Wired Intelligent Edge (Campus Switching and Routing)

Guest Blogger

AOS-CX - IP directed-broadcast and ACL

Hello,

I have an AOS-CX 8320 VSX cluster which acts as the default gateway for multiple VLANs, like 1 server VLAN and 2 client VLANs. The customer wants to use Wake-on-LAN (WoL).

I enabled IP directed-broadcast on the client SVIs and this works. Now I would like to limit the number of servers that would be able to send WoL packets.

I don't see an option to add an ACL directly to the IP directed-broadcast command, so I guess the only option would be to configure an ACL on SVI level. As far as I can see there is only an option to apply a policy in the routed-in direction. The WoL packet from the server to client is outbound for the client SVI, so I have to add the ACL to the server SVI.

Is that correct?

This is a "live" environment so I cannot easily test, but below is the config snippet I would like to use.

 

class ip class-ipdb
    1 ignore udp 172.18.19.13 any eq 7
    2 match udp any any eq 7
policy policy-ipdb
    10 class ip class-ipdb action drop
!
interface vlan19
    vsx-sync active-gateways
    description servers
    ip address 172.18.19.253/24
    active-gateway ip 172.18.19.254 mac 00:00:00:00:00:19
    apply policy policy-ipdb routed-in
interface vlan21
    vsx-sync active-gateways
    description clients1c
    ip address 172.18.21.253/24
    active-gateway ip 172.18.21.254 mac 00:00:00:00:00:21
    ip helper-address 172.18.19.1
    ip helper-address 172.18.19.2
    ip helper-address 172.18.19.94
    ip directed-broadcast
interface vlan22
    vsx-sync active-gateways
    description clients2c
    ip address 172.18.22.253/24
    active-gateway ip 172.18.22.254 mac 00:00:00:00:00:22
    ip helper-address 172.18.19.1
    ip helper-address 172.18.19.2
    ip helper-address 172.18.19.94
    ip directed-broadcast
@rene_booches | AMFX #26, ACMX #438, ACCX #725, ACDX #760, CCNP R&S, CEH | Co-owner/Solution Specialist@4IP / blog owner@booches.nl
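As an added example (not from the thread or from Aruba), a Python model of the class/policy above, evaluated on constructed packets with the addresses from the posted config; it also validates WoL magic-packet payloads and shows that entry 2 catches every UDP/7 packet routed in from the server VLAN, unicast included, not only directed broadcasts.

```python
# Added example (not from the thread): emulate the poster's
# "class ip class-ipdb" / "policy policy-ipdb routed-in" on constructed
# packets and validate WoL magic-packet payloads, so the policy's effect
# can be reasoned about offline before it is applied to a live VSX pair.
import ipaddress
from dataclasses import dataclass

# Values taken from the thread's config; the "ignore" entry names the
# one server allowed to send WoL.
ALLOWED_WOL_SERVERS = {"172.18.19.13"}
POLICY_VLANS = {"vlan19"}  # where "apply policy policy-ipdb routed-in" sits
CLIENT_SUBNETS = [ipaddress.ip_network("172.18.21.0/24"),
                  ipaddress.ip_network("172.18.22.0/24")]

@dataclass
class Packet:
    ingress: str    # SVI the packet is routed in from, e.g. "vlan19"
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int
    payload: bytes = b""

def is_directed_broadcast(dst: str) -> bool:
    """True when dst is the directed-broadcast address of a client subnet."""
    ip = ipaddress.ip_address(dst)
    return any(ip == net.broadcast_address for net in CLIENT_SUBNETS)

def is_wol_magic_packet(payload: bytes) -> bool:
    """Magic packet = 6 x 0xFF then the target MAC repeated 16 times
    (an optional SecureOn password may follow and is ignored here)."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return False
    return payload[6:102] == payload[6:12] * 16

def magic_packet(mac: bytes) -> bytes:
    """Build a constructed WoL payload for a 6-byte MAC (test input)."""
    return b"\xff" * 6 + mac * 16

def policy_ipdb(pkt: Packet) -> str:
    """Entries of class-ipdb are evaluated in order on routed-in traffic:
       1 ignore udp 172.18.19.13 any eq 7 -> excluded from the class (forward)
       2 match  udp any any eq 7          -> in the class -> action drop
    Note: entry 2 matches every UDP/7 routed in from vlan19, unicast
    included, not only directed broadcasts."""
    if pkt.ingress not in POLICY_VLANS:
        return "forward"                     # policy not applied here
    if pkt.proto == "udp" and pkt.dport == 7:
        return "forward" if pkt.src in ALLOWED_WOL_SERVERS else "drop"
    return "forward"
```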

Accepted Solutions
MVP Guru

Re: AOS-CX - IP directed-broadcast and ACL

This seems to be a very good option, with less configuration.

Another alternative, focused on destination, is to use an ingress VLAN ACL on the destination VLANs, but this is more work as you may have to insert an ACL for all VLANs.


All Replies
New Contributor

Re: AOS-CX - IP directed-broadcast and ACL

Did that end up working out as expected? I'm finishing the config on a VSX pair of 8320s that I need to WoL with.

This is the config on the 5412zl2 that is being replaced.

ip udp-bcast-forward

ip access-list extended wol-acl
permit udp 172.24.0.40 0.0.0.0 172.25.255.255 0.0.0.0 eq 9
exit
ip directed-broadcast access-group wol-acl

Guest Blogger

Re: AOS-CX - IP directed-broadcast and ACL

The configuration worked for me.

@rene_booches | AMFX #26, ACMX #438, ACCX #725, ACDX #760, CCNP R&S, CEH | Co-owner/Solution Specialist@4IP / blog owner@booches.nl