How to securely forward wake-on-lan packets from remote subnets through Cisco layer 3 switches
To facilitate software deployments, we need to wake PCs up from the deployment server. As the server uses directed broadcasts to the destination subnet, this fails in any reasonably secure network. In our scenario, the SCCM server resides in VLAN10, while the destination PC lives in VLAN20. The SCCM server sends a "magic packet" to 192.168.20.255. This packet will normally be discarded by the router / L3 switch.
To be a bit more obscure, we have chosen port 12287. During the tests it seemed like the packet needed to be allowed in several ways:
- explicitly enable forwarding for UDP 12287
- explicitly allow such a packet on the ingress interface with an ACL
- explicitly allow the packet on the egress interface with an ACL
(but I might be mistaken here. -> needs testing if it works without)
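The three steps above as a Cisco IOS configuration sketch. This is an added example, not the configuration from the original setup: the server address 192.168.10.5, ACL number 120 and the ACL name VLAN10-IN are assumptions, and exact behaviour can differ between platforms and software releases.

```cisco
! Constructed example. 192.168.10.5 is a placeholder for the
! SCCM / WOL server in VLAN10 (assumption, not from the original page).
!
! 1. Forward only the chosen UDP port when broadcasts are relayed.
ip forward-protocol udp 12287
!
! 2. Egress side (VLAN20): re-enable directed broadcasts, but only for
!    packets matching ACL 120, i.e. magic packets from the one server.
access-list 120 remark WOL magic packets from the deployment server only
access-list 120 permit udp host 192.168.10.5 any eq 12287
!
interface Vlan20
 ip directed-broadcast 120
!
! 3. Ingress side (VLAN10): if an inbound ACL is already applied to the
!    server VLAN, it needs a matching permit entry. VLAN10-IN is a
!    hypothetical name for that existing ACL; do not apply a new ACL
!    containing only this line, the implicit deny would block all
!    other traffic from VLAN10.
ip access-list extended VLAN10-IN
 permit udp host 192.168.10.5 host 192.168.20.255 eq 12287
!
! Check the result on the egress interface:
!   show ip interface Vlan20 | include [Dd]irected
! Check that only the server's packets hit the permit entry:
!   show access-lists 120
```

Tying the directed-broadcast permission to a single source host and a single UDP port keeps the subnet from being usable as a general broadcast amplifier, which is the reason directed broadcasts are dropped in the first place.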
Despite the fact that we do use a Microsoft SCCM server, its WOL function wouldn't work for us. We used a 3rd party WOL tool instead and scheduled the wake-ups. Wolcmd could do that for you.