and the Root cert and chain the final cert yourself if required. Many vendor devices do not support an unchained server cert and expect a chained server cert before it can be uploaded to the device.

Let's see how we can generate a chained cert from an unchained certificate. I'll use the following server cert as an example.

The above cert is a server cert issued by "Go Daddy", a well-known CA. However the certificate is not chained; if you open the certificate in notepad you'll find that it is just the server cert.

To generate a chained cert you need to append the Intermediate CA cert and the Root CA cert to the server cert. In our case "Go Daddy Secure Certificate Authority" is the Intermediate CA and "Go Daddy Class 2 Certificate Authority" is the Root CA.

The order in which you append the files is: keep the server cert on top, followed by the Intermediate CA cert and then the Root CA cert, i.e. the opposite of the order shown in the Certificate Path of the server cert. Open all the certificates in notepad, also open a blank notepad, copy-paste the server cert followed by the Intermediate cert and then the Root cert, and save this as the final cert, which should be ready to be uploaded to the device.

-----BEGIN CERTIFICATE-----
Server Cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate CA Cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root CA Cert
-----END CERTIFICATE-----
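As an added example (not from the post), the following Python assembles the chain in exactly this order with the cryptography library: the server cert first, then each certificate whose subject matches the previous issuer, down to the self-signed root, and it refuses to produce a file when a link is missing, does not verify, or has expired (the failure behind the DigiCert incident described below). The certificate names, the make_demo_chain helper and its throw-away self-generated certs are constructed for the demonstration; it also copes with END and BEGIN markers that have run together on one line.

```python
import re
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem(text: str) -> list:
    """Every certificate block in the text, even where an END marker runs straight
    into the next BEGIN on the same line (what a careless notepad paste produces)."""
    return [m.group(0) for m in PEM_BLOCK.finditer(text)]


def _expiry(cert) -> datetime:
    # not_valid_after_utc exists from cryptography 42; older releases give a naive UTC value
    return getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)


def assemble_chain(pems: list, now: datetime = None) -> dict:
    """Order the blocks server cert -> intermediate(s) -> root, the order a device expects.

    Returns {"chain": PEM text, "problems": []}; any problem (issuer not supplied,
    expired certificate, signature that does not verify) leaves chain None.
    """
    now = now or datetime.now(timezone.utc)
    certs = [x509.load_pem_x509_certificate(p.encode()) for p in pems]
    by_subject = {c.subject: c for c in certs}
    issuers = {c.issuer for c in certs if c.issuer != c.subject}
    leaves = [c for c in certs if c.subject not in issuers]  # nobody's issuer: the server cert
    if len(leaves) != 1:
        return {"chain": None, "problems": [f"expected one server cert, found {len(leaves)}"]}
    ordered, problems, cur = [], [], leaves[0]
    while cur is not None:
        label = cur.subject.rfc4514_string()
        if _expiry(cur) < now:  # a stale intermediate makes the whole chain untrusted
            problems.append(f"expired: {label} (not valid after {_expiry(cur):%Y-%m-%d})")
        ordered.append(cur)
        if cur.issuer == cur.subject:
            break  # self-signed root: bottom of the file
        parent = by_subject.get(cur.issuer)
        if parent is None:
            problems.append(f"issuer of {label} not supplied: {cur.issuer.rfc4514_string()}")
        elif hasattr(cur, "verify_directly_issued_by"):  # cryptography >= 40
            try:
                cur.verify_directly_issued_by(parent)
            except Exception as exc:
                problems.append(f"{label} is not signed by {parent.subject.rfc4514_string()}: {exc}")
        cur = parent
    chain = "".join(c.public_bytes(serialization.Encoding.PEM).decode() for c in ordered)
    return {"chain": None if problems else chain, "problems": problems}


def make_demo_chain(intermediate_days: int = 365) -> list:
    """Constructed throw-away chain [root, intermediate, server] for trying this offline;
    self-generated test certs, not Go Daddy's.  A negative intermediate_days yields an
    already-expired intermediate."""
    def name(cn):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

    def issue(cn, issuer_cn, key, signer, days, ca):
        now = datetime.now(timezone.utc)
        return (x509.CertificateBuilder()
                .subject_name(name(cn)).issuer_name(name(issuer_cn))
                .public_key(key.public_key()).serial_number(x509.random_serial_number())
                .not_valid_before(now - timedelta(days=400))
                .not_valid_after(now + timedelta(days=days))
                .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
                .sign(signer, hashes.SHA256()))

    root_key, int_key, srv_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    root = issue("Demo Root CA", "Demo Root CA", root_key, root_key, 3650, True)
    inter = issue("Demo Intermediate CA", "Demo Root CA", int_key, root_key, intermediate_days, True)
    server = issue("www.example.test", "Demo Intermediate CA", srv_key, int_key, 90, False)
    return [c.public_bytes(serialization.Encoding.PEM).decode() for c in (root, inter, server)]


if __name__ == "__main__":
    glued = "".join(p.strip() for p in make_demo_chain())  # root first, markers run together
    result = assemble_chain(split_pem(glued))
    print(result["problems"] or result["chain"])
```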

All the certificates on Windows 7 are stored in the Windows registry and not in any specific folder. You can view the certificates using the certificate manager (type certmgr.msc and it will bring up the following window).

For Mac users the certificates are stored in Keychain Access (in the Finder, open Utilities and then open Keychain Access).
These are the repositories where all the certificates are stored and referenced to check whether a certificate is valid or not, i.e. whether the Certificate Authority is a trusted Root CA or not.
There is a chance that the Intermediate CA certificate has expired, which will cause the entire certificate chain to become invalid (untrusted).
In a recent incident DigiCert's Intermediate Certificate expired, which caused multiple users to get the untrusted certificate error.

The expired certificate in question was the "DigiCert High Assurance EV Root CA" [Expiration July 26, 2014] certificate. This temporary intermediate certificate was used in years past as part of a compatibility chain for older devices. The problem was related to the locally installed legacy intermediate certificate that was no longer used and no longer required for the certificate installation. This certificate had not been used for over three years and was unnecessary for installations; however, the devices having issues had not been updated. The users affected appear to have had the expired intermediate in the 'login' keychain, stored locally on their server, or installed on a backend server or application.

DigiCert fixed the issue for the customers by having the old cert removed from their machines and the new valid Intermediate cert installed on these devices.

How to create the chained cert when the Root CA cert and Intermediate CA cert are not provided by the CA:

Usually your CA will provide you the Intermediate CA cert and the Root CA cert, or the steps to get them from their website. However, if this is not the case for you and these are well-known CAs, you should already have their Intermediate and Root certs on your laptop in the registry or in Keychain Access. Let's see how we can get the Intermediate and the Root CA certificate.

Click on the server cert to open it. Go to the "Certificate path" tab and click on the Intermediate certificate; for our test certificate it is "Go Daddy Secure Certificate Authority".

Click on View Certificate in the lower right corner, which will open the Intermediate CA cert. Now we want to export this cert so that we can use it for chaining. Go to the Details tab of the certificate.

Click on Copy to File, which should open up the export Wizard.

Click Next > Choose the format: "Base-64 encoded X.509 (.CER)"

Click on Next > Browse and give a name to the file. (Remember this is the Intermediate CA cert, so save it somewhere on your laptop and give it a name like intermediatecert.) Click Next and Finish. This will export the Intermediate CA cert to your desktop; now repeat the same process to export the Root CA cert to your desktop, clicking on the Root CA cert in the server cert or the Intermediate CA cert.

Once you have successfully exported both the Intermediate and the Root CA cert you can open them in notepad and append them to the server cert as discussed above.

Added information:

The certificates are stored in the registry at: HKLM\Software\Microsoft\SystemCertificates

Personal certificates, or other certificates specific to the logged-in user, are at: HKCU\Software\Microsoft\SystemCertificates

They are stored as binary blobs, so they need to be decoded, and the MMC plugin is a good way to do this.

Happy Reading….

SNMP walk/get from the the Cisco IOS CLI


In my previous posts I discussed how to do an SNMP walk from a MIB browser or from Cisco Prime Infrastructure.

http://the-ethernets.com/2020/09/using-mib-browser-for-snmp-walk-query/

http://the-ethernets.com/2020/09/snmpwalk-from-cisco-prime-infrastructure/

However, many a time you would like to test whether the device responds to a specific MIB/OID while you don't have access to PI or cannot connect to the device via a MIB browser.

Interestingly, a Cisco IOS device does support querying itself for a specific OID using SNMP under tclsh (the Tcl shell).

Enable the SNMP manager on the device using the command:

Router(config)# snmp-server manager

Router#tclsh
Router(tcl)#snmp_getnext TEST 1.3.6.1.4.1.9.9.13.1.3      // here TEST is the community string
{<obj oid='ciscoEnvMonTemperatureStatusEntry.2.1' val='chassis'/>}

More on this is available on the following link:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ios_tcl/configuration/15-mt/ios-tcl-15-mt-book/nm-script-tcl.html#GUID-C3694BC4-2CD9-4873-843B-3CDA5B4FCC39

Happy Reading…..

SNMPWALK from Cisco Prime Infrastructure


Many a time, when information is not polled correctly on Cisco PI from your WLC or any other added device, you would like to check whether the device responds to the SNMP queries sent by Cisco Prime.

An SNMP walk is a good test to check whether you are getting any SNMP response from the managed devices. Following is the syntax for SNMPv2c and SNMPv3 for doing an SNMP walk from your Cisco Prime.

You need to have root access to run snmpwalk on the Cisco Prime.

SNMPWALK VERSION 2:

nms-pi/admin# root
Enter root patch password :
Starting root bash shell ...
ade # su -

[root@nms-pi ~]# snmpwalk -v2c -c <community> <ip>

You can also follow this with the OID or the MIB identifier you want to query, like:

[root@nms-pi ~]#snmpwalk -v2c -c bharath 10.10.10.10 1.3.6.1.4.1.9.9.513.1.2.10.1.2
[root@nms-pi ~]#snmpwalk -v2c -c bharath 10.10.10.10 cLApDot11RadioRateStatsRxPackets

SNMPWALK VERSION 3:

[root@nms-pi ~]#snmpwalk -v3 -l <noAuthNoPriv|authNoPriv|authPriv> -u <username> [-a <MD5|SHA>] [-A <authphrase>] [-x <DES|AES>] [-X <privphrase>] <ipaddress>[:<dest_port>]

[root@nms-pi ~]#snmpwalk -v3 -u piv3user -l authPriv -a SHA -A piv3user1234 -x AES -X piv3user1234 10.10.10.1 cLApDot11RadioRateStatsRxPackets

Happy Reading….

Using MIB Browser for SNMP Walk/Query


At times you need a quick and easy way to do an SNMP walk/query for specific OIDs of your managed devices for troubleshooting purposes.

This can be done using the open/free SNMP tools available on the internet. I found the iReasoning MIB browser quite helpful and easy.

http://ireasoning.com/mibbrowser.shtml

Install the MIB browser and add your managed device using v2/v3.

Configure the MIB browser as follows: Tools > Options > Agent > Add > Add the managed device IP address and the community string.

Get the correct MIB file for your managed device. I am using a Cisco WLC as the managed device and downloaded the MIB from the Cisco support site.

http://software.cisco.com/download/release.html?mdfid=284493532&flowid=34542&softwareid=280775088&release=8.0&relind=AVAILABLE&rellifecycle=&reltype=latest

Load the correct MIB file on the Mib Browser. File > Load Mibs > Choose the file location.

Browse and poll for the related OID.

I am polling for the AP native vlan Id as follows:

If you know the OID, you can directly use the OID and do a get to retrieve the related information:

Happy Reading…..

Adding a Network/Share Drive


Having a shared drive/folder on a central server and allowing access to it is generally used for easy access to shared content and to increase storage for the users. Once the shared folder is created on the server, users can easily map it on their machines so that they need not remember its name/IP each time they need to access this drive/folder.

Mapping is sometimes also referred to as "mounting", i.e. mounting a network drive/folder.

Let's see how we can map the shared folder on a Windows 7 machine.

Click on Start > Go to My Computer.

This will bring up the window showing the drives on your machine. Click on Map Network Drive at the top.

This will bring up a new window which shows the drive letter, which you can choose from the drop-down from A-Z.
It will also ask you to put in the folder name in the format \\Server\Share, i.e. you need to specify the server name or IP hosting the shared folder followed by the shared folder name.

In my case, my server admin has hosted this folder on the Server with ip address : 10.20.20.10 and the name of the folder being shared is : TFTPRoot so I’ll use the folder name as :\\10.20.20.10\TFTPRoot.

Click on Connect using different credentials and click on Finish.

This will ask you to log in with your credentials; contact your server admin in case your local credentials do not work.

Once authentication is successful, it will add the drive letter you selected to your drive list.

Let's see how we can mount a drive on Mac OS.

Open the Finder, which should be located on your Dock. Click on the Go menu and click on Connect to Server.

This will open the Connect to Server window. In the Server Address field type in the server name/IP followed by the folder name, as we did for the Windows machine, in the format: smb://10.20.20.10/TFTPRoot

Click on the plus sign to add this folder to your favourite folder list so that next time you want to connect to it you can choose it directly from this list. Then click on Connect.

You'll be asked to authenticate; put in your credentials and click OK. It will create a server icon on your desktop; click on it to connect to your shared drive/folder.

Happy Reading….

Creating loopback adapter on Windows


We can compare a loopback adapter to a loopback interface on a router. Just as the loopback interface on a router is not associated with any physical interface and is always up irrespective of the physical connectivity of the router, so is a loopback adapter.

A loopback interface is a virtual interface that resides on a router. It is not connected to any other device. Loopback interfaces are very useful because they never go down unless the entire router goes down.

There might be a situation where you need to assign an IP address to your laptop and use it for testing or for an application. You would not be able to use the IP address assigned to your physical interface unless the physical interface itself is connected to a LAN cable. Or there may be a situation where the IP address assigned to your physical interface comes via DHCP from your service provider's router and changing the IP on the physical interface is not possible.

How to create a loopback adapter on a Windows machine:

Click Start > in the Search Programs and Files box type: hdwwiz

or open cmd and type: hdwwiz. It should bring up the Add Hardware Wizard.

Once you get the add Hardware Wizard window click Next > Click on Install the hardware that I manually select from the list.

You are ready to go.

Go to your network connections (shortcut: type ncpa.cpl in the cmd window); you should see a Local Area Connection 1 or 2 depending on the number of existing connections.

You can disable/enable this adapter as required and right-click > Properties to assign an IP address and use it.

Happy Reading….

IP-Helper Uses


Like many others, I was under the misconception that the IP-HELPER command was only used for relaying DHCP packets, until recently I found other uses of IP-HELPER.

As we know, we configure a helper address so that the L3 device can redirect broadcast packets as unicast to the helper address. Routers use helper addresses to forward broadcasts to another server or router on another network.

DHCP is not the only critical service that uses broadcasts. Cisco routers and other devices might use broadcasts to locate TFTP servers. Some clients might need to broadcast to locate a TACACS security server. In a complex hierarchical network, clients might not reside on the same subnet as key servers. These broadcast requests would be dropped by the router as per its default behaviour.

Some clients are unable to make a connection without services such as DHCP. For this reason, the administrator must either provide DHCP and DNS servers on all subnets or use the Cisco IOS software helper address feature. Running services such as DHCP or DNS on several computers creates overhead and administrative problems, so the first option is not very appealing. When possible, administrators use the ip helper-address command to relay broadcast requests for these key User Datagram Protocol (UDP) services.

By using the ip helper-address command, a router can be configured to accept a broadcast request for a UDP service and then forward it as a unicast to a specific IP address.

By default, the ip helper-address command forwards the following eight UDP services:

Service                     Port
Time                        37
TACACS                      49
DNS                         53
BOOTP/DHCP Server           67
BOOTP/DHCP Client           68
TFTP                        69
NetBIOS name service        137
NetBIOS datagram service    138

In addition to the default eight services, Cisco IOS software provides the global configuration command ip forward-protocol to allow an administrator to forward any UDP port. To forward UDP on port 517, use the global configuration command ip forward-protocol udp 517. You can also remove the default services using the same command with the keyword "no".

Example:

RTA(config-if)#ip helper-address 192.168.1.254
RTA(config-if)#exit
RTA(config)#ip forward-protocol udp 517
RTA(config)#no ip forward-protocol udp 37
RTA(config)#no ip forward-protocol udp 49
RTA(config)#no ip forward-protocol udp 137
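As an added example (not from the post), the following Python works out which UDP ports a router relays after the commands above are applied, starting from the eight defaults, and generates the "no ip forward-protocol udp" lines needed to keep only the services a subnet actually needs. The configuration excerpt (interface name, addresses) is constructed around the post's example; only numeric ports are parsed, not IOS service keywords.

```python
import re

# The eight UDP services ip helper-address relays by default (table in the post).
DEFAULT_UDP_PORTS = {
    37: "Time", 49: "TACACS", 53: "DNS", 67: "BOOTP/DHCP Server",
    68: "BOOTP/DHCP Client", 69: "TFTP", 137: "NetBIOS name service",
    138: "NetBIOS datagram service",
}

# Constructed running-config excerpt: one interface with a helper address plus the
# forward-protocol commands from the post's example.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.1.254
!
ip forward-protocol udp 517
no ip forward-protocol udp 37
no ip forward-protocol udp 49
no ip forward-protocol udp 137
"""

FORWARD_LINE = re.compile(r"^\s*(no\s+)?ip forward-protocol udp\s+(\d+)\s*$", re.M)


def forwarded_udp_ports(config: str) -> dict:
    """Effective set of relayed UDP ports: start from the eight defaults and apply
    every 'ip forward-protocol udp <port>' / 'no ip forward-protocol udp <port>' in
    order.  Returns {port: service name}; ports added beyond the defaults are 'custom'."""
    ports = dict(DEFAULT_UDP_PORTS)
    for negate, port in FORWARD_LINE.findall(config):
        port = int(port)
        if negate:
            ports.pop(port, None)
        else:
            ports.setdefault(port, "custom")
    return ports


def helper_addresses(config: str) -> dict:
    """Interfaces that relay broadcasts, mapped to their configured helper addresses."""
    helpers, iface = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
        elif not line.startswith(" "):
            iface = None  # left the interface sub-mode
        elif iface and line.strip().startswith("ip helper-address "):
            helpers.setdefault(iface, []).append(line.split()[-1])
    return helpers


def trim_commands(config: str, needed_ports) -> list:
    """The 'no ip forward-protocol udp' commands that drop every relayed port not in
    needed_ports, so the helper forwards only the services the subnet actually uses."""
    current = forwarded_udp_ports(config)
    needed = set(needed_ports)
    return [f"no ip forward-protocol udp {p}" for p in sorted(current) if p not in needed]


if __name__ == "__main__":
    for port, name in sorted(forwarded_udp_ports(SAMPLE_CONFIG).items()):
        print(f"{port:>5}  {name}")
    print(helper_addresses(SAMPLE_CONFIG))
    print("\n".join(trim_commands(SAMPLE_CONFIG, needed_ports={67, 68})))
```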

Happy Reading…