Ethernet Switching

Directed/targeted broadcast on EX-series

04-30-2013 10:19 PM

Hi all,

I'm looking at enabling targeted broadcasts on specific edge VLANs to support Wake-on-LAN.

It looks like there aren't any knobs to control the behaviour:

admin@switch# set interfaces vlan unit 100 family inet targeted-broadcast ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  |                    Pipe through a command
{master:0}[edit]

Is there any way to control which source IPs can send targeted broadcasts, or is it as it seems -- i.e. that it's all or nothing?

Can firewall filters be used in this scenario? Perhaps an egress filter on the RVI that permits traffic destined towards the subnet broadcast IP from specific sources, denies everything else towards the subnet broadcast IP, then permits everything else:

admin@switch# show firewall
family inet {
    filter control-targeted-broadcast {
        term 1 {
            from {
                source-address {
                    1.1.1.1/32;
                }
                destination-address {
                    10.32.121.255/32;
                }
            }
            then accept;
        }
        term 2 {
            from {
                destination-address {
                    10.32.121.255/32;
                }
            }
            then {
                discard;
            }
        }
        term 3 {
            then accept;
        }
    }
}

admin@switch# show interfaces vlan.100
family inet {
    filter {
        output control-targeted-broadcast;
    }
    address 10.32.120.1/23;
}

I haven't really thought through the above filter and its potential to negatively impact other legitimate traffic but hopefully you get the idea. I am keen to see how other folks have tackled this issue.

Lastly, the "forward-and-send-to-re" and "forward-only" config knobs to control forwarding aren't there on my JUNOS EX boxes. Does anyone know what the behaviour is on EX-series?

Cheers!

3 REPLIES

Re: Directed/targeted broadcast on EX-series

05-03-2013 03:22 PM

The filter looks like it would work. The hosts that the targeted broadcast is directed to, are they on VLAN 100? If yes, then it should be an input filter. If not, then I would apply it as an input filter on the vlan.X interface where the targeted hosts are. If you were to send it manually, then you would specify the source like this:

>ping 10.32.121.255 source 1.1.1.1 rapid count 50 (or whatever number you want to use)

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]

Re: Directed/targeted broadcast on EX-series

05-08-2013 12:24 AM

Hi lyndidon,

The broadcast is sent to the subnet broadcast address, not an individual host; in the example I provided, this is 10.32.121.255. The sender of the traffic (1.1.1.1) is not within the VLAN. If they were, they could send the traffic without me having to enable targeted-broadcast.

So, it makes sense to me that it'd be an egress filter applied to the RVI.

I just want to make sure I don't inadvertently drop legitimate traffic in the process of restricting who can send WoL magic packets (UDP port 9) to the subnet broadcast address.

Cheers.


Re: Directed/targeted broadcast on EX-series

05-08-2013 07:46 PM

For the record, here's what I ended up pushing out to allow WoL to work:

firewall {
    family inet {
        filter VlanEgress100 {
            term 1 {
                from {
                    /* SCCM Wake-on-LAN Sources */
                    source-address {
                        10.1.2.27/32;
                        10.1.2.28/32;
                        10.1.2.68/32;
                        10.1.2.69/32;
                    }
                    destination-address {
                        10.31.9.255/32;
                    }
                    protocol udp;
                    destination-port 9;
                }
                then accept;
            }
            term 2 {
                from {
                    source-address {
                        0.0.0.0/0;
                    }
                    destination-address {
                        10.31.9.255/32;
                    }
                }
                then {
                    discard;
                }
            }
            term 3 {
                then accept;
            }
        }
    }
}
interfaces {
    vlan {
        unit 100 {
            family inet {
                targeted-broadcast;
                filter {
                    output VlanEgress100;
                }
                address 10.31.8.1/23;
            }
        }
    }
}

I'm still none the wiser about how this traffic is processed (i.e. its impact on the control plane), but I aim to get to the bottom of that in the testing that will now follow.

Cheers!
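The following is an added example, not code from the original thread or from Juniper. It models the first-match evaluation of the VlanEgress100 filter posted above (and, with different addresses, the control-targeted-broadcast filter in the opening post) against a handful of constructed packet headers, and pairs it with a Wake-on-LAN magic-packet builder and validator plus a sender that binds to a chosen source address, the way the SCCM hosts in the allow list would. The subnet, broadcast address and SCCM source addresses are taken from the thread; the target MAC, the "other host" 10.1.5.5 and the sample packets are made up for illustration. The evaluator follows the documented Junos semantics (terms evaluated in order, first match wins, implicit discard at the end of the filter) but is a simplified model, not the switch's forwarding code.

```python
"""
Added example, not from the original thread or from Juniper: a small
first-match model of the VlanEgress100 filter posted above, plus a
Wake-on-LAN magic-packet builder/validator. Addresses are the ones in the
thread; the MAC, host 10.1.5.5 and the sample packets are constructed.
"""
import ipaddress
import socket

# Filter terms as posted. Junos evaluates terms in order; the first term whose
# 'from' conditions all match decides the action. A term with no 'from' clause
# (term 3) matches every packet, and a packet matching no term is discarded
# (implicit discard at the end of the filter).
WOL_SOURCES = [ipaddress.ip_network(a) for a in
               ("10.1.2.27/32", "10.1.2.28/32", "10.1.2.68/32", "10.1.2.69/32")]
SUBNET = ipaddress.ip_network("10.31.8.0/23")   # RVI vlan.100 is 10.31.8.1/23
SUBNET_BCAST = SUBNET.broadcast_address          # 10.31.9.255

VLAN_EGRESS_100 = [
    ("term 1", {"src": WOL_SOURCES, "dst": [SUBNET_BCAST],
                "proto": "udp", "dport": 9}, "accept"),
    ("term 2", {"dst": [SUBNET_BCAST]}, "discard"),
    ("term 3", {}, "accept"),
]


def packet(src, dst, proto, dport=None):
    """Constructed packet header summary: the only fields the filter sees."""
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": dport}


def term_matches(conds, pkt):
    """True if every condition in a term's 'from' clause matches the packet."""
    if "src" in conds and not any(pkt["src"] in net for net in conds["src"]):
        return False
    if "dst" in conds and pkt["dst"] not in conds["dst"]:
        return False
    if "proto" in conds and pkt["proto"] != conds["proto"]:
        return False
    if "dport" in conds and pkt["dport"] != conds["dport"]:
        return False
    return True


def evaluate(terms, pkt):
    """Return (term name, action) for the first matching term."""
    for name, conds, action in terms:
        if term_matches(conds, pkt):
            return name, action
    return "implicit", "discard"


# Wake-on-LAN magic packet: 6 x 0xFF followed by the target MAC repeated 16
# times. The switch filter only matches on addresses and UDP/9; it cannot
# check that the payload really is a magic packet, which is what this does.

def build_magic_packet(mac):
    """Return the 102-byte magic packet for a MAC like '00:11:22:33:44:55'."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return b"\xff" * 6 + mac_bytes * 16


def parse_magic_packet(payload):
    """Return the target MAC if payload is a magic packet, else None.

    Trailing bytes (e.g. a 6-byte SecureOn password) are tolerated.
    """
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac_bytes = payload[6:12]
    if payload[6:102] != mac_bytes * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac_bytes)


def send_magic_packet(mac, directed_broadcast, source_ip=None, port=9):
    """Send a magic packet to a subnet-directed broadcast (needs a network)."""
    payload = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        if source_ip:                       # use a source the filter permits
            sock.bind((source_ip, 0))
        return sock.sendto(payload, (directed_broadcast, port))


if __name__ == "__main__":
    samples = [
        ("SCCM WoL, UDP/9 to broadcast",   packet("10.1.2.27", "10.31.9.255", "udp", 9)),
        ("SCCM WoL, UDP/7 to broadcast",   packet("10.1.2.27", "10.31.9.255", "udp", 7)),
        ("other host, UDP/9 to broadcast", packet("10.1.5.5", "10.31.9.255", "udp", 9)),
        ("other host, ICMP to broadcast",  packet("10.1.5.5", "10.31.9.255", "icmp")),
        ("SCCM, HTTPS to a host",          packet("10.1.2.27", "10.31.8.50", "tcp", 443)),
    ]
    for label, pkt in samples:
        print(f"{label:34} -> {evaluate(VLAN_EGRESS_100, pkt)}")
    print("magic packet target:", parse_magic_packet(build_magic_packet("00:11:22:33:44:55")))
```

Running the sample set shows the property the thread is after: only UDP/9 from the listed SCCM hosts reaches the subnet broadcast, everything else aimed at 10.31.9.255 (including a magic packet sent to the alternative WoL port 7, or from an unlisted source) hits term 2 and is discarded, and unicast traffic into the VLAN is untouched by term 3. Because the filter matches only header fields, anything the allowed hosts send to UDP/9 at the broadcast address is forwarded whether or not it is a magic packet; parse_magic_packet is the payload check the switch cannot do.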