ip forward-broadcast

Function

Using the ip forward-broadcast command, you can enable an interface to forward directed broadcast packets.

Using the undo ip forward-broadcast command, you can disable an interface from forwarding directed broadcast packets.

By default, an interface is disabled from forwarding directed broadcast packets.

Format

ip forward-broadcast [ acl acl-number ]

undo ip forward-broadcast

Parameters

Parameter: acl acl-number

Description: Specifies the number of an ACL.

Value: The value is an integer that ranges from 2000 to 3999.

  • The number of a basic ACL ranges from 2000 to 2999.
  • The number of an advanced ACL ranges from 3000 to 3999.

Views

VE sub-interface view, VBDIF interface view, VLANIF interface view, Ethernet interface view, MultiGE interface view, GE interface view, XGE interface view, 25GE interface view, 40GE interface view, 100GE interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Directed broadcast packets are sent to a specified network. In the destination IP address of a directed broadcast packet, the network number is that of the specified network and the host number is all 1s.

Hackers use directed broadcast packets to attack networks, which threatens network security. Therefore, directed broadcast packets are isolated by Layer 3 switches in normal cases. However, in some scenarios, the device needs to receive or forward these directed broadcast packets. For example, when Wake on LAN (WOL) is configured on a PC, the command can be run to enable the interface to forward directed broadcast packets. (WOL enables a PC that is dormant or shut down to be woken up or powered on by an instruction sent from a peer on the network.)

The device can also be enabled to receive and forward a certain type of directed broadcast packets based on ACLs. For example, if the basic ACL is used, run the acl (system view) and rule (basic ACL view) commands to define the directed broadcast packets to be received and forwarded as permit, and then run the ip forward-broadcast command to bind this ACL.

Only broadcast packets that match the permit action defined in the ACL are forwarded. Broadcast packets that match the deny action defined in the ACL or do not match any ACL rules are not forwarded.
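The ACL binding described above, shown as an added example that is not part of the original Huawei page: it limits directed broadcast forwarding on VLANIF100 to packets from a single WOL server instead of forwarding all directed broadcasts. The ACL numbers, the server address 10.1.1.10, the subnet broadcast address 10.1.100.255, UDP port 9 for WOL, and the ACL view prompts are assumed sample values.

```text
# Assumed values: ACL 2001, WOL server 10.1.1.10 (wildcard 0 = exactly this host).
# Basic ACL: permit directed broadcasts only when they come from the WOL server.
<HUAWEI> system-view
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule permit source 10.1.1.10 0
[HUAWEI-acl-basic-2001] quit

# Bind the ACL. Packets that match a deny rule or no rule are not forwarded.
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip forward-broadcast acl 2001
[HUAWEI-Vlanif100] quit

# Alternative to the basic ACL above (assumed values: ACL 3001, VLANIF100
# subnet broadcast 10.1.100.255, WOL sent to UDP port 9).
# Advanced ACL: also restrict the protocol, destination and destination port.
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule permit udp source 10.1.1.10 0 destination 10.1.100.255 0 destination-port eq 9
[HUAWEI-acl-adv-3001] quit
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip forward-broadcast acl 3001
```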

Precautions

By default, the device identifies directed broadcast packets as malformed packets, and intercepts and discards them because the attack defense function of malformed packets is enabled on the device. In this case, the interface on the device cannot forward the directed broadcast packets.

To solve this problem, use either of the following methods:

  • Run the anti-attack abnormal disable command to disable the attack defense function of malformed packets. However, after this command is configured, other malformed packets will not be intercepted and discarded, which brings certain security risks. Use this command with caution.

  • Run the anti-attack disable command to disable all attack defense functions. However, after this command is configured, not only malformed packets but also fragmented, tcp-syn, udp-flood, and icmp-flood attack packets will not be intercepted and discarded, which brings certain security risks. Use this command with caution.

This command does not apply to VPN scenarios, IP address unnumbered scenarios, and scenarios of conflicts between host routes and subnet broadcast routes due to network segment overlapping.

Example

# Enable VLANIF100 to forward directed broadcast packets.

<HUAWEI> system-view
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip forward-broadcast

# Enable GE0/0/1 to forward directed broadcast packets.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] ip forward-broadcast
Copyright © Huawei Technologies Co., Ltd.