Question about WOL (Wake on LAN) Unicast method
Hi,  We are trying to get WOL working here on our enterprise network using the Unicast method.  It seems that this method depends on the machine you wish to wake having an entry in the router/switch ARP cache.  The problem is that this cache times out rather quickly by default and the suggestion was to increase this timeout setting so the entry stays in the cache longer when the device goes offline.  Our WAN guys are saying that is a bad idea and can cause all kinds of issues if we set this to say 12-24 hours.  How is everyone else using Unicast WOL dealing with this issue?
March 18th, 2015 4:05pm

Hi,

I would say that most don't use the unicast method due to the fact you stated above.... Don't know anyone that actually changed the ARP cache. Depending on your network setup perhaps Subnet Directed broadcasts is an option, even with the downside that this offers; there are also 3rd party products that work in a different way.

Regards,
Jrgen

March 18th, 2015 4:12pm

do you have static IP addresses?

If the target computer has changed its IP address since it last sent its inventory information, the wake-up packet will reach the wrong computer but it will not wake it up because the MAC address in the wake-up packet transmission will not match.

https://technet.microsoft.com/en-us/library/bb693568.aspx?f=255&MSPPError=-2147217396

I realize the link above is for SCCM 2007 but the protocol has not changed. Most use DHCP and thus use subnet directed broadcasts.


Both methods require routers to forward UDP packets from your site server.
  • Edited by mdkelley 11 hours 21 minutes ago
March 18th, 2015 4:17pm

We have always used the Subnet-directed broadcasts
March 18th, 2015 4:24pm

Thanks for the responses.  I think we will lean toward the subnet directed broadcast method then.  I know this method is less secure and will need to get approval from the security team.  Does anyone have any specifics for what exactly needs to be configured on routers/switches to enable subnet directed broadcasts?  Any links/guides to get it working properly with Cisco equipment?
March 18th, 2015 5:52pm

You will have to set the ACL on the cisco routers to allow UDP broadcast traffic from whatever port you configure within the SCCM console settings (default is port 9) coming from the IP of your primary site server.

There is some info here about broadcast packets:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/12-4/iap-12-4-book/iap-bph.html#GUID-9BCB3E1F-6BB1-4523-ABAA-DF9F6F15E5B0

Your network guys probably know how to set this up. As for security, if you just have one server (primary site) sending broadcasts on one UDP port (9) it should be a pretty easy sell. You don't have to allow all UDP broadcast packets through.

info here regarding security and ACL:

https://supportforums.cisco.com/document/6516/acl

  • Edited by mdkelley 7 hours 57 minutes ago
March 18th, 2015 7:39pm


A few corrections and notes:

- Yes, unicast WoL traffic requires the system to be in the ARP cache of the final layer-3 device. This has nothing to do with WoL though. This is a requirement for *all* unicast traffic. That's simply how ethernet works.

- Subnet-directed broadcasts aren't less secure. They can however be exploited enabling certain types of DoS attacks most notably the Smurf attack. This can be easily and reliably mitigated as mentioned though.

- "Both methods require routers to forward UDP packets from your site server." This is a deceptive statement at best. In Unicast, the traffic is transmitted just like all other traffic on the network and requires nothing special on the network side and no configuration of any "forwarding". Only with subnet-directed broadcasts is the network required to "forward" traffic.

- While a consideration, DHCP is usually not a factor with desktops unless you have a ridiculously short lease time. With laptops, same story unless they actually change subnets but then there's nothing you can really do about that. This is why I recommend setting the heartbeat to at least once a day if not more often however.

Finally, do you know about Peer wakeup in 2012 SP1 and R2? Peer wakeup is much more reliable. You generally use unicast with peer wakeup but it overcomes the ARP cache limit.

March 18th, 2015 8:40pm
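The points made above (mdkelley's note that a magic packet reaching the wrong host is ignored because the embedded MAC does not match, Jason's distinction between unicast delivery and subnet-directed broadcasts that the router has to forward, and the narrow router ACL suggested for the broadcast method) can be modelled in a few functions. The following is an added example written for this thread, not code from Microsoft, Cisco or any poster; every IP address, subnet and MAC in it is a constructed sample value, and the ACL model only mirrors the "site server, UDP, WoL port" rule described in the thread rather than any specific router configuration.

```python
"""Wake-on-LAN magic packets and the two delivery methods discussed in the thread.

Added illustration; all addresses are constructed sample values.
"""
import ipaddress
import socket

WOL_PORT = 9  # default port of the SCCM console setting mentioned in the thread


def parse_mac(mac: str) -> bytes:
    """Accept 'AA:BB:CC:DD:EE:FF', 'AA-BB-CC-DD-EE-FF' or 'AABB.CCDD.EEFF'; return 6 raw bytes."""
    hexdigits = "".join(ch for ch in mac if ch not in ":-.")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def build_magic_packet(mac: str) -> bytes:
    """Standard magic packet: 6 bytes of 0xFF followed by the target MAC repeated 16 times."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def magic_packet_target(payload: bytes):
    """Return the MAC a magic packet addresses, or None if the payload is not a magic packet.

    The sync stream is searched for rather than assumed at offset 0, because NICs
    accept the pattern anywhere in the frame payload.
    """
    sync = b"\xff" * 6
    idx = payload.find(sync)
    while idx != -1:
        body = payload[idx + 6: idx + 6 + 16 * 6]
        if len(body) == 96 and body == body[:6] * 16:
            return body[:6]
        idx = payload.find(sync, idx + 1)
    return None


def would_wake(payload: bytes, nic_mac: str) -> bool:
    """NIC-side check from the thread: a packet delivered to the wrong host (for example
    after a DHCP address change) is ignored because the embedded MAC does not match."""
    target = magic_packet_target(payload)
    return target is not None and target == parse_mac(nic_mac)


def wol_destination(method: str, last_known_ip: str, subnet: str) -> str:
    """Where the site server addresses the packet for each method.

    unicast: the client's last inventoried IP; the last-hop router needs a live ARP
             entry for it, and nothing else on the network is involved.
    subnet-directed-broadcast: the subnet's broadcast address; the router must be
             configured to forward directed broadcasts onto that segment.
    """
    if method == "unicast":
        return last_known_ip
    if method == "subnet-directed-broadcast":
        return str(ipaddress.ip_network(subnet, strict=False).broadcast_address)
    raise ValueError(f"unknown method: {method!r}")


def directed_broadcast_permitted(src_ip: str, dst_ip: str, proto: str, dport,
                                 site_server_ip: str, subnet: str,
                                 wol_port: int = WOL_PORT) -> bool:
    """Model of the narrow ACL the thread recommends for directed broadcasts.

    Only UDP to the WoL port from the site server is forwarded; every other directed
    broadcast (including the ICMP case behind Smurf-style amplification) is dropped.
    Ordinary unicast traffic is not affected by this rule at all.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    if ipaddress.ip_address(dst_ip) != net.broadcast_address:
        return True  # not a directed broadcast; the rule does not apply
    return proto == "udp" and dport == wol_port and src_ip == site_server_ip


def send_magic_packet(mac: str, dest_ip: str, port: int = WOL_PORT) -> None:
    """Transmit a magic packet over UDP to a unicast or broadcast destination."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(build_magic_packet(mac), (dest_ip, port))


if __name__ == "__main__":
    # Constructed sample values: a client last seen at 10.20.30.45 on 10.20.30.0/24,
    # with the primary site server at 10.0.0.5.
    pkt = build_magic_packet("00:11:22:33:44:55")
    print("right host wakes:", would_wake(pkt, "00-11-22-33-44-55"))
    print("wrong host ignores:", would_wake(pkt, "aa:bb:cc:dd:ee:ff"))
    for m in ("unicast", "subnet-directed-broadcast"):
        print(m, "->", wol_destination(m, "10.20.30.45", "10.20.30.0/24"))
    print("ACL allows site server WoL broadcast:",
          directed_broadcast_permitted("10.0.0.5", "10.20.30.255", "udp", 9, "10.0.0.5", "10.20.30.0/24"))
    print("ACL drops ICMP directed broadcast:",
          directed_broadcast_permitted("10.0.0.5", "10.20.30.255", "icmp", None, "10.0.0.5", "10.20.30.0/24"))
```

The `would_wake` check is the reason a stale DHCP address is a reliability problem rather than a safety one: the packet lands on the wrong host and is simply discarded. The ACL model is deliberately stricter than "permit UDP broadcasts"; when reviewing the real router configuration, the thing to confirm is that the permit line is scoped to the site server's address and the configured port, not to all UDP.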

Sorry if anyone felt deceived. I was not going for that. That was an incorrect statement, Unicast does not require forwarders as Jason mentioned. I meant both methods send UDP packets from the site server! Must be getting late here in the eastern time zone. DHCP and Unicast - that is just a Microsoft recommendation from the link I inserted and it is an old link. It could be dated info that is no longer relevant. Peer wakeup sounds very interesting... that may be worth investigating and even save you some work.
March 18th, 2015 9:08pm


Thanks Jason and mdkelley for the very helpful information!

Jason,  Do you have any links for how peer wakeup works and is configured?  I can't really find much from searching around the web on it.  Do you use WOL in your environment?  If so what method do you use?

Thanks!

March 19th, 2015 1:19pm

See https://technet.microsoft.com/en-us/library/gg712701.aspx?f=255&MSPPError=-2147217396#BKMK_PlanToWakeClients

I don't have a real environment as I'm not an admin.

March 19th, 2015 1:54pm

Thanks Jason,  That sounds very good and easy in theory.  Really I would just need to change a CM client setting and ensure UDP packet forwarding is enabled on all the network switches/routers to make it work.  Do you know anyone who uses it out there with success?  One thing I did notice is it doesn't support WinXP and we still have about 1400 XP devices out there but that's not a deal breaker.
March 19th, 2015 5:20pm

Well, given that XP is not supported at all anymore by Microsoft (unless you are foolish enough to pay them a boat load of money), not having XP support is not surprising.

Yes, there are folks out there using it. Heed the cautions on that page though -- make sure you coordinate this with the network team because MAC addresses of sleeping systems will be taken over by other systems on the same subnet. If your network devices are not expecting this or limit the number of MAC addresses per port, get ready for lots of not-fun.

You don't need to enable subnet directed broadcasts at all though -- in fact, if you enable subnet-directed broadcasts and they work for you, peer wakeup adds no real value. Unicast is the preferred and best method for use with peer wakeup. Also as mentioned, UDP traffic doesn't need to be "forwarded"; it is simply transmitted like all other IP-encapsulated traffic.

March 19th, 2015 8:38pm

Jason, Thanks for all your help, much appreciated!
March 20th, 2015 11:49am
