When To Enable Ip Directed Broadcast; When Not To Enable Ip Directed Broadcast; High Availability Features For Ex Series Switches Overview - Juniper JUNOS OS 10.3 - SOFTWARE Manual

For EX Series Ethernet Switches

Complete Software Guide for Junos

1110 Junos® OS for EX Series Ethernet Switches, Release 10.3
connected to that subnet receives a packet that has the subnet's broadcast IP address as the destination address, the switch broadcasts the packet to all hosts on the subnet. By default, IP directed broadcast is disabled.

When to Enable IP Directed Broadcast

IP directed broadcast is disabled by default. Enable IP directed broadcast when you want to perform remote management or administration services such as backups or Wake-on-LAN (WOL) tasks on hosts in a subnet that does not have a direct connection to the Internet. Enabling IP directed broadcast on a subnet affects only the hosts within that subnet. Only packets received on the subnet's Layer 3 interface that have the subnet's broadcast IP address as the destination address are flooded on the subnet.

When Not to Enable IP Directed Broadcast

Typically, you do not enable IP directed broadcast on subnets that have direct connections to the Internet. Disabling IP directed broadcast on a subnet's Layer 3 interface affects only that subnet. If you disable IP directed broadcast on a subnet and a packet that has the broadcast IP address of that subnet arrives at the switch, the switch drops the broadcast packet.

If a subnet has a direct connection to the Internet, enabling IP directed broadcast on it increases the network's susceptibility to denial-of-service (DoS) attacks.

For example, a malicious attacker can spoof a source IP address (use a source IP address that is not the actual source of the transmission to deceive a network into identifying the attacker as a legitimate source) and send IP directed broadcasts containing Internet Control Message Protocol (ICMP) echo (ping) packets. When the hosts on the network with IP directed broadcast enabled receive the ICMP echo packets, they all send replies to the victim that has the spoofed source IP address. This creates a flood of ping replies in a DoS attack that can overwhelm the spoofed source address; this is known as a "smurf" attack. Another common DoS attack on exposed networks with IP directed broadcast enabled is a "fraggle" attack, which is similar to a smurf attack except that the malicious packet is a User Datagram Protocol (UDP) echo packet instead of an ICMP echo packet.
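The per-subnet forwarding rule and the smurf/fraggle pattern described above, modelled in Python as an added example (this is not Junos code or configuration); the two Layer 3 interfaces, their subnets and the sample packets are constructed, and the audit shows, from the defender's side, which directed broadcasts the switch would flood or drop and which of those carry the reflect-and-amplify pattern.

```python
import ipaddress
from dataclasses import dataclass
@dataclass(frozen=True)
class L3Interface:
    network: ipaddress.IPv4Network
    directed_broadcast: bool   # the per-subnet enable/disable setting
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "icmp" or "udp"
    icmp_type: int = -1    # 8 = ICMP echo request
    dst_port: int = -1     # UDP port 7 = echo service

INTERFACES = [  # constructed sample switch configuration
    L3Interface(ipaddress.ip_network("10.10.0.0/24"), True),     # internal subnet, no Internet path
    L3Interface(ipaddress.ip_network("203.0.113.0/25"), False),  # Internet-facing subnet, left disabled
]

def target_interface(dst):
    """Interface whose subnet broadcast address the packet is addressed to, or None."""
    addr = ipaddress.ip_address(dst)
    return next((i for i in INTERFACES if i.network.broadcast_address == addr), None)

def forwarding_decision(pkt):
    """'flood' or 'drop' per the subnet's setting; 'unicast' if not a subnet broadcast address."""
    iface = target_interface(pkt.dst)
    if iface is None:
        return "unicast"
    return "flood" if iface.directed_broadcast else "drop"

def amplification_pattern(pkt):
    """Echo request to a subnet broadcast address from outside that subnet: every
    replying host answers the (probably spoofed) source, the smurf/fraggle case."""
    iface = target_interface(pkt.dst)
    echo = (pkt.proto == "icmp" and pkt.icmp_type == 8) or (pkt.proto == "udp" and pkt.dst_port == 7)
    if iface is None or not echo or ipaddress.ip_address(pkt.src) in iface.network:
        return None
    return "smurf" if pkt.proto == "icmp" else "fraggle"

def audit(packets):
    """(decision, pattern) per packet; ('flood', 'smurf'/'fraggle') is the dangerous pair."""
    return [(forwarding_decision(p), amplification_pattern(p)) for p in packets]

SAMPLES = [  # constructed traffic
    Packet("10.20.0.3", "10.10.0.255", "udp", dst_port=9),        # WOL magic packet from a management host
    Packet("198.51.100.7", "10.10.0.255", "icmp", icmp_type=8),   # off-subnet ping to the broadcast address
    Packet("198.51.100.7", "203.0.113.127", "udp", dst_port=7),   # UDP echo to a subnet with it disabled
    Packet("10.10.0.5", "10.10.0.20", "icmp", icmp_type=8),       # ordinary unicast ping
]
```

Running `audit(SAMPLES)` classifies the WOL packet as a legitimate flood, the off-subnet ping as a flooded smurf pattern, the UDP echo as a fraggle pattern that the disabled subnet drops, and the unicast ping as unaffected.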
Related Documentation

Example: Configuring IP Directed Broadcast on an EX Series Switch on page 1138
Configuring IP Directed Broadcast (CLI Procedure) on page 1164

High Availability Features for EX Series Switches Overview

High availability refers to the hardware and software components that provide redundancy and reliability for packet-based communications. This topic covers the following high availability features of Juniper Networks EX Series Ethernet Switches:

VRRP on page 1111
Graceful Protocol Restart on page 1111
Redundant Routing Engines on page 1112
Copyright © 2010, Juniper Networks, Inc.
