IP Directed Broadcasts

Discussion in 'Cisco' started by joseph.m.carr@gmail.com, Feb 26, 2007.

  1. Guest

    Hey all,

    We wish to send IP Directed Broadcasts through our routers (for SMS
    2003). This will be used for our Wake on Lan packet. We would like
    to set up our interfaces to where the SMS server will be the only one
    that the broadcast packets would be allowed to be sent through (to
    prevent SMURF attacks). I've read that this was possible, but am not
    sure how to proceed. Thanks in advance for any assistance!
    , Feb 26, 2007
    #1

  2. Guest

    In article <>, writes:
    > Hey all,
    >
    > We wish to send IP Directed Broadcasts through our routers (for SMS
    > 2003). This will be used for our Wake on Lan packet. We would like
    > to set up our interfaces to where the SMS server will be the only one
    > that the broadcast packets would be allowed to be sent through (to
    > prevent SMURF attacks). I've read that this was possible, but am not
    > sure how to proceed. Thanks in advance for any assistance!


    One way to proceed would be with ingress ACLs on all the interfaces
    where you wish to defend against SMURF attempts inbound to the router.

    A similar way to proceed would be with egress ACLs on all the interfaces
    where you wish to permit directed broadcasts emitted from the router.

    Say your SMS server is at 1.1.1.100 and you have user segments
    at 2.2.2.x and 3.3.3.x where you wish to send directed broadcasts.

    Then you could use ACLs like:

    ip access-list extended no-smurf-except-from-SMS-server
    permit ip host 1.1.1.100 host 2.2.2.255
    permit ip host 1.1.1.100 host 3.3.3.255
    deny ip any host 2.2.2.255
    deny ip any host 3.3.3.255
    permit ip any any

    ip access-list extended no-smurf-at-all
    deny ip any host 2.2.2.255
    deny ip any host 3.3.3.255
    permit ip any any


    If you were doing ingress ACLs then you'd put the following on the
    interface facing the SMS server:

    interface Fa0/0
    ip address 1.1.1.1 255.255.255.0
    ip access-group no-smurf-except-from-SMS-server in

    and the following on each other interface

    interface Fa0/1
    ip address <whatever>
    ip access-group no-smurf-at-all in


    If you were doing egress ACLs then you'd put the following on your
    2.2.2.x and 3.3.3.x interfaces:

    interface Fa0/0
    ip address 2.2.2.1 255.255.255.0
    ip access-group no-smurf-except-from-SMS-server out
    ip directed-broadcast


    Of course, you should still make sure that you enable [or disable]
    "ip directed-broadcast" appropriately on all the interfaces adjacent
    [or not adjacent] to user subnets where you need the broadcasts to
    work.
    , Feb 26, 2007
    #2

  3. Thrill5 Guest

    Here is how you control who can do directed broadcast:

    access-list 100 remark Wake on LAN
    access-list 100 permit ip host 10.1.2.1 any

    interface fastethernet 0/0
    ip directed-broadcast 100

    On every interface that has PCs that you want to wake you put "ip
    directed-broadcast 100". This is not required on other interfaces (such as
    WAN). ACL 100 should list the IPs of the SMS servers (the servers sending
    the directed broadcasts).

    Scott
    Thrill5, Mar 1, 2007
    #3
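    A way to sanity-check the two controls described in replies #2 and #3 (the ingress/egress ACLs, and the `ip directed-broadcast <acl>` form), as an added Python model that is not part of this thread and not a Cisco tool: it re-types the thread's ACLs (with the named ACLs declared `extended`, which IOS requires for host/host entries, and ACL 100 written in extended syntax), evaluates them first-match-wins with the implicit deny at the end, and simulates the egress decision for a few constructed packets. The addresses 1.1.1.50 and 10.9.9.9 and the subnet 10.1.2.0/24 are constructed sample values.

```python
"""Simulation of the directed-broadcast controls discussed in this thread.

Constructed example: the ACL text below is re-typed from the posts, and the
evaluation logic is a plain first-match-wins model of how a router applies
an ACL. Nothing here talks to a real device.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' | 'A.B.C.D' at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if i + 1 < len(tokens):
        # 'A.B.C.D WILDCARD': a contiguous wildcard mask maps to a prefix length
        addr = int(ipaddress.ip_address(tok))
        wildcard = int(ipaddress.ip_address(tokens[i + 1]))
        prefix = 32 - wildcard.bit_length()
        return ipaddress.IPv4Network((addr & ~wildcard & 0xFFFFFFFF, prefix)), i + 2
    # bare address (standard-ACL shorthand) means a single host
    return ipaddress.ip_network(tok + "/32"), i + 1


def parse_acl(text):
    """Return [(action, src_net, dst_net)] from Cisco-style ACL lines.

    'ip access-list ...' headers and 'remark' lines are skipped; the numbered
    'access-list N' prefix is dropped; extended entries name a protocol first.
    """
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "ip":
            continue
        if tokens[0] == "access-list":
            tokens = tokens[2:]
        if tokens[0] == "remark":
            continue
        action = tokens[0]
        i = 2 if tokens[1] in ("ip", "udp", "tcp", "icmp") else 1
        src, i = _parse_addr(tokens, i)
        dst, i = _parse_addr(tokens, i) if i < len(tokens) else (ANY, i)
        entries.append((action, src, dst))
    return entries


def evaluate(entries, src, dst):
    """First matching entry decides; every ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def directed_broadcast_address(network):
    """The subnet-directed broadcast address the ACLs above single out."""
    return str(ipaddress.ip_network(network).broadcast_address)


def forwards_directed_broadcast(enabled, acl_entries, src, dst):
    """Model of 'ip directed-broadcast [acl]' on the egress interface: the packet
    becomes a link-layer broadcast only if the feature is on and, when an ACL
    is attached, that ACL permits it."""
    if not enabled:
        return False
    if acl_entries is None:
        return True
    return evaluate(acl_entries, src, dst) == "permit"


# The thread's ACLs, re-typed (named ACLs need 'extended' for host/host entries).
NO_SMURF_EXCEPT_SMS = parse_acl("""
ip access-list extended no-smurf-except-from-SMS-server
permit ip host 1.1.1.100 host 2.2.2.255
permit ip host 1.1.1.100 host 3.3.3.255
deny ip any host 2.2.2.255
deny ip any host 3.3.3.255
permit ip any any
""")

NO_SMURF_AT_ALL = parse_acl("""
ip access-list extended no-smurf-at-all
deny ip any host 2.2.2.255
deny ip any host 3.3.3.255
permit ip any any
""")

WOL_ACL_100 = parse_acl("""
access-list 100 remark Wake on LAN
access-list 100 permit ip host 10.1.2.1 any
""")


def scenarios():
    """Constructed packets from the thread's scenario and the decision each control makes."""
    bcast = directed_broadcast_address("2.2.2.0/24")  # '2.2.2.255'
    return {
        # ingress ACL on the SMS-facing interface (reply #2)
        "sms_to_bcast": evaluate(NO_SMURF_EXCEPT_SMS, "1.1.1.100", bcast),
        "other_host_to_bcast": evaluate(NO_SMURF_EXCEPT_SMS, "1.1.1.50", bcast),
        "other_host_unicast": evaluate(NO_SMURF_EXCEPT_SMS, "1.1.1.50", "2.2.2.10"),
        # ingress ACL on every other interface: a packet carrying the SMS server's
        # source address but arriving on a user interface is still dropped
        "sms_address_on_user_if": evaluate(NO_SMURF_AT_ALL, "1.1.1.100", bcast),
        # 'ip directed-broadcast 100' on the user interface (reply #3)
        "wol_server_forwarded": forwards_directed_broadcast(True, WOL_ACL_100, "10.1.2.1", bcast),
        "unlisted_source_dropped": forwards_directed_broadcast(True, WOL_ACL_100, "10.9.9.9", bcast),
        "feature_off_dropped": forwards_directed_broadcast(False, None, "10.1.2.1", bcast),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:26} -> {decision}")
```

    The interface split in reply #2 is what makes the scheme hold up: the permissive ACL sits only on the interface the SMS server is actually behind, so the server's address is useless as a source on any other interface. Reply #3's form reaches the same result with one ACL per user interface, evaluated where the broadcast would be expanded.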
  4. response3 Guest

    On Feb 28, 5:06 pm, "Thrill5" <> wrote:
    > Here is how you control who can do directed broadcast:
    >
    > access-list 100 remark Wake on LAN
    > access-list 100 permit 10.1.2.1
    >
    > interface fastethernet 0/0
    > ip directed-broadcast 100
    >
    > On every interface that has PCs that you want to wake you put "ip
    > directed-broadcast 100". This is not required on other interfaces (such as
    > WAN). ACL 100 should list the IPs of the SMS servers (the servers sending
    > the directed broadcasts).

    I've been through this exact scenario, where we needed to forward SMS
    broadcasts on port 20000. The easiest way? Just do this to every
    layer-3 device in your network:

    ip forward-protocol udp 20000

    Brian
    response3, Mar 21, 2007
    #4
