Re: Why I Can't forward syslog messages using the ip

From: Blaine Williams (williams.blaine@gmail.com)
Date: Sun Jun 24 2007 - 14:49:55 ART

• Next message: Edison Ortiz: "Re: BGP Best path selection"
• Previous message: Shafagh Zandi: "Re: Why I Can't forward syslog messages using the ip"
• Maybe in reply to: Peter Kingston: "Re: Why I Can't forward syslog messages using the ip"
• Next in thread: Bit Gossip: "Re: Why I Can't forward syslog messages using the ip"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Louis,

Why don't you just log the syslog messages unicast to the Solarwinds
box in the first place? IE: logging <syslog server IP>. Does the
scenario say that the messages have to be sent as broadcasts? Are you
trying to get the syslog server to see these packets as broadcasts, or
are you trying to get them sent out as broadcasts and then converted
back to unicast?

To get it working down this road, though, the ip directed-broadcast
command is in the wrong spot. In this case, you'll need it on the
Eth0 int of R4. In order for the ip helper-address command to work,
the interface needs to see the packets as ffff.ffff.ffff and
255.255.255.255. Otherwise, it won't forward it. The ip
directed-broadcast command allows a router to forward a packet
destined for a subnet broadcast address onto that subnet as a
ffff.ffff.ffff/255.255.255.255 frame/packet. In your current config,
R4 will route the packet to the Eth0 interface. However, the Eth0
interface will drop the packet instead of forwarding it because the
default for the interface is no ip directed-broadcast.

Furthermore, the ip helper-address IP you have needs to be set to the
unicast address of the solarwinds box. This will allow R1 to accept
the broadcast syslog packets and convert them to unicast for the
solarwinds box.

If you are just trying to get the solarwinds box to see the syslog
messages as broadcast packets, just change the logging command to
192.168.1.255, leave the ip directed-broadcast command on FA1/0/48 on
SW1, and forget about the ip helper-address/ip forward-protocol
commands.

You should debug ip packet to watch what is really happening here.
It'll make more sense once you actually see the packets being passed
around. You shouldn't have to translate any UDP ports. The R4 should
send the packets as UDP 514, the same port that Solarwinds is
listening on.

Blaine W.

On 6/24/07, louis john <west_coast@inbox.com> wrote:
>
>
> Hi Blaine, Hi all
>
>
> It did not work with me or maybe I am not able to adjust things fine, to make things more easy I did new scenario :
>
> R4 ---- Ethernet --- R1-----Ethernet---SW1--FAS1/0/48---Solarwinds Syslog server.
>
> as I understood from the documentation , an ip broadcast is an ip packet whose destination is a valid broadcast for some IP subnet, but which originates from a node that is not itself part of the destination subnet.
>
> so in this case R4 will send the logging messages as broadcast to R1, R1 should consult the ip helper-address and forward the udp traffic towards the ip address of sw2 (192.168.1.80).
>
>
> when the traffic reach 192.168.1.80, it should explode into a physical address 192.168.1.255
>
> anyways this is not happening!, and as a side note, how the syslog server will understand this traffic ? the solarwinds syslog server listens on udp port 514 !
>
> should not I re-translate things to be destined for udp 514 !
>
> can someone experience here in the group explain how can I make it work ?
>
> here are the simple configuration on my devices (IGP is reachable every where):
>
> R4
> interface Ethernet0
> description Connected R1 E1
> ip address 172.16.1.4 255.255.255.0
>
> logging 172.16.1.255
>
>
> R1
> interface Ethernet1
> description Connected R4 E0
> ip address 172.16.1.1 255.255.255.0
> ip helper-address 192.168.1.80
>
> ip forward-protocol udp syslog
>
> interface Ethernet0
> description Connected SW1 Fast 1/0/1
> ip address 172.17.1.1 255.255.255.0
>
> SW1
>
> interface FastEthernet1/0/48
> no switchport
> ip address 192.168.1.80 255.255.255.0
> ip directed-broadcast
>
>
> interface FastEthernet1/0/1
> no switchport
> description Connected To R1 E0
> ip address 172.17.1.7 255.255.255.0
>
>
>
>
>
>
>
>
>
> > -----Original Message-----
> > From: williams.blaine@gmail.com
> > Sent: Sun, 24 Jun 2007 09:53:55 -0400
> > To: west_coast@inbox.com
> > Subject: Re: Why I Can't forward syslog messages using the ip
> > helper-address command
> >
> > Louis,
> >
> > R1 needs to receive the syslog messages as broadcasts for the ip
> > helper-address command to work. Try logging to the directed broadcast
> > 150.1.1.255 on R4. Don't forget to allow directed broadcasts on R1's
> > loopback. Then move your ip helper-address command from int Se0 to
> > Lo0. It has to be enabled on the interface receiving the broadcasts.
> >
> > You shouldn't have to set the broadcast address on SW2. If everything
> > goes correctly, the syslog packets will be sent to the directed
> > broadcast 150.1.1.255 on R4. R1 will route it to it's Lo0 interface.
> > The ip directed-broadcast functionality will allow the directed
> > broadcast to be exploded to the physical broadcast 255.255.255.255.
> > With ip helper-address 192.168.1.101 on Lo0 and the ip
> > forward-protocol udp syslog, R1 will then take the physical broadcast
> > packet and unicast it to your syslog server. Of course, I haven't
> > tried this using loopbacks before, just the directly connected
> > interfaces.
> >
> > Let us know if you get it working.
> >
> > Blaine W.
> >
> > On 6/21/07, louis john <west_coast@inbox.com> wrote:
> >> Hi All,
> >>
> >> I am trying to forward the syslog messages received by the serial
> >> interface of R1 to the syslog server connected to SW2, but I can not see
> >> any syslog messages on my server.R4 is forwarding the syslog messages to
> >> R1, that's why I configured the "logging 150.1.1.1" toward R1.
> >> the condition is to use the ip helper-address, so I can not configure
> >> the simple logging command toward the server.
> >>
> >> shouldn't the command ip helper-address forward the syslog messages to
> >> the address associated with it? maybe I am not able to do it because the
> >> syslog is reaching R1 an unicast, and the rule it must be all IP levle
> >> broadcast for the ip helper-address command to start work !
> >>
> >> if this is case then how I will convert the syslog traffic to be
> >> broadcast then !
> >>
> >>
> >>
> >>
> >>
> >> I will be thankful if you shed light on this issue
> >>
> >>
> >> R4----R1-----SW2---SYSLOG SERVER(192.168.1.101)
> >>
> >>
> >> R4
> >> logging 150.1.1.1
> >>
> >> R1
> >> inter loopback 0
> >> ip address 150.1.1.1
> >>
> >> interface Serial0
> >> ip helper-address 192.168.1.101
> >>
> >>
> >> ip forward-protocol udp syslog
> >>
> >> SW2
> >> interface fas1/0/48
> >> no switchport
> >> ip add 192.168.1.80 255.255.255.0
> >> ip broadcast-address 192.168.1.255
> >>
> >>
> >> Note: Reachability is done between all devices
> >>
> >> ____________________________________________________________
> >> FREE ONLINE PHOTOSHARING - Share your photos online with your friends
> >> and family!
> >> Visit http://www.inbox.com/photosharing to find out more!
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >>
>
> ____________________________________________________________
> GET FREE 5GB EMAIL - Check out spam free email with many cool features!
> Visit http://www.inbox.com/email to find out more!

• Next message: Edison Ortiz: "Re: BGP Best path selection"
• Previous message: Shafagh Zandi: "Re: Why I Can't forward syslog messages using the ip"
• Maybe in reply to: Peter Kingston: "Re: Why I Can't forward syslog messages using the ip"
• Next in thread: Bit Gossip: "Re: Why I Can't forward syslog messages using the ip"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:51 ART