Wake-on-LAN security best practice

g.gil
Level 1

Hi Guys,

I need to enable Wake-on-LAN on multiple user LANs. I am not sure if there is a more secure way of enabling this functionality than just disabling "ip directed-broadcast" on each interface. I can see the command can be bound to an access-list.

What is the recommended way of configuring WOL?

Thx.

G.

2 Replies

Not applicable

In order for "WOL" to work, you need not only 'ip helper-address' pointing to the server, but also "ip directed-broadcast" on the interface, in order for the server to get to the client. In addition to UDP 1776, you might also need to enable

ip forward-protocol udp 1765

ip forward-protocol udp 1761
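
As an added illustration (not configuration posted by either reply), this is what the helper-address / directed-broadcast arrangement described above looks like on IOS for a server VLAN and one client VLAN, with the access-list restriction the original question asks about shown next to the unrestricted form. All addresses are constructed, and UDP port 9 is an assumption; substitute the port your WOL server actually sends to (the reply above lists 1765 and 1761 for its product).

```cisco
! Server (V)LAN: relay the WOL server's broadcast to the directed-broadcast
! address of each client (V)LAN (one helper-address per client LAN).
interface Vlan10
 description WOL server VLAN (constructed example addresses)
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.20.20.255
 ip helper-address 10.30.30.255
!
! Forward the UDP port the WOL server sends to (9 is an assumption here).
ip forward-protocol udp 9
!
! Client (V)LAN, weak form: any source address anywhere can have a packet
! turned into a broadcast on this segment.
interface Vlan20
 description User VLAN (unrestricted directed broadcast)
 ip address 10.20.20.1 255.255.255.0
 ip directed-broadcast
!
! Client (V)LAN, restricted form: only packets whose source is the WOL server
! (10.10.10.50, constructed) are converted to a link-layer broadcast.
access-list 10 permit host 10.10.10.50
interface Vlan20
 description User VLAN (directed broadcast limited by ACL 10)
 ip address 10.20.20.1 255.255.255.0
 ip directed-broadcast 10
```

Only one of the two Vlan20 stanzas would exist on a real box; they are side by side here to show the difference. `show ip interface Vlan20` reports whether directed broadcast forwarding is enabled on the interface, which is the quickest way to audit that the unrestricted form has not been left on somewhere.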

Kevin Dorrell
Level 10

The server wakes up the client by generating a broadcast that contains, somewhere in the packet, a magic sequence. The magic sequence consists of six bytes of FF followed by the MAC address of the target, repeated 16 times. It has to be a broadcast because a client in standby is unaware of its IP address. It's all done with MAC addresses.

When a server is addressing a client on a remote LAN, I'm not sure whether it is intelligent enough to send its packet to the presumed directed broadcast address of the remote LAN, but I assume not - I assume it broadcasts it splat regardless of its location. (If anyone knows otherwise, please let me know.)

So on the (V)LAN where your server resides, you need an ip helper-address to the directed broadcast address of the (V)LAN where the client resides. (If there are several remote LANs, you need one command for each.) This will be forwarded to the remote (V)LAN. Once there, it will be transmitted as a broadcast, but only if ip directed-broadcast is enabled.

Yes, you can make this more secure by restricting the ip directed-broadcast on the client LAN to an access list. Make a standard access list containing just the address of the server, and attach it to the ip directed-broadcast command. That will allow the server to generate the directed-broadcast and nobody else.

Of course, it is not 100% secure because the broadcast (like almost all broadcasts) is connectionless. That makes it easy to spoof. Anybody could generate a magic packet, ostensibly from the server, to the directed broadcast address of the client's LAN, and wake up the client (if they know the MAC addresses, which is difficult from a remote location).

Hope that helps.

Kevin Dorrell

Luxembourg
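
The magic-packet layout and the spoofing caveat from the reply above, as an added Python example that is not code from either reply: it builds the 6 x FF + 16 x MAC sequence, scans a UDP payload for it at any offset (the way a detector or IDS rule would), works out the directed-broadcast address of a remote client LAN, and models the standard ACL bound to ip directed-broadcast to show that it keys only on the claimed source address. The MAC, the 10.x.x.x subnets and the UDP port are constructed; port 9 is an assumption.

```python
"""Wake-on-LAN magic packets: build, detect and send to a directed broadcast.

Added example for this thread, not code from either reply. The MAC address,
the 10.x.x.x subnets and the UDP port are constructed for illustration.
"""
import ipaddress
import re
import socket
from typing import Optional

SYNC = b"\xff" * 6   # the six 0xFF bytes that open the magic sequence
WOL_PORT = 9         # assumed: a common WOL port; the first reply names others


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco-style aabb.ccdd.eeff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str) -> bytes:
    """Six bytes of FF followed by the target MAC repeated 16 times: 102 bytes."""
    return SYNC + parse_mac(mac) * 16


def find_magic_target(payload: bytes) -> Optional[str]:
    """Return the target MAC if a magic sequence appears anywhere in the payload.

    The sequence can sit "somewhere in the packet", so check every 0xFF run
    for the 16 repetitions that must follow it. A run of FF bytes on its own
    (target ff:ff:ff:ff:ff:ff) is not a valid wake target.
    """
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + 6:start + 6 + 96]
        if len(body) == 96:
            mac = body[:6]
            if mac != SYNC and body == mac * 16:
                return mac.hex(":")
        start = payload.find(SYNC, start + 1)
    return None


def directed_broadcast(cidr: str) -> str:
    """Directed-broadcast address of a remote client LAN: 10.20.20.0/24 -> 10.20.20.255."""
    return str(ipaddress.ip_network(cidr, strict=False).broadcast_address)


def acl_permits(src_ip: str, permitted_hosts: set) -> bool:
    """Model of the standard ACL bound to 'ip directed-broadcast'.

    The router only sees the packet's claimed source address, which is why the
    ACL stops casual senders but not a spoofed source (the caveat in the reply).
    """
    return src_ip in permitted_hosts


def send_magic_packet(mac: str, client_lan: str, port: int = WOL_PORT) -> int:
    """Send the magic packet to the directed-broadcast address of client_lan.

    Works only if the router on that LAN has 'ip directed-broadcast' (ideally
    ACL-restricted to this host). Needs a real network, so it is not called at
    import time. Returns the number of bytes sent.
    """
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (directed_broadcast(client_lan), port))


if __name__ == "__main__":
    target = "00:11:22:33:44:55"                      # constructed target MAC
    pkt = build_magic_packet(target)
    print(len(pkt), "byte magic packet for", target)
    print("send to", directed_broadcast("10.20.20.0/24"), "port", WOL_PORT)

    # Constructed capture: some WOL tools pad the datagram, so the sequence
    # is not at offset 0; the detector still recovers the target.
    capture = b"WOL-TOOL-v1\x00" + pkt + b"\x00" * 4
    print("target seen in capture:", find_magic_target(capture))

    # The ACL on the client LAN keys only on the claimed source address.
    wol_server = {"10.10.10.50"}
    print("server permitted:", acl_permits("10.10.10.50", wol_server))
    print("other host permitted:", acl_permits("10.20.30.40", wol_server))
```

`find_magic_target` is the piece worth reusing: pointed at the UDP payloads arriving on a client VLAN, it tells you which MAC someone is trying to wake and from which claimed source, which is the only evidence the ACL on the router ever sees.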