Cisco Support Community

How to configure an IP access list to control directed broadcasts for the Wake-on-LAN setup

Resolution

In order to configure an IP access list to control directed broadcasts, complete one of these steps:

  1. Configure the ip directed-broadcast command directly on an interface, without an ACL; every directed broadcast addressed to that subnet is then forwarded:

    Hostname(config)#interface FastEthernet
    Hostname(config-if)#ip directed-broadcast

  2. Configure an access control list (ACL) that permits traffic only from a trusted source. In this example, 192.168.10.10 is the Wake-on-LAN (WoL) server.

    Hostname(config)#access-list 10 permit 192.168.10.10

    Then apply that ACL to the ip directed-broadcast command on the VLAN interface:

    Hostname(config)#interface Vlan <Vlan id>
    Hostname(config-if)#ip address x.x.y.y subnet mask
    Hostname(config-if)#no ip redirects
    Hostname(config-if)#ip directed-broadcast 10
    !--- 10 is the ACL number.

Refer to the Control Directed Broadcasts section of document Improving Security on Cisco Routers for more information.
Version history: Revision 1 of 1, last updated 06-22-2009 04:08 PM
Comments

I have my WoL server set to 172.16.2.2 in network 172.16.2.0/24 (vlan 2).

I have my client station set to 172.16.3.2 in network 172.16.2.0/24 (vlan 3)

My WoL server uses port 144 (verified with Wireshark). I entered the following commands to set up WoL:

interface Vlan2
 ip address 172.16.2.1 255.255.255.0
 ip helper-address 172.16.3.255
!
interface Vlan3
 ip address 172.16.3.1 255.255.255.0
 ip directed-broadcast 101
!
ip forward-protocol udp 144
!
access-list 101 permit udp host 172.16.2.2 any eq 144

My full access-list looks like this:

Extended IP access list 101
    10 permit udp host 172.16.2.2 any eq 144
    20 deny ip any any

When I wake the computer with the server, it works as expected. However, when I change my WoL server to 172.16.2.5 in order to simulate an unauthorized server doing the same thing, it also works and wakes the client.

Why is my extended access-list not stopping sources that are not 172.16.2.2?

Any help would be greatly appreciated! Thanks and Cheers!
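As an added example that is not part of the Cisco document or of the comment above, the following Python evaluator applies the first-match, implicit-deny semantics of IOS numbered ACLs to candidate directed-broadcast packets, covering both the standard list 10 from the resolution and the extended list 101 from the comment. It assumes only the simplified syntax shown on this page (any, host, address with wildcard, a single eq destination port) and contiguous wildcard masks; it models what the ACL itself should permit or deny, not the rest of the forwarding path.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"             # "ip", "udp" or "tcp"
    dport: "int | None" = None    # destination port, if the protocol has one

def _addr(tok):
    """Consume one address spec (any | host A | A WILDCARD | A); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    if len(tok) > 1 and tok[1][0].isdigit():
        # IOS wildcard: 0 bits must match, 1 bits are ignored; invert it into a netmask.
        wild = int(ipaddress.IPv4Address(tok[1]))
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ wild))
        return ipaddress.ip_network((tok[0], mask), strict=False), tok[2:]
    return ipaddress.ip_network(tok[0]), tok[1:]   # bare address in a standard ACL = one host

def parse_ace(line):
    """Parse one access-list entry. Numbers 1-99 are standard ACLs and match source only."""
    tok = line.split()
    num, action, rest = int(tok[1]), tok[2], tok[3:]
    if num <= 99:
        src, _ = _addr(rest)
        return {"action": action, "proto": "ip", "src": src,
                "dst": ipaddress.ip_network("0.0.0.0/0"), "dport": None}
    proto, rest = rest[0], rest[1:]
    src, rest = _addr(rest)
    dst, rest = _addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def _matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace["src"]
            and ipaddress.ip_address(pkt.dst) in ace["dst"]
            and (ace["dport"] is None or ace["dport"] == pkt.dport))

def evaluate(acl_lines, pkt):
    """First matching entry wins; anything unmatched hits the implicit deny at the end."""
    for ace in map(parse_ace, acl_lines):
        if _matches(ace, pkt):
            return ace["action"]
    return "deny"
```

Running the comment's ACL 101 against a UDP/144 packet to 172.16.3.255 returns "permit" for source 172.16.2.2 and "deny" for 172.16.2.5, which is the behaviour the list is written to produce.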