Yup, that I know. Can I just specify the UDP port to forward in the extended ACL? I don't have a lab to test. If I use the extended ACL, do I still need the "ip forward-protocol udp <port>" command? That's what I'm wondering.

Sure you need 

ip forward-protocol udp

In both case' the ACL use only of l3 traffic not for l4 ports.

MHM

Perfect, that's all I needed to know, thank you! So there is no point in using an Extended ACL when doing Directed Broadcasts since the L4 portion of that ACL isn't considered when the router is making the decision to translate to a local broadcast and forward or drop the traffic.

I'll use a standard ACL along with the "ip forward-protocol udp <port>" command.

Yes correct 

MHM

You may and you did!

Let's break this down so I hopefully touch on everything....

May I ask why you need to enable direct broadcast to a range of subnets  or the forwarding of UDP broadcast?
Can you be more elaborate on what you are trying to accomplish as enabling broadcast forwarding can be quite resource intensive. One of our customers has some stream which is a broadcast and they want it sent to multiple sites. Yes, multicast could also do this but the ask was a direct broadcast. I've been instructed on more than one occasion to just do what I'm told and not to ask questions and not care why I'm doing what I'm doing. To which I've finally replied, "I hope the CIO asks me to remove STP from everywhere because he hates it. I'll do it immediately and then leave to go on PTO for a week." Back to your comment about being resource intensive; I've never configured this. I learned about it but never used it. Do you know how resource intensive this is? The resources will only be on the L3 device converting from a directed broadcast to a local broadcast and forwarding. The forwarding part won't consume so many resources, lots of broadcasts in L2 domains every second of the day. I could see a little resource intensive for the packets but if we only have one single stream, I don't think it's going to crash any modern L3 device. Thoughts?

Note: ip directed broadcast with an extended acl can control what host(s) and network(s) can send/receive the intended broadcast traffic  
Also enabling udp forwarding  by default opens up a lot of UDP ports that broadcast is flooded too.  Correct, that's why I'm specifying which port is allowed to be forwarded with the "ip forward-protocol udp 10" command. This will tell the router to only convert to a local broadcast and forward if the destination port is 10.

Hey Paul,

Let me start by saying the IPs are arbitrary, I know I used different IP space in my OP. I'm not asking someone to teach me subnetting, I just need to understand behavior of devices with commands, which I thought I knew but maybe not.

I'm a bit confused. This is my understanding of the behavior of the traffic with the commands entered:

1) Server begins forwarding a directed broadcast to a subnet outside of its own (server is 10.10.0.1/24 broadcast is sent to 10.10.1.255/24 which is a unicast message but meant for the broadcast domain)

2) Routers forward the traffic based on their routing tables

3) The final router, where the subnet lives, receives the traffic and by default, drops it.  (This is our current state)

4) I enter the following commands at the destination router:

acl 1 permit 10.10.0.1 any  (This command says defines communication sourced from 10.10.0.1 to a destination of anything.)

int vlan 20    (This command brings me into interface config so I can apply the config to the SVI for the 20.20.0.0/24 subnet)

ip directed-broadcast 1   (This tells the router to take a direct broadcast message (destination 20.20.0.255) and form a new packet with destination of 255.255.255.255 and forward it out all interfaces belonging to VLAN 20. By default, the router will transform ALL direct broadcast messages destined for VLAN 20 (20.20.0.0/24), I do not want this)

ip forward-protocol udp 1090   (This tells the router to only transform and forward direct broadcasts using UPD with a destination port of 1090)

5) Celebrate

Is my understanding incorrect?

If I use the ip-helper commands, won't that forward all broadcast traffic? I don't want to forward all broadcast traffic from one subnet to another.

I am a bit late to this discussion but hope that I can clarify a few aspects. There seems to be some confusion about where some commands are used:

The command ip forward-protocol udp 10 adds a port to the group of ports which could be forwarded to remote destinations. As Paul has pointed out there are several udp ports that are forwarded by default and this command adds a protocol to that list. This command is used on the interface where the server is connected that will generate the broadcast messages. It works in conjunction with the command ip helper-address which specifies remote destinations to which broadcasts will be forwarded. 

The command ip directed-broadcast 1 is used on the interface which is the destination of the forwarded broadcast and is used to specify what sources of forwarded broadcasts will be permitted. (note that by default no forwarded broadcast is permitted, so you need at least the ip directed-broadcast. Use of the acl is optional and allows you to control what broadcasts are permitted) I have not had any experience with using extended acl with directed-broadcast and am not sure what the results would be.I believe that the safe choice is to use standard acl for this.

I learned by testing in production that the ip forward-protocol udp 10 command is NOT what I need. That is for forwarding additional broadcast to the IP helper IPs. 

I did use an extended ACL on the destination SVI and it is working, I do see hits on the ACL and the user confirmed testing successful. I believe it is doing the protection that I originally thought "ip forward-protocol udp 10" would be doing.

I asked the user to use multicast but they said it's not supported.

Thanks for the update. I would address a couple of points:

- " the ip forward-protocol udp 10 command is NOT what I need" In the discussion you have disguised what protocol you are dealing with. If your implementation is working ok without using that command then it suggests that the protocol you are using is one of the several that are forwarded by default. 

- It is interesting that you are using an extended acl on the destination SVI and that it is working.

Here is the config:

conf t
  ip access-list extended 169
    10 permit udp host 10.192.1.186 any eq 5067
  exit
  !
  int vlan 200
    ip directed-broadcast 169
  !
  end

interface Vlan200
description Hosts VLAN
ip address 10.101.4.1 255.255.255.0
ip directed-broadcast 169
end

Extended IP access list 169
10 permit udp host 10.192.1.186 any eq 5067 (803723 matches)

The solution is a Windows servers that is sending GPS data to specific subnets. There are GPS clients then listening on port 5067.

Thank you again for your explanation and helping me understand which command goes where.