Hi,
I would say that most don't use the unicast method due to the fact you stated above. Don't know anyone that actually changed the ARP cache. Depending on your network setup, perhaps subnet-directed broadcasts are an option, even with the downside that this offers; there are also 3rd party products that work in a different way.
Regards,
Jrgen
do you have static IP addresses?
If the target computer has changed its IP address since it last sent its inventory information, the wake-up packet will reach the wrong computer but it will not wake it up because the MAC address in the wake-up packet transmission will not match.
https://technet.microsoft.com/en-us/library/bb693568.aspx?f=255&MSPPError=-2147217396
I realize the link above is for SCCM 2007 but the protocol has not changed. Most use DHCP and thus use subnet directed broadcasts.
Both methods require routers to forward UDP packets from your site server.
- Edited by mdkelley Wednesday, March 18, 2015 8:19 PM
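As an added illustration (not code from this thread or from Configuration Manager), the Python below builds a WoL magic packet, emulates the NIC-side check that makes a packet delivered to the wrong host after an IP change harmless (the MAC repeated in the payload has to match the NIC), and derives the subnet-directed broadcast address the broadcast method sends to; the MACs, addresses and the `send_wol` helper are constructed for the example, and UDP port 9 is the console default named in the thread.

```python
import ipaddress
import socket

WOL_PORT = 9  # Configuration Manager default port mentioned in the thread


def _mac_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw


def build_magic_packet(mac: str) -> bytes:
    """WoL magic packet: 6-byte 0xFF sync stream followed by the target MAC 16 times."""
    return b"\xff" * 6 + _mac_bytes(mac) * 16


def nic_would_wake(payload: bytes, nic_mac: str) -> bool:
    """Emulate the NIC check: after the sync stream it must see its own MAC 16 times.
    A packet that lands on another host because the inventoried IP is stale fails
    here, so it reaches the wrong computer but does not wake it."""
    idx = payload.find(b"\xff" * 6)
    if idx < 0:
        return False
    expected = _mac_bytes(nic_mac) * 16
    return payload[idx + 6: idx + 6 + len(expected)] == expected


def directed_broadcast(last_ip: str, prefix_len: int) -> str:
    """Subnet-directed broadcast address of the subnet the client last reported from."""
    net = ipaddress.ip_network(f"{last_ip}/{prefix_len}", strict=False)
    return str(net.broadcast_address)


def wol_destination(method: str, last_ip: str, prefix_len: int) -> str:
    """Unicast goes to the last known IP like any other traffic; subnet-directed
    broadcast goes to the subnet broadcast address and needs the routers to forward it."""
    if method == "unicast":
        return last_ip
    if method == "subnet-directed-broadcast":
        return directed_broadcast(last_ip, prefix_len)
    raise ValueError(f"unknown WoL method: {method}")


def send_wol(mac: str, method: str, last_ip: str, prefix_len: int, port: int = WOL_PORT) -> int:
    """Transmit the magic packet over UDP (constructed helper); returns bytes sent."""
    dest = wol_destination(method, last_ip, prefix_len)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        if method != "unicast":
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(build_magic_packet(mac), (dest, port))
```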
A few corrections and notes:
- Yes, unicast WoL traffic requires the system to be in the ARP cache of the final layer-3 device. This has nothing to do with WoL though. This is a requirement for *all* unicast traffic. That's simply how Ethernet works.
- Subnet-directed broadcasts aren't less secure. They can however be exploited enabling certain types of DoS attacks most notably the Smurf attack. This can be easily and reliably mitigated as mentioned though.
- "Both methods require routers to forward UDP packets from your site server." This is a deceptive statement at best. In Unicast, the traffic is transmitted just like all other traffic on the network and requires nothing special on the network side and no configuration of any "forwarding". Only with subnet-directed broadcasts is the network required to "forward" traffic.
- While a consideration, DHCP is usually not a factor with desktops unless you have a ridiculously short lease time. With laptops, same story unless they actually change subnets but then there's nothing you can really do about that. This is why I recommend setting the heartbeat to at least once a day if not more often however.
Finally, do you know about Peer wakeup in 2012 SP1 and R2? Peer wakeup is much more reliable. You generally use unicast with peer wakeup but it overcomes the ARP cache limit.
You will have to set the ACL on the cisco routers to allow UDP broadcast traffic from whatever port you configure within the SCCM console settings (default is port 9) coming from the IP of your primary site server.
There is some info here about broadcast packets:
Your network guys probably know how to set this up. As for security, if you just have one server (primary site) sending broadcasts on one UDP port (9) it should be a pretty easy sell. You don't have to allow all UDP broadcast packets through.
info here regarding security and ACL:
https://supportforums.cisco.com/document/6516/acl
- Edited by mdkelley Wednesday, March 18, 2015 11:44 PM
Thanks Jason and mdkelley for the very helpful information!
Jason, do you have any links for how peer wakeup works and is configured? I can't really find much from searching around the web on it. Do you use WOL in your environment? If so, what method do you use?
Thanks!
See https://technet.microsoft.com/en-us/library/gg712701.aspx?f=255&MSPPError=-2147217396#BKMK_PlanToWakeClients
I don't have a real environment as I'm not an admin.
Well, given that XP is not supported at all anymore by Microsoft (unless you are foolish enough to pay them a boat load of money), not having XP support is not surprising.
Yes, there are folks out there using it. Heed the cautions on that page though -- make sure you coordinate this with the network team because MAC addresses of sleeping systems will be taken over by other systems on the same subnet. If your network devices are not expecting this or limit the number of MAC addresses per port, get ready for lots of not-fun.
You don't need to enable subnet-directed broadcasts at all though -- in fact, if you enable subnet-directed broadcasts and they work for you, peer wakeup adds no real value. Unicast is the preferred and best method for use with peer wakeup. Also, as mentioned, UDP traffic doesn't need to be "forwarded"; it is simply transmitted like all IP-encapsulated traffic.