I’ve a customer with routed remote locations via MPLS.
Wake on LAN on the main location is working fine (UDP profile with match criteria for 3 source IPs, destination broadcast MAC and destination UDP port).
To get WoL running on the remote location (also routing EXOS) I need to send WoL packets to a remote broadcast IP address and enable directed broadcast in the destination VLAN. In theory… not tested yet.
Now I need to / I will reduce the security impact. Only directed broadcasts from a limited group of IPs should be accepted.
How can / should I do this?
ACL? UDP profile? Where to bind it?
You’re right. Normally inside the VLAN it should be addressed as FF:FF:FF:FF:FF:FF / 255.255.255.255.
But is it impossible that something is sending to the L3 broadcast address inside the VLAN? I’m not sure.
Yes, currently the WoL packets should only be sent from the main location.
I need to enable directed broadcast on the destination VLAN. If I bind the ACL in the main location, I cannot prevent the destination VLAN from receiving directed broadcasts from other VLANs in the same remote location.
But then, it would make more sense again to bind the ACL to the destination VLAN.
Good question. Broadcasts inside the VLAN are addressed to FF:FF:FF:FF:FF:FF / 255.255.255.255. An ACL that denies traffic to 192.168.1.255 (given that the subnet is 192.168.1.0/24) shouldn’t affect this.
Will the WoL packets only be sent from the main location to the remote locations? Why not map the ACL there?
Thanks for your answer.
The question is, does it make sense to bind this ACL to the destination VLAN on the remote location?
I think this could also affect broadcasts inside the destination VLAN. So I think it would make more sense to bind the ACL to the transfer VLAN of the MPLS router.
Or, what do you think?
You could limit it with an ACL with two entries:
Allow traffic to the remote broadcast address for some source addresses.
Deny traffic to the remote broadcast address.
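The two-entry ACL suggested above, written out as an EXOS policy file. This is an added example, not configuration posted by anyone in the thread. The remote subnet 192.168.1.0/24 and its directed broadcast address 192.168.1.255 are taken from the thread; the permitted WoL sender range 10.0.0.0/29, the VLAN names and the UDP port 9 are assumed placeholders to adapt to the real site. Entries are evaluated in order, so the permit must come before the deny; 255.255.255.255 and the subnet’s own local broadcasts are not matched by either entry, which is the point made earlier in the thread.

```text
# wol_filter.pol (assumed file name) - permit directed broadcasts to the
# remote subnet only from the WoL senders at the main location, drop the rest.
entry permit_wol_from_main {
    if {
        source-address 10.0.0.0/29;            # assumed: WoL senders at main site
        destination-address 192.168.1.255/32;  # directed broadcast of 192.168.1.0/24
        protocol udp;
        destination-port 9;                    # assumed WoL port
    } then {
        permit;
        count wol_permitted;
    }
}

entry deny_other_directed_bcast {
    if {
        destination-address 192.168.1.255/32;  # any other sender to the directed broadcast
    } then {
        deny;
        count directed_bcast_denied;
    }
}
```

Bind the policy on ingress of the transfer VLAN towards the remote site, or on the remote switch where the directed broadcast is forwarded, rather than on the destination VLAN itself, since the filter only keys on 192.168.1.255 and so leaves intra-VLAN 255.255.255.255 broadcasts alone either way; the `count` actions let you verify both that WoL frames are passing and that unexpected senders are being dropped.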