Hi Rick 

" 1) you do not need to specify a direction when using an access list with directed broadcast because directed broadcast is, by definition, about incoming traffic. " .

(access-list 102 permit udp host 192.168.80.10 any eq 7)

Interface vlan 100

Ip add 10.0.7.2 255.255.255.0

ip access-group testing  out

ip directed-broadcast 102

 As per the above access list the source ip is  (192.168.80.10) .  If  the direction is 'in' , the source will not match and the ACL will simply  drop  the traffic from 192.168.80.10 .  To match the source ip, the ip  must be  one from the  interface vlan subnet ( 10.0.7.0 /24).

Please correct me i am wrong 

2 ) What is the difference between the below lines .

permit udp host 192.168.80.10 any eq 7

permit udp host 192.168.80.10 eq 7 any

Thank you 

I can not correct you because you are not wrong. I should have been more careful about how I phrased my response and if you take my response literally then my response was wrong. What I meant to express is that the access list used for directed broadcast is about traffic coming into the router from somewhere and being sent out the interface on which the directed broadcast command is configured. There is an inbound component because the access list is examining source addresses. But the traffic that the access list is controlling is outbound. My mistake and I apologize.

2) (being more careful this time) the first example is checking for 7 to be the destination port in the traffic while the second example is checking for 7 to be the source port in the traffic.

HTH

Rick

Hi Rick 

When  you said incoming traffic , i thought  you are talking about  the direction 'in'.

Apologize and  thanks for your great  help .

I have one more question ,

the server use an apps which uses some random port (for example 62577)   and  sending udp packets to the destination port  7

if  i am writing  an access list with 'out'  direction , how it would be like ?

if my server is 192.168.80.10  the  below access list is ok ?

ip access-list extended test2
  permit udp host 192.168.80.10 any eq 7.

Thanks  

I am sorry that my original response was not more clear and accurate. It would have been better if I had said that it was outbound.

In your question the 62577 is the source port from the server? There is no requirement to specify the source port in your access list and the test2 list that you show should work fine specifying the source IP address and the destination port.

HTH

Rick

Hi rick 

I had no luck  with the above access list , wireshark capture from the server 192.168.80.10 shows  source port  62991 and destination port is 7 (attached image) . 

When i change the access list as below it did work .

permit ip host 192.168.80.10  any

Please help 

Thanks

I am a bit puzzled if the access list did not work. The capture clearly shows that it is a UDP packet with destination port of 7. So I would have thought that the access list

 permit udp host 192.168.80.10 any eq 7

should have worked. Perhaps you can tell us where you applied the access list and how you applied it?

HTH

Rick

Hi Rick 

Here is my access list and other configuration 

access-list 102 permit udp host 192.168.80.10 any eq 7

ip access-list extended testing
permit udp host 192.168.80.10 any eq 7
......--------------------------------------
and there are other lines , its a long list 

-----------------------------

 permit ip any any

interface vlan 100
Ip add 10.0.7.2 255.255.255.0

ip helper-address 192.168.1.20
ip access-group testing  out
ip directed-broadcast 102

"I just added  102  with ip directed-broadcast command even it does not make any sense since there is an ACL (testing ) already there on the  interface "  .

Thanks

I am not sure that I understand what is going on here. But let me try to clarify one aspect of this discussion - the relationship of the access list used in the directed broadcast command and the access list applied to the interface. The access list applied to the interface using ip access-group examines and controls what packets are sent out the interface. The access list used in the directed broadcast command does not control what is sent out the interface. In that sense perhaps my initial reluctance to describe this access list as outbound was justified.

So if the access list in directed broadcast does not control outbound packets what does it do? In trying to explain that let us be clear how directed broadcast works and take the logic a step at a time. A directed broadcast is forwarded through networks just like a unicast packet. No router forwarding the packet can be sure whether it is a directed broadcast or not. Only the router connected to the destination LAN can be sure whether it is a directed broadcast or not.

So when the directed broadcast packet gets to the destination what does the router do? After the router determines that the packet is a directed broadcast it checks to see whether directed broadcast is enabled on that interface. (by default directed broadcast is disabled - so if you want it you must enable it) If the router determines that directed broadcast is enabled it then checks to see whether this particular directed broadcast should be forwarded. It does this by checking the access list (if an access list is configured) If the router determines that this particular directed broadcast should be forwarded it transforms the packet into a broadcast (I found one description of this which uses the term "explodes" the packet into a broadcast, which is an interesting way to describe it). So the function of the access list in directed broadcast is to control whether the packet is to be transformed or not. It is not a control over whether the packet is transmitted (like the interface access list is).

I hope this helps to clarify the difference between the access list applied to the interface (does control sending outbound traffic) and the access list applied to directed broadcast (does control the conversion of the packet into a local broadcast).

HTH

Rick