Pages

Tuesday, October 16, 2012

How To Setup Wake On LAN With VLANs and HP ProCurve Switches


If you are in a VLAN environment where you have HP ProCurve switches and want to Wake-On-LAN or WOL packets to be forwarded to different VLANs

On the switch that is doing your routing, in my case, a ProCurve 5300 series switch, I typed the commands below.
ip directed-broadcast
ip udp-bcast-forward
vlan 2
     ip address 10.0.2.2 255.255.255.0
     ip forward-protocol udp 10.0.5.255 9
vlan 5
     ip address 10.0.5.2 255.255.255.0

VLAN 2 is where my FOG server sits and the WOL packets it sends out are forwarded to VLAN 5.

------------------------------------------------------
I was recently asked to give a little more detail on this post. (I also found a typo I made and fixed it too. I changed 10.0.16.255 to 10.0.5.255)

This post assumes that you are using virtual LANs or VLANs. If you are not using VLANs, you don't have to do this.

Here is the quick and dirty of VLANs.
- VLANs take your one physical network and breaks it up into multiple logical networks. The closest example I can give is a hard drive. You can have one physical hard drive but multiple partitions.
Please keep in mind that this is an over simplification VLANs and what they can do.

On to the questions.

To expand on this example

  • Lets say that the IP address of my FOG server is 10.0.2.50 and with a subnet mask of 255.255.255.0. 
  • The server is sits in VLAN 2.
  • VLAN 2 gateway address is 10.0.2.2
  • VLAN 5 gateway address is 10.0.5.2
  • The desktop computer that I want to image using FOG is in VLAN 5 and is setup to get an IP address from the DHCP server.
  • The desktop computer is set up to boot from the network (PXE) first and has Wake-On-LAN (WOL) enabled
Wake-On-LAN (WOL) or "magic" packets send out a broadcast to wake up a computer. By design, VLANs keep any kind of broadcasts within it's own VLAN. (Back to the hard drive example, you can't save a 500mb file across two partitions of flash drives.) This prevents a user or someone else from taking down your entire network when they plug both ends of a network cable into the wall or switch, it will only take down that VLAN.

On HP switches (and I assume other manufactures as well), you can allow broadcasts to be passed on from one VLAN to another based on IP address and port number. This is where the command "ip forward-protocol udp 10.0.5.255 9" comes into play.

The WOL packet uses UDP port 9. The 10.0.5.255 is the broadcast address for VLAN 5. 

When my FOG server sends out a wake up broadcast (packet) using UDP port 9 in VLAN 2, my HP switch will forward that wake up broadcast (packet) on to VLAN 5.

I hope this clears up any confusion that you may have.

--Updated 3/18/13 9:20am

7 comments:

  1. Hi Michael,

    Can you please give in a little more detail:
    1. In vlan 2:
    The IP address given is presumably for your FOG (FOG?) server. However, it is not clear what the "ip forward-protocol udp 10.0.16.255 9" part means.
    2. In vlan 5:
    I'm also assuming the IP address given here is the IP address allocated to the switch within the target subnet?

    Cheers,

    David.

    ReplyDelete
  2. Hi David,
    ip forward-protocol ->means the packets broadcast from the vlan 2

    udp -> in udp protocol

    10.0.16.255 -> (broadcast on the network 10.0.16.0/24 for which the wildcard mask is 0.0.0.255 so the broadcast is 10.0.16.255) means all the IP in vlan 5 can be forwarded by this router which as an IP on vlan 2 and an other IP in vlan 5.
    It's like an ip helper-address on Cisco equipment...if you know.
    Cheers,
    Sarah

    ReplyDelete
  3. Hi,
    Thank you for this guide, we are working on using WOL from OS X Workgroup Manager to wake up computers on another VLAN and subnet. Is there any security concern with turning on

    ip directed-broadcast
    ip udp-bcast-forward

    or do they not actually do anything until you config a vlan and add the command

    ip forward-protocol udp 10.0.5.255 9


    I do not want to open any additional security holes on my core switch by running those 2 commands.

    Thanks!
    Squelchtone

    ReplyDelete
    Replies
    1. You might want to double check me on this but from my understanding, they do not do anything until you configure the vlan.

      Delete
  4. Hi is this possible on remote sites on a private WAN

    I have multiple site on different vlans

    each with single router connects to HP switch with L2 and L3 mix

    how can I control from one site

    Ta

    ReplyDelete
    Replies
    1. Let me just make sure that I understand you correctly. Say you are in your main office in New York and you want to wake-up the computers in the Chicago office.

      If this is correct, I am not if it can be done. It is my understanding that routers do not forward wake on lan packets because they consider them broadcasts. I might be wrong. I have only worked with Cisco routers and the ones that I have worked on do not forward WOL packets.

      Delete
    2. Routers by default are usually configured to reject directed broadcasts (DoS attack risk) but the routed interface nearest WoL server (my SCCM box's VLAN) you add the ip directed-broadcast option and then apply an ACL to only accept from that server and boom-magic. but if there is 802.1x involved... no guarantees

      Delete