How to configure an IP access list to control directed broadcasts for the Wake-on-LAN setup

TCC_2 · ‎06-22-2009

Resolution

In order to configure an IP access list to control directed broadcasts, complete one of these steps:

Configure the ip directed-broadcast command directly on an interface:

Hostname(config)#interface FastEthernet
Hostname(config-if)#ip directed-broadcast
Configure an access control list (ACL) in order to permit traffic only from a trusted source. For example, 192.168.10.10 is the Wake-on-LAN (WoL) server.

Hostname(config)#access-list 10 permit 192.168.10.10

Then, apply that under the VLAN interface:

Hostname(config)#interface Vlan <Vlan id>
Hostname(config-if)#ip address x.x.y.y subnet mask
Hostname(config-if)#no ip redirects
Hostname(config-if)#ip directed-broadcast 10
!--- 10 is the ACL number.

Refer to the Control Directed Broadcasts section of document Improving Security on Cisco Routers for more information.

Jared Burton · ‎04-15-2015

I have my WoL server set to 172.16.2.2 in network 172.16.2.0/24 (vlan 2).

I have my client station set to 172.16.3.2 in network 172.16.2.0/24 (vlan 3)

My WoL server uses port 144 (verified with wireshark). Entered the following commands to set up WoL:

interface Vlan2
ip address 172.16.2.1 255.255.255.0
ip helper-address 172.16.3.255
!
interface Vlan3
ip address 172.16.3.1 255.255.255.0
ip directed-broadcast 101

!

ip forward-protocol udp 144

!

access-list 101 permit udp host 172.16.2.2 any eq 144

My full access-list looks like this:

Extended IP access list 101
10 permit udp host 172.16.2.2 any eq 144
20 deny ip any any

When I wake the computer with the server. It works as expected. However, when I change my WoL server to 172.16.2.5 in order to simulate an unauthorized server doing the same thing, it also works and wakes the client.

Why is my extended access-list not stopping sources that are not 172.16.2.2?

Any help would be greatly appreciated! Thanks and Cheers!