Hello,
I have an AOS-CX 8320 VSX cluster which acts as the default gateway for multiple VLANs, like 1 server VLAN and 2 client VLANs. The customer wants to use Wake-on-LAN (WoL).
I enabled IP directed-broadcast on the client SVIs and this works. Now I would like to limit the number of servers that would be able to send WoL packets.
I don't see an option to add an ACL directly to the IP directed-broadcast command, so I guess the only option would be to configure an ACL on SVI level. As far as I can see there is only an option to apply a policy in the routed-in direction. The WoL packet from the server to client is outbound for the client SVI, so I have to add the ACL to the server SVI.
Is that correct?
This is a "live" environment so I cannot easily test, but below is the config snippet I would like to use.
class ip class-ipdb
    1 ignore udp 172.18.19.13 any eq 7
    2 match udp any any eq 7
policy policy-ipdb
    10 class ip class-ipdb action drop
!
interface vlan19
    vsx-sync active-gateways
    description servers
    ip address 172.18.19.253/24
    active-gateway ip 172.18.19.254 mac 00:00:00:00:00:19
    apply policy policy-ipdb routed-in
!
interface vlan21
    vsx-sync active-gateways
    description clients1c
    ip address 172.18.21.253/24
    active-gateway ip 172.18.21.254 mac 00:00:00:00:00:21
    ip helper-address 172.18.19.1
    ip helper-address 172.18.19.2
    ip helper-address 172.18.19.94
    ip directed-broadcast
!
interface vlan22
    vsx-sync active-gateways
    description clients2c
    ip address 172.18.22.253/24
    active-gateway ip 172.18.22.254 mac 00:00:00:00:00:22
    ip helper-address 172.18.19.1
    ip helper-address 172.18.19.2
    ip helper-address 172.18.19.94
    ip directed-broadcast
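Since the poster cannot test on the live switches, here is an added offline model (not the poster's configuration and not AOS-CX code) that walks constructed sample flows through the posted class-ipdb / policy-ipdb logic as it would apply routed-in on vlan19. It assumes first-match evaluation in sequence order, with "ignore" exempting a packet from the class and unmatched traffic forwarded; it also includes a constructed stricter class variant, CLASS_IPDB_STRICT, limited to the two client broadcast addresses, to show that the posted class drops all UDP/7 from other servers, not only directed broadcasts.

```python
"""Offline model of the posted classifier/policy logic (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp", "tcp", ...
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port

# Entries of "class ip class-ipdb" as posted: (seq, verb, proto, src, dst, dport).
# Assumed semantics: entries are evaluated in sequence order; the first entry whose
# tuple matches decides. "ignore" exempts the packet from the class, "match" marks
# it as matched. A packet hitting no entry is not matched by the class.
CLASS_IPDB = [
    (1, "ignore", "udp", "172.18.19.13/32", "any", 7),
    (2, "match",  "udp", "any",             "any", 7),
]

# Constructed variant (not in the post): only the directed broadcasts towards the
# two client subnets are matched, so unicast UDP/7 from other servers is untouched.
CLASS_IPDB_STRICT = [
    (1, "ignore", "udp", "172.18.19.13/32", "any",              7),
    (2, "match",  "udp", "any",             "172.18.21.255/32", 7),
    (3, "match",  "udp", "any",             "172.18.22.255/32", 7),
]


def _addr_ok(rule: str, addr: str) -> bool:
    return rule == "any" or ip_address(addr) in ip_network(rule, strict=False)


def class_matches(entries, pkt: Packet) -> bool:
    for _seq, verb, proto, src, dst, dport in entries:
        if (pkt.proto == proto and _addr_ok(src, pkt.src)
                and _addr_ok(dst, pkt.dst) and pkt.dport == dport):
            return verb == "match"
    return False


def policy_ipdb(pkt: Packet, entries=CLASS_IPDB) -> str:
    """'drop' when the class matches (policy-ipdb seq 10), otherwise 'forward'.
    The implicit forward for unmatched traffic is an assumption of this model."""
    return "drop" if class_matches(entries, pkt) else "forward"


if __name__ == "__main__":
    # Constructed sample flows entering vlan19 from the server subnet.
    for p in (Packet("udp", "172.18.19.13", "172.18.21.255", 7),   # allowed WoL
              Packet("udp", "172.18.19.20", "172.18.22.255", 7),   # WoL, other server
              Packet("udp", "172.18.19.20", "172.18.21.50", 7),    # unicast echo
              Packet("udp", "172.18.19.20", "172.18.21.50", 53)):  # unrelated UDP
        print(p, policy_ipdb(p), policy_ipdb(p, CLASS_IPDB_STRICT))
```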