This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

WoL Wake on LAN to routed remote location

WoL Wake on LAN to routed remote location

PeterK
Contributor III

‎09-29-2021 11:21 AM

Hello,

I’ve a customer with routed remote-locations via MPLS.

Wake on LAN on the main location is working fine (upd-profile with match-criteria to 3 source-IPs, dst-broadcast-mac and dst udp port)

To get WoL running on the remote-location (also routing exos) I need to send WoL Pakets to a remote Broadcast-IP-Address and enable directed broadcast in dst-vlan. In theorie… not tested yet.

Now I need / I will reduce the security impact. Only directed broadcasts from a limited group of IPs should be accepted.

How can / should I do this? 

ACL? UDP-Profile? Where to bind?

0 Kudos
4 REPLIES 4

PeterK
Contributor III

‎09-29-2021 01:35 PM

You’re right. Normaly inside the vlan it should addressed as FF:FF:FF:FF:FF:FF / 255.255.255.255.

But, is it impossible that something is sending to L3-Broadcastaddress inside the vlan? I’m not sure.

Yes, currently the WOL Pakets should only send from the main location.

I need to enable directed broadcast on the destination vlan. If I bind the ACL in the main location, I can not prevent the dst. vlan from directed broadcasts from other vlans in the same remote-location.

But than, I would make more sense again to bind ACL to destination vlan.

0 Kudos

Stefan_K_
Valued Contributor

‎09-29-2021 12:23 PM

Good question. Broadcasts inside the VLAN are addresses for FF:FF:FF:FF:FF:FF / 255.255.255.255. A ACL that denies traffic to 192.168.1.255 (given that the subnet is 192.168.1.0/24) shouldn’t affect this.

Will the WoL Packets only be sent from the main location to remote locations? Why not map the ACL there? 

0 Kudos

PeterK
Contributor III

‎09-29-2021 12:12 PM

Thanks for your answer.

The Question is, does it make sense to bind this ACL to the destination vlan on the remote-location?

If think, this could also effect broadcasts inside of the destination-vlan. So I think, it would make more sense to bind the ACL to the Transfer-VLAN of MPLS-Router.

Or, what do you think?

0 Kudos

Stefan_K_
Valued Contributor

‎09-29-2021 12:02 PM

Q A: How does EXOS treat directed broadcast traffic? | Extreme Portal (force.com)

You could limit it by with an ACL, with two entries:

Allow Traffic to remote Broadcast-Address for some source addresses

Deny Traffic to remote Broadcast-Address.

0 Kudos
GTM-P2G8KFN