IP directed-broadcast extended ACL

Answered Question
Feb 13th, 2012

Hi all,

I'm quite new to ACLs, so forgive any errors.

I am currently trying to get Wake on LAN working in our environment to allow SCCM 2007 to wake computers. I have configured the ACLs to allow the packets across VLANs.

I followed the CISCO guide

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a008084b55c.shtml and it works, but I am concerned that I have left the security too open.

First I allowed the server in an ACL entry:

permit udp host 192.168.99.x eq 7

Then I allowed forwarding of WOL packets in broadcasts:

ip forward-protocol udp 7 

Then on the VLAN interface I got a bit stuck. In the guide it says to input the ACL number after the command. However, I use ACL names and I cannot add the name:

ip directed-broadcast ACLNumber

It WORKS great if I simply don't put the ACL number, but I fear that this is too "open".

Any advice greatly appreciated!

Matt

Richard Burts Mon, 02/13/2012 - 11:11

Matt

It is certainly true that ip directed-broadcast with ACL is more secure than ip directed-broadcast with no ACL. The degree of risk is probably not high, but you are better off if you get the access list to work.

I am puzzled at the ACL that you are trying to use. Since it specifies udp and specifies eq 7 it looks like it would be an extended access list. But since it only lists one IP address it looks like a standard access list and not extended access list. Perhaps you can supply more detail about the access list?

If you are trying to add the ACL for directed-broadcast and it is not accepting names of access lists it may be that the command requires that the ACL be a numbered list rather than a named list. I am not clear about that requirement, but it sounds that way from your description, and I know that the times that I have configured WOL I have used numbered access lists and they have worked fine.

HTH

Rick

phiharri Mon, 02/13/2012 - 11:32

As Rick mentioned, 'ip directed-broadcast' typically only takes a numbered (not named) access-list. It would help to know the specific platform and software release in use to confirm that!

Cheers,

/Phil

matt_isda_bomb Tue, 02/14/2012 - 01:02

Hi guys,

Thanks for getting back to me so fast.

The ACL is an extended list; my apologies, the ACL entry I put in above had a slight typo. The correct entry is below:

permit udp host 192.168.99.x any eq 7

Below is a sh ver:

Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF17a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by cisco Systems, Inc.
Compiled Tue 02-Mar-10 02:55 by tinhuang
Image text-base: 0x40101040, data-base: 0x42DD9910

ROM: System Bootstrap, Version 12.2(17r)S2, RELEASE SOFTWARE (fc1)
BOOTLDR: s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF17a, RELEASE SOFTWARE (fc1)

a-svr-6509-1 uptime is 1 year, 6 weeks, 3 days, 21 hours, 8 minutes
Time since a-svr-6509-1 switched to active is 1 year, 6 weeks, 3 days, 21 hours, 7 minutes
System returned to ROM by s/w reset at 09:02:07 GMT Thu Dec 30 2010 (SP by power-on)
System restarted at 11:45:23 GMT Thu Dec 30 2010
System image file is "sup-bootflash:s72033-ipservicesk9-mz.122-18.SXF17a.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C6509 (R7000) processor (revision 3.3) with 458720K/65536K bytes of memory.
Processor board ID SAL1023R106
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from power-on
SuperLAT software (copyright 1990 by Meridian Technology Corp).
X.25 software, Version 3.0.0.
Bridging software.
TN3270 Emulation software.
30 Virtual Ethernet/IEEE 802.3 interfaces
240 FastEthernet/IEEE 802.3 interfaces
58 Gigabit Ethernet/IEEE 802.3 interfaces
4 Ten Gigabit Ethernet/IEEE 802.3 interfaces
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.
65536K bytes of Flash internal SIMM (Sector size 512K).

Configuration register is 0x2102

Thanks

Matt

Correct Answer
phiharri Tue, 02/14/2012 - 01:40

Hey Matt,

Per the command reference, only numbered ACLs can be given as an argument to the 'ip directed-broadcast' command, so you'll need to use config like:

access-list 101 permit udp host 192.168.1.x any eq 7

ip directed-broadcast 101

I didn't find any pending enhancements to allow named ACLs at this time.

Cheers,

/Phil

matt_isda_bomb Tue, 02/14/2012 - 06:05

Hi Phil,

So is that basically setting up a standard ACL simply for the purpose of securing the WOL ip directed-broadcast?

Cheers

Matt

phiharri Tue, 02/14/2012 - 06:51

Exactly Matt. To be precise it would be an IP extended access-list (numbers 101-199) to allow specifying the UDP port.

Cheers,

/Phil

Richard Burts Tue, 02/14/2012 - 10:58

Matt

I do not want to be overly picky. But I want to respond to something in your post to be sure that we are clear. You said:

So is that basically setting up a standard ACL

There are two aspects of the ACL that we need to be careful about - is it a standard ACL or an extended ACL and is it a named ACL or a numbered ACL.

To control the directed broadcast that you are doing for WOL it needs to be an extended access list (not standard) and it needs to be numbered ACL (not named).

HTH

Rick
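Putting Phil's and Rick's points together as one complete configuration. This is an added example, not the thread's own config or the Cisco guide's; it assumes the SCCM server is 192.168.99.10 on Vlan99, the clients sit in 192.168.10.0/24 behind an SVI Vlan10, and the wake-up is sent to UDP 7 as in the question. The addresses, VLAN IDs and ACL number are placeholders to substitute.

```cisco
! Added example (not from the thread). Assumed addressing:
!   SCCM server 192.168.99.10 on Vlan99, WOL targets on Vlan10 (192.168.10.0/24).
!
! Numbered *extended* ACL (101-199), so the UDP port can be matched.
! Only the SCCM server, only UDP/7, to any destination (in practice the
! subnet broadcast 192.168.10.255). Anything else hits the implicit deny.
access-list 101 remark Wake-on-LAN directed broadcast from SCCM only
access-list 101 permit udp host 192.168.99.10 any eq 7
!
! Same line as in the question: allow UDP/7 to be forwarded as a broadcast.
ip forward-protocol udp 7
!
! The client-facing SVI is where the directed broadcast is turned into a
! link-layer broadcast, so that is where the ACL-qualified command goes.
interface Vlan10
 description Client VLAN (WOL targets)
 ip address 192.168.10.1 255.255.255.0
 ip directed-broadcast 101
!
! The "open" form from the question, shown for contrast (do not use):
! with no ACL argument every directed broadcast reaching this SVI, from any
! source and to any UDP port, is rebroadcast onto the client VLAN.
! interface Vlan10
!  ip directed-broadcast
```

To confirm it took effect, `show ip interface Vlan10` should report that directed broadcast forwarding is enabled, and the match counter on `show access-lists 101` should climb each time SCCM sends a wake-up. A directed broadcast from any other source, or to any other port, falls through to the implicit deny and is dropped rather than flooded, which is the difference between this and the ACL-less form: directed-broadcast forwarding without a filter is the smurf amplification behaviour that led Cisco to disable the feature by default from IOS 12.0 onward.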

matt_isda_bomb Wed, 02/15/2012 - 00:55

Hi Rick,

Yes, I have created a numbered extended access control list.

Thanks for clarifying,

Matt

Posted February 13, 2012 at 8:49 AM
Categories: Switches