WoL – Wake On LAN

If a computer on the local LAN is turned off and an administrator needs to do some regular maintenance on it, they can use Wake-On-LAN (WoL) to power the system up remotely.

Of course, the network devices need to be configured to forward that kind of “magic” packet.

The NICs in the machines need to support WoL for this to work, but we will not cover that here.

WoL works by sending “magic packets” to the computer's NIC in order to start the system up. A NIC which supports WoL still receives standby power when the PC is turned off. It keeps listening on the network for the magic packet and, when one arrives, it initiates the system boot process and powers up the PC.

A magic packet is a specially crafted packet sent to a directed broadcast address, typically over connectionless UDP on port 7.
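As an added example (not part of the original article), here is a small Python script that builds a magic packet in the format just described (six 0xFF bytes followed by the target MAC repeated sixteen times), recognises one inside an arbitrary UDP payload (useful when checking a capture of port 7 traffic), and sends it to a directed broadcast address. The MAC address and the packets in the sample run are made-up values.

```python
"""Build, recognise and send Wake-on-LAN magic packets.
Added example for this article; not code from the original post."""
import re
import socket
from typing import Optional

MAGIC_SYNC = b"\xff" * 6   # every magic packet starts with six 0xFF bytes
WOL_PORT = 7               # UDP port used in the article's configuration


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco-style aabb.ccdd.eeff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def build_magic_packet(mac: str) -> bytes:
    """Magic packet = sync stream + target MAC repeated 16 times (102 bytes in total)."""
    return MAGIC_SYNC + parse_mac(mac) * 16


def extract_target_mac(payload: bytes) -> Optional[str]:
    """Return the target MAC (aa:bb:...) if a well-formed magic packet is found in
    the payload, else None. The sync stream may be preceded by other bytes, so
    scan for it rather than assuming it sits at offset 0."""
    idx = payload.find(MAGIC_SYNC)
    while idx != -1:
        body = payload[idx + 6: idx + 6 + 96]
        if len(body) == 96:
            mac = body[:6]
            # 16 identical copies of a real MAC; a run of 0xFF is not a target MAC
            if body == mac * 16 and mac != MAGIC_SYNC:
                return ":".join(f"{b:02x}" for b in mac)
        idx = payload.find(MAGIC_SYNC, idx + 1)
    return None


def send_magic_packet(mac: str, directed_broadcast: str, port: int = WOL_PORT) -> int:
    """Send the packet to a directed broadcast address such as 172.19.1.255.
    SO_BROADCAST is required because the destination is a broadcast address."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (directed_broadcast, port))


if __name__ == "__main__":
    # Sample MAC (constructed); 172.19.1.255 is the article's client subnet broadcast
    sample = build_magic_packet("00:11:22:33:44:55")
    print(len(sample), "bytes, target", extract_target_mac(sample))
    # send_magic_packet("00:11:22:33:44:55", "172.19.1.255")  # uncomment on a real network
```

The scanner in extract_target_mac deliberately accepts leading junk before the sync stream, because some WoL tools prepend a header, and rejects an all-0xFF payload, which would otherwise look like sixteen copies of the broadcast MAC.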

You would usually have a WoL server somewhere on your network which is used to source magic packets. If you send magic packets across network segments (between VLANs or from some remote subnet), the last router in the path, the one with the client subnet locally connected, needs to be configured for directed broadcast. The first router on the path, the one with the server subnet locally connected, should have an ip helper-address configured pointing to the directed broadcast IP address (in our case 172.19.1.255).

In our example below, both the ip helper-address and directed broadcast are configured on the same L3 device, since it is the only router connecting the two subnets.

Directed broadcast on Cisco devices is off by default since IOS 12.0 and needs to be enabled on the specific subnets where WoL is needed.

You need directed broadcast because the PC which needs to be woken up is asleep, and while asleep it has no IP address and will not respond to ARP. The only way to get packets to that PC without ARP resolution is a local-subnet L2 broadcast.

Furthermore, we can safely assume that your PCs are connected to an L2 access switch. That switch will not know which port the PC is connected to while the PC is asleep. Only a Layer 2 broadcast (or an unknown unicast) is flooded out all ports of the switch.

Make Directed Broadcast Secure

IP directed broadcasts, if enabled on network equipment, can make your network vulnerable to DoS attacks.

An IP directed broadcast is a packet sent to the broadcast address of a subnet from a sender which is not directly connected to it. Such a packet is forwarded through the network like a normal unicast packet until it reaches the target subnet (for example 172.19.1.255 for 172.19.1.0/24). When it arrives at its local subnet it is transformed into a link-layer broadcast (the L2 destination MAC address is FFFF.FFFF.FFFF).

A DoS attack can happen if an attacker starts sending ICMP echo requests with a spoofed (rogue) source address to a directed broadcast address (again, for example 172.19.1.255 for 172.19.1.0/24). All hosts on the 172.19.1.0/24 subnet will then reply to the spoofed source IP address. A large ICMP stream to this one directed broadcast address creates a huge number of replies directed at one IP address. If the spoofed IP is the address of some important server or other host, this flood of ICMP responses can deplete the server's resources or the available bandwidth and prevent normal network communication.

For Cisco and other vendors, this was good enough reason to make “no ip directed-broadcast” the default on all interfaces. If you still need ip directed-broadcast on some specific network segments, enable it only where needed and restrict the sourcing of directed broadcast traffic to specific source IP addresses. In our case, we will be able to use WoL, which needs ip directed-broadcast, but only on particular segments and with only the WoL server in the access list. The access list makes sure that only this particular server can source directed broadcasts.

Configuration Example

[Diagram: WoL Wake On LAN]

The WoL server sends a magic packet towards the directed broadcast destination 172.19.1.255. In order to get the L3 switch to forward this packet from the source VLAN10 towards the destination VLAN11, the L3 switch needs to be configured, because by default it will discard this kind of packet.

Configuration is needed on two sides: on VLAN10, where the server is connected, so that magic packets can be sent, and on the client side, VLAN11, so that magic packets can be delivered to the clients. To forward the magic packet through the L3 switch we need an ip helper-address pointing towards the broadcast address of the target LAN, in our case interface VLAN11, whose broadcast IP address is 172.19.1.255. On the target LAN (interface VLAN11) we need ip directed-broadcast with an access list limiting who is permitted to send directed broadcasts (the WoL server).

Configuring ip helper-address solves the server side, and configuring ip directed-broadcast solves the client side.

The L2 switch does not need any additional configuration because it simply forwards the link-layer broadcast it receives from the L3 switch. The L3 switch is the one that is configured: with the configuration below it receives the IP directed broadcast from the server on interface VLAN10 and transforms the magic packet into a link-layer broadcast outbound on interface VLAN11, sending the L2 frame to FFFF.FFFF.FFFF (all clients on the local VLAN).

The magic packet additionally contains the MAC address of the targeted PC (learned earlier and saved in the WoL server application), which lets all the NICs on the segment distinguish which one of them needs to react to the magic packet and power on its machine.
Here’s the configuration described above.

Access-list 111 permits only the WoL server (IP address 10.10.10.10) to source magic packets:

L3_SW(config)#access-list 111 permit udp host 10.10.10.10 any eq 7

Enable UDP port 7 (magic packet) broadcasts to be forwarded via the helper address as an IP directed broadcast:

L3_SW(config)#ip forward-protocol udp 7

Server VLAN interface:

L3_SW(config)#interface vlan 10
L3_SW(config-if)#ip address 10.10.10.1 255.255.255.0
L3_SW(config-if)#ip helper-address 172.19.1.255

Client VLAN interface:

L3_SW(config)#interface vlan 11
L3_SW(config-if)#ip address 172.19.1.1 255.255.255.0
L3_SW(config-if)#ip directed-broadcast 111
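To make the forwarding rules concrete, here is an added Python model of the L3 switch decisions from the configuration above. It is an illustration written for this article, not Cisco IOS code or output: the helper address on VLAN10 re-addresses UDP port 7 broadcasts to 172.19.1.255, and VLAN11 turns that directed broadcast into a link-layer broadcast only when access-list 111 permits it. The spoofed-source ICMP case from the “Make Directed Broadcast Secure” section is included to show that it is dropped, and the ACL=None case models the IOS default of “no ip directed-broadcast”. The packets in the sample run are constructed values; the addresses are those from the article.

```python
"""Model of the L3 switch forwarding decisions in the article's WoL setup.
Added illustration for this article; not Cisco IOS code or output."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Sequence


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "udp", "tcp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    """One 'permit <proto> host <src> any eq <port>' line of an extended ACL."""
    proto: str
    src_host: str
    dport: int


# Values taken from the article's configuration
VLAN10 = ipaddress.ip_network("10.10.10.0/24")   # server VLAN
VLAN11 = ipaddress.ip_network("172.19.1.0/24")   # client VLAN
ACL_111 = [AclEntry("udp", "10.10.10.10", 7)]    # access-list 111 permit udp host 10.10.10.10 any eq 7
FORWARDED_UDP_PORTS = {7}                        # ip forward-protocol udp 7 (IOS also forwards a few
                                                 # ports by default, e.g. BOOTP; omitted in this model)
HELPER = str(VLAN11.broadcast_address)           # ip helper-address 172.19.1.255 on interface vlan 10


def directed_broadcast_address(network: ipaddress.IPv4Network) -> str:
    """The last address of the subnet, e.g. 172.19.1.255 for 172.19.1.0/24."""
    return str(network.broadcast_address)


def ingress_helper(pkt: Packet, local_net, helper: str, forwarded_ports) -> Packet:
    """ip helper-address on the ingress interface: a UDP broadcast (limited or
    subnet-local) for a forwarded port is re-addressed to the helper. Anything
    else, including a packet already addressed to 172.19.1.255, is routed as is."""
    broadcast_dsts = {"255.255.255.255", directed_broadcast_address(local_net)}
    if pkt.dst in broadcast_dsts and pkt.proto == "udp" and pkt.dport in forwarded_ports:
        return replace(pkt, dst=helper)
    return pkt


def acl_permits(acl: Sequence[AclEntry], pkt: Packet) -> bool:
    """Extended ACL evaluation: a matching permit forwards, implicit deny at the end."""
    return any(e.proto == pkt.proto and e.src_host == pkt.src and e.dport == pkt.dport
               for e in acl)


def egress_decision(pkt: Packet, network, acl: Optional[Sequence[AclEntry]]) -> str:
    """What the egress VLAN interface does with a routed packet.
    acl=None models 'no ip directed-broadcast' (the IOS default since 12.0)."""
    if pkt.dst != directed_broadcast_address(network):
        return "unicast" if ipaddress.ip_address(pkt.dst) in network else "not for this interface"
    if acl is None or not acl_permits(acl, pkt):
        return "drop"
    return "L2 broadcast to FFFF.FFFF.FFFF"


def forward(pkt: Packet, client_acl=ACL_111) -> str:
    """Full path through the L3 switch: VLAN10 helper first, then the VLAN11 check."""
    routed = ingress_helper(pkt, VLAN10, HELPER, FORWARDED_UDP_PORTS)
    return egress_decision(routed, VLAN11, client_acl)


if __name__ == "__main__":
    # Sample packets (constructed): the WoL server's magic packet, and a
    # spoofed-source ping aimed at the directed broadcast address
    print(forward(Packet("10.10.10.10", "172.19.1.255", "udp", 7)))
    print(forward(Packet("198.51.100.7", "172.19.1.255", "icmp")))
```

The point of the model is the order of checks on VLAN11: a packet reaching the directed broadcast address is converted to a link-layer broadcast only after access-list 111 has matched protocol, source host and port, so the ICMP reflection traffic described earlier never becomes an L2 broadcast even with ip directed-broadcast enabled.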
