Wake on LAN (Magic Packets) to subnets

Hi Experts

To get SCCM working to remote subnets, I need to set up my Cisco 6500 to forward Magic Packets to other remote subnets for the purpose of Wake on LAN. I was hoping for some advice.

SCCM server is sitting on the 10.1.0.0 subnet.
Remote computers are sitting on subnets 10.20.0.0 & 10.30.0.0 etc. that are connected via VPN IPsec tunnels.

What commands do I have to issue to the router to forward these WOL packets to the appropriate subnets?

ip forward-protocol udp 9 ?
Cedar0Guitar Asked:

lanboyo Commented:
You need to enable the "ip directed-broadcast" command on every interface that the magic packet will traverse to get to its destination.

You can set an access list to permit only specific hosts to be able to send the magic packets (or smurf attacks).

Wake on LAN does not need to use UDP 9; it has been configured in UDP 0,1 7 and IPX frames.

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a008084b55c.shtml#WOL
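
For testing the router path independently of SCCM, here is an added example (not part of the thread or of Cisco's document). It builds and validates a standard magic packet (6 bytes of 0xFF, then the target MAC 16 times) and computes the subnet-directed broadcast address that `ip directed-broadcast` has to let through. The /24 mask and the MAC address are assumptions; the thread gives neither.

```python
import ipaddress
import socket


def build_magic_packet(mac: str) -> bytes:
    """Magic packet payload: 6 bytes of 0xFF, then the target MAC repeated 16 times."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return b"\xff" * 6 + raw * 16


def parse_magic_packet(payload: bytes):
    """Return the target MAC if payload holds a well-formed magic packet, else None."""
    sync = b"\xff" * 6
    start = payload.find(sync)
    while start != -1:
        body = payload[start + 6:start + 102]
        if len(body) == 96 and body == body[:6] * 16:
            return ":".join(f"{b:02x}" for b in body[:6])
        start = payload.find(sync, start + 1)
    return None


def directed_broadcast(subnet: str) -> str:
    """Subnet-directed broadcast address, e.g. 10.20.0.0/24 -> 10.20.0.255."""
    return str(ipaddress.ip_network(subnet, strict=True).broadcast_address)


def send_wol(mac: str, subnet: str, port: int = 9):
    """Send one magic packet over UDP to the subnet's directed broadcast address."""
    dest = (directed_broadcast(subnet), port)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(build_magic_packet(mac), dest)
    return dest


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"   # constructed sample MAC, not from the thread
    subnet = "10.20.0.0/24"     # remote subnet from the question; the /24 mask is assumed
    pkt = build_magic_packet(mac)
    print(len(pkt), parse_magic_packet(pkt), directed_broadcast(subnet))
    # send_wol(mac, subnet)     # run from a host on the SCCM subnet to test the router path
```

`parse_magic_packet` can be pointed at UDP payloads captured on the remote subnet to confirm that the packet actually crossed the router.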


lanboyo Commented:
Did this help?
Cedar0Guitar Author Commented:
A little more research. Cisco TAC tells me that this is not possible with out IPSEC Tunnels. Any thoughts on this?

Cedar0Guitar Author Commented:
A little more research. Cisco TAC tells me that this is not possible with our IPSEC Tunnels. Any thoughts on this? ......corrected grammar..
lanboyo Commented:
Most likely they know better than me. Hmmn. Is it observed not to work? I can imagine a possible code issue with the IPsec interesting traffic not encapsulating the frame. The IPsec is not an interface per se; if the IPsec encapsulation code does not permit directed broadcast, then it does not.

For some really half-assed solutions:

- Put in GRE tunnels to the sites, and enable directed broadcasts on them. You lose 32 bits a packet to the GRE, but you can run OSPF.

- Statically map ARPs to interface addresses, and put static MAC entries in the switches at the remote sites. Direct the magic packet to individual IP addresses. This would be an operational NIGHTMARE.

- Set the ARP timeout and MAC address timeout on the remote router/switch to ridiculously high numbers at the remote site. Direct the magic packet to individual IP addresses. This could cause some broadcast storms if a switch interface drops: the ARP is active so the traffic gets sent, but the MAC address is gone since the port is down, and the traffic gets sent to every port on the network.

Hey.... This is an idea. I claim patent protection on it now. Pick an unused IP address on the remote network, put a static ARP entry for it in the remote router with a MAC of either an Ethernet interface on a machine you know will never be on site, or the actual Ethernet broadcast MAC address. Send the magic packet to that IP address.


If you feel like experimenting, let me know the make and model of the remote equipment, and I can give you some things to try. Also, can you choose a unicast IP address for the destination of the magic packet?


Cedar0Guitar Author Commented:
I'm giving up on IPSEC Tunnel (for now), but you are right about the "ip directed-broadcast" command. Thank you!