AOS-CX - IP directed-broadcast and ACL

  • 1.  AOS-CX - IP directed-broadcast and ACL

    Posted Oct 25, 2019 04:04 AM

    Hello,


    I have an AOS-CX 8320 VSX cluster which acts as the default gateway for multiple VLANs, like 1 server VLAN and 2 client VLANs. The customer wants to use Wake-on-LAN (WoL). 


    I enabled IP directed-broadcast on the client SVIs and this works. Now I would like to limit the number of servers that would be able to send WoL packets.


    I don't see an option to add an ACL directly to the IP directed-broadcast command, so I guess the only option would be to configure an ACL on SVI level. As far as I can see there is only an option to apply a policy in the routed-in direction. The WoL packet from the server to client is outbound for the client SVI, so I have to add the ACL to the server SVI.


    Is that correct? 


    This is a "live" environment so I cannot easily test, but below is the config snippet I would like to use.


    class ip class-ipdb
        1 ignore udp 172.18.19.13 any eq 7
        2 match udp any any eq 7
    policy policy-ipdb
        10 class ip class-ipdb action drop
    !
    interface vlan19 
        vsx-sync active-gateways
        description servers
        ip address 172.18.19.253/24
        active-gateway ip 172.18.19.254 mac 00:00:00:00:00:19
        apply policy policy-ipdb routed-in
    interface vlan21
        vsx-sync active-gateways
        description clients1c
        ip address 172.18.21.253/24
        active-gateway ip 172.18.21.254 mac 00:00:00:00:00:21
        ip helper-address 172.18.19.1
        ip helper-address 172.18.19.2
        ip helper-address 172.18.19.94
        ip directed-broadcast
    interface vlan22
        vsx-sync active-gateways
        description clients2c
        ip address 172.18.22.253/24
        active-gateway ip 172.18.22.254 mac 00:00:00:00:00:22
        ip helper-address 172.18.19.1
        ip helper-address 172.18.19.2
        ip helper-address 172.18.19.94
        ip directed-broadcast
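The following is an added example, not code from the thread or from HPE Aruba Networking: a small Python model of the class-ipdb / policy-ipdb logic from the post above, run over constructed sample packets entering vlan19, so the intended "only 172.18.19.13 may send WoL" behaviour can be checked before touching the live VSX pair. It assumes AOS-CX classifier semantics as stated in the comments (first hit in sequence order decides, "ignore" excludes, unmatched traffic is left alone); verify against the release notes for your AOS-CX version.

```python
from dataclasses import dataclass

# Assumed AOS-CX classifier semantics (not verified on hardware): entries are
# checked in sequence order and the first hit decides; "ignore" excludes the
# packet from the class, "match" selects it; a packet the class does not select
# is untouched by the policy (policies have no implicit deny, unlike ACLs).

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

# The poster's class-ipdb: (seq, kind, proto, src, dst, dport); "any" = wildcard
CLASS_IPDB = [
    (1, "ignore", "udp", "172.18.19.13", "any", 7),
    (2, "match",  "udp", "any",          "any", 7),
]

def entry_hits(entry, pkt):
    _, _, proto, src, dst, dport = entry
    return (proto == pkt.proto and src in ("any", pkt.src)
            and dst in ("any", pkt.dst) and dport == pkt.dport)

def class_selects(entries, pkt):
    """First entry to hit decides: 'match' selects, 'ignore' excludes."""
    for entry in sorted(entries, key=lambda e: e[0]):
        if entry_hits(entry, pkt):
            return entry[1] == "match"
    return False

def policy_ipdb(pkt):
    """Verdict for a packet entering vlan19 (routed-in): 'drop' or 'forward'."""
    return "drop" if class_selects(CLASS_IPDB, pkt) else "forward"

# Constructed sample packets; 172.18.21.255 is the directed-broadcast address
# of vlan21, the only destination that ip directed-broadcast will expand.
SAMPLES = {
    "wol_from_allowed_server": Packet("172.18.19.13", "172.18.21.255", "udp", 7),
    "wol_from_other_server":   Packet("172.18.19.50", "172.18.21.255", "udp", 7),
    "dns_from_other_server":   Packet("172.18.19.50", "172.18.21.10", "udp", 53),
}

def evaluate_all():
    return {name: policy_ipdb(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:24s} -> {verdict}")
```

Note that the replaced 5412zl config later in this thread matches UDP port 9 rather than 7, so confirm which port the WoL sender actually uses before copying either policy.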


  • 2.  RE: AOS-CX - IP directed-broadcast and ACL
    Best Answer

    EMPLOYEE
    Posted Oct 25, 2019 08:26 AM

    This seems to be a very good option, with less configuration.

    Another alternative, focused on destination, is to use Ingress VLAN ACL on the destination VLANs, but this is more work as you may have to insert ACL for all VLANs.



  • 3.  RE: AOS-CX - IP directed-broadcast and ACL

    Posted Dec 19, 2019 11:13 AM

    Did that end up working out as expected? I'm finishing the config on a VSX pair of 8320s that I need to WOL with.


    This is the config on the 5412zl2 that is being replaced.

    ip udp-bcast-forward

    ip access-list extended wol-acl
    permit udp 172.24.0.40 0.0.0.0 172.25.255.255 0.0.0.0 eq 9
    exit
    ip directed-broadcast access-group wol-acl



  • 4.  RE: AOS-CX - IP directed-broadcast and ACL

    Posted Dec 20, 2019 03:33 AM

    The configuration worked for me.