Wake-on-LAN (WOL) is a combination of hardware and software technologies used to wake up sleeping systems. WOL sends specially coded network packets, called magic packets, to systems that are equipped and enabled to respond to them. The WOL feature allows an administrator to remotely power up all sleeping machines so that they can receive updates. WOL relies on the fact that when the PC shuts down, the NIC still receives power and keeps listening on the network for the magic packet to arrive. The magic packet is usually carried in UDP.
If you send WOL packets from remote networks, the routers must be configured to allow directed broadcasts, for these two reasons:
- Because the PC is asleep, it has no IP address and will not respond to Address Resolution Protocol (ARP) requests from the router. Therefore only a local-subnet IP broadcast packet can be transmitted on the segment without an ARP exchange.
- If there is a Layer 2 switch between the router and the PC, which is true for most networks today, the switch does not know to which port the PC is physically connected. Only a Layer 2 broadcast or an unknown-unicast frame is sent out all switch ports, and all IP broadcast packets are addressed to the broadcast MAC address.
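The following is an added example, not code from the original note: it builds and validates the magic-packet payload described above (six 0xFF bytes followed by the target MAC repeated sixteen times, optionally followed by a 4- or 6-byte SecureOn password) and computes the directed-broadcast address of a subnet, which is the address a relaying router must target for the reasons just given. The function names and the sample MAC are assumptions made for the example; the subnet matches the user LAN used later in the note.

```python
"""Added example (not from the original note): build and validate a
Wake-on-LAN magic packet and compute a subnet's directed-broadcast address.

Magic packet layout: 6 bytes of 0xFF (the sync stream) followed by the
target MAC address repeated 16 times, i.e. 102 bytes. A 4- or 6-byte
SecureOn password may follow. The payload is carried in UDP.
"""
import ipaddress
import re

SYNC_STREAM = b"\xff" * 6
MAC_REPEATS = 16


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or Cisco-style 'aabb.ccdd.eeff'."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Return the UDP payload of a magic packet addressed to `mac`."""
    if password and len(password) not in (4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return SYNC_STREAM + parse_mac(mac) * MAC_REPEATS + password


def extract_magic_mac(payload: bytes):
    """Return the target MAC (colon separated) if `payload` contains a
    well-formed magic packet, else None. The sync stream need not sit at
    offset 0, so it is searched for rather than required at the start."""
    start = payload.find(SYNC_STREAM)
    if start < 0:
        return None
    body = payload[start + len(SYNC_STREAM):]
    if len(body) < 6 * MAC_REPEATS:
        return None
    mac = body[:6]
    if body[: 6 * MAC_REPEATS] != mac * MAC_REPEATS:
        return None                      # the 16 repetitions do not agree
    return ":".join(f"{b:02x}" for b in mac)


def directed_broadcast(subnet: str) -> str:
    """Directed-broadcast address of a subnet, e.g. '10.10.100.0/24' -> '10.10.100.255'.
    This is the address a router relays the magic packet to on behalf of a remote sender."""
    return str(ipaddress.ip_network(subnet, strict=False).broadcast_address)


if __name__ == "__main__":
    # Constructed sample values for demonstration only.
    pkt = build_magic_packet("00:11:22:33:44:55")
    print(len(pkt), extract_magic_mac(pkt), directed_broadcast("10.10.100.0/24"))
```

`extract_magic_mac` is the check a monitoring tool would run over UDP payloads seen on the user segment to confirm that what arrives on the forwarded port really is a magic packet and which host it addresses.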
Directed broadcasts
IP directed broadcasts are used in the well-known smurf denial-of-service attack and can also be used in related attacks. That is why directed broadcasts are disabled by default on Cisco interfaces.
To let Wake-on-LAN (WOL) for Altiris work in an inter-VLAN environment, the WOL packets must be forwarded from the server VLAN to the user VLAN(s). This can be done with directed broadcasts.
Configuration steps to forward WOL packets:
1. Specify the protocol and port to be forwarded.
ip forward-protocol udp 402
2. Specify which directed broadcasts should be forwarded.
!-- This accepts directed broadcasts only from the Altiris server (UDP port 402)
access-list 101 permit udp host < IP Altiris server > any eq 402
3. Enable forwarding of WOL packets to clients.
interface vlan 100
 description server-vlan
 !-- Works in conjunction with the ip forward-protocol command.
 ip helper-address < broadcast IP of user subnet(s) >
4. Enable the translation of directed broadcasts to physical broadcasts.
interface vlan 200
 description user-vlan
 ip directed-broadcast 101
 ip helper-address < IP Altiris server >
WOL configuration example:
User LAN: 10.10.100.0/24
Server LAN: 10.10.200.0/24
Altiris server: 10.10.200.25
ip forward-protocol udp 402
!
interface vlan 100
 description user-lan
 ip address 10.10.100.1 255.255.255.0
 ip helper-address 10.10.200.25
 ip directed-broadcast 101
!
interface vlan 200
 description server-lan
 ip address 10.10.200.1 255.255.255.0
 ip helper-address 10.10.100.255
!
access-list 101 permit udp host 10.10.200.25 any eq 402
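The following is an added example, not part of the original note and not a Cisco tool: a small lint over an IOS-style configuration that checks the two conditions the steps and the example above depend on, namely that UDP 402 is listed under `ip forward-protocol` and that every interface with `ip directed-broadcast` carries an access list limiting the forwarded directed broadcasts to a single source host and the WOL port, since an unrestricted `ip directed-broadcast` reintroduces the smurf amplifier the default setting exists to prevent. The embedded configuration text is constructed to mirror the example above, and the function names are hypothetical.

```python
"""Added example, not part of the original note or any Cisco tool: lint an
IOS-style configuration for the WOL-forwarding conditions described in the
note. SAMPLE_CONFIG is constructed to mirror the note's example."""
import re

SAMPLE_CONFIG = """\
ip forward-protocol udp 402
!
interface vlan 100
 description user-lan
 ip address 10.10.100.1 255.255.255.0
 ip helper-address 10.10.200.25
 ip directed-broadcast 101
!
interface vlan 200
 description server-lan
 ip address 10.10.200.1 255.255.255.0
 ip helper-address 10.10.100.255
!
access-list 101 permit udp host 10.10.200.25 any eq 402
"""


def parse_config(text):
    """Return (forwarded_udp_ports, interfaces, acls) from the config text.

    interfaces maps name -> {"enabled": bool, "acl": number or None}
    describing its 'ip directed-broadcast' line; acls maps number -> entries."""
    ports, interfaces, acls = set(), {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line == "!":
            current = None               # '!' ends an interface section
            continue
        m = re.match(r"ip forward-protocol udp (\d+)$", line)
        if m:
            ports.add(int(m.group(1)))
            continue
        m = re.match(r"interface (.+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"enabled": False, "acl": None}
            continue
        m = re.match(r"access-list (\d+) (.+)$", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
            continue
        if current:
            m = re.match(r"ip directed-broadcast(?: (\d+))?$", line)
            if m:                        # group(1) is None when no ACL is attached
                interfaces[current] = {"enabled": True, "acl": m.group(1)}
    return ports, interfaces, acls


def entry_is_restricted(entry, wol_port):
    """True if an ACL entry denies, or permits only UDP from one host to wol_port."""
    if entry.startswith("deny"):
        return True
    m = re.match(r"permit udp host \S+ any eq (\d+)$", entry)
    return bool(m) and int(m.group(1)) == wol_port


def lint(text, wol_port=402):
    """Return a list of findings; an empty list means the config matches the note's intent."""
    ports, interfaces, acls = parse_config(text)
    findings = []
    if wol_port not in ports:
        findings.append(f"no 'ip forward-protocol udp {wol_port}': helper-address will not relay WOL")
    for name, data in interfaces.items():
        if not data["enabled"]:
            continue
        acl = data["acl"]
        if acl is None:
            findings.append(f"{name}: ip directed-broadcast without an access list (smurf amplifier)")
        elif acl not in acls:
            findings.append(f"{name}: ip directed-broadcast references undefined access-list {acl}")
        else:
            for entry in acls[acl]:
                if not entry_is_restricted(entry, wol_port):
                    findings.append(f"{name}: access-list {acl} entry '{entry}' is broader than host -> udp/{wol_port}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample it reports nothing; dropping the ACL number from the `ip directed-broadcast` line, widening the ACL to `permit ip any any`, or omitting the `ip forward-protocol` line each produces one finding, which is the kind of regression a configuration review should catch before the change reaches a production switch.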