  1. #1

    Join Date
    Aug 2007
    Posts
    7
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Wake on LAN across VLANs/subnets - 3Com Layer-3 Switch 5500

    Hi,

    I have 2 computer labs on 2 different VLANs: VLAN 1 (default) uses the 10.65.1.0/24 subnet, VLAN 3 uses the 10.65.3.0/24 subnet. The workstation of the person in charge of both labs is on VLAN 1. I wrote a script a while ago to allow that person to turn on both labs via Wake on LAN. The script just calls the wolcmd.exe utility (from Depicus) which broadcasts a magic packet for each MAC address.
    It worked great until the replacement of the layer 3 switch (3Com 5500) between the labs. Now WOL is limited to one subnet, i.e.: The computer running the script has to be on the same subnet as the computer lab it tries to wake up.

    I did my homework and found out that I needed to allow "subnet directed broadcasts" to allow the packets to cross subnets. So I entered "ip forward-broadcast" on the 3Com 5500 and I am now able to successfully ping the broadcast address of the other network (10.65.3.255) but WOL still doesn't work. The example here shows that the "ip forward-broadcast" command should also be run on the interface connecting to the other VLAN, but on the 3Com 5500, this particular command doesn't seem to be supported by the Gigabit port connecting to the VLAN.

    Did any of you run into the same problem? All suggestions are welcome.

  2. #2

    Join Date
    Oct 2005
    Location
    East Midlands
    Posts
    748
    Thank Post
    17
    Thanked 109 Times in 69 Posts
    Rep Power
    38

    Re: Wake on LAN across VLANs/subnets - 3Com Layer-3 Switch 5

    Hi,

    Try using mc-wol, which allows you to do subnet broadcast; we use it here and it works well. You also need to find out what port the broadcast (WOL) is sent on so you can create an ACL for this. I don't think ip directed-broadcast works on its own, as this will only broadcast certain types of traffic.

    Ash.

  3. #3

    Join Date
    Aug 2007
    Posts
    7
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Wake on LAN across VLANs/subnets - 3Com Layer-3 Switch 5

    Thanks ashok for your prompt reply.

    I was so close! By digging a bit further, I found the command I was missing. I needed to run "ip forward-broadcast" on the VLAN interface, not the port! So, I entered "interface vlan-interface 3" to switch to the VLAN 3 interface, then typed "ip forward-broadcast", and that was it, both labs turned on. I found the instructions here.

    Now, does anybody know how 3Com implements ACLs? I need to create an ACL that allows computers on network 10.65.1.0/24 to send directed broadcast to the 10.65.3.0/24 network. The wolcmd help says the magic packets are UDP packets and the default port is port 7. That's enough info to create a pretty restrictive ACL, but I don't know the 3Com syntax to create and apply ACLs, so if anybody knows, please chime in.

    I had a look at mc-wol but I fail to see how it would help in my case. As they say:

    "If a target computer is on another LAN, IP address must be specified. For example you have a segment using the class C network 192.168.5.0. The broadcast ip address of this subnet is 192.168.5.255 - that's what you use as the destination IP address on the packet."

    In other words, mc-wol creates a subnet-directed broadcast which would be blocked by the layer 3 switch unless it has been configured to let the broadcast pass through (as I did). I'll stick with wolcmd which lets me specify the port to use.

  4. #4

    Join Date
    Oct 2005
    Location
    East Midlands
    Posts
    748
    Thank Post
    17
    Thanked 109 Times in 69 Posts
    Rep Power
    38

    Re: Wake on LAN across VLANs/subnets - 3Com Layer-3 Switch 5

    Hi,

    Yes, you are right: you need the command ip forward-broadcast on the VLAN because this is the layer 3 virtual interface that is actually involved in the routing.

    I'm not sure how to create an acl for 3com but for cisco it should go something like

    access-list 101 permit udp 10.65.1.0 0.0.0.255 10.65.3.0 0.0.0.255 eq 7

    the above access list should be specified on the vlan interface for the 10.65.3.0 network as an inbound for it to work. This will allow udp broadcast packets using port 7 from 10.65.1.0 TO 10.65.3.0

    The MCwol could be used, but since you found the program that works for you, you should probably use that. What we have at our place is one server from where a scheduled task (batch file) is created that shuts down the PCs, and it makes the ACL easier as you only need to allow the broadcast packets from one computer rather than all, but the above access list will allow all PCs in the 10.65.1.0 network to send WOL.

    This may help you in acl configuration on 3com:
    http://support.3com.com/infodeli/too...715-0BAA01.pdf

    Page 191 - ACL Configuration

    HTH,

    Ash.

  5. #5

    Join Date
    Aug 2007
    Posts
    7
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Wake on LAN across VLANs/subnets - 3Com Layer-3 Switch 5

    Thanks Ash.

    I am much more familiar with Cisco too, the challenge is to convert Cisco commands into 3Com commands... I have the user's manual so it's just a matter of time. I'll post my findings once I'm done.

    We have several multihomed servers with IPs on each subnet, so running wol from the servers is never a problem. I thought about using psexec to have the user run the script from the server but she would have to be a member of the server's administrators group for psexec to work and that's not an option. Also the labs are not in use every day and the schedule is not always the same so a batch file running from the server doesn't really make sense in my case.

  6. #6

    Join Date
    Aug 2007
    Posts
    7
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Wake on LAN across VLANs/subnets - 3Com Layer-3 Switch 5

    Well, I am running into problems:

    Problem #1
    @Ash: You were saying the ACL should be applied to the inbound side of the VLAN 3 interface. Shouldn't it be outbound? The WOL packets come from VLAN 1 into the layer 3 switch and then are sent out to VLAN 3. So as far as the switch is concerned, these packets are outbound.

    Problem #2
    On a 3Com switch, you first define an "advanced ACL" and then add "rules" to it:

    acl number 3000 match-order config
    rule 0 permit udp source 10.65.1.0 0.0.0.255 destination 10.65.3.0 0.0.0.255 destination-port eq 7


    Now, do 3Com ACLs have an implied deny any any at the end like Cisco's?

    In any case, the goal of the ACL is to allow WOL and regular traffic, but to block the traffic now allowed through because of the ip forward-broadcast statement. Based on this post my final ACL looks like this:

    Advanced ACL 3000, 9 rules
    Acl's step is 1
    rule 0 permit udp source 10.65.1.0 0.0.0.255 destination 10.65.3.0 0.0.0.255 destination-port eq echo
    rule 1 deny ip source 0.0.0.0 0.255.255.255
    rule 2 deny ip source 127.0.0.0 0.255.255.255
    rule 3 deny ip source 255.0.0.0 0.255.255.255
    rule 4 deny ip destination 0.0.0.0 0.255.255.255
    rule 5 deny ip destination 127.0.0.0 0.255.255.255
    rule 6 deny ip destination 255.0.0.0 0.255.255.255
    rule 7 deny ip destination 10.65.3.255 0
    rule 8 permit ip


    Problem #3
    Assuming this ACL works, does anybody know how to apply it to the VLAN interface? It looks like I can only apply it to ports.

    Problem #4
    So I tried to apply the ACL to all the ports that are members of VLAN 3 but when I do, only the inbound option is available...

    If you know how to solve any of these problems, please let me know.
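
An added example, not part of the original thread: a small Python model of ACL 3000 as listed in post #6, useful for checking which rule a given packet would hit. It assumes first-match evaluation in rule-number order (an assumption based on `match-order config`) and ordinary wildcard-mask matching; the function names and the sample packets are constructed for illustration.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def wild_match(addr, base, wildcard):
    """Wildcard-mask match: bits set to 1 in the wildcard are ignored."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

ANY = ("0.0.0.0", "255.255.255.255")  # omitted source/destination = match all

# (rule id, action, protocol, source, destination, destination port)
# "echo" in the switch listing is UDP port 7; "10.65.3.255 0" is an exact host.
ACL_3000 = [
    (0, "permit", "udp", ("10.65.1.0", "0.0.0.255"), ("10.65.3.0", "0.0.0.255"), 7),
    (1, "deny", "ip", ("0.0.0.0", "0.255.255.255"), ANY, None),
    (2, "deny", "ip", ("127.0.0.0", "0.255.255.255"), ANY, None),
    (3, "deny", "ip", ("255.0.0.0", "0.255.255.255"), ANY, None),
    (4, "deny", "ip", ANY, ("0.0.0.0", "0.255.255.255"), None),
    (5, "deny", "ip", ANY, ("127.0.0.0", "0.255.255.255"), None),
    (6, "deny", "ip", ANY, ("255.0.0.0", "0.255.255.255"), None),
    (7, "deny", "ip", ANY, ("10.65.3.255", "0.0.0.0"), None),
    (8, "permit", "ip", ANY, ANY, None),
]

def evaluate(proto, src, dst, dport=None, acl=ACL_3000):
    """Return (rule id, action) of the first matching rule, or None."""
    for rid, action, rproto, rsrc, rdst, rport in acl:
        if rproto != "ip" and rproto != proto:
            continue  # "ip" rules match every protocol
        if rport is not None and rport != dport:
            continue
        if wild_match(src, *rsrc) and wild_match(dst, *rdst):
            return rid, action
    return None  # unreachable for this ACL: rule 8 matches everything

# Constructed sample packets: (protocol, source, destination, destination port)
SAMPLES = [
    ("udp", "10.65.1.20", "10.65.3.255", 7),    # WOL magic packet from VLAN 1
    ("udp", "10.65.1.20", "10.65.3.255", 9),    # directed broadcast, wrong port
    ("icmp", "10.65.2.9", "10.65.3.255", None), # ping to the broadcast address
    ("tcp", "10.65.1.20", "10.65.3.40", 445),   # regular unicast traffic
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", evaluate(*pkt))
```

Because rule 8 matches every packet, the result here does not depend on whether the switch applies an implicit deny after the last rule.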

  7. #7

    Join Date
    Oct 2005
    Location
    East Midlands
    Posts
    748
    Thank Post
    17
    Thanked 109 Times in 69 Posts
    Rep Power
    38

    Re: Wake on LAN across VLANs/subnets - 3Com Layer-3 Switch 5

    Hi,

    The inbound traffic means traffic coming into VLAN 3 (in this case, broadcast to all ports on VLAN 3). The outbound means traffic leaving VLAN 3 and crossing over to other VLANs. So I would say you need to assign it as an inbound to VLAN 3.

    As for the access list, the 3Com things do look more complicated than Cisco, but I'm sure they will have an implicit deny statement at the end of the access list.

    In your case, the access list you created (stated under the Problem #2 section) seems fine.

    Can I ask: is layer 3 routing enabled on both VLANs, i.e. does each of the VLANs (1 and 3 in your case) have an IP address assigned to it? How is other traffic routing at the moment, or are both VLANs isolated (i.e. workstations from VLAN 1 can't talk to workstations in VLAN 3)?

    If it is isolated and you don't require routing from one VLAN to the other, then you only need to enable the access list that just allows broadcasts for WOL and then take out the ip forward-broadcast command from VLAN 3's interface. Since the access list will be there, you won't require the ip forward-broadcast command.

    Looking at the config guide for 3Com, I would have thought that you assign the access list to an interface by using the following command:

    packet-filter inbound ip-group 3000

    i.e. go to VLAN 3's interface and then type in the above line (assuming access list 3000 is defined with the restriction you want).

    HTH,

    Ash.

  8. #8

    Join Date
    Aug 2007
    Posts
    7
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Re: Wake on LAN across VLANs/subnets - 3Com Layer-3 Switch 5

    Thanks for following up.

    Your explanation regarding the inbound traffic for VLAN 3 makes sense. I just always assumed that inbound and outbound were defined relative to the switch itself.

    I'll have to check on Monday if routing is enabled between VLANs. I assumed it was but now that you bring it up, I'm not so sure anymore.

    Yes, the command to assign an ACL starts with packet-filter. However, this command is not available in the context of the VLAN interface, it only seems to apply to individual ports.

    I'll let you know what I find out on Monday.

  9. #9

    Join Date
    Aug 2007
    Posts
    7
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Just to confirm that routing is enabled between VLANs. Each VLAN has its own IP and routes have been defined to direct traffic between VLANs.

    My next step will be to assign the ACL to all ports members of VLAN 3 (unless somebody found a way to assign an ACL to an entire VLAN in one fell swoop).

  10. #10

    Join Date
    Oct 2005
    Location
    East Midlands
    Posts
    748
    Thank Post
    17
    Thanked 109 Times in 69 Posts
    Rep Power
    38
    Quote (originally posted by SSTechIII):
    "Just to confirm that routing is enabled between VLANs. Each VLAN has its own IP and routes have been defined to direct traffic between VLANs.

    My next step will be to assign the ACL to all ports members of VLAN 3 (unless somebody found a way to assign an ACL to an entire VLAN in one fell swoop)."

    Hiya,

    Try the following when you are at the VLAN interface level:

    packet-filter vlan 3 inbound ip-group 3000

    where 3 is the ID of the VLAN and 3000 is the number of the ACL group. I'm not entirely sure if the above command should be run globally or at the VLAN interface level. Try at the interface level and, if not, see if you can run it at a global level.

    Ash.
    Last edited by spc-rocket; 8th January 2008 at 10:17 AM.

  11. #11

    Join Date
    Oct 2005
    Location
    East Midlands
    Posts
    748
    Thank Post
    17
    Thanked 109 Times in 69 Posts
    Rep Power
    38

    Vlan and ACL on 3com

    Hi,

    Did you have any luck with the command I posted in my last post?

    Ash.

  12. #12

    Join Date
    Jan 2008
    Location
    Holland
    Posts
    3
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Quote (originally posted by ashok):
    "Hi,

    Did you have any luck with the command i posted in my last post?

    Ash."

    Hi Ash,

    The commands you referred to won't be recognized on the VLAN interface level or globally.
    I'm having the same issues as sstechIII.

  13. #13

    Join Date
    Jul 2007
    Location
    Nottingham
    Posts
    199
    Thank Post
    19
    Thanked 7 Times in 7 Posts
    Rep Power
    17
    Did anyone find a way of assigning an ACL to a 3Com VLAN?

    I'm preparing the overhaul of our 3Com network and it would greatly reduce my headaches if it was possible.

  14. #14

    Join Date
    Jul 2007
    Location
    Nottingham
    Posts
    199
    Thank Post
    19
    Thanked 7 Times in 7 Posts
    Rep Power
    17
    Right, after some further looking around I think that the 'Packet-Filter VLAN' command is the right way to go. However you will need to upgrade the software on the switch to the latest version.

    I'm going to try and upgrade my 5500 switch tonight and see what happens.

  15. #15

    Join Date
    Jan 2008
    Location
    Holland
    Posts
    3
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Quote (originally posted by dan400007):
    "Right, after some further looking around I think that the 'Packet-Filter VLAN' command is the right way to go. However you will need to upgrade the software on the switch to the latest version.

    I'm going to try and upgrade my 5500 switch tonight and see what happens."

    Did you find any luck???


