Cisco Support Community

How to configure an IP access list to control directed broadcasts for the Wake-on-LAN setup


In order to configure an IP access list to control directed broadcasts, complete one of these steps:

  1. Configure the ip directed-broadcast command directly on an interface:

    Hostname(config)#interface FastEthernet
    Hostname(config-if)#ip directed-broadcast

  2. Configure an access control list (ACL) in order to permit traffic only from a trusted source. For example, is the Wake-on-LAN (WoL) server.

    Hostname(config)#access-list 10 permit

    Then apply that ACL under the VLAN interface:

    Hostname(config)#interface Vlan <Vlan id>
    Hostname(config-if)#ip address x.x.y.y subnet mask
    Hostname(config-if)#no ip redirects
    Hostname(config-if)#ip directed-broadcast 10   
    !--- 10 is the ACL number.
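
The two steps above differ in who may trigger a directed broadcast: step 1 accepts any source, step 2 only the sources the ACL permits. The following Python audit is an added example, not part of the original document or any Cisco tooling; it classifies each interface in a running-config accordingly, and the sample config, its addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample config: names, ACLs 101/30 and RFC 5737 addresses are assumptions.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 ip directed-broadcast
interface Vlan3
 no ip redirects
 ip directed-broadcast 10
interface Vlan4
 ip directed-broadcast 101
interface Vlan5
 ip directed-broadcast 30
interface Vlan6
 no ip directed-broadcast
access-list 10 permit 192.0.2.50
access-list 101 permit udp any any eq 9
access-list 101 deny ip any any
"""

def permits_any_source(acl_number, fields):
    """True when an entry's source is 'any' (standard ACL: field 0; extended: field 1)."""
    n = int(acl_number)
    idx = 0 if (1 <= n <= 99 or 1300 <= n <= 1999) else 1
    return len(fields) > idx and fields[idx] == "any"

def audit_directed_broadcast(config):
    """Map each interface that forwards directed broadcasts to a finding string."""
    acls, enabled, iface = {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"interface\s+(\S+)", line):
            iface = m.group(1)
        elif iface and (m := re.match(r"\s+ip directed-broadcast(?:\s+(\d+))?\s*$", line)):
            enabled[iface] = m.group(1)  # None when no ACL is attached (step 1)
        elif m := re.match(r"access-list\s+(\d+)\s+(permit|deny)\s+(.+)", line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).split()))
    findings = {}
    for name, acl in enabled.items():
        if acl is None:
            findings[name] = "enabled with no ACL"
        elif acl not in acls:
            findings[name] = f"ACL {acl} is not defined in this config"
        elif any(a == "permit" and permits_any_source(acl, f) for a, f in acls[acl]):
            findings[name] = f"ACL {acl} permits any source"
        else:
            findings[name] = f"restricted by ACL {acl}"
    return findings

if __name__ == "__main__":
    print(audit_directed_broadcast(SAMPLE_CONFIG))
```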

Refer to the Control Directed Broadcasts section of the document Improving Security on Cisco Routers for more information.
Last update: 06-22-2009 04:08 PM
New Member

I have my WoL server set to in network (vlan 2).

I have my client station set to in network (vlan 3)

My WoL server uses port 144 (verified with wireshark).  Entered the following commands to set up WoL:

    interface Vlan2
     ip address
     ip helper-address
    interface Vlan3
     ip address
     ip directed-broadcast 101

    ip forward-protocol udp 144

    access-list 101 permit udp host any eq 144


My full access-list looks like this:

    Extended IP access list 101
        10 permit udp host any eq 144
        20 deny ip any any

When I wake the computer with the server, it works as expected. However, when I change my WoL server to in order to simulate an unauthorized server doing the same thing, it also works and wakes the client.

Why is my extended access-list not stopping sources that are not

Any help would be greatly appreciated! Thanks and Cheers!