
Configuration Guide - IP Service

S7700 and S9700 V200R013C00

This document describes the configurations of IP service, including IP address, ARP, DHCP, DNS, mDNS gateway, mDNS relay, UDP Helper, IP performance optimization, IPv6, DHCPv6, IPv6 DNS, IPv6 over IPv4 tunnel and IPv4 over IPv6 tunnel.
Configuring an Interface to Forward Directed Broadcast Packets

Context

Directed broadcast packets are sent to a specified network. In the destination IP address of a directed broadcast packet, the network number is that of the specified network and the host number is all 1s.

Attackers can use directed broadcast packets to attack networks, which threatens network security. Therefore, Layer 3 switches isolate directed broadcast packets in normal cases. However, in some scenarios, the device needs to receive or forward these packets. For example, when Wake on LAN (WOL) is configured on a PC, the interface can be set to forward directed broadcast packets. (WOL allows a PC that is dormant or shut down to be woken up or powered on by an instruction sent from a peer on the network.)

As shown in Figure 8-1, GE1/0/1 on Switch A is on the same network segment as PC A, and GE1/0/2 is on another network segment together with the WOL server. The WOL server uses directed broadcast packets to wake up PC A. In normal cases, Switch A isolates the directed broadcast packets. After the ip forward-broadcast command is run on Switch A's GE1/0/1 to enable the interface to forward directed broadcast packets, PC A can receive the directed broadcast packets from the WOL server.

Figure 8-1  Configuring the interface to forward directed broadcast packets in the WOL scenario
NOTE:

By default, the malformed packet attack defense function is enabled on the device, so the device identifies directed broadcast packets as malformed packets and intercepts and discards them. In this case, the interface on the device cannot forward directed broadcast packets.

To solve this problem, use either of the following methods:

  • Run the anti-attack abnormal disable command to disable the malformed packet attack defense function. After this command is configured, however, other malformed packets are no longer intercepted and discarded, which introduces security risks. Use this command with caution.

  • Run the anti-attack disable command to disable all attack defense functions. After this command is configured, however, not only malformed packets but also fragmented, tcp-syn, udp-flood, and icmp-flood attack packets are no longer intercepted and discarded, which introduces security risks. Use this command with caution.

The device can also be enabled to receive and forward only certain directed broadcast packets based on ACLs. For example, if a basic ACL is used, run the acl (system view) and rule (basic ACL view) commands to define the directed broadcast packets to be received and forwarded as permit, and then run the ip forward-broadcast command to bind this ACL.

Procedure

  1. Configure the basic or advanced ACL. For details, see Configuring an ACL or Deleting an ACL in "ACL Configuration" in the S7700 and S9700 V200R013C00 Configuration Guide - Security.
  2. Run system-view

    The system view is displayed.

  3. Run interface interface-type interface-number

    The interface view is displayed.

  4. (Optional) On an Ethernet interface, run undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

  5. Run ip forward-broadcast [ acl acl-number ]

    The interface is configured to forward directed broadcast packets.

    By default, an interface does not forward directed broadcast packets.

    Only broadcast packets that match the permit action defined in the ACL are forwarded. Broadcast packets that match the deny action defined in the ACL or do not match any ACL rules are not forwarded.
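
The following is an added example, not part of the original guide: a small Python check that reviews saved configuration text for the settings discussed above, reporting interfaces that forward directed broadcasts with or without a bound ACL and any globally disabled attack defense. The sample configuration, its addresses and ACL number are constructed, and the script assumes the commands appear in the file as they are typed on this page, with interface blocks ending at a "#" line.

```python
import re

# Constructed sample in the style of a saved switch configuration (assumptions:
# commands appear as typed on this page; a "#" line ends each block).
SAMPLE_CONFIG = """\
#
anti-attack abnormal disable
#
acl number 2000
 rule 5 permit source 10.2.0.10 0
#
interface GigabitEthernet1/0/1
 ip address 10.1.0.1 255.255.255.0
 ip forward-broadcast acl 2000
#
interface GigabitEthernet1/0/3
 ip address 10.3.0.1 255.255.255.0
 ip forward-broadcast
#
"""

GLOBAL_RISKS = {
    "anti-attack abnormal disable": "malformed-packet defense is off",
    "anti-attack disable": "all attack defense functions are off",
}
FWD = re.compile(r"^ip forward-broadcast(?:\s+acl\s+(\d+))?$")


def audit(config_text):
    """Return (scope, finding) tuples for directed-broadcast exposure."""
    findings, iface = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#" or not line:
            iface = None                      # block separator: back to global scope
        elif not raw.startswith(" ") and line.startswith("interface "):
            iface = line.split(None, 1)[1]    # entering an interface block
        elif iface is None and line in GLOBAL_RISKS:
            findings.append(("global", GLOBAL_RISKS[line]))
        elif iface and (m := FWD.match(line)):
            if m.group(1):
                findings.append((iface, f"forwards directed broadcasts permitted by ACL {m.group(1)}"))
            else:
                findings.append((iface, "forwards ALL directed broadcasts (no ACL bound)"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

Interfaces reported without a bound ACL are the ones to revisit first, since every directed broadcast reaching them is forwarded.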

Updated: 2019-04-20

Document ID: EDOC1100065743
