I'm quite new to ACLs, so forgive any errors.
I am currently trying to get Wake on LAN working in our environment to allow SCCM 2007 to wake computers. I have configured the ACLs to allow the packets across VLANs.
I followed the Cisco guide
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a008084b55c.shtml and it works, but I am concerned that I have left the security too open.
First I allowed the server in an ACL entry:
permit udp host 192.168.99.x eq 7
Then I allowed forwarding of WOL packets in broadcasts.
Then on the VLAN interface I got a bit stuck. In the guide it says to input the ACL number after the command; however, I use ACL names and I cannot add the name.
ip directed-broadcast ACLNumber
It WORKS great if I simply don't put the ACL number, but I fear that this is too "open".
Any advice greatly appreciated!
It is certainly true that ip directed-broadcast with ACL is more secure than ip directed-broadcast with no ACL. The degree of risk is probably not high, but you are better off if you get the access list to work.
I am puzzled at the ACL that you are trying to use. Since it specifies udp and specifies eq 7 it looks like it would be an extended access list. But since it only lists one IP address it looks like a standard access list and not extended access list. Perhaps you can supply more detail about the access list?
If you are trying to add the ACL for directed-broadcast and it is not accepting names of access lists it may be that the command requires that the ACL be a numbered list rather than a named list. I am not clear about that requirement, but it sounds that way from your description, and I know that the times that I have configured WOL I have used numbered access lists and they have worked fine.
As Rick mentioned, 'ip directed-broadcast' typically only takes a numbered (not named) access-list. It would help to know the specific platform and software release in use to confirm that!
Thanks for getting back to me so fast.
The ACL is an extended list; my apologies, the ACL entry I put in above had a slight typo. The correct entry is below.
permit udp host 192.168.99.x any eq 7
Below is a sh ver:
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF17a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by cisco Systems, Inc.
Compiled Tue 02-Mar-10 02:55 by tinhuang
Image text-base: 0x40101040, data-base: 0x42DD9910
ROM: System Bootstrap, Version 12.2(17r)S2, RELEASE SOFTWARE (fc1)
BOOTLDR: s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF17a, RELEASE SOFTWARE (fc1)
a-svr-6509-1 uptime is 1 year, 6 weeks, 3 days, 21 hours, 8 minutes
Time since a-svr-6509-1 switched to active is 1 year, 6 weeks, 3 days, 21 hours, 7 minutes
System returned to ROM by s/w reset at 09:02:07 GMT Thu Dec 30 2010 (SP by power -on)
System restarted at 11:45:23 GMT Thu Dec 30 2010
System image file is "sup-bootflash:s72033-ipservicesk9-mz.122-18.SXF17a.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
If you require further assistance please contact us by sending email to
cisco WS-C6509 (R7000) processor (revision 3.3) with 458720K/65536K bytes of memory.
Processor board ID SAL1023R106
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from power-on
SuperLAT software (copyright 1990 by Meridian Technology Corp).
X.25 software, Version 3.0.0.
TN3270 Emulation software.
30 Virtual Ethernet/IEEE 802.3 interfaces
240 FastEthernet/IEEE 802.3 interfaces
58 Gigabit Ethernet/IEEE 802.3 interfaces
4 Ten Gigabit Ethernet/IEEE 802.3 interfaces
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102
Per the command reference, only numbered ACLs can be given as an argument to the 'ip directed-broadcast' command, so you'll need to use config like:
access-list 101 permit udp host 192.168.1.x any eq 7
ip directed-broadcast 101
I didn't find any pending enhancements to allow named ACLs at this time.
I do not want to be overly picky, but I want to respond to something in your post to be sure that we are clear. You said:
So is that basically setting up a standard ACL
There are two aspects of the ACL that we need to be careful about: is it a standard ACL or an extended ACL, and is it a named ACL or a numbered ACL?
To control the directed broadcast that you are doing for WOL it needs to be an extended access list (not standard) and it needs to be a numbered ACL (not named).
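To illustrate both points above (the numbered extended ACL from the earlier reply, and why it must be extended rather than standard), here is an added example that is not part of this thread: it builds and validates the WOL magic packet SCCM sends, works out the client VLAN's directed-broadcast address, and emulates what 'access-list 101 permit udp host <server> any eq 7' would permit. The server address 192.168.99.10 and the MAC/subnet values are constructed placeholders (the thread masks the server as 192.168.99.x).

```python
import ipaddress
import socket

# Assumed WOL server address; the thread only shows it masked as 192.168.99.x.
WOL_SERVER = "192.168.99.10"
WOL_PORT = 7  # the UDP port matched by "eq 7" in the thread's ACL


def build_magic_packet(mac: str) -> bytes:
    """Return the 102-byte WOL magic packet: 6 x 0xFF followed by the MAC 16 times."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be exactly 6 bytes")
    return b"\xff" * 6 + raw * 16


def is_magic_packet(payload: bytes) -> bool:
    """True if the payload is a well-formed magic packet (sync bytes + 16 MAC repeats)."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return False
    mac = payload[6:12]
    return payload[6:102] == mac * 16


def directed_broadcast(subnet: str) -> str:
    """Directed-broadcast address of a client VLAN, e.g. 192.168.1.0/24 -> 192.168.1.255."""
    return str(ipaddress.ip_network(subnet, strict=False).broadcast_address)


def acl_101_permits(src_ip: str, proto: str, dst_port: int) -> bool:
    """Emulate 'access-list 101 permit udp host <server> any eq 7' plus the implicit deny.

    A standard ACL could only test src_ip; the extended form also pins the protocol
    and destination port, which is why the thread insists on an extended numbered list.
    """
    return src_ip == WOL_SERVER and proto == "udp" and dst_port == WOL_PORT


def send_wol(mac: str, subnet: str) -> int:
    """Send one magic packet to the subnet's directed-broadcast address on UDP/7."""
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (directed_broadcast(subnet), WOL_PORT))
```

Only traffic that passes acl_101_permits (UDP from the one server to port 7) would be forwarded by the router as a directed broadcast; anything else, including TCP or other source hosts, hits the implicit deny.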