IP Directed Broadcasts

Hey all,

We wish to send IP Directed Broadcasts through our routers (for SMS 2003). This will be used for our Wake on Lan packet. We would like to set up our interfaces to where the SMS server will be the only one that the broadcast packets would be allowed to be sent through (to prevent SMURF attacks). I've read that this was possible, but am not sure how to proceed. Thanks in advance for any assistance!
joseph.m.carr

One way to proceed would be with ingress ACLs on all the interfaces where you wish to defend against SMURF attempts inbound to the router.

A similar way to proceed would be with egress ACLs on all the interfaces where you wish to permit directed broadcasts emitted from the router.

Say your SMS server is at 1.1.1.100 and you have user segments at 2.2.2.x and 3.3.3.x where you wish to send directed broadcasts.

Then you could use ACLs like:

ip access-list extended no-smurf-except-from-SMS-server
 permit ip host 1.1.1.100 host 2.2.2.255
 permit ip host 1.1.1.100 host 3.3.3.255
 deny ip any host 2.2.2.255
 deny ip any host 3.3.3.255
 permit ip any any

ip access-list extended no-smurf-at-all
 deny ip any host 2.2.2.255
 deny ip any host 3.3.3.255
 permit ip any any

If you were doing ingress ACLs then you'd put the following on the interface facing the SMS server:

interface Fa0/0
 ip address 1.1.1.1 255.255.255.0
 ip access-group no-smurf-except-from-SMS-server in

and the following on each other interface

interface Fa0/1
 ip address
 ip access-group no-smurf-at-all in

If you were doing egress ACLs then you'd put the following on your 2.2.2.x and 3.3.3.x interfaces:

interface Fa0/0
 ip address 2.2.2.1 255.255.255.0
 ip access-group no-smurf-except-from-SMS-server out
 ip directed-broadcast

Of course, you should still make sure that you enable [or disable] "ip directed-broadcast" appropriately on all the interfaces adjacent [or not adjacent] to user subnets where you need the broadcasts to work.

briggs

Here is how you control who can do directed broadcast:

access-list 100 remark Wake on LAN
access-list 100 permit 10.1.2.1

interface fastethernet 0/0
 ip directed-broadcast 100

On every interface that has PCs that you want to wake you put "ip directed-broadcast 100". This is not required on other interfaces (such as WAN). ACL 100 should list the IPs of the SMS servers (the servers sending the directed broadcasts.)

Thrill5
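The ACL-based controls that briggs (extended ACLs on the interfaces) and Thrill5 (a standard ACL attached to `ip directed-broadcast`) describe above can be sanity-checked offline before touching a router. The following is an added example, not code from the thread or from Cisco: a small Python simulator of IOS first-match ACL semantics (implicit deny at the end; `host`, `any`, bare-address and contiguous-wildcard address specs) loaded with the two posters' own entries, plus a model of what `ip directed-broadcast <acl>` decides for a packet arriving at an interface. The sample packets and the 10.1.3.0/24 user subnet are constructed for illustration and do not appear in the thread.

```python
"""Offline first-match simulator for the IOS-style ACLs discussed in this thread (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One access-control entry. dst is None for a standard (source-only) ACL."""
    action: str
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network] = None


def _is_ipv4(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _parse_addr(tokens: List[str], i: int):
    """Consume one IOS address spec at tokens[i]: 'any', 'host A', 'A W' (wildcard) or bare 'A'."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if i + 1 < len(tokens) and _is_ipv4(tokens[i + 1]):
        # IOS wildcard mask: 0 bits must match, 1 bits are ignored (the inverse of a netmask).
        # Only contiguous wildcards are modelled here.
        wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
        netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
        return ipaddress.ip_network((tok, str(netmask)), strict=False), i + 2
    return ipaddress.ip_network(tok + "/32"), i + 1      # bare address in a standard ACL = host


def parse_ace(line: str) -> Optional[Ace]:
    tokens = line.split()
    if not tokens or tokens[0] == "remark":
        return None                                     # remarks and blank lines carry no policy
    action = tokens[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    if len(tokens) > 1 and tokens[1] == "ip":           # extended ACE: protocol, source, destination
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        return Ace(action, src, dst)
    src, _ = _parse_addr(tokens, 1)                     # standard ACE: source only
    return Ace(action, src)


def parse_acl(text: str) -> List[Ace]:
    return [ace for ace in map(parse_ace, text.strip().splitlines()) if ace is not None]


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """IOS semantics: the first matching entry decides; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if s in ace.src and (ace.dst is None or d in ace.dst):
            return ace.action
    return "deny"


def forwards_directed_broadcast(acl: List[Ace], src: str, dst: str, subnet: str) -> bool:
    """Model of 'ip directed-broadcast <acl>' on the interface attached to `subnet`: the router
    turns a packet for that subnet's broadcast address into a link broadcast only if the ACL
    permits its source. Anything not aimed at the broadcast address is ordinary unicast (False)."""
    net = ipaddress.ip_network(subnet)
    return ipaddress.IPv4Address(dst) == net.broadcast_address and evaluate(acl, src, dst) == "permit"


# briggs' two extended ACLs, entries exactly as posted
NO_SMURF_EXCEPT_FROM_SMS = parse_acl("""
permit ip host 1.1.1.100 host 2.2.2.255
permit ip host 1.1.1.100 host 3.3.3.255
deny ip any host 2.2.2.255
deny ip any host 3.3.3.255
permit ip any any
""")
NO_SMURF_AT_ALL = parse_acl("""
deny ip any host 2.2.2.255
deny ip any host 3.3.3.255
permit ip any any
""")
# Thrill5's standard ACL 100: only the SMS server may source directed broadcasts
WOL_SOURCES = parse_acl("""
remark Wake on LAN
permit 10.1.2.1
""")

if __name__ == "__main__":
    # Constructed sample packets (source, destination); 1.1.1.77 stands for a non-SMS host
    for src, dst in [("1.1.1.100", "2.2.2.255"), ("1.1.1.77", "2.2.2.255"), ("1.1.1.77", "2.2.2.10")]:
        print(f"{src} -> {dst}: SMS-facing interface={evaluate(NO_SMURF_EXCEPT_FROM_SMS, src, dst)}, "
              f"other interfaces={evaluate(NO_SMURF_AT_ALL, src, dst)}")
    # Constructed user subnet 10.1.3.0/24 carrying Thrill5's 'ip directed-broadcast 100'
    print(forwards_directed_broadcast(WOL_SOURCES, "10.1.2.1", "10.1.3.255", "10.1.3.0/24"))
```

Running the packets through both of briggs' lists makes the point of his design visible: the SMS server's broadcast to 2.2.2.255 is permitted only by the list on its own interface, every other interface drops the same destination regardless of source, and ordinary unicast to the user subnets passes everywhere. With Thrill5's standard list the implicit deny does the filtering, so a second SMS server has to be added explicitly or its wake-up packets are silently discarded.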

I've been through this exact scenario, where we needed to forward SMS broadcasts on port 20000. The easiest way? Just do this to every layer-3 device in your network:

ip forward-protocol udp 20000

Brian

response3
