Targeted Broadcast
Targeted broadcast helps in remote administration tasks such as backups and wake-on LAN (WOL) on a LAN interface, and supports virtual routing and forwarding (VRF) instances. The below topic discuss the process and functioning of targeted broadcast, its configuration details, and the status of the broadcast on various platforms.
Understanding Targeted Broadcast
Targeted broadcast is a process of flooding a target subnet with Layer 3 broadcast IP packets originating from a different subnet. The intent of targeted broadcast is to flood the target subnet with the broadcast packets on a LAN interface without broadcasting to the entire network. Targeted broadcast is configured with various options on the egress interface of the router or switch, and the IP packets are broadcast only on the LAN (egress) interface. Targeted broadcast helps you implement remote administration tasks, such as backups and wake-on LAN (WOL) on a LAN interface, and supports virtual routing and forwarding (VRF) instances.
Regular Layer 3 broadcast IP packets originating from a subnet are broadcast within the same subnet. When these IP packets reach a different subnet, they are forwarded to the Routing Engine (to be forwarded to other applications). Because of this, remote administration tasks such as backups cannot be performed on a particular subnet through another subnet. As a workaround, you can enable targeted broadcast to forward broadcast packets that originate from a different subnet.
Layer 3 broadcast IP packets have a destination IP address that is a valid broadcast address for the target subnet. These IP packets traverse the network in the same way as unicast IP packets until they reach the destination subnet, as follows:
- In the destination subnet, if the receiving router has targeted broadcast enabled on the egress interface, the IP packets are forwarded to an egress interface and the Routing Engine or to an egress interface only.
- The IP packets are then translated into broadcast IP packets, which flood the target subnet only through the LAN interface, and all hosts on the target subnet receive the IP packets. The packets are discarded If no LAN interface exists.
- The final step in the sequence depends on targeted broadcast:
- If targeted broadcast is not enabled on the receiving router, the IP packets are treated as regular Layer 3 broadcast IP packets and are forwarded to the Routing Engine.
- If targeted broadcast is enabled without any options, the IP packets are forwarded to the Routing Engine.
You can configure targeted broadcast to forward the IP packets only to an egress interface. This is helpful when the router is flooded with packets to process, or to both an egress interface and the Routing Engine.
Any firewall filter that is configured on the Routing Engine loopback interface (lo0) cannot be applied to IP packets that are forwarded to the Routing Engine as a result of a targeted broadcast. This is because broadcast packets are forwarded as flood next-hop traffic and not as local next-hop traffic, and you can apply a firewall filter only to local next-hop routes for traffic directed towards the Routing Engine.
Understanding IP Directed Broadcast
IP directed broadcast helps you implement remote administration tasks such as backups and wake-on-LAN (WOL) application tasks by sending broadcast packets targeted at the hosts in a specified destination subnet. IP directed broadcast packets traverse the network in the same way as unicast IP packets until they reach the destination subnet. When they reach the destination subnet and IP directed broadcast is enabled on the receiving switch, the switch translates (explodes) the IP directed broadcast packet into a broadcast that floods the packet on the target subnet. All hosts on the target subnet receive the IP directed broadcast packet.
This topic covers:
- IP Directed Broadcast Overview
- IP Directed Broadcast Implementation
- When to Enable IP Directed Broadcast
- When Not to Enable IP Directed Broadcast
IP Directed Broadcast Overview
IP directed broadcast packets have a destination IP address that is a valid broadcast address for the subnet that is the target of the directed broadcast (the target subnet). The intent of an IP directed broadcast is to flood the target subnet with the broadcast packets without broadcasting to the entire network. IP directed broadcast packets cannot originate from the target subnet.
When you send an IP directed broadcast packet, as it travels to the target subnet, the network forwards it in the same way as it forwards a unicast packet. When the packet reaches a switch that is directly connected to the target subnet, the switch checks to see whether IP directed broadcast is enabled on the interface that is directly connected to the target subnet:
If IP directed broadcast is enabled on that interface, the switch broadcasts the packet on that subnet by rewriting the destination IP address as the configured broadcast IP address for the subnet. The switch converts the packet to a link-layer broadcast packet that every host on the network processes.
If IP directed broadcast is disabled on the interface that is directly connected to the target subnet, the switch drops the packet.
IP Directed Broadcast Implementation
You configure IP directed broadcast on a per-subnet basis by enabling IP directed broadcast on the Layer 3 interface of the subnet’s VLAN. When the switch that is connected to that subnet receives a packet that has the subnet’s broadcast IP address as the destination address, the switch broadcasts the packet to all hosts on the subnet.
By default, IP directed broadcast is disabled.
When to Enable IP Directed Broadcast
IP directed broadcast is disabled by default. Enable IP directed broadcast when you want to perform remote management or administration services such as backups or WOL tasks on hosts in a subnet that does not have a direct connection to the Internet.
Enabling IP directed broadcast on a subnet affects only the hosts within that subnet. Only packets received on the subnet’s Layer 3 interface that have the subnet’s broadcast IP address as the destination address are flooded on the subnet.
When Not to Enable IP Directed Broadcast
Typically, you do not enable IP directed broadcast on subnets that have direct connections to the Internet. Disabling IP directed broadcast on a subnet’s Layer 3 interface affects only that subnet. If you disable IP directed broadcast on a subnet and a packet that has the broadcast IP address of that subnet arrives at the switch, the switch drops the broadcast packet.
If a subnet has a direct connection to the Internet, enabling IP directed broadcast on it increases the network’s susceptibility to denial-of-service (DoS) attacks.
For example, a malicious attacker can spoof a source IP address (use a source IP address that is not the actual source of the transmission to deceive a network into identifying the attacker as a legitimate source) and send IP directed broadcasts containing Internet Control Message Protocol (ICMP) echo (ping) packets. When the hosts on the network with IP directed broadcast enabled receive the ICMP echo packets, they all send replies to the victim that has the spoofed source IP address. This creates a flood of ping replies in a DoS attack that can overwhelm the spoofed source address; this is known as a smurf attack. Another common DoS attack on exposed networks with IP directed broadcast enabled is a fraggle attack, which is similar to a smurf attack except that the malicious packet is a User Datagram Protocol (UDP) echo packet instead of an ICMP echo packet.
Configure Targeted Broadcast
The following sections explain how to configure targeted broadcast on an egress interface and its options:
Configure Targeted Broadcast and Its Options
You can configure targeted broadcast on an egress interface with different options.
Either of these configurations is acceptable:
-
You can allow the IP packets destined for a Layer 3 broadcast address to be forwarded on the egress interface and to send a copy of the IP packets to the Routing Engine.
-
You can allow the IP packets to be forwarded on the egress interface only.
Note that the packets are broadcast only if the egress interface is a LAN interface.
To configure targeted broadcast and its options:
SRX
devices do not support the targeted broadcast option
forward-and-send-to-re.
Display Targeted Broadcast Configuration Options
The following example topics display targeted broadcast configuration options:
- Example: Forward IP Packets on the Egress Interface and to the Routing Engine
- Example: Forward IP Packets on the Egress Interface Only
Example: Forward IP Packets on the Egress Interface and to the Routing Engine
Purpose
Display the configuration when targeted broadcast is configured on the egress interface to forward the IP packets on the egress interface and to send a copy of the IP packets to the Routing Engine.
Action
To display the configuration, run the show
command at the [edit interfaces interface-name
unit interface-unit-number family inet]
where the interface name is ge-2/0/0, the unit value is set to 0, and the
protocol family is set to inet.
[edit interfaces interface-name unit interface-unit-number family inet]
user@host#show
targeted-broadcast {
forward-only;
}
Example: Forward IP Packets on the Egress Interface Only
Purpose
Display the configuration when targeted broadcast is configured on the egress interface to forward the IP packets on the egress interface only.
Action
To display the configuration, run the show
command at the [edit interfaces interface-name
unit interface-unit-number family inet]
where the interface name is ge-2/0/0, the unit value is set to 0, and the
protocol family is set to inet.
[edit interfaces interface-name unit interface-unit-number family inet]
user@host#show
targeted-broadcast {
forward-only;
}
Configuring IP Directed Broadcast (CLI Procedure)
Before you begin to configure IP directed broadcast:
Ensure that the subnet on which you want broadcast packets using IP direct broadcast is not directly connected to the Internet.
Configure a routed VLAN interface (RVI) for the subnet that will be enabled for IP direct broadcast. See Configuring Routed VLAN Interfaces on Switches (CLI Procedure).
We recommend that you do not enable IP directed broadcast on subnets that have a direct connection to the Internet because of increased exposure to denial-of-service (DoS) attacks.
This task uses Junos OS for EX Series switches that does not support the Enhanced Layer 2 Software (ELS) configuration style. For ELS details, see Using the Enhanced Layer 2 Software CLI.
You can use IP directed broadcast on an EX Series switch to facilitate remote network management by sending broadcast packets to hosts on a specified subnet without broadcasting to the entire network. IP directed broadcast packets are broadcast on only the target subnet. The rest of the network treats IP directed broadcast packets as unicast packets and forwards them accordingly.
To enable IP directed broadcast for a specified subnet:
See Also
Example: Configuring IP Directed Broadcast on a Switch
IP directed broadcast provides a method of sending broadcast packets to hosts on a specified subnet without broadcasting those packets to hosts on the entire network.
This example shows how to enable a subnet to receive IP directed broadcast packets so you can perform backups and other network management tasks remotely:
- Requirements
- Overview and Topology
- Configuring IP Directed Broadcast for non-ELS Switches
- Configuring IP Directed Broadcast for Switches with ELS Support
Requirements
This example uses the following software and hardware components:
Junos OS Release 9.4 or later for EX Series switches or Junos OS Release 15.1X53-D10 for QFX10000 switches.
One PC
One EX Series switch or QFX10000 switch
Before you configure IP directed broadcast for a subnet:
Ensure that the subnet does not have a direct connection to the Internet.
Configure routed VLAN interfaces (RVIs) for the ingress and egress VLANs on the switch. For non-ELS, see Configuring Routed VLAN Interfaces on Switches (CLI Procedure) or Configuring VLANs for EX Series Switches (J-Web Procedure). For ELS, see l3-interface.
Overview and Topology
You might want to perform remote administration tasks such as backups and wake-on-LAN (WOL) application tasks to manage groups of clients on a subnet. One way to do this is to send IP directed broadcast packets targeted at the hosts in a particular target subnet.
The network forwards IP directed broadcast packets as if they
were unicast packets. When the IP directed broadcast packet is received
by a VLAN that is enabled for targeted-broadcast, the switch
broadcasts the packet to all the hosts in its subnet.
In this topology (see Figure 1), a host is connected to an interface on a switch to manage the
clients in subnet 10.1.2.1/24. When the switch receives
a packet with the broadcast IP address of the target subnet as its
destination address, it forwards the packet to the subnet’s
Layer 3 interface and broadcasts it to all the hosts within the subnet.
Topology
Table 1 shows the settings of the components in this example.
| Property | Settings |
|---|---|
Ingress VLAN name |
|
Ingress VLAN IP address |
|
Egress VLAN name |
|
Egress VLAN IP address |
|
Interfaces in VLAN |
|
Interfaces in VLAN |
|
Configuring IP Directed Broadcast for non-ELS Switches
To configure IP directed broadcast on a subnet to enable remote management of its hosts:
Procedure
CLI Quick Configuration
To quickly configure the switch to accept
IP directed broadcasts targeted at subnet 10.1.2.1/24,
copy the following commands and paste them into the switch’s
terminal window:
[edit]
set interfaces ge-0/0/0.0 family ethernet-switching vlan members v1
set interfaces ge-0/0/1.0 family ethernet-switching vlan members v1
set interfaces vlan.1 family inet address 10.1.2.1/24
set interfaces ge-0/0/3.0 family ethernet-switching vlan members v0
set interfaces vlan.0 family inet address 10.1.1.1/24
set vlans v1 l3-interface vlan.1
set vlans v0 l3-interface vlan.0
set interfaces vlan.1 family inet targeted-broadcast Step-by-Step Procedure
To configure the switch to accept IP directed broadcasts
targeted at subnet 10.1.2.1/24:
Add logical interface
ge-0/0/0.0to VLANv1:[edit interfaces] user@switch# set ge-0/0/0.0 family ethernet-switching vlan members v1
Add logical interface
ge-0/0/1.0to VLANv1:[edit interfaces] user@switch# set ge-0/0/1.0 family ethernet-switching vlan members v1
Configure the IP address for the egress VLAN,
v1:[edit interfaces] user@switch# set vlan.1 family inet address 10.1.2.1/24
Add logical interface
ge-0/0/3.0to VLANv0:[edit interfaces] user@switch# set ge-0/0/3.0 family ethernet-switching vlan members v0
Configure the IP address for the ingress VLAN:
[edit interfaces] user@switch# set vlan.0 family inet address 10.1.1.1/24
To route traffic between the ingress and egress VLANs, associate a Layer 3 interface with each VLAN:
[edit vlans] user@switch# set v1 l3-interface vlan.1 user@switch# set v0 l3–interface vlan.0
Enable the Layer 3 interface for the egress VLAN to receive IP directed broadcasts:
[edit interfaces] user@switch# set vlan.1 family inet targeted-broadcast user@switch# set vlan.0 family inet targeted-broadcast
Results
Check the results:
user@switch# show
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching {
vlan {
members v1;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members v1;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members v0;
}
}
}
}
vlan {
unit 0 {
family inet {
targeted-broadcast;
address 10.1.1.1/24;
}
}
unit 1 {
family inet {
targeted-broadcast;
address 10.1.2.1/24;
}
}
}
vlans {
default;
v0 {
l3-interface vlan.0;
}
v1 {
l3-interface vlan.1;
}
}
Configuring IP Directed Broadcast for Switches with ELS Support
To configure IP directed broadcast on a subnet to enable remote management of its hosts:
Procedure
CLI Quick Configuration
To quickly configure the switch to accept
IP directed broadcasts targeted at subnet 10.1.2.1/24,
copy the following commands and paste them into the switch’s
terminal window:
[edit]
set interfaces ge-0/0/0.0 family ethernet-switching vlan members v1
set interfaces ge-0/0/1.0 family ethernet-switching vlan members v1
set interfaces irb.1 family inet address 10.1.2.1/24
set interfaces ge-0/0/3.0 family ethernet-switching vlan members v0
set interfaces irb.0 family inet address 10.1.1.1/24
set vlans v1 l3-interface irb.1
set vlans v0 l3-interface irb.0
set interfaces irb.1 family inet targeted-broadcast Step-by-Step Procedure
To configure the switch to accept IP directed broadcasts
targeted at subnet 10.1.2.1/24:
Add logical interface
ge-0/0/0.0to VLANv1:[edit interfaces] user@switch# set ge-0/0/0.0 family ethernet-switching vlan members v1
Add logical interface
ge-0/0/1.0to VLANv1:[edit interfaces] user@switch# set ge-0/0/1.0 family ethernet-switching vlan members v1
Configure the IP address for the egress VLAN,
v1:[edit interfaces] user@switch# set irb.1 family inet address 10.1.2.1/24
Add logical interface
ge-0/0/3.0to VLANv0:[edit interfaces] user@switch# set ge-0/0/3.0 family ethernet-switching vlan members v0
Configure the IP address for the ingress VLAN:
[edit interfaces] user@switch# set irb.0 family inet address 10.1.1.1/24
To route traffic between the ingress and egress VLANs, associate a Layer 3 interface with each VLAN:
[edit vlans] user@switch# set v1 l3-interface irb.1 user@switch# set v0 l3–interface irb.0
-
Enable the Layer 3 interface for the egress VLAN to receive IP directed broadcasts:
[edit interfaces] user@switch# set irb.1 family inet targeted-broadcast user@switch# set irb.0 family inet targeted-broadcast
On QFX5000 Series, EX4300 Series, and EX4600 Series switches, the maximum number of targeted-broadcast supported is 63.
Results
Check the results:
user@switch# show
interfaces {
ge-0/0/0 {
unit 0 {
family ethernet-switching {
vlan {
members v1;
}
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members v1;
}
}
}
}
ge-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members v0;
}
}
}
}
vlan {
unit 0 {
family inet {
targeted-broadcast;
address 10.1.1.1/24;
}
}
unit 1 {
family inet {
targeted-broadcast;
address 10.1.2.1/24;
}
}
}
vlans {
default;
v0 {
l3-interface irb.0;
}
v1 {
l3-interface irb.1;
}
}
Verifying IP Directed Broadcast Status
Purpose
Verify that IP directed broadcast is enabled and is working on the subnet.
Action
Use the show vlans extensive command to verify that IP directed broadcast is
enabled and working on the subnet as shown in Example: Configuring IP Directed Broadcast on a
Switch.