Solved

WOL - why do i need .255 broadcast address in the vlan of the sccm 2012 server

Posted on 2014-01-06
Last Modified: 2014-01-22
Hi - I'm having trouble setting up WOL for SCCM 2012.

It was suggested I require ip-helpers in the VLAN config on the VLAN that the SCCM server is in (sender), one for each VLAN, pointing to that VLAN's .255 broadcast address.

Can someone please explain why I need these (see the example config below, with the ip-helpers in quotes "")? My understanding of ip-helper is along the lines of: a client (DHCP, for example) finds the ip-helper in its VLAN, which allows the broadcast to go to the DHCP server across VLANs.

interface Vlan20
description 1st Floor Vlan Wake on Lan Client
ip address 192.168.1.0 255.255.255.0
ip directed-broadcast 100

interface Vlan30
description 2nd Floor Vlan Wake on Lan Client
ip address 192.168.2.0 255.255.255.0
ip directed-broadcast 100

interface vlan40
description Wake on Lan Server
ip address 192.168.3.0 255.255.255.0
"ip helper-address 192.168.1.255"
"ip helper-address 192.168.2.255"

WHY DO I NEED THESE LAST 2 LINES? - or do I?

Can someone please give me an explanation?
This is on a Cisco 3750 router.
Question by:philb19
6 Comments

Expert Comment

by:giltjr
ID: 39761218
A WOL frame is a broadcast frame; as such, the sending host uses the IP broadcast address for the subnet the sender is on.

Since you are trying to send the WOL to a host in a different subnet, you use the ip helper command to change the IP broadcast address.

Say your source host is 192.168.3.20 with mask 255.255.255.0. The broadcast would be 192.168.3.255. If you want to send this to a host on the 192.168.1.0/24 or 192.168.2.0/24 subnet, it would be ignored by all hosts because 192.168.3.255 is not the broadcast address for those subnets. The ip helper-address will cause the router to send out the WOL frame using the destination IP addresses 192.168.1.255 and 192.168.2.255.

Author Comment

by:philb19
ID: 39761256
OK, great, thanks, clear explanation. I have a Cisco engineer who is saying it's not required, and he has set up WOL without it, stating it is dangerous? Allowing broadcast.

I initially put in the suggested config, and as it does not work without it, I imagine I was right.

I imagine with each VLAN having ip directed-broadcast 101 as an ACL, it will only allow broadcast from the SCCM server.

Accepted Solution

by: giltjr (earned 500 total points)
ID: 39761842
I will double check; I have never had to set this up personally, just helped others do it. However, I'm not sure how it would work without it.

Without that, the WOL magic packet will NOT be forwarded to the other VLANs.

Allowing it can cause problems. Think about it: in your setup, an L2/L3 broadcast frame on VLAN 40 is now forwarded to both VLAN 30 and VLAN 20 no matter what. That could be a ton of traffic or next to nothing.

However, as you stated, you can reduce the possibility of problems by creating an ACL to limit the source IP address(es) that will trigger the process.

Expert Comment

by:vivigatt
ID: 39765151
If the packets need to be sent to a broadcast address, there MUST be some kind of broadcast forwarding or relaying if the computer that sends the magic packets is on a different subnet than the computers to be awakened. Broadcasts are not supposed to be transmitted from one subnet to another. I would not forward all broadcasts between 2 subnets; this is not desirable.
You should check what kind of packets are sent by your WOL sender and forward only those packets (for instance UDP port 7 or 9).
Use a network packet capture tool (Wireshark or MS Netmon), record a trace when the sender and receiver are on the same subnet, and make some assumptions from there that will allow you to set the correct rules so that you don't forward all broadcasts from the sender's subnet to the receivers' subnets.
Another way around is to use subnet-directed broadcasts or a WOL proxy/relay such as http://www.mylanviewer.com/wake-on-lan-proxy-server.html .


There are several types of WOL packets:
Magic Packets (described in this article in particular):
http://en.wikipedia.org/wiki/Wake-on-LAN
Pattern Match:
http://technet.microsoft.com/en-us/library/ee617165%28v=ws.10%29.aspx

Some useful links:
http://niksideas.blogspot.fr/2011/12/wake-on-lan-wol.html

Author Comment

by:philb19
ID: 39765516
Thanks to all posts. Just to add here: it does work with the .255 to all VLANs. I do have
an ACL allowing only SCCM to direct-broadcast, and sh access-list has a hit count of 4 on UDP port 9; all other ACEs to other ports have a hit count of 0, so I will prune the ACL, I guess.

Expert Comment

by:vivigatt
ID: 39765661
You can run a packet capture tool on one of the receivers' subnets to check that you do not have more forwarded broadcasts than you want.
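As an added example, not code from this thread or from any of the posters: a small Python checker that mirrors the relay policy the answers converge on (only the SCCM server as sender, only to the client subnets' .255 directed-broadcast addresses, only UDP 7/9, and only genuine magic packets) and can be run over datagrams pulled from the capture vivigatt suggests, to confirm nothing else is being relayed. The server address 192.168.3.20 is giltjr's example host; the client subnets match the asker's config; the target MAC and sample datagrams are constructed.

```python
import ipaddress

# Assumed topology from the thread: SCCM server in VLAN 40 (192.168.3.20, giltjr's
# example host); WOL clients in 192.168.1.0/24 and 192.168.2.0/24.
SCCM_SERVER = ipaddress.ip_address("192.168.3.20")
CLIENT_SUBNETS = [ipaddress.ip_network("192.168.1.0/24"),
                  ipaddress.ip_network("192.168.2.0/24")]
WOL_PORTS = {7, 9}   # the UDP ports vivigatt mentions; the asker saw ACL hits on 9

def parse_magic_packet(payload: bytes):
    """Return the target MAC as aa:bb:cc:dd:ee:ff if payload is a WOL magic
    packet, else None. Layout: 6 bytes of 0xFF, then the MAC repeated 16 times;
    an optional 4/6-byte SecureOn password may trail and is ignored here."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)

def build_magic_packet(mac: str) -> bytes:
    """Build a magic packet for a MAC written as aa:bb:cc:dd:ee:ff (sample input)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be exactly 6 bytes")
    return b"\xff" * 6 + raw * 16

def classify(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> str:
    """Decide what the ip helper-address relay plus ACL should let through; any
    'drop' seen on a receiver subnet is a broadcast that was not intended."""
    mac = parse_magic_packet(payload)
    if mac is None:
        return "drop: not a magic packet"
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src != SCCM_SERVER:
        return f"drop: unexpected sender {src}"
    if dst_port not in WOL_PORTS:
        return f"drop: port {dst_port}"
    if not any(dst == net.broadcast_address for net in CLIENT_SUBNETS):
        return f"drop: {dst} is not a client-subnet broadcast"
    return f"allow: wake {mac} via {dst}"

if __name__ == "__main__":
    # Constructed datagrams (src, dst, port, payload) standing in for a capture.
    wake = build_magic_packet("00:11:22:33:44:55")   # constructed target MAC
    for d in [("192.168.3.20", "192.168.1.255", 9, wake),
              ("192.168.3.77", "192.168.2.255", 137, b"NetBIOS noise")]:
        print(d[:3], "->", classify(*d))
```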