ip directed broadcast

kidem
Level 1

Is there an access list for ip directed broadcast? We need to enable WOL and PXE and need this, but we need to use an access list according to security. Any thoughts?

6 Replies

aretana
Level 1

No "standard" access-list exists for directed broadcasts because it depends on the addressing scheme in your network.

I'm not sure if you need directed broadcast for the new applications or if you need to block directed broadcast altogether?

In any case, you might want to take a look at the use of an ACL associated with the 'ip directed-broadcast' command.

Alvaro.

OK... this is for Altiris Deployment Server, which uses WOL and PXE, but WOL and PXE won't cross subnets. I'm new, by the way, and from what I understand, using ip directed broadcast can be dangerous because of smurf attacks; not sure if that's true, but...

subbarao.s
Level 1

Never tried it, but the below should logically work.

Let us assume your network is 192.168.1.0/24, so the directed broadcast IP address becomes 192.168.1.255. So you enable "ip directed-broadcast" in interface configuration mode, and in addition you configure an extended ACL as below.

I assume 101 as the extended ACL number applied to the interface.

access-list 101 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.255

HTH

I think I didn't really tell you all what I wanted. I just want WOL port 402 and PXE port 4011 to be ip directed broadcast. Sorry I didn't specify.

Hello,

I had thought about the same thing:

Here is my answer:

You will find very good documentation here:

http://www.giac.org/practical/Andrew_Scheible_GSEC.doc

And from different forums on Cisco:

ip directed-broadcast and Wake on LAN:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.ee9701a

Router configuration for Wake on LAN:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.ee85627

prkrishn - CISCO SYSTEMS

"I cannot think of any other way to make Wake on LAN work. I have seen a lot of customers implement it using "ip directed-broadcasts"."

ahoejmark - Network System Engineer, NetDesign A/S, CCIE

"Some of my customers are actually putting a 'WOL proxy' on each and every VLAN to get WOL... "

s-klett

"By enabling directed broadcasts you expose your network to the smurf attack!"

matt.alvord - SENIOR CONSULTANT, CISCO CONSULTANT PROGRAM

"I believe WOL requires directed broadcasts enabled on router interfaces which probably isn't a good thing."

Example of an implementation of directed broadcast on a 4506 with Sup IV (IP_Server_WOL is the WOL server's IP address):

access-list 15 permit <IP_Server_WOL>

interface vlan XX

 ip directed-broadcast 15

It works very well and the customer is happy.

Best regards.

andhidal
Level 1

This is the thing; it's very simple:

L3(config)#access-list 101 permit udp host 172.16.3.2 any eq 7
where 172.16.3.2 is the IP address of the PXE, WoL server

L3(config)#ip forward-protocol udp 7
where UDP port 7 is the one you use; it can also be 9, 69, 4011...

L3(config)#interface vlan 2
L3(config-if)#ip address 172.16.2.1 255.255.255.0
L3(config-if)#ip helper-address 172.16.3.2
if you want to route the WoL magic packets or the PXE bootp packets

L3(config-if)#ip directed-broadcast 101
where 101 is the ACL number

Now the thing is that there are several bugs that may prevent this from working; however, with this configuration and having the correct ports, you should be able to do it.

Reminder: ip directed-broadcast is a global command, I believe.

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a008084b55c.shtml
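The configurations in subbarao.s's and andhidal's replies (and the standard-ACL variant with `ip directed-broadcast 15`) all rely on the same router behaviour: a packet addressed to a subnet's directed-broadcast address is only exploded into a layer-2 broadcast if the feature is on for that interface and, when an ACL number is attached, that ACL permits the packet. The following is an added illustration written for this page, not code from any poster or from Cisco. It models that decision in plain Python over a small, assumed subset of IOS numbered-ACL syntax (first match wins, implicit deny), builds the WOL magic packet the Altiris server would send, and checks that the server's packet gets through while a spoofed ICMP "smurf" probe to the same broadcast address does not. The subnets, server address, MAC and packets are constructed for the demo; `send_magic_packet` actually transmits and is therefore not called by the demo.

```python
"""Added example, not from the thread: what a router does with a packet sent to a
subnet's directed-broadcast address once 'ip directed-broadcast [acl]' is on.

Assumed (mine, not the posters'): a subset of IOS numbered-ACL syntax
(standard: 'access-list N permit|deny SRC'; extended:
'access-list N permit|deny PROTO SRC DST [eq PORT]', where SRC/DST is 'any',
'host A.B.C.D' or 'A.B.C.D WILDCARD'), first match wins, implicit deny.
Every subnet, address, MAC and packet below is constructed for the demo."""
import ipaddress
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = (0, 0xFFFFFFFF)  # address spec that matches everything (wildcard all ones)


def directed_broadcast_address(subnet: str) -> str:
    """Last address of the subnet: 192.168.1.0/24 -> 192.168.1.255."""
    return str(ipaddress.ip_network(subnet, strict=False).broadcast_address)


def magic_packet(mac: str) -> bytes:
    """WOL magic packet: six 0xFF bytes, then the target MAC repeated 16 times."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError(f"bad MAC {mac!r}")
    return b"\xff" * 6 + mac_bytes * 16


def send_magic_packet(mac: str, target_subnet: str, port: int = 9) -> int:
    """Unicast the magic packet to the remote subnet's directed-broadcast address;
    only the last-hop router (with directed broadcast enabled) turns it into a LAN broadcast."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(magic_packet(mac), (directed_broadcast_address(target_subnet), port))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "udp", "tcp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    permit: bool
    proto: str                 # "ip" matches any protocol
    src: Tuple[int, int]       # (address, wildcard) as integers
    dst: Tuple[int, int]
    dport: Optional[int]


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D [WILDCARD]' from the front of tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (_ip(tokens.pop(0)), 0)
    wild = _ip(tokens.pop(0)) if tokens and tokens[0].count(".") == 3 else 0
    return (_ip(t), wild)


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse numbered ACL lines as typed on the IOS CLI (subset described in the header)."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number = int(tokens[1])
        standard = number <= 99 or 1300 <= number <= 1999
        tokens = tokens[2:]
        permit = tokens.pop(0) == "permit"
        if standard:                           # source address only, any protocol
            entries.append(AclEntry(permit, "ip", _parse_addr(tokens), ANY, None))
            continue
        proto = tokens.pop(0)
        src = _parse_addr(tokens)
        dst = _parse_addr(tokens)
        dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
        entries.append(AclEntry(permit, proto, src, dst, dport))
    return entries


def _matches(spec: Tuple[int, int], address: str) -> bool:
    base, wild = spec                          # wildcard bits set to 1 are "don't care"
    return (_ip(address) | wild) == (base | wild)


def acl_permits(entries: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry decides; no match is the implicit deny."""
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (_matches(e.src, pkt.src) and _matches(e.dst, pkt.dst)):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.permit
    return False


def router_floods(pkt: Packet, subnet: str, enabled: bool, acl: Optional[List[AclEntry]]) -> bool:
    """True if the router turns pkt into a layer-2 broadcast on `subnet`: the packet must
    target that subnet's directed-broadcast address, the feature must be enabled on the
    interface, and an attached ACL (if any) must permit it. Anything else is not flooded."""
    if not enabled or pkt.dst != directed_broadcast_address(subnet):
        return False
    return acl is None or acl_permits(acl, pkt)


if __name__ == "__main__":
    acl101 = parse_acl(["access-list 101 permit udp host 172.16.3.2 any eq 7"])
    wol = Packet("172.16.3.2", "172.16.2.255", "udp", 7)       # WOL server -> vlan 2 broadcast
    smurf = Packet("10.9.9.9", "172.16.2.255", "icmp")         # spoofed echo request, same target
    print("WOL from server, ACL 101:", router_floods(wol, "172.16.2.0/24", True, acl101))
    print("smurf probe, ACL 101:    ", router_floods(smurf, "172.16.2.0/24", True, acl101))
    print("smurf probe, no ACL:     ", router_floods(smurf, "172.16.2.0/24", True, None))
    print("magic packet bytes:      ", len(magic_packet("00:11:22:33:44:55")))
```

The demo makes the trade-off in the thread concrete: with `ip directed-broadcast` and no ACL, anything addressed to 172.16.2.255 is flooded onto the VLAN, which is exactly the smurf amplification s-klett warns about; with ACL 101 attached only UDP/7 from the deployment server is exploded and the probe is dropped. A standard ACL such as `access-list 15 permit <IP_Server_WOL>` filters on source only, so it is parsed here with protocol "ip" and destination "any".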