I configured a router interface E0 with command"ip address x.x.x.x y.y.y.y" only, but when I "show run", i found there's an extra command under E0(see below) which is "no ip directed-broadcast". I can't remove this line, not sure what this line is doing.
description : connect to O6LXC29OOBC01(switch)
ip address x.x.x.x y.y.y.y
no ip directed-broadcast
An ip directed broadcast is a brodcast to all hosts on a particular subnet eg.
The directed broadcast for the above network would be 192.168.5.255 which all machines will respond to. It is recommended to turn it off for security reasons because it has the potential for a denial of service eg.
Using the above network imagine a hacker wants to attack a particular server - 192.168.5.10. So he sends a packet with the destination address of 192.168.5.255 and a source address of 192.168.5.10.
Remember he can send this from a remote network because the packet is routed based on the destination address. If the packet is allowed onto the subnet then all machines will receive it and respond to 192.168.5.10 which will now have to deal with a lot of traffic. If he can send enough packets he could overload the server 192.168.5.10.
So you probably want it turned off unless you have an application that needs it. To turn it on
Thank you,Jon. So this will not affect the routing function,right? how can I remove this line if i want? it seems other routers' e0 interfaces don't have this command.
No it won't affect the routing. You probably don't want to remove it but have you tried what i put in previous post.
yeah, if i put down "ip directed-broadcast", but this will appear in the "show run" output, never mind.
i think it's just like a filter which blocks the broadcast address for that subnet. thanks.
Jon has provided a good discussion of ip directed-broadcast and the reasons why many people want to disable this. I would like to add a small supplement to his explanation about why it is in the config.
The command is added to the configuration by the IOS. As you comment you did not type it in but it is in the config automatically. A little background may help explain why IOS does automatically put this command into the config.
In earlier versions of IOS the default was to enable directed broadcasts (and in general people thought that it was a good feature). But as networks grew and as we faced more threats and network attacks people began to recognize the security weakness of directed-broadcast and began to want to turn it off. And at some point Cisco changed the default. Now the default is no ip directed-broadcast. And Cisco now automatically adds that to the configuration to be clear about what the behavior of the router will be.
Cisco has done this kind of thing for several commands where the default behavior has changed - to automatically insert into the config the command for the default that has changed (for example putting subnet-zero into the config).
If you want to remove the command no ip directed-broadcast from the configuration you can put ip directed-broadcast into the interface configuration and it will remove the no ip directed-broadcast. (of course it will insert the ip directed-broadcast under the interface configuration)
Yes you are right that it is like a filter that gets applied.
Thank you for the compliment and thanks for the rating.
Jon, a side question on the same subject.
If I look at the config on my switch/router and I do not see "no ip directed-broadcast" displayed in the config, does that mean that it is enabled? or must it expressly say one or other?
Whether the command shows up or not depends on the version of IOS that you are running.
It is not necessary that it expressly says one or the other. If you are not sure what behavior is enabled on your interface then I suggest that you use the command show ip interface. One of the lines in the output should show clearly whether directed broadcast is enabled or not.
Okay, with that command, I do see that it says, Directed broadcast forwarding is disabled.
The problem I have, then, how is it that my devices that must have directed broadcast enabled in order to reach a back office server, are working with the directed broadcast shown as disabled.
My devices, work like this. during the initialization they send a udp request to the .255 broadcast address. The device gets an ack from the back office server, then they switch to unicast packets. This process repeats every 10 minutes where it renews the connection all over again.
I am trying to provide justification to enable it, and I know that our implementation team has enabled it when we turn up a new segment that my devices attach to.
There are some parts of your explanation that I do not understand. Let me offer one observation that I hope might help. The ip directed-broadcast command has to do with the behavior if the interface receives a directed broadcast and does not impact whether or not to transmit a directed broadcast.
Here is my guess at what is going on. Your clients send the broadcast to some UDP port. The router interface is configured with ip helper-address which forwards the broadcast to the back end server. The back end server gets the request and sends a unicast response which gets to the client and then the client begins unicast communication. Note that doing this does not necessarily require directed broadcast (unless the helper-address specifies a broadcast destination - and in that case the directed broadcast needs to be configured on the interface where the server is located and not on the interface where the client is).
If that does not satisfy your question then please provide clarification - and relevant configs would also be helpful.