topic WoL Wake on LAN to routed remote location in ExtremeSwitching (EXOS/Switch Engine)

WoL Wake on LAN to routed remote location

PeterK — Wed, 29 Sep 2021 18:21:52 GMT

Hello,

I’ve a customer with routed remote-locations via MPLS.

Wake on LAN on the main location is working fine (upd-profile with match-criteria to 3 source-IPs, dst-broadcast-mac and dst udp port)

To get WoL running on the remote-location (also routing exos) I need to send WoL Pakets to a remote Broadcast-IP-Address and enable directed broadcast in dst-vlan. In theorie… not tested yet.

Now I need / I will reduce the security impact. Only directed broadcasts from a limited group of IPs should be accepted.

How can / should I do this?

ACL? UDP-Profile? Where to bind?

Re: WoL Wake on LAN to routed remote location

Stefan_K_ — Wed, 29 Sep 2021 19:02:27 GMT

Q A: How does EXOS treat directed broadcast traffic? | Extreme Portal (force.com)

You could limit it by with an ACL, with two entries:

Allow Traffic to remote Broadcast-Address for some source addresses

Deny Traffic to remote Broadcast-Address.

Re: WoL Wake on LAN to routed remote location

PeterK — Wed, 29 Sep 2021 19:12:28 GMT

Thanks for your answer.

The Question is, does it make sense to bind this ACL to the destination vlan on the remote-location?

If think, this could also effect broadcasts inside of the destination-vlan. So I think, it would make more sense to bind the ACL to the Transfer-VLAN of MPLS-Router.

Or, what do you think?

Re: WoL Wake on LAN to routed remote location

Stefan_K_ — Wed, 29 Sep 2021 19:23:23 GMT

Good question. Broadcasts inside the VLAN are addresses for FF:FF:FF:FF:FF:FF / 255.255.255.255. A ACL that denies traffic to 192.168.1.255 (given that the subnet is 192.168.1.0/24) shouldn’t affect this.

Will the WoL Packets only be sent from the main location to remote locations? Why not map the ACL there?

Re: WoL Wake on LAN to routed remote location

PeterK — Wed, 29 Sep 2021 20:35:06 GMT

You’re right. Normaly inside the vlan it should addressed as FF:FF:FF:FF:FF:FF / 255.255.255.255.

But, is it impossible that something is sending to L3-Broadcastaddress inside the vlan? I’m not sure.

Yes, currently the WOL Pakets should only send from the main location.

I need to enable directed broadcast on the destination vlan. If I bind the ACL in the main location, I can not prevent the dst. vlan from directed broadcasts from other vlans in the same remote-location.

But than, I would make more sense again to bind ACL to destination vlan.