02-13-2012 08:49 AM - edited 03-07-2019 04:54 AM
Hi all,
I'm quite new to ACLs so forgive any errors.
I am currently trying to get Wake on LAN working in our environment to allow SCCM 2007 to wake computers. I have configured the ACLs to allow the packets across VLANs.
I followed the CISCO guide
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a008084b55c.shtml and it works, but I am concerned that I have left the security too open.
First I allowed the server in an ACL entry
permit udp host 192.168.99.x eq 7
Then I allowed forwarding of WOL packets in broadcasts.
ip forward-protocol udp 7
Then on the VLAN interface I got a bit stuck. In the guide it says to input the ACL number after; however, I use ACL names and I cannot add the name.
ip directed-broadcast ACLNumber
It WORKS great if I simply don't put the ACL number, but I fear that this is too "open".
Any advice greatly appreciated!
Matt
02-13-2012 11:11 AM
Matt
It is certainly true that ip directed-broadcast with ACL is more secure than ip directed-broadcast with no ACL. The degree of risk is probably not high, but you are better off if you get the access list to work.
I am puzzled at the ACL that you are trying to use. Since it specifies udp and specifies eq 7 it looks like it would be an extended access list. But since it only lists one IP address it looks like a standard access list and not extended access list. Perhaps you can supply more detail about the access list?
If you are trying to add the ACL for directed-broadcast and it is not accepting names of access lists it may be that the command requires that the ACL be a numbered list rather than a named list. I am not clear about that requirement, but it sounds that way from your description, and I know that the times that I have configured WOL I have used numbered access lists and they have worked fine.
HTH
Rick
02-13-2012 11:32 AM
As Rick mentioned, 'ip directed-broadcast' typically only takes a numbered (not named) access-list. It would help to know the specific platform and software release in use to confirm that!
Cheers,
/Phil
02-14-2012 01:02 AM
Hi guys,
Thanks for getting back to me so fast.
The ACL is an extended list; my apologies, the ACL entry I put in is below (slight typo).
permit udp host 192.168.99.x any eq 7
Below is a sh ver:
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF17a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by cisco Systems, Inc.
Compiled Tue 02-Mar-10 02:55 by tinhuang
Image text-base: 0x40101040, data-base: 0x42DD9910
ROM: System Bootstrap, Version 12.2(17r)S2, RELEASE SOFTWARE (fc1)
BOOTLDR: s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF17a, RELEASE SOFTWARE (fc1)
a-svr-6509-1 uptime is 1 year, 6 weeks, 3 days, 21 hours, 8 minutes
Time since a-svr-6509-1 switched to active is 1 year, 6 weeks, 3 days, 21 hours, 7 minutes
System returned to ROM by s/w reset at 09:02:07 GMT Thu Dec 30 2010 (SP by power -on)
System restarted at 11:45:23 GMT Thu Dec 30 2010
System image file is "sup-bootflash:s72033-ipservicesk9-mz.122-18.SXF17a.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
cisco WS-C6509 (R7000) processor (revision 3.3) with 458720K/65536K bytes of memory.
Processor board ID SAL1023R106
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from power-on
SuperLAT software (copyright 1990 by Meridian Technology Corp).
X.25 software, Version 3.0.0.
Bridging software.
TN3270 Emulation software.
30 Virtual Ethernet/IEEE 802.3 interfaces
240 FastEthernet/IEEE 802.3 interfaces
58 Gigabit Ethernet/IEEE 802.3 interfaces
4 Ten Gigabit Ethernet/IEEE 802.3 interfaces
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102
Thanks
Matt
02-14-2012 01:40 AM
Hey Matt,
Per the command reference, only numbered ACLs can be given as an argument to the 'ip directed-broadcast' command, so you'll need to use config like:
access-list 101 permit udp host 192.168.1.x any eq 7
ip directed-broadcast 101
I didn't find any pending enhancements to allow named ACLs at this time.
Cheers,
/Phil
02-14-2012 06:05 AM
Hi Phil,
So is that basically setting up a standard ACL simply for the purpose of securing the WOL ip directed-broadcast?
Cheers
Matt
02-14-2012 06:51 AM
Exactly Matt. To be precise it would be an IP extended access-list (numbers 101-199) to allow specifying the UDP port.
Cheers,
/Phil
02-14-2012 07:40 AM
Thanks guys for your help!
Matt
02-14-2012 10:58 AM
Matt
I do not want to be overly picky. But I want to respond to something in your post to be sure that we are clear. You said:
So is that basically setting up a standard ACL
There are two aspects of the ACL that we need to be careful about - is it a standard ACL or an extended ACL and is it a named ACL or a numbered ACL.
To control the directed broadcast that you are doing for WOL it needs to be an extended access list (not standard) and it needs to be numbered ACL (not named).
HTH
Rick
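The points Phil and Rick make above (the ACL attached to `ip directed-broadcast` must be a numbered extended list because a standard list cannot express "udp ... eq 7", and the whole reason for the ACL is to restrict who may trigger a directed broadcast on the VLAN) can be checked with a small model. The following Python is an added example and not part of the thread or of any Cisco tool: it builds a WOL magic packet the way an SCCM-style server does, computes the directed broadcast address the packet is sent to, and emulates the decision `access-list 101` would make for a few constructed packets. The server address `192.168.99.10`, the target subnet `192.168.50.0/24` and the MAC address are constructed stand-ins for the poster's `192.168.99.x`.

```python
import ipaddress
import socket

# Constructed example values (not from the thread): the WOL server, the
# workstation VLAN it needs to reach, and one workstation MAC address.
WOL_SERVER = "192.168.99.10"
TARGET_SUBNET = "192.168.50.0/24"
TARGET_MAC = "00:11:22:33:44:55"
WOL_PORT = 7  # UDP port used in the thread's ACL ("eq 7")

# Emulation of: access-list 101 permit udp host 192.168.99.10 any eq 7
# An extended ACL (100-199) can match protocol, source, destination and
# port; a standard ACL (1-99) can only match the source address.
ACL_101 = [
    {"action": "permit", "proto": "udp", "src": WOL_SERVER, "dst": "any", "dport": WOL_PORT},
]


def build_magic_packet(mac: str) -> bytes:
    """WOL magic packet: 6 bytes of 0xFF followed by the MAC repeated 16 times (102 bytes)."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be exactly 6 bytes")
    return b"\xff" * 6 + mac_bytes * 16


def is_magic_packet(payload: bytes) -> bool:
    """True if a UDP payload has the magic-packet structure (sync stream + 16 copies of one MAC)."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return False
    mac = payload[6:12]
    return payload[6:102] == mac * 16


def directed_broadcast_address(subnet: str) -> str:
    """The subnet's directed broadcast address; the router only forwards a packet to it
    when 'ip directed-broadcast' is enabled on the VLAN interface (optionally ACL-filtered)."""
    return str(ipaddress.ip_network(subnet, strict=False).broadcast_address)


def acl_decision(acl, src_ip: str, proto: str, dst_ip: str, dst_port) -> bool:
    """Evaluate an extended ACL top-down, first match wins, implicit deny at the end."""
    for ace in acl:
        if ace["proto"] != proto:
            continue
        if ace["src"] != "any" and ace["src"] != src_ip:
            continue
        if ace["dst"] != "any" and ace["dst"] != dst_ip:
            continue
        if ace.get("dport") is not None and ace["dport"] != dst_port:
            continue
        return ace["action"] == "permit"
    return False  # every IOS ACL ends with an implicit deny


def send_wol(mac: str, subnet: str, port: int = WOL_PORT) -> int:
    """Send the magic packet to the subnet's directed broadcast address (what the WOL server does)."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (directed_broadcast_address(subnet), port))


if __name__ == "__main__":
    bcast = directed_broadcast_address(TARGET_SUBNET)
    print("magic packet valid:", is_magic_packet(build_magic_packet(TARGET_MAC)))
    # Constructed packets: the legitimate server, a rogue host on another VLAN
    # trying to use the same broadcast amplifier, and the server on a wrong port.
    for src, proto, port in [(WOL_SERVER, "udp", 7), ("192.168.60.25", "udp", 7), (WOL_SERVER, "udp", 9)]:
        verdict = "permit" if acl_decision(ACL_101, src, proto, bcast, port) else "deny"
        print(f"{src} {proto}/{port} -> {bcast}: {verdict}")
```

Without the ACL argument, any host that can route a packet to `192.168.50.255` gets it replicated to every station on that VLAN, which is the amplification risk the thread is worried about; with ACL 101 only UDP/7 from the WOL server is forwarded and everything else hits the implicit deny. `send_wol` actually transmits, so only call it on a network where that is intended.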
02-15-2012 12:55 AM
Hi Rick,
Yes, I have created a numbered extended access control list.
Thanks for clarifying,
Matt
04-02-2022 06:00 AM - edited 04-02-2022 06:01 AM
hi,
Maybe somebody can tell me why I don't see ACL hit counts or logging entries when I use this configuration?
access-list 101 permit udp host 192.168.1.x any log
ip directed-broadcast 101